file_context: explicitly label all file context files
file_context files need to be explicitly labeled as they are now split across system and vendor and won't have the generic world readable 'system_file' label. Bug: 36002414 Test: no new 'file_context' denials at boot complete on sailfish Test: successfully booted into recovery without denials and sideloaded OTA update. Test: ./cts-tradefed run singleCommand cts --skip-device-info \ --skip-preconditions --skip-connectivity-check --abi \ arm64-v8a --module CtsSecurityHostTestCases -t \ android.security.cts.SELinuxHostTest#testAospFileContexts Change-Id: I603157e9fa7d1de3679d41e343de397631666273 Signed-off-by: Sandeep Patil <sspatil@google.com>
parent
939d16b59f
commit
c9cf7361c1
10 changed files with 27 additions and 3 deletions
|
@ -101,6 +101,7 @@ allow adbd selinuxfs:dir r_dir_perms;
|
|||
allow adbd selinuxfs:file r_file_perms;
|
||||
allow adbd kernel:security read_policy;
|
||||
allow adbd service_contexts_file:file r_file_perms;
|
||||
allow adbd file_contexts_file:file r_file_perms;
|
||||
|
||||
allow adbd surfaceflinger_service:service_manager find;
|
||||
allow adbd bootchart_data_file:dir search;
|
||||
|
|
|
@ -38,9 +38,9 @@
|
|||
/sdcard u:object_r:rootfs:s0
|
||||
|
||||
# SELinux policy files
|
||||
/file_contexts\.bin u:object_r:rootfs:s0
|
||||
/nonplat_file_contexts u:object_r:rootfs:s0
|
||||
/plat_file_contexts u:object_r:rootfs:s0
|
||||
/file_contexts\.bin u:object_r:file_contexts_file:s0
|
||||
/nonplat_file_contexts u:object_r:file_contexts_file:s0
|
||||
/plat_file_contexts u:object_r:file_contexts_file:s0
|
||||
/mapping_sepolicy\.cil u:object_r:rootfs:s0
|
||||
/nonplat_sepolicy\.cil u:object_r:rootfs:s0
|
||||
/plat_sepolicy\.cil u:object_r:rootfs:s0
|
||||
|
@ -251,6 +251,7 @@
|
|||
/system/bin/hw/android\.hidl\.allocator@1\.0-service u:object_r:hal_allocator_default_exec:s0
|
||||
/system/etc/selinux/plat_property_contexts u:object_r:property_contexts_file:s0
|
||||
/system/etc/selinux/plat_service_contexts u:object_r:service_contexts_file:s0
|
||||
/system/etc/selinux/plat_file_contexts u:object_r:file_contexts_file:s0
|
||||
|
||||
#############################
|
||||
# Vendor files
|
||||
|
@ -258,6 +259,7 @@
|
|||
/vendor(/.*)? u:object_r:system_file:s0
|
||||
/vendor/etc/selinux/nonplat_property_contexts u:object_r:property_contexts_file:s0
|
||||
/vendor/etc/selinux/nonplat_service_contexts u:object_r:service_contexts_file:s0
|
||||
/vendor/etc/selinux/nonplat_file_contexts u:object_r:file_contexts_file:s0
|
||||
|
||||
#############################
|
||||
# OEM and ODM files
|
||||
|
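Review bot: In the first hunk the three `*_sepolicy\.cil` entries directly below the relabeled lines stay on `rootfs`, so the "SELinux policy files" group now carries two different labels for files with the same role. If the CIL files are split across system and vendor in the same way as the contexts files (not visible in these hunks), copies under `/vendor` would fall through to `/vendor(/.*)?` and get the generic `system_file` label. Consider giving them a dedicated type in a follow-up, or adding a one-line comment saying that leaving them on `rootfs` is deliberate.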
|
|
@ -230,6 +230,8 @@ allow system_server mediaserver:udp_socket rw_socket_perms;
|
|||
allow system_server mediadrmserver:tcp_socket rw_socket_perms;
|
||||
allow system_server mediadrmserver:udp_socket rw_socket_perms;
|
||||
|
||||
# Get file context
|
||||
allow system_server file_contexts_file:file r_file_perms;
|
||||
# Check SELinux permissions.
|
||||
selinux_check_access(system_server)
|
||||
|
||||
|
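Review bot: The comment `# Get file context` does not say what system_server does with the file, and the same bare comment is repeated for init and installd, with `# Get file contexts` for recovery and `#Get file contexts` (no space after `#`) for vold. The kernel and ueventd rules in this commit do name the reason (`during first stage`, `for new device nodes`), and the other five should follow that pattern so a later policy audit can tell whether each grant is still needed. If the consumer is label lookup for restorecon, something like `# Read file_contexts to look up labels for restorecon.` would do; the actual caller cannot be confirmed from these hunks.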
|
|
@ -256,6 +256,9 @@ type sap_uim_socket, file_type;
|
|||
# UART (for GPS) control proc file
|
||||
type gps_control, file_type;
|
||||
|
||||
# file_contexts files
|
||||
type file_contexts_file, file_type;
|
||||
|
||||
# property_contexts file
|
||||
type property_contexts_file, file_type;
|
||||
|
||||
|
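Review bot: The new `file_contexts_file` type is declared with only `file_type`, and nothing visible in this commit asserts that these files stay read-only. Every rule added for the type is `r_file_perms`, so the intent is clearly read-only, but once the files leave `rootfs` and `system_file` they are no longer covered by restrictions written against those types. Consider pinning the intent next to the declaration with `neverallow * file_contexts_file:file no_w_file_perms;`, adding an exception only for a domain that legitimately installs these files. The rest of the file is outside the hunk, so an existing attribute-level rule may already cover this.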
|
|
@ -299,6 +299,9 @@ r_dir_file(init, domain)
|
|||
# setsockcreate is for labeling local/unix domain sockets.
|
||||
allow init self:process { setexec setfscreate setsockcreate };
|
||||
|
||||
# Get file context
|
||||
allow init file_contexts_file:file r_file_perms;
|
||||
|
||||
# Perform SELinux access checks on setting properties.
|
||||
selinux_check_access(init)
|
||||
|
||||
|
|
|
@ -27,6 +27,8 @@ selinux_check_context(installd)
|
|||
r_dir_file(installd, rootfs)
|
||||
# Scan through APKs in /system/app and /system/priv-app
|
||||
r_dir_file(installd, system_file)
|
||||
# Get file context
|
||||
allow installd file_contexts_file:file r_file_perms;
|
||||
|
||||
# Search /data/app-asec and stat files in it.
|
||||
allow installd asec_image_file:dir search;
|
||||
|
|
|
@ -11,6 +11,9 @@ r_dir_file(kernel, proc)
|
|||
allow kernel selinuxfs:dir r_dir_perms;
|
||||
allow kernel selinuxfs:file r_file_perms;
|
||||
|
||||
# Get file contexts during first stage
|
||||
allow kernel file_contexts_file:file r_file_perms;
|
||||
|
||||
# Allow init relabel itself.
|
||||
allow kernel rootfs:file relabelfrom;
|
||||
allow kernel init_exec:file relabelto;
|
||||
|
|
|
@ -37,6 +37,8 @@ recovery_only(`
|
|||
# currently loaded policy. Allow it.
|
||||
allow recovery unlabeled:{ file lnk_file } { create_file_perms relabelfrom relabelto };
|
||||
allow recovery unlabeled:dir { create_dir_perms relabelfrom relabelto };
|
||||
# Get file contexts
|
||||
allow recovery file_contexts_file:file r_file_perms;
|
||||
|
||||
# 0eb17d944704b3eb140bb9dded299d3be3aed77e in build/ added SELinux
|
||||
# support to OTAs. However, that code has a bug. When an update occurs,
|
||||
|
|
|
@ -29,6 +29,9 @@ allow ueventd efs_file:file r_file_perms;
|
|||
# Get SELinux enforcing status.
|
||||
r_dir_file(ueventd, selinuxfs)
|
||||
|
||||
# Get file contexts for new device nodes
|
||||
allow ueventd file_contexts_file:file r_file_perms;
|
||||
|
||||
# Use setfscreatecon() to label /dev directories and files.
|
||||
allow ueventd self:process setfscreate;
|
||||
|
||||
|
|
|
@ -19,6 +19,9 @@ allow vold sysfs_zram_uevent:file w_file_perms;
|
|||
r_dir_file(vold, rootfs)
|
||||
allow vold proc_meminfo:file r_file_perms;
|
||||
|
||||
#Get file contexts
|
||||
allow vold file_contexts_file:file r_file_perms;
|
||||
|
||||
# Allow us to jump into execution domains of above tools
|
||||
allow vold self:process setexec;
|
||||
|
||||
|
|