Merge "Create a separate label for sandbox root directory" into tm-dev am: 7accd9ad70
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/sepolicy/+/18344445 Change-Id: I07313fb72cd13e9ae2ab24e1b72e0b211f353468 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
This commit is contained in:
commit
d8ffd4cdd8
12 changed files with 70 additions and 2 deletions
|
@ -19,6 +19,8 @@ type perfetto_traces_bugreport_data_file, file_type, data_file_type, core_data_f
|
|||
# /data/misc/perfetto-configs for perfetto configs
|
||||
type perfetto_configs_data_file, file_type, data_file_type, core_data_file_type;
|
||||
|
||||
# /data/misc_{ce/de}/<user>/sdksandbox root data directory for sdk sandbox processes
|
||||
type sdk_sandbox_system_data_file, file_type, data_file_type, core_data_file_type;
|
||||
# /data/misc_{ce/de}/<user>/sdksandbox/<app-name>/* subdirectory for sdk sandbox processes
|
||||
type sdk_sandbox_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type;
|
||||
|
||||
|
|
|
@ -691,6 +691,10 @@
|
|||
# Bootchart data
|
||||
/data/bootchart(/.*)? u:object_r:bootchart_data_file:s0
|
||||
|
||||
# Sandbox sdk data (managed by installd)
|
||||
/data/misc_de/[0-9]+/sdksandbox u:object_r:sdk_sandbox_system_data_file:s0
|
||||
/data/misc_ce/[0-9]+/sdksandbox u:object_r:sdk_sandbox_system_data_file:s0
|
||||
|
||||
# App data snapshots (managed by installd).
|
||||
/data/misc_de/[0-9]+/rollback(/.*)? u:object_r:rollback_data_file:s0
|
||||
/data/misc_ce/[0-9]+/rollback(/.*)? u:object_r:rollback_data_file:s0
|
||||
|
|
|
@ -48,3 +48,6 @@ allow installd staging_data_file:file unlink;
|
|||
allow installd staging_data_file:dir { open read remove_name rmdir search write };
|
||||
|
||||
allow installd { dex2oat dexoptanalyzer }:process { sigkill signal };
|
||||
|
||||
# Allow installd manage dirs in /data/misc_ce/0/sdksandbox
|
||||
allow installd sdk_sandbox_system_data_file:dir { create_dir_perms relabelfrom };
|
||||
|
|
|
@ -39,7 +39,10 @@ can_profile_perf(sdk_sandbox)
|
|||
allow sdk_sandbox system_server:udp_socket {
|
||||
connect getattr read recvfrom sendto write getopt setopt };
|
||||
|
||||
# allow access to sdksandbox data directory
|
||||
# allow sandbox to search in sdk system server directory
|
||||
# additionally, for webview to work, getattr has been permitted
|
||||
allow sdk_sandbox sdk_sandbox_system_data_file:dir { getattr search };
|
||||
# allow sandbox to create files and dirs in sdk data directory
|
||||
allow sdk_sandbox sdk_sandbox_data_file:dir create_dir_perms;
|
||||
allow sdk_sandbox sdk_sandbox_data_file:file create_file_perms;
|
||||
|
||||
|
@ -88,3 +91,20 @@ neverallow sdk_sandbox { media_rw_data_file }:file no_rw_file_perms;
|
|||
neverallow { sdk_sandbox } tmpfs:dir no_rw_file_perms;
|
||||
|
||||
neverallow sdk_sandbox hal_drm_service:service_manager find;
|
||||
|
||||
# Only certain system components should have access to sdk_sandbox_system_data_file
|
||||
# sdk_sandbox only needs search. Restricted in follow up neverallow rule.
|
||||
neverallow {
|
||||
domain
|
||||
-init
|
||||
-installd
|
||||
-sdk_sandbox
|
||||
-system_server
|
||||
-vold_prepare_subdirs
|
||||
} sdk_sandbox_system_data_file:dir { create_dir_perms relabelfrom relabelto };
|
||||
|
||||
# sdk_sandbox only needs to traverse through the sdk_sandbox_system_data_file
|
||||
neverallow sdk_sandbox sdk_sandbox_system_data_file:dir ~{ getattr search };
|
||||
|
||||
# Only dirs should be created at sdk_sandbox_system_data_file level
|
||||
neverallow { domain -init } sdk_sandbox_system_data_file:file *;
|
||||
|
|
|
@ -72,6 +72,9 @@ allow system_server sysfs_fs_incfs_metrics:file r_file_perms;
|
|||
allow system_server sysfs_fs_f2fs:dir r_dir_perms;
|
||||
allow system_server sysfs_fs_f2fs:file r_file_perms;
|
||||
|
||||
# For SdkSandboxManagerService
|
||||
allow system_server sdk_sandbox_system_data_file:dir create_dir_perms;
|
||||
|
||||
# For art.
|
||||
allow system_server { apex_art_data_file dalvikcache_data_file }:dir r_dir_perms;
|
||||
allow system_server { apex_art_data_file dalvikcache_data_file }:file r_file_perms;
|
||||
|
|
|
@ -12,6 +12,7 @@ allow vold_prepare_subdirs file_contexts_file:file r_file_perms;
|
|||
allow vold_prepare_subdirs self:global_capability_class_set { chown dac_override dac_read_search fowner };
|
||||
allow vold_prepare_subdirs self:process setfscreate;
|
||||
allow vold_prepare_subdirs {
|
||||
sdk_sandbox_system_data_file
|
||||
system_data_file
|
||||
vendor_data_file
|
||||
}:dir { open read write add_name remove_name rmdir relabelfrom };
|
||||
|
@ -27,6 +28,7 @@ allow vold_prepare_subdirs {
|
|||
rollback_data_file
|
||||
storaged_data_file
|
||||
sdk_sandbox_data_file
|
||||
sdk_sandbox_system_data_file
|
||||
system_data_file
|
||||
vold_data_file
|
||||
}:dir { create_dir_perms relabelto };
|
||||
|
|
|
@ -19,6 +19,8 @@ type perfetto_traces_bugreport_data_file, file_type, data_file_type, core_data_f
|
|||
# /data/misc/perfetto-configs for perfetto configs
|
||||
type perfetto_configs_data_file, file_type, data_file_type, core_data_file_type;
|
||||
|
||||
# /data/misc_{ce/de}/<user>/sdksandbox root data directory for sdk sandbox processes
|
||||
type sdk_sandbox_system_data_file, file_type, data_file_type, core_data_file_type;
|
||||
# /data/misc_{ce/de}/<user>/sdksandbox/<app-name>/* subdirectory for sdk sandbox processes
|
||||
type sdk_sandbox_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type;
|
||||
|
||||
|
|
|
@ -696,6 +696,10 @@
|
|||
# Bootchart data
|
||||
/data/bootchart(/.*)? u:object_r:bootchart_data_file:s0
|
||||
|
||||
# Sandbox sdk data (managed by installd)
|
||||
/data/misc_de/[0-9]+/sdksandbox u:object_r:sdk_sandbox_system_data_file:s0
|
||||
/data/misc_ce/[0-9]+/sdksandbox u:object_r:sdk_sandbox_system_data_file:s0
|
||||
|
||||
# App data snapshots (managed by installd).
|
||||
/data/misc_de/[0-9]+/rollback(/.*)? u:object_r:rollback_data_file:s0
|
||||
/data/misc_ce/[0-9]+/rollback(/.*)? u:object_r:rollback_data_file:s0
|
||||
|
|
|
@ -48,3 +48,6 @@ allow installd staging_data_file:file unlink;
|
|||
allow installd staging_data_file:dir { open read remove_name rmdir search write };
|
||||
|
||||
allow installd { dex2oat dexoptanalyzer }:process { sigkill signal };
|
||||
|
||||
# Allow installd manage dirs in /data/misc_ce/0/sdksandbox
|
||||
allow installd sdk_sandbox_system_data_file:dir { create_dir_perms relabelfrom };
|
||||
|
|
|
@ -105,7 +105,10 @@ can_profile_perf(sdk_sandbox)
|
|||
allow sdk_sandbox system_server:udp_socket {
|
||||
connect getattr read recvfrom sendto write getopt setopt };
|
||||
|
||||
# allow access to sdksandbox data directory
|
||||
# allow sandbox to search in sdk system server directory
|
||||
# additionally, for webview to work, getattr has been permitted
|
||||
allow sdk_sandbox sdk_sandbox_system_data_file:dir { getattr search };
|
||||
# allow sandbox to create files and dirs in sdk data directory
|
||||
allow sdk_sandbox sdk_sandbox_data_file:dir create_dir_perms;
|
||||
allow sdk_sandbox sdk_sandbox_data_file:file create_file_perms;
|
||||
|
||||
|
@ -154,3 +157,20 @@ neverallow sdk_sandbox { media_rw_data_file }:file no_rw_file_perms;
|
|||
neverallow { sdk_sandbox } tmpfs:dir no_rw_file_perms;
|
||||
|
||||
neverallow sdk_sandbox hal_drm_service:service_manager find;
|
||||
|
||||
# Only certain system components should have access to sdk_sandbox_system_data_file
|
||||
# sdk_sandbox only needs search. Restricted in follow up neverallow rule.
|
||||
neverallow {
|
||||
domain
|
||||
-init
|
||||
-installd
|
||||
-sdk_sandbox
|
||||
-system_server
|
||||
-vold_prepare_subdirs
|
||||
} sdk_sandbox_system_data_file:dir { create_dir_perms relabelfrom relabelto };
|
||||
|
||||
# sdk_sandbox only needs to traverse through the sdk_sandbox_system_data_file
|
||||
neverallow sdk_sandbox sdk_sandbox_system_data_file:dir ~{ getattr search };
|
||||
|
||||
# Only dirs should be created at sdk_sandbox_system_data_file level
|
||||
neverallow { domain -init } sdk_sandbox_system_data_file:file *;
|
||||
|
|
|
@ -72,6 +72,9 @@ allow system_server sysfs_fs_incfs_metrics:file r_file_perms;
|
|||
allow system_server sysfs_fs_f2fs:dir r_dir_perms;
|
||||
allow system_server sysfs_fs_f2fs:file r_file_perms;
|
||||
|
||||
# For SdkSandboxManagerService
|
||||
allow system_server sdk_sandbox_system_data_file:dir create_dir_perms;
|
||||
|
||||
# For art.
|
||||
allow system_server { apex_art_data_file dalvikcache_data_file }:dir r_dir_perms;
|
||||
allow system_server { apex_art_data_file dalvikcache_data_file }:file r_file_perms;
|
||||
|
|
|
@ -12,6 +12,7 @@ allow vold_prepare_subdirs file_contexts_file:file r_file_perms;
|
|||
allow vold_prepare_subdirs self:global_capability_class_set { chown dac_override dac_read_search fowner };
|
||||
allow vold_prepare_subdirs self:process setfscreate;
|
||||
allow vold_prepare_subdirs {
|
||||
sdk_sandbox_system_data_file
|
||||
system_data_file
|
||||
vendor_data_file
|
||||
}:dir { open read write add_name remove_name rmdir relabelfrom };
|
||||
|
@ -27,6 +28,7 @@ allow vold_prepare_subdirs {
|
|||
rollback_data_file
|
||||
storaged_data_file
|
||||
sdk_sandbox_data_file
|
||||
sdk_sandbox_system_data_file
|
||||
system_data_file
|
||||
vold_data_file
|
||||
}:dir { create_dir_perms relabelto };
|
||||
|
|
Loading…
Reference in a new issue