sepolicy: remove ashmemd
Bug: 139855428 Test: m selinux_policy Change-Id: I8d7f66b16be025f7cb9c5269fae6fd7540c2fdc9
parent
e612ecd6ed
commit
bfcddbe25e
22 changed files with 4 additions and 60 deletions
|
@ -103,7 +103,6 @@ neverallow app_zygote {
|
||||||
neverallow app_zygote {
|
neverallow app_zygote {
|
||||||
service_manager_type
|
service_manager_type
|
||||||
-activity_service
|
-activity_service
|
||||||
-ashmem_device_service
|
|
||||||
-webviewupdate_service
|
-webviewupdate_service
|
||||||
}:service_manager find;
|
}:service_manager find;
|
||||||
|
|
||||||
|
|
|
@ -1,9 +0,0 @@
|
||||||
typeattribute ashmemd coredomain;
|
|
||||||
type ashmemd_exec, exec_type, file_type, system_file_type;
|
|
||||||
|
|
||||||
init_daemon_domain(ashmemd)
|
|
||||||
|
|
||||||
binder_use(ashmemd)
|
|
||||||
add_service(ashmemd, ashmem_device_service)
|
|
||||||
|
|
||||||
allow ashmemd ashmem_device:chr_file rw_file_perms;
|
|
|
@ -125,7 +125,6 @@
|
||||||
su_tmpfs
|
su_tmpfs
|
||||||
super_block_device
|
super_block_device
|
||||||
sysfs_fs_f2fs
|
sysfs_fs_f2fs
|
||||||
system_ashmem_hwservice
|
|
||||||
system_bootstrap_lib_file
|
system_bootstrap_lib_file
|
||||||
system_event_log_tags_file
|
system_event_log_tags_file
|
||||||
system_lmk_prop
|
system_lmk_prop
|
||||||
|
|
|
@ -1,4 +1,5 @@
|
||||||
;; types removed from current policy
|
;; types removed from current policy
|
||||||
|
(type ashmemd)
|
||||||
(type hal_wifi_offload_hwservice)
|
(type hal_wifi_offload_hwservice)
|
||||||
(type mediacodec_service)
|
(type mediacodec_service)
|
||||||
(type perfprofd_data_file)
|
(type perfprofd_data_file)
|
||||||
|
|
|
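Review bot: The removed-types list gains only `(type ashmemd)`, yet other sections of this commit also delete `ashmemd_exec`, `ashmem_device_service`, `system_ashmem_hwservice` and the `ashmem_server` attribute. Any of these that shipped in an earlier released policy version would need a compatibility entry as well, otherwise vendor policy built against that version may reference an undeclared name. Whether they did ship is not visible on this page and should be confirmed. If they are intentionally absent, a short comment next to the new line, such as `;; ashmemd: the other ashmem names removed with it were never part of a released policy`, would record that decision.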
@ -19,7 +19,6 @@
|
||||||
linker_prop
|
linker_prop
|
||||||
ota_metadata_file
|
ota_metadata_file
|
||||||
art_apex_dir
|
art_apex_dir
|
||||||
system_ashmem_hwservice
|
|
||||||
system_group_file
|
system_group_file
|
||||||
system_passwd_file
|
system_passwd_file
|
||||||
vendor_apex_file
|
vendor_apex_file
|
||||||
|
|
|
@ -187,16 +187,3 @@ neverallow coredomain {
|
||||||
full_treble_only(`
|
full_treble_only(`
|
||||||
neverallow coredomain tee_device:chr_file { open read append write ioctl };
|
neverallow coredomain tee_device:chr_file { open read append write ioctl };
|
||||||
')
|
')
|
||||||
|
|
||||||
# Allow access to ashmemd to request /dev/ashmem fds.
|
|
||||||
allow {
|
|
||||||
coredomain
|
|
||||||
-init
|
|
||||||
-iorapd
|
|
||||||
} ashmem_device_service:service_manager find;
|
|
||||||
|
|
||||||
binder_call({
|
|
||||||
coredomain
|
|
||||||
-init
|
|
||||||
-iorapd
|
|
||||||
}, ashmemd)
|
|
||||||
|
|
|
@ -186,7 +186,6 @@
|
||||||
/system/lib(64)?(/.*)? u:object_r:system_lib_file:s0
|
/system/lib(64)?(/.*)? u:object_r:system_lib_file:s0
|
||||||
/system/lib(64)?/bootstrap(/.*)? u:object_r:system_bootstrap_lib_file:s0
|
/system/lib(64)?/bootstrap(/.*)? u:object_r:system_bootstrap_lib_file:s0
|
||||||
/system/bin/atrace u:object_r:atrace_exec:s0
|
/system/bin/atrace u:object_r:atrace_exec:s0
|
||||||
/system/bin/ashmemd u:object_r:ashmemd_exec:s0
|
|
||||||
/system/bin/auditctl u:object_r:auditctl_exec:s0
|
/system/bin/auditctl u:object_r:auditctl_exec:s0
|
||||||
/system/bin/bcc u:object_r:rs_exec:s0
|
/system/bin/bcc u:object_r:rs_exec:s0
|
||||||
/system/bin/blank_screen u:object_r:blank_screen_exec:s0
|
/system/bin/blank_screen u:object_r:blank_screen_exec:s0
|
||||||
|
|
|
@ -3,6 +3,3 @@ hal_server_domain(hal_allocator_default, hal_allocator)
|
||||||
|
|
||||||
type hal_allocator_default_exec, system_file_type, exec_type, file_type;
|
type hal_allocator_default_exec, system_file_type, exec_type, file_type;
|
||||||
init_daemon_domain(hal_allocator_default)
|
init_daemon_domain(hal_allocator_default)
|
||||||
|
|
||||||
# To talk to ashmemd
|
|
||||||
binder_use(hal_allocator_default)
|
|
||||||
|
|
|
@ -79,7 +79,6 @@ android.hidl.base::IBase u:object_r:hidl_
|
||||||
android.hidl.manager::IServiceManager u:object_r:hidl_manager_hwservice:s0
|
android.hidl.manager::IServiceManager u:object_r:hidl_manager_hwservice:s0
|
||||||
android.hidl.memory::IMapper u:object_r:hidl_memory_hwservice:s0
|
android.hidl.memory::IMapper u:object_r:hidl_memory_hwservice:s0
|
||||||
android.hidl.token::ITokenManager u:object_r:hidl_token_hwservice:s0
|
android.hidl.token::ITokenManager u:object_r:hidl_token_hwservice:s0
|
||||||
android.system.ashmem::IAshmem u:object_r:system_ashmem_hwservice:s0
|
|
||||||
android.system.net.netd::INetd u:object_r:system_net_netd_hwservice:s0
|
android.system.net.netd::INetd u:object_r:system_net_netd_hwservice:s0
|
||||||
android.system.suspend::ISystemSuspend u:object_r:system_suspend_hwservice:s0
|
android.system.suspend::ISystemSuspend u:object_r:system_suspend_hwservice:s0
|
||||||
android.system.wifi.keystore::IKeystore u:object_r:system_wifi_keystore_hwservice:s0
|
android.system.wifi.keystore::IKeystore u:object_r:system_wifi_keystore_hwservice:s0
|
||||||
|
|
|
@ -92,12 +92,10 @@ neverallow isolated_app *:service_manager ~find;
|
||||||
|
|
||||||
# b/17487348
|
# b/17487348
|
||||||
# Isolated apps can only access three services,
|
# Isolated apps can only access three services,
|
||||||
# activity_service, display_service, webviewupdate_service, and
|
# activity_service, display_service, webviewupdate_service.
|
||||||
# ashmem_device_service.
|
|
||||||
neverallow isolated_app {
|
neverallow isolated_app {
|
||||||
service_manager_type
|
service_manager_type
|
||||||
-activity_service
|
-activity_service
|
||||||
-ashmem_device_service
|
|
||||||
-display_service
|
-display_service
|
||||||
-webviewupdate_service
|
-webviewupdate_service
|
||||||
}:service_manager find;
|
}:service_manager find;
|
||||||
|
|
|
@ -1,4 +1,3 @@
|
||||||
type ashmem_device_service, app_api_service, service_manager_type;
|
|
||||||
type attention_service, system_server_service, service_manager_type;
|
type attention_service, system_server_service, service_manager_type;
|
||||||
type dynamic_system_service, system_api_service, system_server_service, service_manager_type;
|
type dynamic_system_service, system_api_service, system_server_service, service_manager_type;
|
||||||
type gsi_service, service_manager_type;
|
type gsi_service, service_manager_type;
|
||||||
|
|
|
@ -10,7 +10,6 @@ android.service.gatekeeper.IGateKeeperService u:object_r:gatekeeper_service:s
|
||||||
app_binding u:object_r:app_binding_service:s0
|
app_binding u:object_r:app_binding_service:s0
|
||||||
app_prediction u:object_r:app_prediction_service:s0
|
app_prediction u:object_r:app_prediction_service:s0
|
||||||
apexservice u:object_r:apex_service:s0
|
apexservice u:object_r:apex_service:s0
|
||||||
ashmem_device_service u:object_r:ashmem_device_service:s0
|
|
||||||
gsiservice u:object_r:gsi_service:s0
|
gsiservice u:object_r:gsi_service:s0
|
||||||
appops u:object_r:appops_service:s0
|
appops u:object_r:appops_service:s0
|
||||||
appwidget u:object_r:appwidget_service:s0
|
appwidget u:object_r:appwidget_service:s0
|
||||||
|
|
|
@ -177,6 +177,5 @@ userdebug_or_eng(`
|
||||||
allowxperm untrusted_app_all debugfs_kcov:file ioctl { KCOV_INIT_TRACE KCOV_ENABLE KCOV_DISABLE };
|
allowxperm untrusted_app_all debugfs_kcov:file ioctl { KCOV_INIT_TRACE KCOV_ENABLE KCOV_DISABLE };
|
||||||
')
|
')
|
||||||
|
|
||||||
# Allow access to ashmemd to request /dev/ashmem fds.
|
# Allow (rw_file_perms - open) access to /dev/ashmem.
|
||||||
binder_call(untrusted_app_all, ashmemd)
|
|
||||||
allow untrusted_app_all ashmem_device:chr_file { getattr read ioctl lock map append write };
|
allow untrusted_app_all ashmem_device:chr_file { getattr read ioctl lock map append write };
|
||||||
|
|
|
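Review bot: The new comment `# Allow (rw_file_perms - open) access to /dev/ashmem.` says which permissions are granted but not why `open` is left out. With `binder_call(untrusted_app_all, ashmemd)` gone, the hunk no longer hints at where an untrusted app gets its ashmem fd from. Presumably the fd is inherited or handed over by another process (another section of this commit keeps `allow domain ashmem_libcutils_device:chr_file rw_file_perms;` for libcutils), but that is an inference. I would extend the comment, for example `# open is withheld on purpose: untrusted apps may use ashmem fds they are handed but must not open /dev/ashmem themselves.` If the restriction is meant as an invariant, a matching neverallow would let the build enforce it; whether one already exists is not visible here.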
@ -113,7 +113,6 @@ neverallow webview_zygote {
|
||||||
neverallow webview_zygote {
|
neverallow webview_zygote {
|
||||||
service_manager_type
|
service_manager_type
|
||||||
-activity_service
|
-activity_service
|
||||||
-ashmem_device_service
|
|
||||||
-webviewupdate_service
|
-webviewupdate_service
|
||||||
}:service_manager find;
|
}:service_manager find;
|
||||||
|
|
||||||
|
|
|
@ -357,9 +357,6 @@ allow appdomain audioserver_tmpfs:file { getattr map read write };
|
||||||
allow appdomain system_server_tmpfs:file { getattr map read write };
|
allow appdomain system_server_tmpfs:file { getattr map read write };
|
||||||
allow appdomain zygote_tmpfs:file { map read };
|
allow appdomain zygote_tmpfs:file { map read };
|
||||||
|
|
||||||
# Allow vendor apps access to ashmem_server to request /dev/ashmem fds.
|
|
||||||
binder_call({ appdomain -coredomain }, ashmem_server)
|
|
||||||
|
|
||||||
###
|
###
|
||||||
### Neverallow rules
|
### Neverallow rules
|
||||||
###
|
###
|
||||||
|
|
|
@ -1,3 +0,0 @@
|
||||||
hwbinder_use(ashmem_server)
|
|
||||||
get_prop(ashmem_server, hwservicemanager_prop)
|
|
||||||
add_hwservice(ashmem_server, system_ashmem_hwservice)
|
|
|
@ -1,3 +0,0 @@
|
||||||
# TODO(b/133869224): Make private once ashmemd
|
|
||||||
# is cleaned up from vendor sepolicy.
|
|
||||||
type ashmemd, domain, ashmem_server;
|
|
|
@ -351,7 +351,6 @@ hal_attribute(wifi_supplicant);
|
||||||
# from one core domain to another, without having to update the vendor image
|
# from one core domain to another, without having to update the vendor image
|
||||||
# which contains clients of this service.
|
# which contains clients of this service.
|
||||||
|
|
||||||
attribute ashmem_server;
|
|
||||||
attribute camera_service_server;
|
attribute camera_service_server;
|
||||||
attribute display_service_server;
|
attribute display_service_server;
|
||||||
attribute scheduler_service_server;
|
attribute scheduler_service_server;
|
||||||
|
|
|
@ -72,7 +72,7 @@ allow domain null_device:chr_file rw_file_perms;
|
||||||
allow domain zero_device:chr_file rw_file_perms;
|
allow domain zero_device:chr_file rw_file_perms;
|
||||||
allow {
|
allow {
|
||||||
domain
|
domain
|
||||||
# TODO(b/113362644): route coredomain to ashmemd
|
# TODO(b/113362644): route coredomain to libcutils.
|
||||||
#-coredomain
|
#-coredomain
|
||||||
-mediaprovider
|
-mediaprovider
|
||||||
-ephemeral_app
|
-ephemeral_app
|
||||||
|
@ -83,14 +83,6 @@ allow {
|
||||||
# This device is used by libcutils.
|
# This device is used by libcutils.
|
||||||
allow domain ashmem_libcutils_device:chr_file rw_file_perms;
|
allow domain ashmem_libcutils_device:chr_file rw_file_perms;
|
||||||
|
|
||||||
# Allow using fds to /dev/ashmem.
|
|
||||||
allow domain ashmem_server:fd use;
|
|
||||||
|
|
||||||
# Allow vendor hals to access IAshmem
|
|
||||||
# TODO(b/134783601): Change to a whitelist.
|
|
||||||
allow { domain -coredomain -appdomain } system_ashmem_hwservice:hwservice_manager find;
|
|
||||||
allow { domain -coredomain -appdomain } ashmem_server: binder call;
|
|
||||||
|
|
||||||
# /dev/binder can be accessed by ... everyone! :)
|
# /dev/binder can be accessed by ... everyone! :)
|
||||||
allow { domain -hwservicemanager -vndservicemanager } binder_device:chr_file rw_file_perms;
|
allow { domain -hwservicemanager -vndservicemanager } binder_device:chr_file rw_file_perms;
|
||||||
|
|
||||||
|
|
|
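Review bot: The reworded TODO, `# TODO(b/113362644): route coredomain to libcutils.`, still sits above a commented-out `#-coredomain`, so core domains remain inside this allow set and the comment does not say what condition would let the exclusion be switched on. The allow statement's target and the rest of its exclusion list lie outside the hunk, so the reader cannot tell from here which access is being kept broad. I would spell the intent out, for example `# TODO(b/113362644): uncomment -coredomain once core domains get ashmem through libcutils only.` That wording assumes this is what the TODO means; adjust it if the plan is different.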
@ -56,7 +56,6 @@ type hal_wifi_hostapd_hwservice, hwservice_manager_type, protected_hwservice;
|
||||||
type hal_wifi_hwservice, hwservice_manager_type, protected_hwservice;
|
type hal_wifi_hwservice, hwservice_manager_type, protected_hwservice;
|
||||||
type hal_wifi_offload_hwservice, hwservice_manager_type, protected_hwservice;
|
type hal_wifi_offload_hwservice, hwservice_manager_type, protected_hwservice;
|
||||||
type hal_wifi_supplicant_hwservice, hwservice_manager_type, protected_hwservice;
|
type hal_wifi_supplicant_hwservice, hwservice_manager_type, protected_hwservice;
|
||||||
type system_ashmem_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
|
|
||||||
type system_net_netd_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
|
type system_net_netd_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
|
||||||
type system_suspend_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
|
type system_suspend_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
|
||||||
type system_wifi_keystore_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
|
type system_wifi_keystore_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
|
||||||
|
|
|
@ -171,7 +171,6 @@ neverallow { domain -system_server -dumpstate -installd } installd_service:servi
|
||||||
neverallow { domain -system_server -dumpstate } installd:binder call;
|
neverallow { domain -system_server -dumpstate } installd:binder call;
|
||||||
neverallow installd {
|
neverallow installd {
|
||||||
domain
|
domain
|
||||||
-ashmem_server
|
|
||||||
-system_server
|
-system_server
|
||||||
-servicemanager
|
-servicemanager
|
||||||
userdebug_or_eng(`-su')
|
userdebug_or_eng(`-su')
|
||||||
|
|
|
@ -305,7 +305,6 @@ neverallow {
|
||||||
|
|
||||||
neverallow vold {
|
neverallow vold {
|
||||||
domain
|
domain
|
||||||
-ashmem_server
|
|
||||||
-hal_health_storage_server
|
-hal_health_storage_server
|
||||||
-hal_keymaster_server
|
-hal_keymaster_server
|
||||||
-system_suspend_server
|
-system_suspend_server
|
||||||
|
|