Merge "sepolicy: allow system server for BINDER_GET_FROZEN_INFO" am: 7be9e9e372
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1426049 Change-Id: I95d9f703df8b5f76b0b64fb0407f8833d9d3c0d2
commit
c6f93be51b
2 changed files with 6 additions and 3 deletions
|
@ -1012,8 +1012,8 @@ get_prop(system_server, system_lmk_prop)
|
|||
|
||||
get_prop(system_server, wifi_config_prop)
|
||||
|
||||
# Only system server can access BINDER_FREEZE
|
||||
allowxperm system_server binder_device:chr_file ioctl { BINDER_FREEZE };
|
||||
# Only system server can access BINDER_FREEZE and BINDER_GET_FROZEN_INFO
|
||||
allowxperm system_server binder_device:chr_file ioctl { BINDER_FREEZE BINDER_GET_FROZEN_INFO };
|
||||
|
||||
###
|
||||
### Neverallow rules
|
||||
|
@ -1236,4 +1236,6 @@ neverallow {
|
|||
|
||||
# BINDER_FREEZE is used to block ipc transactions to frozen processes, so it
|
||||
# can be accessed by system_server only (b/143717177)
|
||||
neverallowxperm { domain -system_server } binder_device:chr_file ioctl { BINDER_FREEZE };
|
||||
# BINDER_GET_FROZEN_INFO is used by system_server to determine the state of a frozen binder
|
||||
# interface
|
||||
neverallowxperm { domain -system_server } binder_device:chr_file ioctl { BINDER_FREEZE BINDER_GET_FROZEN_INFO };
|
||||
|
|
|
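Review bot: The comment added above the widened `neverallowxperm` in the second hunk says what BINDER_GET_FROZEN_INFO is used for but not why every other domain is denied it, whereas the BINDER_FREEZE comment just before it gives both the reason and a bug reference. I would state the restriction in the same form, for example `# BINDER_GET_FROZEN_INFO exposes the frozen state of a binder interface, so it` / `# can be accessed by system_server only`, and add the tracking bug if there is one. In the first hunk the comment "Only system server can access ..." sits on the `allowxperm` rule, which only grants the two commands; the exclusivity is enforced by the `neverallowxperm` further down, so a short pointer to that rule would keep the two in step when the list is next extended.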
@ -133,6 +133,7 @@ define(`BC_REPLY', `0x40406301')
|
|||
define(`BC_REQUEST_DEATH_NOTIFICATION', `0x400c630e')
|
||||
define(`BC_TRANSACTION', `0x40406300')
|
||||
define(`BINDER_FREEZE', `0x400c620e')
|
||||
define(`BINDER_GET_FROZEN_INFO', `0xc00c620f')
|
||||
define(`BINDER_GET_NODE_DEBUG_INFO', `0xc018620b')
|
||||
define(`BINDER_GET_NODE_INFO_FOR_REF', `0xc018620c')
|
||||
define(`BINDER_SET_CONTEXT_MGR', `0x40046207')
|
||||
|
|