Initial selinux policy support for memfd am: 9f5d0d90a3
am: 5314cb2a93
am: beb8e5d159
Change-Id: Ia03563336f924ea99af2763b2edc71c2be52b6d3
commit
c4bc7d04db
12 changed files with 34 additions and 23 deletions
|
@ -1,15 +1,3 @@
|
|||
# TODO: deal with tmpfs_domain pub/priv split properly
|
||||
# Read system properties managed by zygote.
|
||||
allow appdomain zygote_tmpfs:file read;
|
||||
|
||||
# Read from (but not create) system_server buffers transferred through
|
||||
# ashmem, e.g. battery stats.
|
||||
allow appdomain system_server_tmpfs:file read;
|
||||
|
||||
# Get info from priv_app through ashmem, such as contact
|
||||
# info etc.
|
||||
allow appdomain priv_app_tmpfs:file read;
|
||||
|
||||
# Allow apps to read the Test Harness Mode property. This property is used in
|
||||
# the implementation of ActivityManager.isDeviceInTestHarnessMode()
|
||||
get_prop(appdomain, test_harness_prop)
|
||||
|
|
|
@ -7,8 +7,6 @@
|
|||
( new_objects
|
||||
activity_task_service
|
||||
adb_service
|
||||
app_binding_service
|
||||
app_prediction_service
|
||||
apex_data_file
|
||||
apex_mnt_dir
|
||||
apex_key_file
|
||||
|
@ -17,6 +15,9 @@
|
|||
apexd_exec
|
||||
apexd_prop
|
||||
apexd_tmpfs
|
||||
appdomain_tmpfs
|
||||
app_binding_service
|
||||
app_prediction_service
|
||||
app_zygote
|
||||
app_zygote_tmpfs
|
||||
biometric_service
|
||||
|
@ -48,6 +49,7 @@
|
|||
external_vibrator_service
|
||||
hal_atrace_hwservice
|
||||
hal_face_hwservice
|
||||
hal_graphics_composer_server_tmpfs
|
||||
hal_health_storage_hwservice
|
||||
hal_input_classifier_hwservice
|
||||
hal_power_stats_hwservice
|
||||
|
|
|
@ -2,3 +2,6 @@ typeattribute mediaextractor coredomain;
|
|||
|
||||
init_daemon_domain(mediaextractor)
|
||||
tmpfs_domain(mediaextractor)
|
||||
allow mediaextractor appdomain_tmpfs:file { getattr map read write };
|
||||
allow mediaextractor mediaserver_tmpfs:file { getattr map read write };
|
||||
allow mediaextractor system_server_tmpfs:file { getattr map read write };
|
||||
|
|
|
@ -57,14 +57,14 @@ mlsconstrain dir_file_class_set { create relabelfrom relabelto }
|
|||
mlsconstrain dir { open search setattr rename add_name remove_name reparent rmdir }
|
||||
( (t2 != app_data_file and t2 != privapp_data_file ) or l1 dom l2 or t1 == mlstrustedsubject);
|
||||
mlsconstrain { file sock_file } { open setattr unlink link rename }
|
||||
( (t2 != app_data_file and t2 != privapp_data_file and t2 != priv_app_tmpfs) or l1 dom l2 or t1 == mlstrustedsubject);
|
||||
( (t2 != app_data_file and t2 != privapp_data_file and t2 != appdomain_tmpfs) or l1 dom l2 or t1 == mlstrustedsubject);
|
||||
# For symlinks in app_data_file, require equivalence in order to manipulate or follow (read).
|
||||
mlsconstrain { lnk_file } { open setattr unlink link rename read }
|
||||
( (t2 != app_data_file) or l1 eq l2 or t1 == mlstrustedsubject);
|
||||
# For priv_app_data_file, continue to use dominance for symlinks because dynamite relies on this.
|
||||
# TODO: Migrate to equivalence when it's no longer needed.
|
||||
mlsconstrain { lnk_file } { open setattr unlink link rename read }
|
||||
( (t2 != privapp_data_file and t2 != priv_app_tmpfs) or l1 dom l2 or t1 == mlstrustedsubject);
|
||||
( (t2 != privapp_data_file and t2 != appdomain_tmpfs) or l1 dom l2 or t1 == mlstrustedsubject);
|
||||
|
||||
#
|
||||
# Constraints for file types other than app data files.
|
||||
|
@ -76,7 +76,7 @@ mlsconstrain dir { read getattr search }
|
|||
(t2 == app_data_file or t2 == privapp_data_file or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
|
||||
|
||||
mlsconstrain { file lnk_file sock_file chr_file blk_file } { read getattr execute }
|
||||
(t2 == app_data_file or t2 == privapp_data_file or t2 == priv_app_tmpfs or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
|
||||
(t2 == app_data_file or t2 == privapp_data_file or t2 == appdomain_tmpfs or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
|
||||
|
||||
# Write operations: Subject must be equivalent to the object unless the
|
||||
# subject or the object is trusted.
|
||||
|
@ -84,7 +84,7 @@ mlsconstrain dir { write setattr rename add_name remove_name reparent rmdir }
|
|||
(t2 == app_data_file or t2 == privapp_data_file or l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
|
||||
|
||||
mlsconstrain { file lnk_file sock_file chr_file blk_file } { write setattr append unlink link rename }
|
||||
(t2 == app_data_file or t2 == privapp_data_file or t2 == priv_app_tmpfs or l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
|
||||
(t2 == app_data_file or t2 == privapp_data_file or t2 == appdomain_tmpfs or l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
|
||||
|
||||
# Special case for FIFOs.
|
||||
# These can be unnamed pipes, in which case they will be labeled with the
|
||||
|
|
|
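Review bot: The comment `# For priv_app_data_file, continue to use dominance for symlinks because dynamite relies on this.` now sits above a constraint whose type list was changed from priv_app_tmpfs to appdomain_tmpfs, so it no longer names everything the rule covers; suggest `# For privapp_data_file and appdomain_tmpfs, continue to use dominance for symlinks because dynamite relies on this.` The same substitution in the file/sock_file constraint and in the two read/write constraints widens those rules from priv_app's tmpfs to the tmpfs of every app, which is presumably intended now that all apps share one type. It is worth stating in the file comment that, for appdomain_tmpfs, MLS dominance gates only open/setattr/unlink/link/rename, while read, write and getattr on a passed fd are exempted by the `t2 == appdomain_tmpfs` clauses.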
@ -4,6 +4,7 @@ typeattribute surfaceflinger coredomain;
|
|||
|
||||
type surfaceflinger_exec, system_file_type, exec_type, file_type;
|
||||
init_daemon_domain(surfaceflinger)
|
||||
tmpfs_domain(surfaceflinger)
|
||||
|
||||
typeattribute surfaceflinger mlstrustedsubject;
|
||||
typeattribute surfaceflinger display_service_server;
|
||||
|
@ -13,6 +14,7 @@ read_runtime_log_tags(surfaceflinger)
|
|||
# Perform HwBinder IPC.
|
||||
hal_client_domain(surfaceflinger, hal_graphics_allocator)
|
||||
hal_client_domain(surfaceflinger, hal_graphics_composer)
|
||||
typeattribute surfaceflinger_tmpfs hal_graphics_composer_client_tmpfs;
|
||||
hal_client_domain(surfaceflinger, hal_omx)
|
||||
hal_client_domain(surfaceflinger, hal_configstore)
|
||||
hal_client_domain(surfaceflinger, hal_power)
|
||||
|
|
|
@ -13,6 +13,7 @@ tmpfs_domain(system_server)
|
|||
type_transition system_server system_data_file:sock_file system_ndebug_socket "ndebugsocket";
|
||||
|
||||
allow system_server zygote_tmpfs:file read;
|
||||
allow system_server appdomain_tmpfs:file { getattr map read write };
|
||||
|
||||
# For art.
|
||||
allow system_server dalvikcache_data_file:dir r_dir_perms;
|
||||
|
|
|
@ -6,6 +6,7 @@
|
|||
### extend from this policy. Only policies which should apply to ALL
|
||||
### zygote spawned apps should be added here.
|
||||
###
|
||||
type appdomain_tmpfs, file_type;
|
||||
|
||||
# WebView and other application-specific JIT compilers
|
||||
allow appdomain self:process execmem;
|
||||
|
@ -351,6 +352,12 @@ with_asan(`allow appdomain asanwrapper_exec:file rx_file_perms;')
|
|||
# Read access to FDs from the DropboxManagerService.
|
||||
allow appdomain dropbox_data_file:file { getattr read };
|
||||
|
||||
# Read tmpfs types from these processes.
|
||||
allow appdomain audioserver_tmpfs:file { getattr map read write };
|
||||
allow appdomain system_server_tmpfs:file { getattr map read write };
|
||||
allow appdomain zygote_tmpfs:file { map read };
|
||||
|
||||
|
||||
###
|
||||
### Neverallow rules
|
||||
###
|
||||
|
|
|
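Review bot: The new comment `# Read tmpfs types from these processes.` does not match the rules under it, which grant `write` and `map` on audioserver_tmpfs and system_server_tmpfs; suggest `# Read, write and map tmpfs/memfd buffers received from these processes.` The system_server_tmpfs rule replaces the read-only `allow appdomain system_server_tmpfs:file read;` removed in the first file of this commit, so a buffer system_server hands to an app as read-only (the removed comment mentions battery stats) is no longer read-only at the SELinux layer, and the hand-out side must rely on the fd's open mode or memfd seals. A short comment recording that assumption next to the rule would help the next reader.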
@ -1,6 +1,12 @@
|
|||
type hal_graphics_composer_server_tmpfs, file_type;
|
||||
attribute hal_graphics_composer_client_tmpfs;
|
||||
expandattribute hal_graphics_composer_client_tmpfs true;
|
||||
|
||||
# HwBinder IPC from client to server, and callbacks
|
||||
binder_call(hal_graphics_composer_client, hal_graphics_composer_server)
|
||||
binder_call(hal_graphics_composer_server, hal_graphics_composer_client)
|
||||
allow hal_graphics_composer_client hal_graphics_composer_server_tmpfs:file { getattr map read write };
|
||||
allow hal_graphics_composer_server hal_graphics_composer_client_tmpfs:file { getattr map read write };
|
||||
|
||||
hal_attribute_hwservice(hal_graphics_composer, hal_graphics_composer_hwservice)
|
||||
|
||||
|
|
|
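Review bot: The new `attribute hal_graphics_composer_client_tmpfs;`, the `expandattribute` line and the two tmpfs allow rules carry no comment saying what these tmpfs types are for or why access is needed in both directions; suggest `# tmpfs/memfd buffers exchanged over HwBinder; clients and the server each read and write the other's buffers.` above the allow rules. The client rule names the concrete hal_graphics_composer_server_tmpfs type while the server rule uses the attribute, which is consistent if there is a single server type, but a one-line note on why the attribute is expanded would make the asymmetry clear.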
@ -1,2 +1,3 @@
|
|||
# surfaceflinger - display compositor service
|
||||
type surfaceflinger, domain;
|
||||
type surfaceflinger_tmpfs, file_type;
|
||||
|
|
|
@ -3,4 +3,4 @@
|
|||
# Most of the framework services run in this process.
|
||||
#
|
||||
type system_server, domain;
|
||||
type system_server_tmpfs, file_type;
|
||||
type system_server_tmpfs, file_type, mlstrustedobject;
|
||||
|
|
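Review bot: Adding mlstrustedobject to system_server_tmpfs removes the MLS level check for every domain touching these files, and the change carries no comment explaining why; suggest `# mlstrustedobject: system_server shares tmpfs/memfd buffers with apps running at every MLS level.` above the type line. Together with the appdomain rule in this commit granting `{ getattr map read write }` on system_server_tmpfs, any app holding such an fd may write to it regardless of category, so the exemption should be documented as deliberate rather than left implicit.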
|
@ -168,10 +168,9 @@ domain_auto_trans(init, $1_exec, $1)
|
|||
# Allow a base set of permissions required for all apps.
|
||||
define(`app_domain', `
|
||||
typeattribute $1 appdomain;
|
||||
# Label ashmem objects with our own unique type.
|
||||
tmpfs_domain($1)
|
||||
# Map with PROT_EXEC.
|
||||
allow $1 $1_tmpfs:file execute;
|
||||
# Label tmpfs objects for all apps.
|
||||
type_transition $1 tmpfs:file appdomain_tmpfs;
|
||||
allow $1 appdomain_tmpfs:file { execute getattr map read write };
|
||||
neverallow { $1 -runas_app -shell } { domain -$1 }:file no_rw_file_perms;
|
||||
neverallow { appdomain -runas_app -shell -$1 } $1:file no_rw_file_perms;
|
||||
# The Android security model guarantees the confidentiality and integrity
|
||||
|
|
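Review bot: Replacing the per-app `$1_tmpfs` type with the shared appdomain_tmpfs means an app that receives another app's memfd fd now holds `{ execute getattr map read write }` on it, where the old per-domain type denied that by label; separation between apps' buffers now rests on fd passing and on the MLS constraints, which for this type gate only open/setattr/unlink/link/rename. The `execute` permission is granted uniformly to every app_domain caller, including any that did not previously need PROT_EXEC mappings (cannot tell from this hunk which callers rely on it). Suggest replacing `# Label tmpfs objects for all apps.` with `# All apps share one tmpfs type; isolation of memfd buffers between apps relies on fd passing and MLS categories, not on type.` The app_domain definition continues past the end of the hunk.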
2
vendor/hal_graphics_composer_default.te
|
@ -3,6 +3,8 @@ hal_server_domain(hal_graphics_composer_default, hal_graphics_composer)
|
|||
|
||||
type hal_graphics_composer_default_exec, exec_type, vendor_file_type, file_type;
|
||||
init_daemon_domain(hal_graphics_composer_default)
|
||||
type_transition hal_graphics_composer_default tmpfs:file hal_graphics_composer_server_tmpfs;
|
||||
allow hal_graphics_composer_default hal_graphics_composer_server_tmpfs:file { getattr map read write };
|
||||
|
||||
# b/68864350
|
||||
dontaudit hal_graphics_composer_default unlabeled:dir search;
|
||||
|
|
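Review bot: The added `type_transition` to hal_graphics_composer_server_tmpfs and the matching allow rule have no comment; suggest `# Label memfd/tmpfs buffers created by the composer with the server tmpfs type so composer clients can share them.` above the type_transition. If this domain also receives a tmpfs_domain() transition from a macro not visible here, two type_transition rules for the same source and tmpfs:file would conflict; worth confirming before merge.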