Remove policy for non-existent devices am: 4f92d5bd99 am: 1d33d118a5
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2506240 Change-Id: If1742a881b7f0efcc75673ae2ea3c1e5e598180a Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
This commit is contained in:
Alan Stokes
Automerger Merge Worker
commit
cd10974d13
9 changed files with 0 additions and 88 deletions
|
|
@ -1,35 +0,0 @@
|
|||
dnsmasq netd fifo_file b/77868789
|
||||
dnsmasq netd unix_stream_socket b/77868789
|
||||
gmscore_app system_data_file dir b/146166941
|
||||
init app_data_file file b/77873135
|
||||
init cache_file blk_file b/77873135
|
||||
init logpersist file b/77873135
|
||||
init nativetest_data_file dir b/77873135
|
||||
init pstorefs dir b/77873135
|
||||
init shell_data_file dir b/77873135
|
||||
init shell_data_file file b/77873135
|
||||
init shell_data_file lnk_file b/77873135
|
||||
init shell_data_file sock_file b/77873135
|
||||
init system_data_file chr_file b/77873135
|
||||
isolated_app privapp_data_file dir b/119596573
|
||||
isolated_app app_data_file dir b/120394782
|
||||
mediaextractor app_data_file file b/77923736
|
||||
mediaextractor radio_data_file file b/77923736
|
||||
mediaprovider cache_file blk_file b/77925342
|
||||
mediaprovider mnt_media_rw_file dir b/77925342
|
||||
mediaprovider shell_data_file dir b/77925342
|
||||
mediaswcodec ashmem_device chr_file b/142679232
|
||||
netd priv_app unix_stream_socket b/77870037
|
||||
netd untrusted_app unix_stream_socket b/77870037
|
||||
netd untrusted_app_25 unix_stream_socket b/77870037
|
||||
netd untrusted_app_27 unix_stream_socket b/77870037
|
||||
netd untrusted_app_29 unix_stream_socket b/77870037
|
||||
platform_app nfc_data_file dir b/74331887
|
||||
system_server crash_dump process b/73128755
|
||||
system_server overlayfs_file file b/142390309
|
||||
system_server sdcardfs file b/77856826
|
||||
system_server zygote process b/77856826
|
||||
untrusted_app untrusted_app netlink_route_socket b/155595000
|
||||
vold system_data_file file b/124108085
|
||||
zygote untrusted_app_25 process b/77925912
|
||||
zygote labeledfs filesystem b/170748799
|
||||
|
|
@ -185,10 +185,6 @@ allowxperm domain devpts:chr_file ioctl unpriv_tty_ioctls;
|
|||
# named pipes, and named sockets). We start off with a safe set.
|
||||
allowxperm domain { file_type fs_type domain dev_type }:{ dir notdevfile_class_set blk_file } ioctl { FIOCLEX FIONCLEX };
|
||||
|
||||
# If a domain has ioctl access to tun_device, it must clearly enumerate the
|
||||
# ioctls used. Safe defaults are listed below.
|
||||
allowxperm domain tun_device:chr_file ioctl { FIOCLEX FIONCLEX };
|
||||
|
||||
# Allow a process to make a determination whether a file descriptor
|
||||
# for a plain file or pipe (fifo_file) is a tty. Note that granting
|
||||
# this allowlist to domain does not grant the ioctl permission to
|
||||
|
|
@ -229,8 +225,6 @@ allow domain cgroup_v2:dir search;
|
|||
allow { domain } cgroup_v2:dir w_dir_perms;
|
||||
allow { domain } cgroup_v2:file w_file_perms;
|
||||
|
||||
allow domain cgroup_rc_file:dir search;
|
||||
allow domain cgroup_rc_file:file r_file_perms;
|
||||
allow domain task_profiles_file:file r_file_perms;
|
||||
allow domain task_profiles_api_file:file r_file_perms;
|
||||
|
||||
|
|
@ -533,12 +527,6 @@ neverallow domain {
|
|||
neverallow domain cgroup:file create;
|
||||
neverallow domain cgroup_v2:file create;
|
||||
|
||||
# Only apps targetting < Q are allowed to open /dev/ashmem directly.
|
||||
# Apps must use ASharedMemory NDK API. Native code must use libcutils API.
|
||||
neverallow {
|
||||
domain
|
||||
} ashmem_device:chr_file open;
|
||||
|
||||
neverallow { domain -init -vendor_init -traced_probes } debugfs_tracing_printk_formats:file *;
|
||||
|
||||
# Linux lockdown "integrity" level is enforced for user builds.
|
||||
|
|
|
|||
|
|
@ -1,7 +1,6 @@
|
|||
allow fs_type self:filesystem associate;
|
||||
allow cgroup tmpfs:filesystem associate;
|
||||
allow cgroup_v2 tmpfs:filesystem associate;
|
||||
allow cgroup_rc_file tmpfs:filesystem associate;
|
||||
allow debugfs_type { debugfs debugfs_tracing debugfs_tracing_debug }:filesystem associate;
|
||||
allow dev_type tmpfs:filesystem associate;
|
||||
allow encryptedstore_file encryptedstore_fs:filesystem associate;
|
||||
|
|
|
|||
|
|
@ -32,8 +32,6 @@
|
|||
# Devices
|
||||
#
|
||||
/dev(/.*)? u:object_r:device:s0
|
||||
/dev/ashmem u:object_r:ashmem_device:s0
|
||||
/dev/ashmem(.*)? u:object_r:ashmem_libcutils_device:s0
|
||||
/dev/block(/.*)? u:object_r:block_device:s0
|
||||
/dev/block/dm-[0-9]+ u:object_r:dm_device:s0
|
||||
/dev/block/loop[0-9]* u:object_r:loop_device:s0
|
||||
|
|
@ -41,14 +39,8 @@
|
|||
/dev/block/ram[0-9]* u:object_r:ram_device:s0
|
||||
/dev/block/zram[0-9]* u:object_r:ram_device:s0
|
||||
/dev/console u:object_r:console_device:s0
|
||||
/dev/dma_heap(/.*)? u:object_r:dmabuf_heap_device:s0
|
||||
/dev/dma_heap/system u:object_r:dmabuf_system_heap_device:s0
|
||||
/dev/dma_heap/system-uncached u:object_r:dmabuf_system_heap_device:s0
|
||||
/dev/dma_heap/system-secure(.*) u:object_r:dmabuf_system_secure_heap_device:s0
|
||||
/dev/dm-user(/.*)? u:object_r:dm_user_device:s0
|
||||
/dev/device-mapper u:object_r:dm_device:s0
|
||||
/dev/event-log-tags u:object_r:runtime_event_log_tags_file:s0
|
||||
/dev/cgroup_info(/.*)? u:object_r:cgroup_rc_file:s0
|
||||
/dev/fuse u:object_r:fuse_device:s0
|
||||
/dev/hvc0 u:object_r:serial_device:s0
|
||||
/dev/hvc1 u:object_r:serial_device:s0
|
||||
|
|
@ -59,7 +51,6 @@
|
|||
/dev/ptmx u:object_r:ptmx_device:s0
|
||||
/dev/kmsg u:object_r:kmsg_device:s0
|
||||
/dev/kmsg_debug u:object_r:kmsg_debug_device:s0
|
||||
/dev/kvm u:object_r:kvm_device:s0
|
||||
/dev/null u:object_r:null_device:s0
|
||||
/dev/open-dice0 u:object_r:open_dice_device:s0
|
||||
/dev/random u:object_r:random_device:s0
|
||||
|
|
@ -73,17 +64,10 @@
|
|||
/dev/socket/vm_payload_service u:object_r:vm_payload_service_socket:s0
|
||||
/dev/socket/traced_consumer u:object_r:traced_consumer_socket:s0
|
||||
/dev/socket/traced_producer u:object_r:traced_producer_socket:s0
|
||||
/dev/sys/block/by-name/userdata(/.*)? u:object_r:userdata_sysdev:s0
|
||||
/dev/sys/fs/by-name/userdata(/.*)? u:object_r:userdata_sysdev:s0
|
||||
/dev/tty u:object_r:owntty_device:s0
|
||||
/dev/tty[0-9]* u:object_r:tty_device:s0
|
||||
/dev/ttyS[0-9]* u:object_r:serial_device:s0
|
||||
/dev/tun u:object_r:tun_device:s0
|
||||
/dev/uhid u:object_r:uhid_device:s0
|
||||
/dev/uinput u:object_r:uhid_device:s0
|
||||
/dev/uio[0-9]* u:object_r:uio_device:s0
|
||||
/dev/urandom u:object_r:random_device:s0
|
||||
/dev/vhost-vsock u:object_r:kvm_device:s0
|
||||
/dev/vsock u:object_r:vsock_device:s0
|
||||
/dev/zero u:object_r:zero_device:s0
|
||||
/dev/__properties__ u:object_r:properties_device:s0
|
||||
|
|
|
|||
|
|
@ -27,7 +27,6 @@ allow init vd_device:blk_file relabelto;
|
|||
allow init {
|
||||
dev_type
|
||||
-hw_random_device
|
||||
-kvm_device
|
||||
}:chr_file setattr;
|
||||
|
||||
# /dev/__null__ node created by init.
|
||||
|
|
@ -40,9 +39,6 @@ allow init property_type:file { append create getattr map open read relabelto re
|
|||
# /dev/__properties__/property_info
|
||||
allow init properties_device:file create_file_perms;
|
||||
allow init property_info:file relabelto;
|
||||
# /dev/event-log-tags
|
||||
allow init device:file relabelfrom;
|
||||
allow init runtime_event_log_tags_file:file { open write setattr relabelto create };
|
||||
# /dev/socket
|
||||
allow init { device socket_device dm_user_device }:dir relabelto;
|
||||
# Relabel /dev nodes created in first stage init: /dev/console, /dev/null, /dev/ptmx, /dev/random
|
||||
|
|
@ -114,7 +110,6 @@ allow init tmpfs:dir create_dir_perms;
|
|||
allow init tmpfs:dir mounton;
|
||||
allow init cgroup:dir create_dir_perms;
|
||||
allow init cgroup:file rw_file_perms;
|
||||
allow init cgroup_rc_file:file rw_file_perms;
|
||||
allow init cgroup_desc_file:file r_file_perms;
|
||||
allow init cgroup_desc_api_file:file r_file_perms;
|
||||
allow init cgroup_v2:dir { mounton create_dir_perms};
|
||||
|
|
@ -181,7 +176,6 @@ allow init {
|
|||
file_type
|
||||
-apex_info_file
|
||||
-exec_type
|
||||
-runtime_event_log_tags_file
|
||||
-shell_data_file
|
||||
-system_file_type
|
||||
-vendor_file_type
|
||||
|
|
|
|||
|
|
@ -1,8 +1,5 @@
|
|||
typeattribute shell coredomain;
|
||||
|
||||
# allow shell input injection
|
||||
allow shell uhid_device:chr_file rw_file_perms;
|
||||
|
||||
# Perform SELinux access checks, needed for CTS
|
||||
selinux_check_access(shell)
|
||||
selinux_check_context(shell)
|
||||
|
|
|
|||
|
|
@ -1,24 +1,17 @@
|
|||
type ashmem_device, dev_type;
|
||||
type ashmem_libcutils_device, dev_type;
|
||||
type block_device, dev_type;
|
||||
type console_device, dev_type;
|
||||
type device, dev_type, fs_type;
|
||||
type dm_device, dev_type;
|
||||
type dm_user_device, dev_type;
|
||||
type dmabuf_heap_device, dev_type, dmabuf_heap_device_type;
|
||||
type dmabuf_system_heap_device, dev_type, dmabuf_heap_device_type;
|
||||
type dmabuf_system_secure_heap_device, dev_type, dmabuf_heap_device_type;
|
||||
type fuse_device, dev_type;
|
||||
type hw_random_device, dev_type;
|
||||
type kmsg_debug_device, dev_type;
|
||||
type kmsg_device, dev_type;
|
||||
type kvm_device, dev_type;
|
||||
type loop_control_device, dev_type;
|
||||
type loop_device, dev_type;
|
||||
type null_device, dev_type;
|
||||
type open_dice_device, dev_type;
|
||||
type owntty_device, dev_type;
|
||||
type ppp_device, dev_type;
|
||||
type properties_device, dev_type;
|
||||
type properties_serial, dev_type;
|
||||
type property_info, dev_type;
|
||||
|
|
@ -30,10 +23,6 @@ type serial_device, dev_type;
|
|||
type log_device, dev_type;
|
||||
type socket_device, dev_type;
|
||||
type tty_device, dev_type;
|
||||
type tun_device, dev_type;
|
||||
type uhid_device, dev_type;
|
||||
type uio_device, dev_type;
|
||||
type userdata_sysdev, dev_type;
|
||||
type vd_device, dev_type;
|
||||
type vsock_device, dev_type;
|
||||
type zero_device, dev_type;
|
||||
|
|
|
|||
|
|
@ -8,14 +8,12 @@ type authfs_data_file, file_type, data_file_type, core_data_file_type;
|
|||
type authfs_service_socket, file_type, coredomain_socket;
|
||||
type cgroup_desc_api_file, file_type, system_file_type;
|
||||
type cgroup_desc_file, file_type, system_file_type;
|
||||
type cgroup_rc_file, file_type;
|
||||
type extra_apk_file, file_type;
|
||||
type file_contexts_file, file_type, system_file_type;
|
||||
type linkerconfig_file, file_type;
|
||||
type nativetest_data_file, file_type, data_file_type, core_data_file_type;
|
||||
type property_contexts_file, file_type, system_file_type;
|
||||
type property_socket, file_type, coredomain_socket;
|
||||
type runtime_event_log_tags_file, file_type;
|
||||
type sepolicy_file, file_type, system_file_type;
|
||||
type service_contexts_file, file_type, system_file_type;
|
||||
type shell_data_file, file_type, data_file_type, core_data_file_type;
|
||||
|
|
|
|||
|
|
@ -49,7 +49,6 @@ allow vendor_init unlabeled:{ dir notdevfile_class_set } { getattr relabelfrom }
|
|||
allow vendor_init {
|
||||
file_type
|
||||
-exec_type
|
||||
-runtime_event_log_tags_file
|
||||
-system_file_type
|
||||
-unlabeled
|
||||
-vendor_file_type
|
||||
|
|
@ -144,6 +143,5 @@ allow vendor_init self:capability sys_nice;
|
|||
# chown/chmod on devices, e.g. /dev/ttyHS0
|
||||
allow vendor_init {
|
||||
dev_type
|
||||
-kvm_device
|
||||
-hw_random_device
|
||||
}:chr_file setattr;
|
||||
|
|
|
|||
Loading…
Reference in a new issue