Snap for 11967491 from b70ff52882 to 24Q3-release

Change-Id: I1f38f1972f363cec24061d0adf217aeea9808150
Android Build Coastguard Worker 2024-06-13 23:25:37 +00:00
commit c3a7a5bb6c
4 changed files with 10 additions and 5 deletions


@ -407,6 +407,7 @@
/system/bin/traced traced_exec /system/bin/traced traced_exec
/system/bin/traced_perf traced_perf_exec /system/bin/traced_perf traced_perf_exec
/system/bin/traced_probes traced_probes_exec /system/bin/traced_probes traced_probes_exec
/system/bin/traced_relay traced_exec
/system/bin/heapprofd heapprofd_exec /system/bin/heapprofd heapprofd_exec
/system/bin/uncrypt uncrypt_exec /system/bin/uncrypt uncrypt_exec
/system/bin/update_verifier update_verifier_exec /system/bin/update_verifier update_verifier_exec


@ -339,6 +339,7 @@
/system/bin/traced u:object_r:traced_exec:s0 /system/bin/traced u:object_r:traced_exec:s0
/system/bin/traced_perf u:object_r:traced_perf_exec:s0 /system/bin/traced_perf u:object_r:traced_perf_exec:s0
/system/bin/traced_probes u:object_r:traced_probes_exec:s0 /system/bin/traced_probes u:object_r:traced_probes_exec:s0
/system/bin/traced_relay u:object_r:traced_exec:s0
/system/bin/trace_redactor u:object_r:trace_redactor_exec:s0 /system/bin/trace_redactor u:object_r:trace_redactor_exec:s0
/system/bin/heapprofd u:object_r:heapprofd_exec:s0 /system/bin/heapprofd u:object_r:heapprofd_exec:s0
/system/bin/uncrypt u:object_r:uncrypt_exec:s0 /system/bin/uncrypt u:object_r:uncrypt_exec:s0
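Review bot: The new traced_relay entry reuses traced_exec instead of introducing a traced_relay_exec type, so the relay will execute in whatever domain traced_exec transitions into and inherit that domain's complete permission set rather than a set scoped to relaying. If traced_relay genuinely needs everything traced has (likely, since it appears to be built from the same Perfetto tree, but not shown here), a comment on the line makes the decision auditable: `# traced_relay runs in the traced domain on purpose; it needs the same producer socket permissions`. Otherwise a dedicated `traced_relay_exec` type and domain would keep least privilege, and the sibling file above that maps `/system/bin/traced_relay traced_exec` would need the matching change.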


@ -19,8 +19,11 @@ allow statsd incidentd:fifo_file write;
# Allow StatsCompanionService to pipe data to statsd. # Allow StatsCompanionService to pipe data to statsd.
allow statsd system_server:fifo_file { read write getattr }; allow statsd system_server:fifo_file { read write getattr };
# Allow Statsd to pipe data to privileged apps. # Allow any app to pipe data to statsd.
allow statsd priv_app:fifo_file { read write getattr }; # Access control to all statsd APIs inherit from system_api_service, so
# appdomain permissions are granted to avoid listing each individual
# service that can access system_api_service.
allow statsd appdomain:fifo_file { read write getattr };
# Allow statsd to retrieve SF statistics over binder # Allow statsd to retrieve SF statistics over binder
binder_call(statsd, surfaceflinger); binder_call(statsd, surfaceflinger);
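Review bot: The replacement rule keeps `write` on appdomain-owned fifos even though the new comment describes data flowing from apps to statsd, which widens statsd's write access from priv_app pipes to pipes created by every app domain, including untrusted_app, isolated_app and the SDK sandbox. Pipes are labeled with the creating domain's type and can only reach statsd as a binder-passed fd, so the effective gate is the system_api_service check the comment cites, but the SELinux rule should still match the direction actually used: `allow statsd appdomain:fifo_file { read getattr };`. If statsd still writes back into pipes supplied by privileged apps (the direction the old comment described), keep that as a separate `allow statsd priv_app:fifo_file write;` with its own comment rather than granting write to all of appdomain. The comment could also note that this rule does not by itself let any app reach statsd; it only covers an fd an app has already handed over via binder.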


@ -13,13 +13,13 @@ is_flag_enabled(RELEASE_AVF_ENABLE_NETWORK, `
# Let the vmnic domain use Binder. # Let the vmnic domain use Binder.
binder_use(vmnic) binder_use(vmnic)
# Allow for creating TAP network interfaces. # Allow for creating and deleting TAP network interfaces.
allow vmnic self:global_capability_class_set net_admin; allow vmnic self:global_capability_class_set net_admin;
allow vmnic self:tun_socket create_socket_perms_no_ioctl; allow vmnic self:tun_socket create_socket_perms_no_ioctl;
allow vmnic tun_device:chr_file rw_file_perms; allow vmnic tun_device:chr_file rw_file_perms;
allowxperm vmnic tun_device:chr_file ioctl { TUNSETIFF TUNSETPERSIST }; allowxperm vmnic tun_device:chr_file ioctl { TUNGETIFF TUNSETIFF TUNSETPERSIST };
allow vmnic self:udp_socket create_socket_perms; allow vmnic self:udp_socket create_socket_perms;
allowxperm vmnic self:udp_socket ioctl { SIOCGIFFLAGS SIOCSIFFLAGS }; allowxperm vmnic self:udp_socket ioctl SIOCSIFFLAGS;
# Only virtualizationservice can communicate to vmnic # Only virtualizationservice can communicate to vmnic
neverallow { domain -virtualizationservice -servicemanager } vmnic:binder call; neverallow { domain -virtualizationservice -servicemanager } vmnic:binder call;
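Review bot: The udp_socket ioctl line drops SIOCGIFFLAGS while keeping SIOCSIFFLAGS, so vmnic can no longer read an interface's flags before writing them; the usual get-modify-set sequence for bringing a TAP up or down would now be denied on the get, and a bare SIOCSIFFLAGS overwrites every flag on the interface. If the vmnic implementation now sets flags from a known constant that is fine, but it is worth confirming against the code, otherwise `allowxperm vmnic self:udp_socket ioctl { SIOCGIFFLAGS SIOCSIFFLAGS };` should stay. The TUNGETIFF addition deserves a why-comment since its use is not obvious, something like `# TUNGETIFF: presumably to verify the attached interface before clearing TUNSETPERSIST on delete (confirm against vmnic)`. The enclosing is_flag_enabled(RELEASE_AVF_ENABLE_NETWORK, ...) block opens before this hunk and its closing is not visible here.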