Merge "SELinux policy for system server JVMTI property"
This commit is contained in:
David Sehr
Gerrit Code Review
commit
c0bb680fee
4 changed files with 16 additions and 0 deletions
|
|
@ -32,6 +32,7 @@
|
|||
art_apex_dir
|
||||
service_manager_service
|
||||
system_group_file
|
||||
system_jvmti_agent_prop
|
||||
system_passwd_file
|
||||
timezonedetector_service
|
||||
userspace_reboot_prop
|
||||
|
|
|
|||
|
|
@ -67,6 +67,7 @@ persist.sys.theme u:object_r:theme_prop:s0
|
|||
persist.sys.fflag.override.settings_dynamic_system u:object_r:dynamic_system_prop:s0
|
||||
ro.sys.safemode u:object_r:safemode_prop:s0
|
||||
persist.sys.audit_safemode u:object_r:safemode_prop:s0
|
||||
persist.sys.dalvik.jvmtiagent u:object_r:system_jvmti_agent_prop:s0
|
||||
persist.service. u:object_r:system_prop:s0
|
||||
persist.service.bdroid. u:object_r:bluetooth_prop:s0
|
||||
persist.security. u:object_r:system_prop:s0
|
||||
|
|
|
|||
|
|
@ -894,6 +894,8 @@ allow system_server profman_dump_data_file:dir w_dir_perms;
|
|||
userdebug_or_eng(`
|
||||
allow system_server user_profile_data_file:file create_file_perms;
|
||||
')
|
||||
# Allow system server to load JVMTI agents under control of a property.
|
||||
get_prop(system_server,system_jvmti_agent_prop)
|
||||
|
||||
# UsbDeviceManager uses /dev/usb-ffs
|
||||
allow system_server functionfs:dir search;
|
||||
|
|
@ -1031,6 +1033,17 @@ allow system_server metadata_file:dir search;
|
|||
allow system_server password_slot_metadata_file:dir rw_dir_perms;
|
||||
allow system_server password_slot_metadata_file:file create_file_perms;
|
||||
|
||||
# JVMTI agent settings are only readable from the system server.
|
||||
neverallow {
|
||||
domain
|
||||
-system_server
|
||||
-dumpstate
|
||||
-init
|
||||
-vendor_init
|
||||
} {
|
||||
system_jvmti_agent_prop
|
||||
}:file no_rw_file_perms;
|
||||
|
||||
# Read/Write /proc/pressure/memory
|
||||
allow system_server proc_pressure_mem:file rw_file_perms;
|
||||
|
||||
|
|
|
|||
|
|
@ -63,6 +63,7 @@ system_restricted_prop(linker_prop)
|
|||
system_restricted_prop(nnapi_ext_deny_product_prop)
|
||||
system_restricted_prop(restorecon_prop)
|
||||
system_restricted_prop(system_boot_reason_prop)
|
||||
system_restricted_prop(system_jvmti_agent_prop)
|
||||
system_restricted_prop(userspace_reboot_exported_prop)
|
||||
|
||||
compatible_property_only(`
|
||||
|
|
|
|||
Loading…
Reference in a new issue