init: remove open, read, write access to 'sysfs' type.
Add write access to: sysfs_android_usb sysfs_leds sysfs_power sysfs_zram Add setattr access to: sysfs_android_usb sysfs_devices_system_cpu sysfs_lowmemorykiller sysfs_power sysfs_leds sysfs_ipv4 Bug: 65643247 Test: walleye boots with no denials from init to sysfs. Change-Id: Ibc9a54a5f43f3d53ab7cbb0fdb9589959b31ebde
This commit is contained in:
parent
cea60d7eb5
commit
c2241a8d16
2 changed files with 23 additions and 5 deletions
|
@ -101,6 +101,7 @@ genfscon sysfs /devices/virtual/net u:object_r:sysfs_net:s0
|
|||
genfscon sysfs /devices/virtual/switch u:object_r:sysfs_switch:s0
|
||||
genfscon sysfs /firmware/devicetree/base/firmware/android u:object_r:sysfs_dt_firmware_android:s0
|
||||
genfscon sysfs /fs/ext4/features u:object_r:sysfs_fs_ext4_features:s0
|
||||
genfscon sysfs /power/autosleep u:object_r:sysfs_power:s0
|
||||
genfscon sysfs /power/state u:object_r:sysfs_power:s0
|
||||
genfscon sysfs /power/wakeup_count u:object_r:sysfs_power:s0
|
||||
genfscon sysfs /power/wake_lock u:object_r:sysfs_wake_lock:s0
|
||||
|
|
|
@ -211,6 +211,7 @@ allow init {
|
|||
-contextmount_type
|
||||
-proc
|
||||
-sdcard_type
|
||||
-sysfs
|
||||
-rootfs
|
||||
}:file { open read setattr };
|
||||
allow init { fs_type -contextmount_type -sdcard_type -rootfs }:dir { open read setattr search };
|
||||
|
@ -292,6 +293,24 @@ allow init {
|
|||
proc_security
|
||||
}:file rw_file_perms;
|
||||
|
||||
# init access to /sys files.
|
||||
allow init {
|
||||
sysfs_android_usb
|
||||
sysfs_leds
|
||||
sysfs_power
|
||||
sysfs_zram
|
||||
}:file w_file_perms;
|
||||
|
||||
# init chmod/chown access to /sys files.
|
||||
allow init {
|
||||
sysfs_android_usb
|
||||
sysfs_devices_system_cpu
|
||||
sysfs_ipv4
|
||||
sysfs_leds
|
||||
sysfs_lowmemorykiller
|
||||
sysfs_power
|
||||
}:file setattr;
|
||||
|
||||
# Set usermodehelpers.
|
||||
allow init { usermodehelper sysfs_usermodehelper }:file rw_file_perms;
|
||||
|
||||
|
@ -300,11 +319,6 @@ allow init self:global_capability_class_set net_admin;
|
|||
# Reboot.
|
||||
allow init self:global_capability_class_set sys_boot;
|
||||
|
||||
# Write to sysfs nodes.
|
||||
allow init sysfs_type:dir r_dir_perms;
|
||||
allow init sysfs_type:lnk_file read;
|
||||
allow init sysfs_type:file rw_file_perms;
|
||||
|
||||
# Init will create /data/misc/logd when the property persist.logd.logpersistd is "logcatd".
|
||||
# Init will also walk through the directory as part of a recursive restorecon.
|
||||
allow init misc_logd_file:dir { add_name open create read getattr setattr search write };
|
||||
|
@ -458,3 +472,6 @@ neverallow init servicemanager:service_manager list;
|
|||
|
||||
# Init should not be creating subdirectories in /data/local/tmp
|
||||
neverallow init shell_data_file:dir { write add_name remove_name };
|
||||
|
||||
# Init should not access sysfs node that are not explicitly labeled.
|
||||
neverallow init sysfs:file { open read write };
|
||||
|
|
Loading…
Reference in a new issue