Merge "selinux: Allow system_server to access files in iorapd dir." into rvc-dev am: 50f13cfc82
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/sepolicy/+/11796673 Change-Id: Ie2d5522c31371541c35601b6138727569553dec0
This commit is contained in:
TreeHugger Robot
Automerger Merge Worker
commit
d0e2d47162
2 changed files with 16 additions and 0 deletions
|
|
@ -46,6 +46,12 @@ allow iorapd system_file:file rx_file_perms;
|
|||
allow iorapd iorap_inode2filename:process signull;
|
||||
allow iorapd iorap_prefetcherd:process signull;
|
||||
|
||||
# Allowing system_server to check for the existence and size of files under iorapd
|
||||
# dir without collecting any sensitive app data.
|
||||
# This is used to predict if iorapd is doing prefetching or not.
|
||||
allow system_server iorapd_data_file:dir { getattr open read search };
|
||||
allow system_server iorapd_data_file:file getattr;
|
||||
|
||||
###
|
||||
### neverallow rules
|
||||
###
|
||||
|
|
@ -59,6 +65,7 @@ neverallow {
|
|||
domain
|
||||
-init
|
||||
-iorapd
|
||||
-system_server
|
||||
} iorapd_data_file:dir *;
|
||||
|
||||
neverallow {
|
||||
|
|
@ -73,6 +80,7 @@ neverallow {
|
|||
-kernel
|
||||
-vendor_init
|
||||
-iorapd
|
||||
-system_server
|
||||
} { iorapd_data_file }:notdevfile_class_set *;
|
||||
|
||||
# Only system_server and shell (for dumpsys) can interact with iorapd over binder
|
||||
|
|
|
|||
|
|
@ -46,6 +46,12 @@ allow iorapd system_file:file rx_file_perms;
|
|||
allow iorapd iorap_inode2filename:process signull;
|
||||
allow iorapd iorap_prefetcherd:process signull;
|
||||
|
||||
# Allowing system_server to check for the existence and size of files under iorapd
|
||||
# dir without collecting any sensitive app data.
|
||||
# This is used to predict if iorapd is doing prefetching or not.
|
||||
allow system_server iorapd_data_file:dir { getattr open read search };
|
||||
allow system_server iorapd_data_file:file getattr;
|
||||
|
||||
###
|
||||
### neverallow rules
|
||||
###
|
||||
|
|
@ -59,6 +65,7 @@ neverallow {
|
|||
domain
|
||||
-init
|
||||
-iorapd
|
||||
-system_server
|
||||
} iorapd_data_file:dir *;
|
||||
|
||||
neverallow {
|
||||
|
|
@ -73,6 +80,7 @@ neverallow {
|
|||
-kernel
|
||||
-vendor_init
|
||||
-iorapd
|
||||
-system_server
|
||||
} { iorapd_data_file }:notdevfile_class_set *;
|
||||
|
||||
# Only system_server and shell (for dumpsys) can interact with iorapd over binder
|
||||
|
|
|
|||
Loading…
Reference in a new issue