Merge changes from topic "revert-1668411-MWQWEZISXF" am: 7362f58895 am: b4fe53980f
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1685768 Change-Id: Id0ab0a649a6441df87156d16816522c7a5cd7a64
This commit is contained in:
Hridya Valsaraju
Automerger Merge Worker
commit
cb7c75c028
21 changed files with 29 additions and 143 deletions
15
Android.mk
15
Android.mk
|
|
@ -301,11 +301,6 @@ ifeq ($(BUILD_BROKEN_ENFORCE_SYSPROP_OWNER),true)
|
|||
enforce_sysprop_owner := false
|
||||
endif
|
||||
|
||||
enforce_debugfs_restriction := false
|
||||
ifeq ($(PRODUCT_SET_DEBUGFS_RESTRICTIONS),true)
|
||||
enforce_debugfs_restriction := true
|
||||
endif
|
||||
|
||||
ifeq ($(PRODUCT_SHIPPING_API_LEVEL),)
|
||||
#$(warning no product shipping level defined)
|
||||
else ifneq ($(call math_lt,30,$(PRODUCT_SHIPPING_API_LEVEL)),)
|
||||
|
|
@ -626,7 +621,6 @@ $(sepolicy_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
|
|||
$(sepolicy_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
|
||||
$(sepolicy_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
|
||||
$(sepolicy_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
|
||||
$(sepolicy_policy.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
|
||||
$(sepolicy_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
|
||||
$(sepolicy_policy.conf): $(policy_files) $(M4)
|
||||
$(transform-policy-to-conf)
|
||||
|
|
@ -644,7 +638,6 @@ $(sepolicy_policy_2.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
|
|||
$(sepolicy_policy_2.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
|
||||
$(sepolicy_policy_2.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
|
||||
$(sepolicy_policy_2.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
|
||||
$(sepolicy_policy_2.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
|
||||
$(sepolicy_policy_2.conf): PRIVATE_POLICY_FILES := $(policy_files)
|
||||
$(sepolicy_policy_2.conf): $(policy_files) $(M4)
|
||||
$(transform-policy-to-conf)
|
||||
|
|
@ -703,7 +696,6 @@ $(sepolicy_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
|
|||
$(sepolicy_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
|
||||
$(sepolicy_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
|
||||
$(sepolicy_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
|
||||
$(sepolicy_policy.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
|
||||
$(sepolicy_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
|
||||
$(sepolicy_policy.conf): $(policy_files) $(M4)
|
||||
$(transform-policy-to-conf)
|
||||
|
|
@ -721,7 +713,6 @@ $(sepolicy_policy_2.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
|
|||
$(sepolicy_policy_2.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
|
||||
$(sepolicy_policy_2.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
|
||||
$(sepolicy_policy_2.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
|
||||
$(sepolicy_policy_2.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
|
||||
$(sepolicy_policy_2.conf): PRIVATE_POLICY_FILES := $(policy_files)
|
||||
$(sepolicy_policy_2.conf): $(policy_files) $(M4)
|
||||
$(transform-policy-to-conf)
|
||||
|
|
@ -893,7 +884,6 @@ $(vendor_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
|
|||
$(vendor_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
|
||||
$(vendor_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
|
||||
$(vendor_policy.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner)
|
||||
$(vendor_policy.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
|
||||
$(vendor_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
|
||||
$(vendor_policy.conf): $(policy_files) $(M4)
|
||||
$(transform-policy-to-conf)
|
||||
|
|
@ -957,7 +947,6 @@ $(odm_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
|
|||
$(odm_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
|
||||
$(odm_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
|
||||
$(odm_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
|
||||
$(odm_policy.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
|
||||
$(odm_policy.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner)
|
||||
$(odm_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
|
||||
$(odm_policy.conf): $(policy_files) $(M4)
|
||||
|
|
@ -1224,7 +1213,6 @@ $(sepolicy.recovery.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
|
|||
$(sepolicy.recovery.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
|
||||
$(sepolicy.recovery.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
|
||||
$(sepolicy.recovery.conf): PRIVATE_TGT_RECOVERY := -D target_recovery=true
|
||||
$(sepolicy.recovery.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
|
||||
$(sepolicy.recovery.conf): PRIVATE_POLICY_FILES := $(policy_files)
|
||||
$(sepolicy.recovery.conf): $(policy_files) $(M4)
|
||||
$(transform-policy-to-conf)
|
||||
|
|
@ -1462,7 +1450,6 @@ $(base_plat_policy.conf): PRIVATE_SEPOLICY_SPLIT := true
|
|||
$(base_plat_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
|
||||
$(base_plat_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
|
||||
$(base_plat_policy.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner)
|
||||
$(base_plat_policy.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
|
||||
$(base_plat_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
|
||||
$(base_plat_policy.conf): $(policy_files) $(M4)
|
||||
$(transform-policy-to-conf)
|
||||
|
|
@ -1495,7 +1482,6 @@ $(base_plat_pub_policy.conf): PRIVATE_SEPOLICY_SPLIT := true
|
|||
$(base_plat_pub_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
|
||||
$(base_plat_pub_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
|
||||
$(base_plat_pub_policy.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner)
|
||||
$(base_plat_pub_policy.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
|
||||
$(base_plat_pub_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
|
||||
$(base_plat_pub_policy.conf): $(policy_files) $(M4)
|
||||
$(transform-policy-to-conf)
|
||||
|
|
@ -1614,7 +1600,6 @@ built_vendor_svc :=
|
|||
built_plat_sepolicy :=
|
||||
treble_sysprop_neverallow :=
|
||||
enforce_sysprop_owner :=
|
||||
enforce_debugfs_restriction :=
|
||||
mapping_policy :=
|
||||
my_target_arch :=
|
||||
pub_policy.cil :=
|
||||
|
|
|
|||
|
|
@ -135,13 +135,6 @@ func (c *policyConf) enforceSyspropOwner(ctx android.ModuleContext) string {
|
|||
return strconv.FormatBool(!ctx.DeviceConfig().BuildBrokenEnforceSyspropOwner())
|
||||
}
|
||||
|
||||
func (c *policyConf) enforceDebugfsRestrictions(ctx android.ModuleContext) string {
|
||||
if c.cts() {
|
||||
return "cts"
|
||||
}
|
||||
return strconv.FormatBool(ctx.DeviceConfig().BuildDebugfsRestrictionsEnabled())
|
||||
}
|
||||
|
||||
func (c *policyConf) transformPolicyToConf(ctx android.ModuleContext) android.OutputPath {
|
||||
conf := android.PathForModuleOut(ctx, "conf").OutputPath
|
||||
rule := android.NewRuleBuilder(pctx, ctx)
|
||||
|
|
@ -161,7 +154,6 @@ func (c *policyConf) transformPolicyToConf(ctx android.ModuleContext) android.Ou
|
|||
FlagWithArg("-D target_enforce_sysprop_owner=", c.enforceSyspropOwner(ctx)).
|
||||
FlagWithArg("-D target_exclude_build_test=", strconv.FormatBool(proptools.Bool(c.properties.Exclude_build_test))).
|
||||
FlagWithArg("-D target_requires_insecure_execmem_for_swiftshader=", strconv.FormatBool(ctx.DeviceConfig().RequiresInsecureExecmemForSwiftshader())).
|
||||
FlagWithArg("-D target_enforce_debugfs_restriction=", c.enforceDebugfsRestrictions(ctx)).
|
||||
Flag("-s").
|
||||
Inputs(android.PathsForModuleSrc(ctx, c.properties.Srcs)).
|
||||
Text("> ").Output(conf)
|
||||
|
|
|
|||
|
|
@ -15,7 +15,6 @@ $(hide) $(M4) --fatal-warnings $(PRIVATE_ADDITIONAL_M4DEFS) \
|
|||
-D target_enforce_sysprop_owner=$(PRIVATE_ENFORCE_SYSPROP_OWNER) \
|
||||
-D target_exclude_build_test=$(PRIVATE_EXCLUDE_BUILD_TEST) \
|
||||
-D target_requires_insecure_execmem_for_swiftshader=$(PRODUCT_REQUIRES_INSECURE_EXECMEM_FOR_SWIFTSHADER) \
|
||||
-D target_enforce_debugfs_restriction=$(PRIVATE_ENFORCE_DEBUGFS_RESTRICTION) \
|
||||
$(PRIVATE_TGT_RECOVERY) \
|
||||
-s $(PRIVATE_POLICY_FILES) > $@
|
||||
endef
|
||||
|
|
|
|||
|
|
@ -61,7 +61,6 @@ $(1): PRIVATE_SEPOLICY_SPLIT := $$(PRODUCT_SEPOLICY_SPLIT)
|
|||
$(1): PRIVATE_COMPATIBLE_PROPERTY := $$(PRODUCT_COMPATIBLE_PROPERTY)
|
||||
$(1): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $$(treble_sysprop_neverallow)
|
||||
$(1): PRIVATE_ENFORCE_SYSPROP_OWNER := $$(enforce_sysprop_owner)
|
||||
$(1): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $$(enforce_debugfs_restriction)
|
||||
$(1): PRIVATE_POLICY_FILES := $$(policy_files)
|
||||
$(1): $$(policy_files) $$(M4)
|
||||
$$(transform-policy-to-conf)
|
||||
|
|
|
|||
|
|
@ -135,7 +135,6 @@
|
|||
vcn_management_service
|
||||
vd_device
|
||||
vendor_kernel_modules
|
||||
vendor_modprobe
|
||||
vibrator_manager_service
|
||||
virtualization_service
|
||||
vpn_management_service
|
||||
|
|
|
|||
|
|
@ -153,11 +153,9 @@ full_treble_only(`
|
|||
# debugfs
|
||||
neverallow {
|
||||
coredomain
|
||||
no_debugfs_restriction(`
|
||||
-dumpstate
|
||||
-init
|
||||
-system_server
|
||||
')
|
||||
-dumpstate
|
||||
-init
|
||||
-system_server
|
||||
} debugfs:file no_rw_file_perms;
|
||||
|
||||
# tracefs
|
||||
|
|
|
|||
|
|
@ -364,15 +364,7 @@ neverallow {
|
|||
-update_engine
|
||||
-vold
|
||||
-zygote
|
||||
} { fs_type
|
||||
-sdcard_type
|
||||
}:filesystem { mount remount relabelfrom relabelto };
|
||||
|
||||
enforce_debugfs_restriction(`
|
||||
neverallow {
|
||||
domain userdebug_or_eng(`-init')
|
||||
} { debugfs_type -debugfs_tracing_debug }:filesystem { mount remount relabelfrom relabelto };
|
||||
')
|
||||
} { fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto };
|
||||
|
||||
# Limit raw I/O to these allowlisted domains. Do not apply to debug builds.
|
||||
neverallow {
|
||||
|
|
@ -518,21 +510,3 @@ neverallow {
|
|||
-traced_probes
|
||||
-traced_perf
|
||||
} proc_kallsyms:file { open read };
|
||||
|
||||
# debugfs_kcov type is not included in this neverallow statement since the KCOV
|
||||
# tool uses it for kernel fuzzing.
|
||||
# vendor_modprobe is also exempted since the kernel modules it loads may create
|
||||
# debugfs files in its context.
|
||||
enforce_debugfs_restriction(`
|
||||
neverallow {
|
||||
domain
|
||||
-vendor_modprobe
|
||||
userdebug_or_eng(`
|
||||
-init
|
||||
-hal_dumpstate
|
||||
')
|
||||
} { debugfs_type
|
||||
userdebug_or_eng(`-debugfs_kcov')
|
||||
-tracefs_type
|
||||
}:file no_rw_file_perms;
|
||||
')
|
||||
|
|
|
|||
|
|
@ -54,10 +54,7 @@ allow dumpstate {
|
|||
}:process signal;
|
||||
|
||||
# For collecting bugreports.
|
||||
no_debugfs_restriction(`
|
||||
allow dumpstate debugfs_wakeup_sources:file r_file_perms;
|
||||
')
|
||||
|
||||
allow dumpstate debugfs_wakeup_sources:file r_file_perms;
|
||||
allow dumpstate dev_type:blk_file getattr;
|
||||
allow dumpstate webview_zygote:process signal;
|
||||
allow dumpstate sysfs_dmabuf_stats:file r_file_perms;
|
||||
|
|
|
|||
|
|
@ -29,9 +29,7 @@ unix_socket_send(incidentd, statsdw, statsd)
|
|||
allow incidentd proc_pagetypeinfo:file r_file_perms;
|
||||
|
||||
# section id 2002, allow reading /d/wakeup_sources
|
||||
no_debugfs_restriction(`
|
||||
allow incidentd debugfs_wakeup_sources:file r_file_perms;
|
||||
')
|
||||
allow incidentd debugfs_wakeup_sources:file r_file_perms;
|
||||
|
||||
# section id 2003, allow executing top
|
||||
allow incidentd proc_meminfo:file { open read };
|
||||
|
|
|
|||
|
|
@ -18,12 +18,10 @@ allow storaged packages_list_file:file r_file_perms;
|
|||
allow storaged storaged_data_file:dir rw_dir_perms;
|
||||
allow storaged storaged_data_file:file create_file_perms;
|
||||
|
||||
no_debugfs_restriction(`
|
||||
userdebug_or_eng(`
|
||||
# Read access to debugfs
|
||||
allow storaged debugfs_mmc:dir search;
|
||||
allow storaged debugfs_mmc:file r_file_perms;
|
||||
')
|
||||
userdebug_or_eng(`
|
||||
# Read access to debugfs
|
||||
allow storaged debugfs_mmc:dir search;
|
||||
allow storaged debugfs_mmc:file r_file_perms;
|
||||
')
|
||||
|
||||
# Needed to provide debug dump output via dumpsys pipes.
|
||||
|
|
|
|||
|
|
@ -186,9 +186,7 @@ allow system_server stats_data_file:dir { open read remove_name search write };
|
|||
allow system_server stats_data_file:file unlink;
|
||||
|
||||
# Read /sys/kernel/debug/wakeup_sources.
|
||||
no_debugfs_restriction(`
|
||||
allow system_server debugfs_wakeup_sources:file r_file_perms;
|
||||
')
|
||||
allow system_server debugfs_wakeup_sources:file r_file_perms;
|
||||
|
||||
# Read /sys/kernel/ion/*.
|
||||
allow system_server sysfs_ion:file r_file_perms;
|
||||
|
|
|
|||
|
|
@ -62,9 +62,6 @@ attribute sysfs_type;
|
|||
# All types use for debugfs files.
|
||||
attribute debugfs_type;
|
||||
|
||||
# All types used for tracefs files.
|
||||
attribute tracefs_type;
|
||||
|
||||
# Attribute used for all sdcards
|
||||
attribute sdcard_type;
|
||||
|
||||
|
|
|
|||
|
|
@ -113,12 +113,10 @@ allow dumpstate {
|
|||
}:file r_file_perms;
|
||||
|
||||
# Other random bits of data we want to collect
|
||||
no_debugfs_restriction(`
|
||||
allow dumpstate debugfs:file r_file_perms;
|
||||
auditallow dumpstate debugfs:file r_file_perms;
|
||||
allow dumpstate debugfs:file r_file_perms;
|
||||
auditallow dumpstate debugfs:file r_file_perms;
|
||||
|
||||
allow dumpstate debugfs_mmc:file r_file_perms;
|
||||
')
|
||||
allow dumpstate debugfs_mmc:file r_file_perms;
|
||||
|
||||
# df for
|
||||
allow dumpstate {
|
||||
|
|
|
|||
|
|
@ -144,14 +144,14 @@ type exfat, sdcard_type, fs_type, mlstrustedobject;
|
|||
type debugfs, fs_type, debugfs_type;
|
||||
type debugfs_kprobes, fs_type, debugfs_type;
|
||||
type debugfs_mmc, fs_type, debugfs_type;
|
||||
type debugfs_mm_events_tracing, fs_type, debugfs_type, tracefs_type;
|
||||
type debugfs_trace_marker, fs_type, debugfs_type, mlstrustedobject, tracefs_type;
|
||||
type debugfs_tracing, fs_type, debugfs_type, mlstrustedobject, tracefs_type;
|
||||
type debugfs_tracing_debug, fs_type, debugfs_type, mlstrustedobject, tracefs_type;
|
||||
type debugfs_tracing_instances, fs_type, debugfs_type, tracefs_type;
|
||||
type debugfs_tracing_printk_formats, fs_type, debugfs_type, tracefs_type;
|
||||
type debugfs_mm_events_tracing, fs_type, debugfs_type;
|
||||
type debugfs_trace_marker, fs_type, debugfs_type, mlstrustedobject;
|
||||
type debugfs_tracing, fs_type, debugfs_type, mlstrustedobject;
|
||||
type debugfs_tracing_debug, fs_type, debugfs_type, mlstrustedobject;
|
||||
type debugfs_tracing_instances, fs_type, debugfs_type;
|
||||
type debugfs_tracing_printk_formats, fs_type, debugfs_type;
|
||||
type debugfs_wakeup_sources, fs_type, debugfs_type;
|
||||
type debugfs_wifi_tracing, fs_type, debugfs_type, tracefs_type;
|
||||
type debugfs_wifi_tracing, fs_type, debugfs_type;
|
||||
type securityfs, fs_type;
|
||||
|
||||
type pstorefs, fs_type;
|
||||
|
|
@ -562,7 +562,7 @@ type hwservice_contexts_file, system_file_type, file_type;
|
|||
type vndservice_contexts_file, file_type;
|
||||
|
||||
# /sys/kernel/tracing/instances/bootreceiver for monitoring kernel memory corruptions.
|
||||
type debugfs_bootreceiver_tracing, fs_type, debugfs_type, tracefs_type;
|
||||
type debugfs_bootreceiver_tracing, fs_type, debugfs_type;
|
||||
|
||||
# kernel modules
|
||||
type vendor_kernel_modules, vendor_file_type, file_type;
|
||||
|
|
|
|||
|
|
@ -162,19 +162,7 @@ allowxperm init dev_type:blk_file ioctl BLKROSET;
|
|||
# which should all be assigned the contextmount_type attribute.
|
||||
# This can be done in device-specific policy via type or typeattribute
|
||||
# declarations.
|
||||
allow init {
|
||||
fs_type
|
||||
enforce_debugfs_restriction(`-debugfs_type')
|
||||
}:filesystem ~relabelto;
|
||||
|
||||
# Allow init to mount/unmount debugfs in non-user builds.
|
||||
enforce_debugfs_restriction(`
|
||||
userdebug_or_eng(`allow init debugfs_type:filesystem { mount unmount };')
|
||||
')
|
||||
|
||||
# Allow init to mount tracefs in /sys/kernel/tracing
|
||||
allow init debugfs_tracing_debug:filesystem mount;
|
||||
|
||||
allow init fs_type:filesystem ~relabelto;
|
||||
allow init unlabeled:filesystem ~relabelto;
|
||||
allow init contextmount_type:filesystem relabelto;
|
||||
|
||||
|
|
@ -240,11 +228,8 @@ allow init {
|
|||
-system_file_type
|
||||
-vendor_file_type
|
||||
-vold_data_file
|
||||
enforce_debugfs_restriction(`-debugfs_type')
|
||||
}:file { create getattr open read write setattr relabelfrom unlink map };
|
||||
|
||||
allow init tracefs_type:file { create_file_perms relabelfrom };
|
||||
|
||||
allow init {
|
||||
file_type
|
||||
-app_data_file
|
||||
|
|
@ -293,8 +278,8 @@ allow init {
|
|||
-privapp_data_file
|
||||
}:dir_file_class_set relabelto;
|
||||
|
||||
allow init { sysfs no_debugfs_restriction(`debugfs') debugfs_tracing debugfs_tracing_debug }:{ dir file lnk_file } { getattr relabelfrom };
|
||||
allow init { sysfs_type no_debugfs_restriction(`debugfs_type') tracefs_type }:{ dir file lnk_file } { relabelto getattr };
|
||||
allow init { sysfs debugfs debugfs_tracing debugfs_tracing_debug }:{ dir file lnk_file } { getattr relabelfrom };
|
||||
allow init { sysfs_type debugfs_type }:{ dir file lnk_file } { relabelto getattr };
|
||||
allow init dev_type:dir create_dir_perms;
|
||||
allow init dev_type:lnk_file create;
|
||||
|
||||
|
|
@ -315,7 +300,6 @@ allow init {
|
|||
-sdcard_type
|
||||
-sysfs_type
|
||||
-rootfs
|
||||
enforce_debugfs_restriction(`-debugfs_type')
|
||||
}:file { open read setattr };
|
||||
allow init { fs_type -contextmount_type -sdcard_type -rootfs }:dir { open read setattr search };
|
||||
|
||||
|
|
|
|||
|
|
@ -32,7 +32,7 @@ recovery_only(`
|
|||
# Mount filesystems.
|
||||
allow recovery rootfs:dir mounton;
|
||||
allow recovery tmpfs:dir mounton;
|
||||
allow recovery { fs_type enforce_debugfs_restriction(`-debugfs_type') }:filesystem ~relabelto;
|
||||
allow recovery fs_type:filesystem ~relabelto;
|
||||
allow recovery unlabeled:filesystem ~relabelto;
|
||||
allow recovery contextmount_type:filesystem relabelto;
|
||||
|
||||
|
|
|
|||
|
|
@ -505,23 +505,6 @@ $1
|
|||
#
|
||||
define(`not_full_treble', ifelse(target_full_treble, `true', , $1))
|
||||
|
||||
#####################################
|
||||
# enforce_debugfs_restriction
|
||||
# SELinux rules which apply to devices that enable debugfs restrictions.
|
||||
# The keyword "cts" is used to insert markers to only CTS test the neverallows
|
||||
# added by the macro for S-launch devices and newer.
|
||||
define(`enforce_debugfs_restriction', ifelse(target_enforce_debugfs_restriction, `true', $1,
|
||||
ifelse(target_enforce_debugfs_restriction, `cts',
|
||||
# BEGIN_LAUNCHING_WITH_S_ONLY -- this marker is used by CTS -- do not modify
|
||||
$1
|
||||
# END_LAUNCHING_WITH_S_ONLY -- this marker is used by CTS -- do not modify
|
||||
, )))
|
||||
|
||||
#####################################
|
||||
# no_debugfs_restriction
|
||||
# SELinux rules which apply to devices that do not have debugfs restrictions in non-user builds.
|
||||
define(`no_debugfs_restriction', ifelse(target_enforce_debugfs_restriction, `true', , $1))
|
||||
|
||||
#####################################
|
||||
# Compatible property only
|
||||
# SELinux rules which apply only to devices with compatible property
|
||||
|
|
|
|||
|
|
@ -79,7 +79,6 @@ allow vendor_init {
|
|||
-apex_metadata_file
|
||||
-apex_info_file
|
||||
-userspace_reboot_metadata_file
|
||||
enforce_debugfs_restriction(`-debugfs_type')
|
||||
}:file { create getattr open read write setattr relabelfrom unlink map };
|
||||
|
||||
allow vendor_init {
|
||||
|
|
@ -144,11 +143,8 @@ allow vendor_init {
|
|||
-proc_uid_time_in_state
|
||||
-proc_uid_concurrent_active_time
|
||||
-proc_uid_concurrent_policy_time
|
||||
enforce_debugfs_restriction(`-debugfs_type')
|
||||
}:file { open read setattr map };
|
||||
|
||||
allow vendor_init tracefs_type:file { open read setattr map };
|
||||
|
||||
allow vendor_init {
|
||||
fs_type
|
||||
-contextmount_type
|
||||
|
|
|
|||
|
|
@ -1 +0,0 @@
|
|||
type vendor_modprobe, domain;
|
||||
|
|
@ -40,18 +40,11 @@ def TestSysfsTypeViolations(pol):
|
|||
|
||||
def TestDebugfsTypeViolations(pol):
|
||||
ret = pol.AssertGenfsFilesystemTypesHaveAttr("debugfs", "debugfs_type")
|
||||
ret += pol.AssertGenfsFilesystemTypesHaveAttr("tracefs", "debugfs_type")
|
||||
ret += pol.AssertPathTypesHaveAttr(["/sys/kernel/debug/",
|
||||
"/sys/kernel/tracing"], [], "debugfs_type")
|
||||
return ret
|
||||
|
||||
def TestTracefsTypeViolations(pol):
|
||||
ret = pol.AssertGenfsFilesystemTypesHaveAttr("tracefs", "tracefs_type")
|
||||
ret += pol.AssertPathTypesHaveAttr(["/sys/kernel/tracing"], [], "tracefs_type")
|
||||
ret += pol.AssertPathTypesDoNotHaveAttr(["/sys/kernel/debug"],
|
||||
["/sys/kernel/debug/tracing"], "tracefs_type",
|
||||
[])
|
||||
return ret
|
||||
|
||||
def TestVendorTypeViolations(pol):
|
||||
partitions = ["/vendor/", "/odm/"]
|
||||
exceptions = [
|
||||
|
|
@ -118,7 +111,6 @@ Tests = [
|
|||
"TestSysfsTypeViolations",
|
||||
"TestSystemTypeViolators",
|
||||
"TestDebugfsTypeViolations",
|
||||
"TestTracefsTypeViolations",
|
||||
"TestVendorTypeViolations",
|
||||
"TestCoreDataTypeViolations",
|
||||
"TestPropertyTypeViolations",
|
||||
|
|
@ -173,8 +165,6 @@ if __name__ == '__main__':
|
|||
results += TestSystemTypeViolations(pol)
|
||||
if options.test is None or "TestDebugfsTypeViolations" in options.test:
|
||||
results += TestDebugfsTypeViolations(pol)
|
||||
if options.test is None or "TestTracefsTypeViolations" in options.test:
|
||||
results += TestTracefsTypeViolations(pol)
|
||||
if options.test is None or "TestVendorTypeViolations" in options.test:
|
||||
results += TestVendorTypeViolations(pol)
|
||||
if options.test is None or "TestCoreDataTypeViolations" in options.test:
|
||||
|
|
|
|||
2
vendor/vendor_modprobe.te
vendored
2
vendor/vendor_modprobe.te
vendored
|
|
@ -1,3 +1,5 @@
|
|||
type vendor_modprobe, domain;
|
||||
|
||||
# For the use of /vendor/bin/modprobe from vendor init.rc fragments
|
||||
domain_trans(init, vendor_toolbox_exec, vendor_modprobe)
|
||||
|
||||
|
|
|
|||
Loading…
Reference in a new issue