Merge "Add sepolicy for /proc/bootconfig"

Devin Moore 2021-02-24 15:56:48 +00:00 committed by Gerrit Code Review
commit d966b6089f
6 changed files with 9 additions and 1 deletions


@ -1809,7 +1809,9 @@
(typeattributeset print_service_30_0 (print_service)) (typeattributeset print_service_30_0 (print_service))
(typeattributeset priv_app_30_0 (priv_app)) (typeattributeset priv_app_30_0 (priv_app))
(typeattributeset privapp_data_file_30_0 (privapp_data_file)) (typeattributeset privapp_data_file_30_0 (privapp_data_file))
(typeattributeset proc_30_0 (proc)) (typeattributeset proc_30_0
( proc
proc_bootconfig))
(typeattributeset proc_abi_30_0 (proc_abi)) (typeattributeset proc_abi_30_0 (proc_abi))
(typeattributeset proc_asound_30_0 (proc_asound)) (typeattributeset proc_asound_30_0 (proc_asound))
(typeattributeset proc_bluetooth_writable_30_0 (proc_bluetooth_writable)) (typeattributeset proc_bluetooth_writable_30_0 (proc_bluetooth_writable))
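Review bot: Adding `proc_bootconfig` to the `proc_30_0` set means every rule that 30.0 vendor policy wrote against generic `proc` also applies to /proc/bootconfig, so the new label narrows access only for platform policy and for vendor policy built against later versions. That is the usual treatment for a type split out of an existing label, but nothing here records it. A CIL comment above the entry, such as `; proc_bootconfig split from proc: 30.0 vendor rules on proc still reach it`, would keep the mapping from being read as a restriction. If the file cannot exist on devices shipping 30.0 vendor images, listing the type as new instead of mapping it may be worth considering; that cannot be judged from this page.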


@ -3,6 +3,7 @@ genfscon rootfs / u:object_r:rootfs:s0
# proc labeling can be further refined (longest matching prefix). # proc labeling can be further refined (longest matching prefix).
genfscon proc / u:object_r:proc:s0 genfscon proc / u:object_r:proc:s0
genfscon proc /asound u:object_r:proc_asound:s0 genfscon proc /asound u:object_r:proc_asound:s0
genfscon proc /bootconfig u:object_r:proc_bootconfig:s0
genfscon proc /buddyinfo u:object_r:proc_buddyinfo:s0 genfscon proc /buddyinfo u:object_r:proc_buddyinfo:s0
genfscon proc /cmdline u:object_r:proc_cmdline:s0 genfscon proc /cmdline u:object_r:proc_cmdline:s0
genfscon proc /config.gz u:object_r:config_gz:s0 genfscon proc /config.gz u:object_r:config_gz:s0


@ -21,6 +21,7 @@ type proc_qtaguid_stat, fs_type, mlstrustedobject, proc_type;
type proc_bluetooth_writable, fs_type, proc_type; type proc_bluetooth_writable, fs_type, proc_type;
type proc_abi, fs_type, proc_type; type proc_abi, fs_type, proc_type;
type proc_asound, fs_type, proc_type; type proc_asound, fs_type, proc_type;
type proc_bootconfig, fs_type, proc_type;
type proc_buddyinfo, fs_type, proc_type; type proc_buddyinfo, fs_type, proc_type;
type proc_cmdline, fs_type, proc_type; type proc_cmdline, fs_type, proc_type;
type proc_cpuinfo, fs_type, proc_type; type proc_cpuinfo, fs_type, proc_type;


@ -3,3 +3,4 @@ binder_call(hal_bootctl_client, hal_bootctl_server)
binder_call(hal_bootctl_server, hal_bootctl_client) binder_call(hal_bootctl_server, hal_bootctl_client)
hal_attribute_hwservice(hal_bootctl, hal_bootctl_hwservice) hal_attribute_hwservice(hal_bootctl, hal_bootctl_hwservice)
allow hal_bootctl_server proc_bootconfig:file r_file_perms;
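Review bot: The new `allow hal_bootctl_server proc_bootconfig:file r_file_perms;` line carries no comment saying what the boot control HAL reads from /proc/bootconfig, and the same is true of the `proc_bootconfig` entry added to the `allow vold { ... }` list in the vold section. The commit title gives no reason either, so a later least-privilege audit has nothing to check these grants against. A one-line comment above each would do, for example `# Read boot parameters (e.g. slot selection) from /proc/bootconfig.`, with the wording adjusted to what each domain really consumes; the purpose in that example is a guess. The vold list's closing permission set is outside the visible hunk.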


@ -350,6 +350,7 @@ userdebug_or_eng(`
allow init { allow init {
proc # b/67049235 processes /proc/<pid>/* files are mislabeled. proc # b/67049235 processes /proc/<pid>/* files are mislabeled.
proc_bootconfig
proc_cmdline proc_cmdline
proc_diskstats proc_diskstats
proc_kmsg # Open /proc/kmsg for logd service. proc_kmsg # Open /proc/kmsg for logd service.
@ -383,6 +384,7 @@ allow init {
# init chmod/chown access to /proc files. # init chmod/chown access to /proc files.
allow init { allow init {
proc_cmdline proc_cmdline
proc_bootconfig
proc_kmsg proc_kmsg
proc_net proc_net
proc_pagetypeinfo proc_pagetypeinfo
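Review bot: In the second hunk, under `# init chmod/chown access to /proc files.`, `proc_bootconfig` is placed after `proc_cmdline`, while the first hunk and the other files in this commit keep their lists alphabetical. Listing `proc_bootconfig` before `proc_cmdline` keeps the list easy to scan and diff. Both `allow init { ... }` lists close outside the hunks, so the permissions granted are not visible here. Judging by the comment, the second list grants attribute changes, and it is worth confirming that init needs that on /proc/bootconfig rather than read access alone.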


@ -23,6 +23,7 @@ r_dir_file(vold, rootfs)
r_dir_file(vold, metadata_file) r_dir_file(vold, metadata_file)
allow vold { allow vold {
proc # b/67049235 processes /proc/<pid>/* files are mislabeled. proc # b/67049235 processes /proc/<pid>/* files are mislabeled.
proc_bootconfig
proc_cmdline proc_cmdline
proc_drop_caches proc_drop_caches
proc_filesystems proc_filesystems