Sync internal master and AOSP sepolicy.
Bug: 37916906 Test: Builds 'n' boots. Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668 Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb
This commit is contained in:
parent
347e1027cf
commit
df5469d864
41 changed files with 604 additions and 287 deletions
42
Android.mk
42
Android.mk
|
@ -194,12 +194,13 @@ LOCAL_REQUIRED_MODULES += \
|
|||
plat_sepolicy.cil \
|
||||
plat_and_mapping_sepolicy.cil.sha256 \
|
||||
secilc \
|
||||
plat_sepolicy_vers.txt
|
||||
plat_sepolicy_vers.txt \
|
||||
|
||||
ifneq ($(with_asan),true)
|
||||
LOCAL_REQUIRED_MODULES += \
|
||||
treble_sepolicy_tests \
|
||||
sepolicy_tests
|
||||
|
||||
endif
|
||||
|
||||
# Include precompiled policy, unless told otherwise
|
||||
|
@ -223,12 +224,25 @@ LOCAL_REQUIRED_MODULES += \
|
|||
plat_seapp_contexts \
|
||||
plat_service_contexts \
|
||||
plat_hwservice_contexts \
|
||||
searchpolicy \
|
||||
vndservice_contexts \
|
||||
|
||||
ifneq ($(PRODUCT_FULL_TREBLE),true)
|
||||
LOCAL_REQUIRED_MODULES += nonplat_service_contexts
|
||||
endif
|
||||
|
||||
ifneq ($(TARGET_BUILD_VARIANT), user)
|
||||
LOCAL_REQUIRED_MODULES += \
|
||||
selinux_denial_metadata \
|
||||
|
||||
endif
|
||||
|
||||
ifneq ($(with_asan),true)
|
||||
LOCAL_REQUIRED_MODULES += \
|
||||
sepolicy_tests \
|
||||
|
||||
endif
|
||||
|
||||
include $(BUILD_PHONY_PACKAGE)
|
||||
|
||||
##################################
|
||||
|
@ -665,6 +679,24 @@ file_contexts.device.sorted.tmp :=
|
|||
file_contexts.device.tmp :=
|
||||
file_contexts.local.tmp :=
|
||||
|
||||
##################################
|
||||
ifneq ($(TARGET_BUILD_VARIANT), user)
|
||||
include $(CLEAR_VARS)
|
||||
|
||||
LOCAL_MODULE := selinux_denial_metadata
|
||||
LOCAL_MODULE_CLASS := ETC
|
||||
LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux
|
||||
|
||||
include $(BUILD_SYSTEM)/base_rules.mk
|
||||
|
||||
bug_files := $(call build_policy, bug_map, $(LOCAL_PATH) $(PLAT_PRIVATE_POLICY) $(PLAT_VENDOR_POLICY) $(BOARD_SEPOLICY_DIRS) $(PLAT_PUBLIC_POLICY))
|
||||
|
||||
$(LOCAL_BUILT_MODULE) : $(bug_files)
|
||||
@mkdir -p $(dir $@)
|
||||
cat $^ > $@
|
||||
|
||||
bug_files :=
|
||||
endif
|
||||
##################################
|
||||
include $(CLEAR_VARS)
|
||||
|
||||
|
@ -1262,6 +1294,11 @@ $(treble_sepolicy_tests): PRIVATE_SEPOLICY := $(built_sepolicy)
|
|||
$(treble_sepolicy_tests): PRIVATE_SEPOLICY_OLD := $(built_26.0_plat_sepolicy)
|
||||
$(treble_sepolicy_tests): PRIVATE_COMBINED_MAPPING := $(26.0_mapping.combined.cil)
|
||||
$(treble_sepolicy_tests): PRIVATE_PLAT_SEPOLICY := $(built_plat_sepolicy)
|
||||
ifeq ($(PRODUCT_FULL_TREBLE_OVERRIDE),true)
|
||||
$(treble_sepolicy_tests): PRIVATE_FAKE_TREBLE := --fake-treble
|
||||
else
|
||||
$(treble_sepolicy_tests): PRIVATE_FAKE_TREBLE :=
|
||||
endif
|
||||
$(treble_sepolicy_tests): $(HOST_OUT_EXECUTABLES)/treble_sepolicy_tests \
|
||||
$(built_plat_fc) $(built_nonplat_fc) $(built_sepolicy) $(built_plat_sepolicy) \
|
||||
$(built_26.0_plat_sepolicy) $(26.0_compat) $(26.0_mapping.combined.cil)
|
||||
|
@ -1269,7 +1306,8 @@ $(built_26.0_plat_sepolicy) $(26.0_compat) $(26.0_mapping.combined.cil)
|
|||
$(hide) python $(HOST_OUT_EXECUTABLES)/treble_sepolicy_tests -l \
|
||||
$(HOST_OUT)/lib64 -f $(PRIVATE_PLAT_FC) -f $(PRIVATE_NONPLAT_FC) \
|
||||
-b $(PRIVATE_PLAT_SEPOLICY) -m $(PRIVATE_COMBINED_MAPPING) \
|
||||
-o $(PRIVATE_SEPOLICY_OLD) -p $(PRIVATE_SEPOLICY)
|
||||
-o $(PRIVATE_SEPOLICY_OLD) -p $(PRIVATE_SEPOLICY) \
|
||||
$(PRIVATE_FAKE_TREBLE)
|
||||
$(hide) touch $@
|
||||
|
||||
26.0_PLAT_PUBLIC_POLICY :=
|
||||
|
|
|
@ -108,11 +108,25 @@ neverallow all_untrusted_apps anr_data_file:dir ~search;
|
|||
|
||||
# Avoid reads from generically labeled /proc files
|
||||
# Create a more specific label if needed
|
||||
neverallow all_untrusted_apps proc:file { no_rw_file_perms no_x_file_perms };
|
||||
neverallow all_untrusted_apps {
|
||||
proc
|
||||
proc_asound_cards
|
||||
proc_filesystems
|
||||
proc_kmsg
|
||||
proc_loadavg
|
||||
proc_mounts
|
||||
proc_pagetypeinfo
|
||||
proc_swaps
|
||||
proc_version
|
||||
proc_vmallocinfo
|
||||
}:file { no_rw_file_perms no_x_file_perms };
|
||||
|
||||
# Avoid all access to kernel configuration
|
||||
neverallow all_untrusted_apps config_gz:file { no_rw_file_perms no_x_file_perms };
|
||||
|
||||
# Only system_server can access proc_uid_time_in_state
|
||||
neverallow { domain -init -system_server } proc_uid_time_in_state:file *;
|
||||
|
||||
# Do not allow untrusted apps access to preloads data files
|
||||
neverallow all_untrusted_apps preloads_data_file:file no_rw_file_perms;
|
||||
|
||||
|
|
|
@ -446,7 +446,7 @@
|
|||
(typeattributeset preopt2cachename_exec_26_0 (preopt2cachename_exec))
|
||||
(typeattributeset print_service_26_0 (print_service))
|
||||
(typeattributeset priv_app_26_0 (mediaprovider priv_app))
|
||||
(typeattributeset proc_26_0 (proc proc_uid_time_in_state proc_kmsg))
|
||||
(typeattributeset proc_26_0 (proc proc_asound_cards proc_cmdline proc_filesystems proc_kmsg proc_loadavg proc_mounts proc_pagetypeinfo proc_swaps proc_uid_time_in_state proc_version proc_vmallocinfo))
|
||||
(typeattributeset proc_bluetooth_writable_26_0 (proc_bluetooth_writable))
|
||||
(typeattributeset proc_cpuinfo_26_0 (proc_cpuinfo))
|
||||
(typeattributeset proc_drop_caches_26_0 (proc_drop_caches))
|
||||
|
|
|
@ -10,6 +10,7 @@
|
|||
e2fs_exec
|
||||
hal_broadcastradio_hwservice
|
||||
hal_cas_hwservice
|
||||
hal_lowpan_hwservice
|
||||
hal_neuralnetworks_hwservice
|
||||
hal_tetheroffload_hwservice
|
||||
hal_wifi_offload_hwservice
|
||||
|
@ -18,6 +19,13 @@
|
|||
mediaprovider_tmpfs
|
||||
netd_stable_secret_prop
|
||||
package_native_service
|
||||
lowpan_device
|
||||
lowpan_prop
|
||||
lowpan_service
|
||||
mediaprovider_tmpfs
|
||||
netd_stable_secret_prop
|
||||
package_native_service
|
||||
storaged_data_file
|
||||
sysfs_fs_ext4_features
|
||||
system_boot_reason_prop
|
||||
system_net_netd_hwservice
|
||||
|
@ -27,7 +35,9 @@
|
|||
thermalserviced_exec
|
||||
thermalserviced_tmpfs
|
||||
timezone_service
|
||||
tombstoned_java_trace_socket))
|
||||
tombstoned_java_trace_socket
|
||||
tombstoned_java_trace_socket
|
||||
vold_service))
|
||||
|
||||
;; private_objects - a collection of types that were labeled differently in
|
||||
;; older policy, but that should not remain accessible to vendor policy.
|
||||
|
|
|
@ -5,3 +5,6 @@ typealias app_data_file alias download_file;
|
|||
|
||||
# /proc/config.gz
|
||||
type config_gz, fs_type;
|
||||
|
||||
# /data/misc/storaged
|
||||
type storaged_data_file, file_type, data_file_type, core_data_file_type;
|
||||
|
|
|
@ -28,7 +28,6 @@
|
|||
/mnt u:object_r:tmpfs:s0
|
||||
/postinstall u:object_r:postinstall_mnt_dir:s0
|
||||
/proc u:object_r:rootfs:s0
|
||||
/root u:object_r:rootfs:s0
|
||||
/sys u:object_r:sysfs:s0
|
||||
|
||||
# Symlinks
|
||||
|
@ -375,6 +374,7 @@
|
|||
/data/misc/recovery(/.*)? u:object_r:recovery_data_file:s0
|
||||
/data/misc/shared_relro(/.*)? u:object_r:shared_relro_file:s0
|
||||
/data/misc/sms(/.*)? u:object_r:radio_data_file:s0
|
||||
/data/misc/storaged(/.*)? u:object_r:storaged_data_file:s0
|
||||
/data/misc/systemkeys(/.*)? u:object_r:systemkeys_data_file:s0
|
||||
/data/misc/textclassifier(/.*)? u:object_r:textclassifier_data_file:s0
|
||||
/data/misc/user(/.*)? u:object_r:misc_user_data_file:s0
|
||||
|
|
|
@ -2,18 +2,25 @@
|
|||
genfscon rootfs / u:object_r:rootfs:s0
|
||||
# proc labeling can be further refined (longest matching prefix).
|
||||
genfscon proc / u:object_r:proc:s0
|
||||
genfscon proc /asound/cards u:object_r:proc_asound_cards:s0
|
||||
genfscon proc /cmdline u:object_r:proc_cmdline:s0
|
||||
genfscon proc /config.gz u:object_r:config_gz:s0
|
||||
genfscon proc /filesystems u:object_r:proc_filesystems:s0
|
||||
genfscon proc /interrupts u:object_r:proc_interrupts:s0
|
||||
genfscon proc /iomem u:object_r:proc_iomem:s0
|
||||
genfscon proc /kmsg u:object_r:proc_kmsg:s0
|
||||
genfscon proc /loadavg u:object_r:proc_loadavg:s0
|
||||
genfscon proc /meminfo u:object_r:proc_meminfo:s0
|
||||
genfscon proc /misc u:object_r:proc_misc:s0
|
||||
genfscon proc /modules u:object_r:proc_modules:s0
|
||||
genfscon proc /mounts u:object_r:proc_mounts:s0
|
||||
genfscon proc /net u:object_r:proc_net:s0
|
||||
genfscon proc /net/xt_qtaguid/ctrl u:object_r:qtaguid_proc:s0
|
||||
genfscon proc /cpuinfo u:object_r:proc_cpuinfo:s0
|
||||
genfscon proc /pagetypeinfo u:object_r:proc_pagetypeinfo:s0
|
||||
genfscon proc /softirqs u:object_r:proc_timer:s0
|
||||
genfscon proc /stat u:object_r:proc_stat:s0
|
||||
genfscon proc /swaps u:object_r:proc_swaps:s0
|
||||
genfscon proc /sysrq-trigger u:object_r:proc_sysrq:s0
|
||||
genfscon proc /sys/fs/protected_hardlinks u:object_r:proc_security:s0
|
||||
genfscon proc /sys/fs/protected_symlinks u:object_r:proc_security:s0
|
||||
|
@ -42,6 +49,8 @@ genfscon proc /uid_cputime/remove_uid_range u:object_r:proc_uid_cputime_removeui
|
|||
genfscon proc /uid_io/stats u:object_r:proc_uid_io_stats:s0
|
||||
genfscon proc /uid_procstat/set u:object_r:proc_uid_procstat_set:s0
|
||||
genfscon proc /uid_time_in_state u:object_r:proc_uid_time_in_state:s0
|
||||
genfscon proc /version u:object_r:proc_version:s0
|
||||
genfscon proc /vmallocinfo u:object_r:proc_vmallocinfo:s0
|
||||
genfscon proc /zoneinfo u:object_r:proc_zoneinfo:s0
|
||||
|
||||
# selinuxfs booleans can be individually labeled.
|
||||
|
|
|
@ -23,6 +23,7 @@ android.hardware.health::IHealth u:object_r:hal_h
|
|||
android.hardware.ir::IConsumerIr u:object_r:hal_ir_hwservice:s0
|
||||
android.hardware.keymaster::IKeymasterDevice u:object_r:hal_keymaster_hwservice:s0
|
||||
android.hardware.light::ILight u:object_r:hal_light_hwservice:s0
|
||||
android.hardware.lowpan::ILowpanDevice u:object_r:hal_lowpan_hwservice:s0
|
||||
android.hardware.media.omx::IOmx u:object_r:hal_omx_hwservice:s0
|
||||
android.hardware.media.omx::IOmxStore u:object_r:hal_omx_hwservice:s0
|
||||
android.hardware.memtrack::IMemtrack u:object_r:hal_memtrack_hwservice:s0
|
||||
|
|
|
@ -113,5 +113,9 @@ ro.dalvik. u:object_r:dalvik_prop:s0
|
|||
# Shared between system server and wificond
|
||||
wlan. u:object_r:wifi_prop:s0
|
||||
|
||||
# Lowpan properties
|
||||
lowpan. u:object_r:lowpan_prop:s0
|
||||
ro.lowpan. u:object_r:lowpan_prop:s0
|
||||
|
||||
# hwservicemanager properties
|
||||
hwservicemanager. u:object_r:hwservicemanager_prop:s0
|
||||
|
|
|
@ -46,6 +46,7 @@ drm.drmManager u:object_r:drmserver_service:s0
|
|||
dropbox u:object_r:dropbox_service:s0
|
||||
dumpstate u:object_r:dumpstate_service:s0
|
||||
econtroller u:object_r:radio_service:s0
|
||||
lowpan u:object_r:lowpan_service:s0
|
||||
ethernet u:object_r:ethernet_service:s0
|
||||
fingerprint u:object_r:fingerprint_service:s0
|
||||
font u:object_r:font_service:s0
|
||||
|
@ -160,6 +161,7 @@ user u:object_r:user_service:s0
|
|||
vibrator u:object_r:vibrator_service:s0
|
||||
virtual_touchpad u:object_r:virtual_touchpad_service:s0
|
||||
voiceinteraction u:object_r:voiceinteraction_service:s0
|
||||
vold u:object_r:vold_service:s0
|
||||
vr_hwc u:object_r:vr_hwc_service:s0
|
||||
vrmanager u:object_r:vr_manager_service:s0
|
||||
wallpaper u:object_r:wallpaper_service:s0
|
||||
|
|
|
@ -15,6 +15,10 @@ allow storaged proc_uid_io_stats:file r_file_perms;
|
|||
# Read /data/system/packages.list
|
||||
allow storaged system_data_file:file r_file_perms;
|
||||
|
||||
# Store storaged proto file
|
||||
allow storaged storaged_data_file:dir rw_dir_perms;
|
||||
allow storaged storaged_data_file:file create_file_perms;
|
||||
|
||||
userdebug_or_eng(`
|
||||
# Read access to debugfs
|
||||
allow storaged debugfs_mmc:dir search;
|
||||
|
|
|
@ -58,7 +58,15 @@ binder_call(system_app, incidentd)
|
|||
|
||||
allow system_app servicemanager:service_manager list;
|
||||
# TODO: scope this down? Too broad?
|
||||
allow system_app { service_manager_type -netd_service -dumpstate_service -installd_service -virtual_touchpad_service -vr_hwc_service }:service_manager find;
|
||||
allow system_app {
|
||||
service_manager_type
|
||||
-dumpstate_service
|
||||
-installd_service
|
||||
-netd_service
|
||||
-virtual_touchpad_service
|
||||
-vold_service
|
||||
-vr_hwc_service
|
||||
}:service_manager find;
|
||||
|
||||
allow system_app keystore:keystore_key {
|
||||
get_state
|
||||
|
|
|
@ -178,6 +178,7 @@ binder_call(system_server, gatekeeperd)
|
|||
binder_call(system_server, installd)
|
||||
binder_call(system_server, incidentd)
|
||||
binder_call(system_server, netd)
|
||||
binder_call(system_server, vold)
|
||||
binder_call(system_server, wificond)
|
||||
binder_service(system_server)
|
||||
|
||||
|
@ -574,6 +575,7 @@ allow system_server netd_service:service_manager find;
|
|||
allow system_server nfc_service:service_manager find;
|
||||
allow system_server radio_service:service_manager find;
|
||||
allow system_server surfaceflinger_service:service_manager find;
|
||||
allow system_server vold_service:service_manager find;
|
||||
allow system_server wificond_service:service_manager find;
|
||||
|
||||
allow system_server keystore:keystore_key {
|
||||
|
@ -673,9 +675,13 @@ allow system_server preloads_media_file:dir { r_dir_perms write remove_name rmdi
|
|||
r_dir_file(system_server, cgroup)
|
||||
allow system_server ion_device:chr_file r_file_perms;
|
||||
|
||||
r_dir_file(system_server, proc)
|
||||
r_dir_file(system_server, proc_asound_cards)
|
||||
r_dir_file(system_server, proc_loadavg)
|
||||
r_dir_file(system_server, proc_meminfo)
|
||||
r_dir_file(system_server, proc_net)
|
||||
r_dir_file(system_server, proc_pagetypeinfo)
|
||||
r_dir_file(system_server, proc_version)
|
||||
r_dir_file(system_server, proc_vmallocinfo)
|
||||
r_dir_file(system_server, rootfs)
|
||||
r_dir_file(system_server, sysfs_type)
|
||||
|
||||
|
|
|
@ -190,234 +190,45 @@ attribute halclientdomain;
|
|||
expandattribute halclientdomain true;
|
||||
|
||||
# HALs
|
||||
attribute hal_allocator;
|
||||
expandattribute hal_allocator true;
|
||||
attribute hal_allocator_client;
|
||||
expandattribute hal_allocator_client true;
|
||||
attribute hal_allocator_server;
|
||||
expandattribute hal_allocator_server false;
|
||||
attribute hal_audio;
|
||||
expandattribute hal_audio false;
|
||||
attribute hal_audio_client;
|
||||
expandattribute hal_audio_client true;
|
||||
attribute hal_audio_server;
|
||||
expandattribute hal_audio_server false;
|
||||
attribute hal_bluetooth;
|
||||
expandattribute hal_bluetooth true;
|
||||
attribute hal_bluetooth_client;
|
||||
expandattribute hal_bluetooth_client true;
|
||||
attribute hal_bluetooth_server;
|
||||
expandattribute hal_bluetooth_server false;
|
||||
attribute hal_bootctl;
|
||||
expandattribute hal_bootctl false;
|
||||
attribute hal_bootctl_client;
|
||||
expandattribute hal_bootctl_client true;
|
||||
attribute hal_bootctl_server;
|
||||
expandattribute hal_bootctl_server false;
|
||||
attribute hal_broadcastradio;
|
||||
expandattribute hal_broadcastradio true;
|
||||
attribute hal_broadcastradio_client;
|
||||
expandattribute hal_broadcastradio_client true;
|
||||
attribute hal_broadcastradio_server;
|
||||
expandattribute hal_broadcastradio_server false;
|
||||
attribute hal_camera;
|
||||
expandattribute hal_camera false;
|
||||
attribute hal_camera_client;
|
||||
expandattribute hal_camera_client true;
|
||||
attribute hal_camera_server;
|
||||
expandattribute hal_camera_server false;
|
||||
attribute hal_configstore;
|
||||
expandattribute hal_configstore true;
|
||||
attribute hal_configstore_client;
|
||||
expandattribute hal_configstore_client true;
|
||||
attribute hal_configstore_server;
|
||||
expandattribute hal_configstore_server false;
|
||||
attribute hal_contexthub;
|
||||
expandattribute hal_contexthub true;
|
||||
attribute hal_contexthub_client;
|
||||
expandattribute hal_contexthub_client true;
|
||||
attribute hal_contexthub_server;
|
||||
expandattribute hal_contexthub_server false;
|
||||
attribute hal_drm;
|
||||
expandattribute hal_drm false;
|
||||
attribute hal_drm_client;
|
||||
expandattribute hal_drm_client true;
|
||||
attribute hal_drm_server;
|
||||
expandattribute hal_drm_server true;
|
||||
attribute hal_cas;
|
||||
expandattribute hal_cas false;
|
||||
attribute hal_cas_client;
|
||||
expandattribute hal_cas_client true;
|
||||
attribute hal_cas_server;
|
||||
expandattribute hal_cas_server false;
|
||||
attribute hal_dumpstate;
|
||||
expandattribute hal_dumpstate true;
|
||||
attribute hal_dumpstate_client;
|
||||
expandattribute hal_dumpstate_client true;
|
||||
attribute hal_dumpstate_server;
|
||||
expandattribute hal_dumpstate_server false;
|
||||
attribute hal_fingerprint;
|
||||
expandattribute hal_fingerprint true;
|
||||
attribute hal_fingerprint_client;
|
||||
expandattribute hal_fingerprint_client true;
|
||||
attribute hal_fingerprint_server;
|
||||
expandattribute hal_fingerprint_server false;
|
||||
attribute hal_gatekeeper;
|
||||
expandattribute hal_gatekeeper true;
|
||||
attribute hal_gatekeeper_client;
|
||||
expandattribute hal_gatekeeper_client true;
|
||||
attribute hal_gatekeeper_server;
|
||||
expandattribute hal_gatekeeper_server false;
|
||||
attribute hal_gnss;
|
||||
expandattribute hal_gnss true;
|
||||
attribute hal_gnss_client;
|
||||
expandattribute hal_gnss_client true;
|
||||
attribute hal_gnss_server;
|
||||
expandattribute hal_gnss_server false;
|
||||
attribute hal_graphics_allocator;
|
||||
expandattribute hal_graphics_allocator true;
|
||||
attribute hal_graphics_allocator_client;
|
||||
expandattribute hal_graphics_allocator_client true;
|
||||
attribute hal_graphics_allocator_server;
|
||||
expandattribute hal_graphics_allocator_server false;
|
||||
attribute hal_graphics_composer;
|
||||
expandattribute hal_graphics_composer true;
|
||||
attribute hal_graphics_composer_client;
|
||||
expandattribute hal_graphics_composer_client true;
|
||||
attribute hal_graphics_composer_server;
|
||||
expandattribute hal_graphics_composer_server false;
|
||||
attribute hal_health;
|
||||
expandattribute hal_health true;
|
||||
attribute hal_health_client;
|
||||
expandattribute hal_health_client true;
|
||||
attribute hal_health_server;
|
||||
expandattribute hal_health_server false;
|
||||
attribute hal_ir;
|
||||
expandattribute hal_ir true;
|
||||
attribute hal_ir_client;
|
||||
expandattribute hal_ir_client true;
|
||||
attribute hal_ir_server;
|
||||
expandattribute hal_ir_server false;
|
||||
attribute hal_keymaster;
|
||||
expandattribute hal_keymaster true;
|
||||
attribute hal_keymaster_client;
|
||||
expandattribute hal_keymaster_client true;
|
||||
attribute hal_keymaster_server;
|
||||
expandattribute hal_keymaster_server false;
|
||||
attribute hal_light;
|
||||
expandattribute hal_light true;
|
||||
attribute hal_light_client;
|
||||
expandattribute hal_light_client true;
|
||||
attribute hal_light_server;
|
||||
expandattribute hal_light_server false;
|
||||
attribute hal_memtrack;
|
||||
expandattribute hal_memtrack true;
|
||||
attribute hal_memtrack_client;
|
||||
expandattribute hal_memtrack_client true;
|
||||
attribute hal_memtrack_server;
|
||||
expandattribute hal_memtrack_server false;
|
||||
attribute hal_neuralnetworks;
|
||||
expandattribute hal_neuralnetworks true;
|
||||
attribute hal_neuralnetworks_client;
|
||||
expandattribute hal_neuralnetworks_client true;
|
||||
attribute hal_neuralnetworks_server;
|
||||
expandattribute hal_neuralnetworks_server false;
|
||||
attribute hal_nfc;
|
||||
expandattribute hal_nfc true;
|
||||
attribute hal_nfc_client;
|
||||
expandattribute hal_nfc_client true;
|
||||
attribute hal_nfc_server;
|
||||
expandattribute hal_nfc_server false;
|
||||
attribute hal_oemlock;
|
||||
expandattribute hal_oemlock true;
|
||||
attribute hal_oemlock_client;
|
||||
expandattribute hal_oemlock_client true;
|
||||
attribute hal_oemlock_server;
|
||||
expandattribute hal_oemlock_server false;
|
||||
attribute hal_power;
|
||||
expandattribute hal_power true;
|
||||
attribute hal_power_client;
|
||||
expandattribute hal_power_client true;
|
||||
attribute hal_power_server;
|
||||
expandattribute hal_power_server false;
|
||||
attribute hal_sensors;
|
||||
expandattribute hal_sensors true;
|
||||
attribute hal_sensors_client;
|
||||
expandattribute hal_sensors_client true;
|
||||
attribute hal_sensors_server;
|
||||
expandattribute hal_sensors_server false;
|
||||
attribute hal_telephony;
|
||||
expandattribute hal_telephony true;
|
||||
attribute hal_telephony_client;
|
||||
expandattribute hal_telephony_client true;
|
||||
attribute hal_telephony_server;
|
||||
expandattribute hal_telephony_server false;
|
||||
attribute hal_tetheroffload;
|
||||
expandattribute hal_tetheroffload true;
|
||||
attribute hal_tetheroffload_client;
|
||||
expandattribute hal_tetheroffload_client true;
|
||||
attribute hal_tetheroffload_server;
|
||||
expandattribute hal_tetheroffload_server false;
|
||||
attribute hal_thermal;
|
||||
expandattribute hal_thermal true;
|
||||
attribute hal_thermal_client;
|
||||
expandattribute hal_thermal_client true;
|
||||
attribute hal_thermal_server;
|
||||
expandattribute hal_thermal_server false;
|
||||
attribute hal_tv_cec;
|
||||
expandattribute hal_tv_cec true;
|
||||
attribute hal_tv_cec_client;
|
||||
expandattribute hal_tv_cec_client true;
|
||||
attribute hal_tv_cec_server;
|
||||
expandattribute hal_tv_cec_server false;
|
||||
attribute hal_tv_input;
|
||||
expandattribute hal_tv_input true;
|
||||
attribute hal_tv_input_client;
|
||||
expandattribute hal_tv_input_client true;
|
||||
attribute hal_tv_input_server;
|
||||
expandattribute hal_tv_input_server false;
|
||||
attribute hal_usb;
|
||||
expandattribute hal_usb true;
|
||||
attribute hal_usb_client;
|
||||
expandattribute hal_usb_client true;
|
||||
attribute hal_usb_server;
|
||||
expandattribute hal_usb_server false;
|
||||
attribute hal_vibrator;
|
||||
expandattribute hal_vibrator true;
|
||||
attribute hal_vibrator_client;
|
||||
expandattribute hal_vibrator_client true;
|
||||
attribute hal_vibrator_server;
|
||||
expandattribute hal_vibrator_server false;
|
||||
attribute hal_vr;
|
||||
expandattribute hal_vr true;
|
||||
attribute hal_vr_client;
|
||||
expandattribute hal_vr_client true;
|
||||
attribute hal_vr_server;
|
||||
expandattribute hal_vr_server false;
|
||||
attribute hal_weaver;
|
||||
expandattribute hal_weaver true;
|
||||
attribute hal_weaver_client;
|
||||
expandattribute hal_weaver_client true;
|
||||
attribute hal_weaver_server;
|
||||
expandattribute hal_weaver_server false;
|
||||
attribute hal_wifi;
|
||||
expandattribute hal_wifi true;
|
||||
attribute hal_wifi_client;
|
||||
expandattribute hal_wifi_client true;
|
||||
attribute hal_wifi_server;
|
||||
expandattribute hal_wifi_server false;
|
||||
attribute hal_wifi_offload;
|
||||
expandattribute hal_wifi_offload true;
|
||||
attribute hal_wifi_offload_client;
|
||||
expandattribute hal_wifi_offload_client true;
|
||||
attribute hal_wifi_offload_server;
|
||||
expandattribute hal_wifi_offload_server false;
|
||||
attribute hal_wifi_supplicant;
|
||||
expandattribute hal_wifi_supplicant true;
|
||||
attribute hal_wifi_supplicant_client;
|
||||
expandattribute hal_wifi_supplicant_client true;
|
||||
attribute hal_wifi_supplicant_server;
|
||||
expandattribute hal_wifi_supplicant_server false;
|
||||
hal_attribute(allocator);
|
||||
hal_attribute(audio);
|
||||
hal_attribute(bluetooth);
|
||||
hal_attribute(bootctl);
|
||||
hal_attribute(broadcastradio);
|
||||
hal_attribute(camera);
|
||||
hal_attribute(configstore);
|
||||
hal_attribute(contexthub);
|
||||
hal_attribute(drm);
|
||||
hal_attribute(cas);
|
||||
hal_attribute(dumpstate);
|
||||
hal_attribute(fingerprint);
|
||||
hal_attribute(gatekeeper);
|
||||
hal_attribute(gnss);
|
||||
hal_attribute(graphics_allocator);
|
||||
hal_attribute(graphics_composer);
|
||||
hal_attribute(health);
|
||||
hal_attribute(ir);
|
||||
hal_attribute(keymaster);
|
||||
hal_attribute(light);
|
||||
hal_attribute(lowpan);
|
||||
hal_attribute(memtrack);
|
||||
hal_attribute(neuralnetworks);
|
||||
hal_attribute(nfc);
|
||||
hal_attribute(oemlock);
|
||||
hal_attribute(power);
|
||||
hal_attribute(sensors);
|
||||
hal_attribute(telephony);
|
||||
hal_attribute(tetheroffload);
|
||||
hal_attribute(thermal);
|
||||
hal_attribute(tv_cec);
|
||||
hal_attribute(tv_input);
|
||||
hal_attribute(usb);
|
||||
hal_attribute(vibrator);
|
||||
hal_attribute(vr);
|
||||
hal_attribute(weaver);
|
||||
hal_attribute(wifi);
|
||||
hal_attribute(wifi_offload);
|
||||
hal_attribute(wifi_supplicant);
|
||||
|
||||
# HwBinder services offered across the core-vendor boundary
|
||||
#
|
||||
|
|
|
@ -30,6 +30,7 @@ type hw_random_device, dev_type;
|
|||
type input_device, dev_type;
|
||||
type kmem_device, dev_type;
|
||||
type port_device, dev_type;
|
||||
type lowpan_device, dev_type;
|
||||
type mtd_device, dev_type;
|
||||
type mtp_device, dev_type, mlstrustedobject;
|
||||
type nfc_device, dev_type;
|
||||
|
|
|
@ -153,6 +153,9 @@ read_runtime_log_tags(dumpstate)
|
|||
# Read files in /proc
|
||||
allow dumpstate proc_meminfo:file r_file_perms;
|
||||
allow dumpstate proc_net:file r_file_perms;
|
||||
allow dumpstate proc_pagetypeinfo:file r_file_perms;
|
||||
allow dumpstate proc_version:file r_file_perms;
|
||||
allow dumpstate proc_vmallocinfo:file r_file_perms;
|
||||
r_dir_file(dumpstate, proc)
|
||||
|
||||
# Read network state info files.
|
||||
|
@ -186,7 +189,15 @@ userdebug_or_eng(`
|
|||
allow dumpstate misc_logd_file:file r_file_perms;
|
||||
')
|
||||
|
||||
allow dumpstate { service_manager_type -gatekeeper_service -dumpstate_service -incident_service -virtual_touchpad_service -vr_hwc_service }:service_manager find;
|
||||
allow dumpstate {
|
||||
service_manager_type
|
||||
-dumpstate_service
|
||||
-gatekeeper_service
|
||||
-incident_service
|
||||
-virtual_touchpad_service
|
||||
-vold_service
|
||||
-vr_hwc_service
|
||||
}:service_manager find;
|
||||
allow dumpstate servicemanager:service_manager list;
|
||||
allow dumpstate hwservicemanager:hwservice_manager list;
|
||||
|
||||
|
|
|
@ -5,8 +5,11 @@ allow e2fs block_device:blk_file getattr;
|
|||
allow e2fs block_device:dir search;
|
||||
allow e2fs userdata_block_device:blk_file rw_file_perms;
|
||||
|
||||
# access /proc/filesystems
|
||||
allow e2fs proc:file r_file_perms;
|
||||
allow e2fs {
|
||||
proc_filesystems
|
||||
proc_mounts
|
||||
proc_swaps
|
||||
}:file r_file_perms;
|
||||
|
||||
# access /sys/fs/ext4/features
|
||||
allow e2fs sysfs_fs_ext4_features:file r_file_perms;
|
||||
|
|
|
@ -13,16 +13,23 @@ type usermodehelper, fs_type;
|
|||
type sysfs_usermodehelper, fs_type, sysfs_type;
|
||||
type qtaguid_proc, fs_type, mlstrustedobject;
|
||||
type proc_bluetooth_writable, fs_type;
|
||||
type proc_asound_cards, fs_type;
|
||||
type proc_cmdline, fs_type;
|
||||
type proc_cpuinfo, fs_type;
|
||||
type proc_filesystems, fs_type;
|
||||
type proc_interrupts, fs_type;
|
||||
type proc_iomem, fs_type;
|
||||
type proc_kmsg, fs_type;
|
||||
type proc_loadavg, fs_type;
|
||||
type proc_meminfo, fs_type;
|
||||
type proc_misc, fs_type;
|
||||
type proc_modules, fs_type;
|
||||
type proc_mounts, fs_type;
|
||||
type proc_net, fs_type;
|
||||
type proc_pagetypeinfo, fs_type;
|
||||
type proc_perf, fs_type;
|
||||
type proc_stat, fs_type;
|
||||
type proc_swaps, fs_type;
|
||||
type proc_sysrq, fs_type;
|
||||
type proc_timer, fs_type;
|
||||
type proc_tty_drivers, fs_type;
|
||||
|
@ -31,6 +38,8 @@ type proc_uid_cputime_removeuid, fs_type;
|
|||
type proc_uid_io_stats, fs_type;
|
||||
type proc_uid_procstat_set, fs_type;
|
||||
type proc_uid_time_in_state, fs_type;
|
||||
type proc_version, fs_type;
|
||||
type proc_vmallocinfo, fs_type;
|
||||
type proc_zoneinfo, fs_type;
|
||||
type selinuxfs, fs_type, mlstrustedobject;
|
||||
type cgroup, fs_type, mlstrustedobject;
|
||||
|
|
|
@ -30,7 +30,10 @@ allow fsck dm_device:blk_file rw_file_perms;
|
|||
# major/minor values.
|
||||
allow fsck dev_type:blk_file getattr;
|
||||
|
||||
r_dir_file(fsck, proc)
|
||||
allow fsck {
|
||||
proc_mounts
|
||||
proc_swaps
|
||||
}:file r_file_perms;
|
||||
allow fsck rootfs:dir r_dir_perms;
|
||||
|
||||
###
|
||||
|
|
|
@ -12,7 +12,7 @@ allow fsck_untrusted vold:fifo_file { read write getattr };
|
|||
allow fsck_untrusted block_device:dir search;
|
||||
allow fsck_untrusted vold_device:blk_file rw_file_perms;
|
||||
|
||||
r_dir_file(fsck_untrusted, proc)
|
||||
allow fsck_untrusted proc_mounts:file r_file_perms;
|
||||
|
||||
# To determine if it is safe to run fsck on a filesystem, e2fsck
|
||||
# must first determine if the filesystem is mounted. To do that,
|
||||
|
|
|
@ -14,6 +14,7 @@ userdebug_or_eng(`
|
|||
')
|
||||
|
||||
r_dir_file(hal_audio, proc)
|
||||
r_dir_file(hal_audio, proc_asound_cards)
|
||||
allow hal_audio audio_device:dir r_dir_perms;
|
||||
allow hal_audio audio_device:chr_file rw_file_perms;
|
||||
|
||||
|
|
21
public/hal_lowpan.te
Normal file
21
public/hal_lowpan.te
Normal file
|
@ -0,0 +1,21 @@
|
|||
# HwBinder IPC from client to server, and callbacks
|
||||
binder_call(hal_lowpan_client, hal_lowpan_server)
|
||||
binder_call(hal_lowpan_server, hal_lowpan_client)
|
||||
|
||||
add_hwservice(hal_lowpan_server, hal_lowpan_hwservice)
|
||||
|
||||
# Allow hal_lowpan_client to be able to find the hal_lowpan_server
|
||||
allow hal_lowpan_client hal_lowpan_hwservice:hwservice_manager find;
|
||||
|
||||
# hal_lowpan domain can write/read to/from lowpan_prop
|
||||
set_prop(hal_lowpan_server, lowpan_prop)
|
||||
|
||||
# Allow hal_lowpan_server to open lowpan_devices
|
||||
allow hal_lowpan_server lowpan_device:chr_file rw_file_perms;
|
||||
|
||||
###
|
||||
### neverallow rules
|
||||
###
|
||||
|
||||
# Only LoWPAN HAL may directly access LoWPAN hardware
|
||||
neverallow { domain -hal_lowpan_server -init -ueventd } lowpan_device:chr_file ~getattr;
|
|
@ -22,6 +22,7 @@ type hal_health_hwservice, hwservice_manager_type;
|
|||
type hal_ir_hwservice, hwservice_manager_type;
|
||||
type hal_keymaster_hwservice, hwservice_manager_type;
|
||||
type hal_light_hwservice, hwservice_manager_type;
|
||||
type hal_lowpan_hwservice, hwservice_manager_type;
|
||||
type hal_memtrack_hwservice, hwservice_manager_type;
|
||||
type hal_neuralnetworks_hwservice, hwservice_manager_type;
|
||||
type hal_nfc_hwservice, hwservice_manager_type;
|
||||
|
|
|
@ -271,6 +271,12 @@ allow init proc_sysrq:file w_file_perms;
|
|||
# Read /proc/stat for bootchart.
|
||||
allow init proc_stat:file r_file_perms;
|
||||
|
||||
# Read /proc/version.
|
||||
allow init proc_version:file r_file_perms;
|
||||
|
||||
# Read /proc/cmdline
|
||||
allow init proc_cmdline:file r_file_perms;
|
||||
|
||||
# Reboot.
|
||||
allow init self:capability sys_boot;
|
||||
|
||||
|
|
|
@ -6,6 +6,7 @@ allow kernel self:capability sys_nice;
|
|||
# Root fs.
|
||||
r_dir_file(kernel, rootfs)
|
||||
r_dir_file(kernel, proc)
|
||||
allow kernel proc_cmdline:file r_file_perms;
|
||||
|
||||
# Get SELinux enforcing status.
|
||||
allow kernel selinuxfs:dir r_dir_perms;
|
||||
|
|
|
@ -29,6 +29,7 @@ type logd_prop, property_type, core_property_type;
|
|||
type logpersistd_logging_prop, property_type;
|
||||
type log_prop, property_type, log_property_type;
|
||||
type log_tag_prop, property_type, log_property_type;
|
||||
type lowpan_prop, property_type;
|
||||
type mmc_prop, property_type;
|
||||
type net_dns_prop, property_type;
|
||||
type net_radio_prop, property_type, core_property_type;
|
||||
|
|
|
@ -32,7 +32,7 @@ allow sdcardd vold:fifo_file { read write getattr };
|
|||
allow sdcardd mnt_expand_file:dir search;
|
||||
|
||||
# access /proc/filesystems
|
||||
allow sdcardd proc:file r_file_perms;
|
||||
allow sdcardd proc_filesystems:file r_file_perms;
|
||||
|
||||
###
|
||||
### neverallow rules
|
||||
|
|
|
@ -27,6 +27,7 @@ type system_app_service, service_manager_type;
|
|||
type thermal_service, service_manager_type;
|
||||
type update_engine_service, service_manager_type;
|
||||
type virtual_touchpad_service, service_manager_type;
|
||||
type vold_service, service_manager_type;
|
||||
type vr_hwc_service, service_manager_type;
|
||||
|
||||
# system_server_services broken down
|
||||
|
@ -71,6 +72,7 @@ type netd_listener_service, system_server_service, service_manager_type;
|
|||
type DockObserver_service, system_server_service, service_manager_type;
|
||||
type dreams_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
|
||||
type dropbox_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
|
||||
type lowpan_service, system_api_service, system_server_service, service_manager_type;
|
||||
type ethernet_service, app_api_service, system_server_service, service_manager_type;
|
||||
type fingerprint_service, app_api_service, system_server_service, service_manager_type;
|
||||
type gfxinfo_service, system_api_service, system_server_service, service_manager_type;
|
||||
|
|
|
@ -89,7 +89,16 @@ allow shell servicemanager:service_manager list;
|
|||
# don't allow shell to access GateKeeper service
|
||||
# TODO: why is this so broad? Tightening candidate? It needs at list:
|
||||
# - dumpstate_service (so it can receive dumpstate progress updates)
|
||||
allow shell { service_manager_type -gatekeeper_service -incident_service -installd_service -netd_service -virtual_touchpad_service -vr_hwc_service }:service_manager find;
|
||||
allow shell {
|
||||
service_manager_type
|
||||
-gatekeeper_service
|
||||
-incident_service
|
||||
-installd_service
|
||||
-netd_service
|
||||
-virtual_touchpad_service
|
||||
-vold_service
|
||||
-vr_hwc_service
|
||||
}:service_manager find;
|
||||
allow shell dumpstate:binder call;
|
||||
|
||||
# allow shell to get information from hwservicemanager
|
||||
|
|
43
public/su.te
43
public/su.te
|
@ -50,4 +50,47 @@ userdebug_or_eng(`
|
|||
dontaudit su domain:drmservice *;
|
||||
dontaudit su unlabeled:filesystem *;
|
||||
dontaudit su postinstall_file:filesystem *;
|
||||
|
||||
# VTS tests run in the permissive su domain on debug builds, but the HALs
|
||||
# being tested run in enforcing mode. Because hal_foo_server is enforcing
|
||||
# su needs to be declared as hal_foo_client to grant hal_foo_server
|
||||
# permission to interact with it.
|
||||
typeattribute su halclientdomain;
|
||||
typeattribute su hal_allocator_client;
|
||||
typeattribute su hal_audio_client;
|
||||
typeattribute su hal_bluetooth_client;
|
||||
typeattribute su hal_bootctl_client;
|
||||
typeattribute su hal_camera_client;
|
||||
typeattribute su hal_configstore_client;
|
||||
typeattribute su hal_contexthub_client;
|
||||
typeattribute su hal_drm_client;
|
||||
typeattribute su hal_cas_client;
|
||||
typeattribute su hal_dumpstate_client;
|
||||
typeattribute su hal_fingerprint_client;
|
||||
typeattribute su hal_gatekeeper_client;
|
||||
typeattribute su hal_gnss_client;
|
||||
typeattribute su hal_graphics_allocator_client;
|
||||
typeattribute su hal_graphics_composer_client;
|
||||
typeattribute su hal_health_client;
|
||||
typeattribute su hal_ir_client;
|
||||
typeattribute su hal_keymaster_client;
|
||||
typeattribute su hal_light_client;
|
||||
typeattribute su hal_memtrack_client;
|
||||
typeattribute su hal_neuralnetworks_client;
|
||||
typeattribute su hal_nfc_client;
|
||||
typeattribute su hal_oemlock_client;
|
||||
typeattribute su hal_power_client;
|
||||
typeattribute su hal_sensors_client;
|
||||
typeattribute su hal_telephony_client;
|
||||
typeattribute su hal_tetheroffload_client;
|
||||
typeattribute su hal_thermal_client;
|
||||
typeattribute su hal_tv_cec_client;
|
||||
typeattribute su hal_tv_input_client;
|
||||
typeattribute su hal_usb_client;
|
||||
typeattribute su hal_vibrator_client;
|
||||
typeattribute su hal_vr_client;
|
||||
typeattribute su hal_weaver_client;
|
||||
typeattribute su hal_wifi_client;
|
||||
typeattribute su hal_wifi_offload_client;
|
||||
typeattribute su hal_wifi_supplicant_client;
|
||||
')
|
||||
|
|
|
@ -201,6 +201,22 @@ define(`bluetooth_domain', `
|
|||
typeattribute $1 bluetoothdomain;
|
||||
')
|
||||
|
||||
#####################################
|
||||
# hal_attribute(hal_name)
|
||||
# Add an attribute for hal implementations along with necessary
|
||||
# restrictions.
|
||||
define(`hal_attribute', `
|
||||
attribute hal_$1;
|
||||
expandattribute hal_$1 true;
|
||||
attribute hal_$1_client;
|
||||
expandattribute hal_$1_client true;
|
||||
attribute hal_$1_server;
|
||||
expandattribute hal_$1_server false;
|
||||
|
||||
neverallow { hal_$1_client -halclientdomain } domain:process fork;
|
||||
neverallow { hal_$1_server -halserverdomain } domain:process fork;
|
||||
')
|
||||
|
||||
#####################################
|
||||
# hal_server_domain(domain, hal_type)
|
||||
# Allow a base set of permissions required for a domain to offer a
|
||||
|
|
|
@ -8,16 +8,20 @@
|
|||
type vdc, domain;
|
||||
type vdc_exec, exec_type, file_type;
|
||||
|
||||
# TODO: remove as part of 13758960
|
||||
unix_socket_connect(vdc, vold, vold)
|
||||
|
||||
# vdc sends information back to dumpstate when "adb bugreport" is used
|
||||
# TODO: remove as part of 13758960
|
||||
allow vdc dumpstate:fd use;
|
||||
allow vdc dumpstate:unix_stream_socket { read write getattr };
|
||||
|
||||
# vdc information is written to shell owned bugreport files
|
||||
# TODO: remove as part of 13758960
|
||||
allow vdc shell_data_file:file { write getattr };
|
||||
|
||||
# Why?
|
||||
# TODO: remove as part of 13758960
|
||||
allow vdc dumpstate:unix_dgram_socket { read write };
|
||||
|
||||
# vdc can be invoked with logwrapper, so let it write to pty
|
||||
|
@ -25,3 +29,8 @@ allow vdc devpts:chr_file rw_file_perms;
|
|||
|
||||
# vdc writes directly to kmsg during the boot process
|
||||
allow vdc kmsg_device:chr_file w_file_perms;
|
||||
|
||||
# vdc talks to vold over Binder
|
||||
binder_use(vdc)
|
||||
binder_call(vdc, vold)
|
||||
allow vdc vold_service:service_manager find;
|
||||
|
|
|
@ -8,7 +8,6 @@ allow vold cache_file:file { getattr read };
|
|||
allow vold cache_file:lnk_file r_file_perms;
|
||||
|
||||
# Read access to pseudo filesystems.
|
||||
r_dir_file(vold, proc)
|
||||
r_dir_file(vold, proc_net)
|
||||
r_dir_file(vold, sysfs_type)
|
||||
# XXX Label sysfs files with a specific type?
|
||||
|
@ -17,7 +16,13 @@ allow vold sysfs_usb:file w_file_perms;
|
|||
allow vold sysfs_zram_uevent:file w_file_perms;
|
||||
|
||||
r_dir_file(vold, rootfs)
|
||||
allow vold proc_meminfo:file r_file_perms;
|
||||
allow vold {
|
||||
proc_cmdline
|
||||
proc_drop_caches
|
||||
proc_filesystems
|
||||
proc_meminfo
|
||||
proc_mounts
|
||||
}:file r_file_perms;
|
||||
|
||||
#Get file contexts
|
||||
allow vold file_contexts_file:file r_file_perms;
|
||||
|
@ -135,8 +140,15 @@ allow vold unlabeled:file { r_file_perms setattr relabelfrom };
|
|||
# Handle wake locks (used for device encryption)
|
||||
wakelock_use(vold)
|
||||
|
||||
# talk to batteryservice
|
||||
# Allow vold to publish a binder service and make binder calls.
|
||||
binder_use(vold)
|
||||
add_service(vold, vold_service)
|
||||
|
||||
# Allow vold to call into the system server so it can check permissions.
|
||||
binder_call(vold, system_server)
|
||||
allow vold permission_service:service_manager find;
|
||||
|
||||
# talk to batteryservice
|
||||
binder_call(vold, healthd)
|
||||
|
||||
# talk to keymaster
|
||||
|
@ -191,6 +203,18 @@ neverallow { domain -vold -init } vold_data_file:dir *;
|
|||
neverallow { domain -vold -init -kernel } vold_data_file:notdevfile_class_set *;
|
||||
neverallow { domain -vold -init } restorecon_prop:property_service set;
|
||||
|
||||
# Only system_server and vdc can interact with vold over binder
|
||||
neverallow { domain -system_server -vdc -vold } vold_service:service_manager find;
|
||||
neverallow vold {
|
||||
domain
|
||||
-hal_keymaster
|
||||
-healthd
|
||||
-hwservicemanager
|
||||
-servicemanager
|
||||
-system_server
|
||||
userdebug_or_eng(`-su')
|
||||
}:binder call;
|
||||
|
||||
neverallow vold fsck_exec:file execute_no_trans;
|
||||
neverallow { domain -init } vold:process { transition dyntransition };
|
||||
neverallow vold *:process ptrace;
|
||||
|
|
|
@ -47,3 +47,13 @@ python_binary_host {
|
|||
required: ["libsepolwrap"],
|
||||
defaults: ["py2_only"],
|
||||
}
|
||||
|
||||
python_binary_host {
|
||||
name: "searchpolicy",
|
||||
srcs: [
|
||||
"searchpolicy.py",
|
||||
"policy.py",
|
||||
],
|
||||
required: ["libsepolwrap"],
|
||||
defaults: ["py2_only"],
|
||||
}
|
||||
|
|
|
@ -9,6 +9,9 @@ void destroy_policy(void *policydbp);
|
|||
void *init_avtab(void *policydbp);
|
||||
void *init_cond_avtab(void *policydbp);
|
||||
void destroy_avtab(void *avtab_iterp);
|
||||
void *init_expanded_avtab(void *policydbp);
|
||||
void *init_expanded_cond_avtab(void *policydbp);
|
||||
void destroy_expanded_avtab(void *avtab_iterp);
|
||||
int get_type(char *out, size_t max_size, void *policydbp, void *type_iterp);
|
||||
void *init_type_iter(void *policydbp, const char *type, bool is_attr);
|
||||
void destroy_type_iter(void *type_iterp);
|
||||
|
|
114
tests/policy.py
114
tests/policy.py
|
@ -41,7 +41,8 @@ class TERule:
|
|||
self.rule = rule
|
||||
|
||||
class Policy:
|
||||
__Rules = None
|
||||
__ExpandedRules = set()
|
||||
__Rules = set()
|
||||
__FcDict = None
|
||||
__libsepolwrap = None
|
||||
__policydbP = None
|
||||
|
@ -97,6 +98,50 @@ class Policy:
|
|||
self.__libsepolwrap.destroy_type_iter(TypeIterP)
|
||||
return TypeAttr
|
||||
|
||||
def __TERuleMatch(self, Rule, **kwargs):
|
||||
# Match source type
|
||||
if ("scontext" in kwargs and
|
||||
len(kwargs['scontext']) > 0 and
|
||||
Rule.sctx not in kwargs['scontext']):
|
||||
return False
|
||||
# Match target type
|
||||
if ("tcontext" in kwargs and
|
||||
len(kwargs['tcontext']) > 0 and
|
||||
Rule.tctx not in kwargs['tcontext']):
|
||||
return False
|
||||
# Match target class
|
||||
if ("tclass" in kwargs and
|
||||
len(kwargs['tclass']) > 0 and
|
||||
not bool(set([Rule.tclass]) & kwargs['tclass'])):
|
||||
return False
|
||||
# Match any perms
|
||||
if ("perms" in kwargs and
|
||||
len(kwargs['perms']) > 0 and
|
||||
not bool(Rule.perms & kwargs['perms'])):
|
||||
return False
|
||||
return True
|
||||
|
||||
# resolve a type to its attributes or
|
||||
# resolve an attribute to its types and attributes
|
||||
# For example if scontext is the domain attribute, then we need to
|
||||
# include all types with the domain attribute such as untrusted_app and
|
||||
# priv_app and all the attributes of those types such as appdomain.
|
||||
def ResolveTypeAttribute(self, Type):
|
||||
types = self.GetAllTypes(False)
|
||||
attributes = self.GetAllTypes(True)
|
||||
|
||||
if Type in types:
|
||||
return self.QueryTypeAttribute(Type, False)
|
||||
elif Type in attributes:
|
||||
TypesAndAttributes = set()
|
||||
Types = self.QueryTypeAttribute(Type, True)
|
||||
TypesAndAttributes |= Types
|
||||
for T in Types:
|
||||
TypesAndAttributes |= self.QueryTypeAttribute(T, False)
|
||||
return TypesAndAttributes
|
||||
else:
|
||||
return set()
|
||||
|
||||
# Return all TERules that match:
|
||||
# (any scontext) or (any tcontext) or (any tclass) or (any perms),
|
||||
# perms.
|
||||
|
@ -106,23 +151,32 @@ class Policy:
|
|||
# Will return any rule with:
|
||||
# (tcontext="foo" or tcontext="bar") and ("entrypoint" in perms)
|
||||
def QueryTERule(self, **kwargs):
|
||||
if self.__Rules is None:
|
||||
if len(self.__Rules) == 0:
|
||||
self.__InitTERules()
|
||||
|
||||
# add any matching types and attributes for scontext and tcontext
|
||||
if ("scontext" in kwargs and len(kwargs['scontext']) > 0):
|
||||
scontext = set()
|
||||
for sctx in kwargs['scontext']:
|
||||
scontext |= self.ResolveTypeAttribute(sctx)
|
||||
kwargs['scontext'] = scontext
|
||||
if ("tcontext" in kwargs and len(kwargs['tcontext']) > 0):
|
||||
tcontext = set()
|
||||
for tctx in kwargs['tcontext']:
|
||||
tcontext |= self.ResolveTypeAttribute(tctx)
|
||||
kwargs['tcontext'] = tcontext
|
||||
for Rule in self.__Rules:
|
||||
# Match source type
|
||||
if "scontext" in kwargs and Rule.sctx not in kwargs['scontext']:
|
||||
continue
|
||||
# Match target type
|
||||
if "tcontext" in kwargs and Rule.tctx not in kwargs['tcontext']:
|
||||
continue
|
||||
# Match target class
|
||||
if "tclass" in kwargs and Rule.tclass not in kwargs['tclass']:
|
||||
continue
|
||||
# Match any perms
|
||||
if "perms" in kwargs and not bool(Rule.perms & set(kwargs['perms'])):
|
||||
continue
|
||||
if self.__TERuleMatch(Rule, **kwargs):
|
||||
yield Rule
|
||||
|
||||
# Same as QueryTERule but only using the expanded ruleset.
|
||||
# i.e. all attributes have been expanded to their various types.
|
||||
def QueryExpandedTERule(self, **kwargs):
|
||||
if len(self.__ExpandedRules) == 0:
|
||||
self.__InitExpandedTERules()
|
||||
for Rule in self.__ExpandedRules:
|
||||
if self.__TERuleMatch(Rule, **kwargs):
|
||||
yield Rule
|
||||
|
||||
def GetAllTypes(self, isAttr):
|
||||
TypeIterP = self.__libsepolwrap.init_type_iter(self.__policydbP, None, isAttr)
|
||||
|
@ -155,9 +209,9 @@ class Policy:
|
|||
return Types
|
||||
|
||||
|
||||
def __GetTERules(self, policydbP, avtabIterP):
|
||||
if self.__Rules is None:
|
||||
self.__Rules = set()
|
||||
def __GetTERules(self, policydbP, avtabIterP, Rules):
|
||||
if Rules is None:
|
||||
Rules = set()
|
||||
buf = create_string_buffer(self.__BUFSIZE)
|
||||
ret = 0
|
||||
while True:
|
||||
|
@ -165,7 +219,7 @@ class Policy:
|
|||
policydbP, avtabIterP)
|
||||
if ret == 0:
|
||||
Rule = TERule(buf.value)
|
||||
self.__Rules.add(Rule)
|
||||
Rules.add(Rule)
|
||||
continue
|
||||
if ret == 1:
|
||||
break;
|
||||
|
@ -176,14 +230,26 @@ class Policy:
|
|||
avtabIterP = self.__libsepolwrap.init_avtab(self.__policydbP)
|
||||
if (avtabIterP == None):
|
||||
sys.exit("Failed to initialize avtab")
|
||||
self.__GetTERules(self.__policydbP, avtabIterP)
|
||||
self.__GetTERules(self.__policydbP, avtabIterP, self.__Rules)
|
||||
self.__libsepolwrap.destroy_avtab(avtabIterP)
|
||||
avtabIterP = self.__libsepolwrap.init_cond_avtab(self.__policydbP)
|
||||
if (avtabIterP == None):
|
||||
sys.exit("Failed to initialize conditional avtab")
|
||||
self.__GetTERules(self.__policydbP, avtabIterP)
|
||||
self.__GetTERules(self.__policydbP, avtabIterP, self.__Rules)
|
||||
self.__libsepolwrap.destroy_avtab(avtabIterP)
|
||||
|
||||
def __InitExpandedTERules(self):
|
||||
avtabIterP = self.__libsepolwrap.init_expanded_avtab(self.__policydbP)
|
||||
if (avtabIterP == None):
|
||||
sys.exit("Failed to initialize avtab")
|
||||
self.__GetTERules(self.__policydbP, avtabIterP, self.__ExpandedRules)
|
||||
self.__libsepolwrap.destroy_expanded_avtab(avtabIterP)
|
||||
avtabIterP = self.__libsepolwrap.init_expanded_cond_avtab(self.__policydbP)
|
||||
if (avtabIterP == None):
|
||||
sys.exit("Failed to initialize conditional avtab")
|
||||
self.__GetTERules(self.__policydbP, avtabIterP, self.__ExpandedRules)
|
||||
self.__libsepolwrap.destroy_expanded_avtab(avtabIterP)
|
||||
|
||||
# load ctypes-ified libsepol wrapper
|
||||
def __InitLibsepolwrap(self, LibPath):
|
||||
if "linux" in sys.platform:
|
||||
|
@ -201,6 +267,14 @@ class Policy:
|
|||
lib.load_policy.argtypes = [c_char_p]
|
||||
# void destroy_policy(void *policydbp);
|
||||
lib.destroy_policy.argtypes = [c_void_p]
|
||||
# void *init_expanded_avtab(void *policydbp);
|
||||
lib.init_expanded_avtab.restype = c_void_p
|
||||
lib.init_expanded_avtab.argtypes = [c_void_p]
|
||||
# void *init_expanded_cond_avtab(void *policydbp);
|
||||
lib.init_expanded_cond_avtab.restype = c_void_p
|
||||
lib.init_expanded_cond_avtab.argtypes = [c_void_p]
|
||||
# void destroy_expanded_avtab(void *avtab_iterp);
|
||||
lib.destroy_expanded_avtab.argtypes = [c_void_p]
|
||||
# void *init_avtab(void *policydbp);
|
||||
lib.init_avtab.restype = c_void_p
|
||||
lib.init_avtab.argtypes = [c_void_p]
|
||||
|
|
73
tests/searchpolicy.py
Normal file
73
tests/searchpolicy.py
Normal file
|
@ -0,0 +1,73 @@
|
|||
#!/usr/bin/env python
|
||||
|
||||
import argparse
|
||||
import policy
|
||||
|
||||
parser = argparse.ArgumentParser(
|
||||
description="SELinux policy rule search tool. Intended to have a similar "
|
||||
+ "API as sesearch, but simplified to use only code availabe in AOSP")
|
||||
parser.add_argument("policy", help="Path to the SELinux policy to search.", nargs="?")
|
||||
parser.add_argument("--libpath", dest="libpath", help="Path to the libsepolwrap.so", nargs="?")
|
||||
tertypes = parser.add_argument_group("TE Rule Types")
|
||||
tertypes.add_argument("--allow", action="append_const",
|
||||
const="allow", dest="tertypes",
|
||||
help="Search allow rules.")
|
||||
expr = parser.add_argument_group("Expressions")
|
||||
expr.add_argument("-s", "--source",
|
||||
help="Source type/role of the TE/RBAC rule.")
|
||||
expr.add_argument("-t", "--target",
|
||||
help="Target type/role of the TE/RBAC rule.")
|
||||
expr.add_argument("-c", "--class", dest="tclass",
|
||||
help="Comma separated list of object classes")
|
||||
expr.add_argument("-p", "--perms", metavar="PERMS",
|
||||
help="Comma separated list of permissions.")
|
||||
|
||||
args = parser.parse_args()
|
||||
|
||||
if not args.tertypes:
|
||||
parser.error("Must specify \"--allow\"")
|
||||
|
||||
if not args.policy:
|
||||
parser.error("Must include path to policy")
|
||||
if not args.libpath:
|
||||
parser.error("Must include path to libsepolwrap library")
|
||||
|
||||
if not (args.source or args.target or args.tclass or args.perms):
|
||||
parser.error("Must something to filter on, e.g. --source, --target, etc.")
|
||||
|
||||
pol = policy.Policy(args.policy, None, args.libpath)
|
||||
|
||||
if args.source:
|
||||
scontext = {args.source}
|
||||
else:
|
||||
scontext = set()
|
||||
if args.target:
|
||||
tcontext = {args.target}
|
||||
else:
|
||||
tcontext = set()
|
||||
if args.tclass:
|
||||
tclass = set(args.tclass.split(","))
|
||||
else:
|
||||
tclass = set()
|
||||
if args.perms:
|
||||
perms = set(args.perms.split(","))
|
||||
else:
|
||||
perms = set()
|
||||
|
||||
TERules = pol.QueryTERule(scontext=scontext,
|
||||
tcontext=tcontext,
|
||||
tclass=tclass,
|
||||
perms=perms)
|
||||
|
||||
# format rules for printing
|
||||
rules = []
|
||||
for r in TERules:
|
||||
if len(r.perms) > 1:
|
||||
rules.append("allow " + r.sctx + " " + r.tctx + ":" + r.tclass + " { " +
|
||||
" ".join(r.perms) + " };")
|
||||
else:
|
||||
rules.append("allow " + r.sctx + " " + r.tctx + ":" + r.tclass + " " +
|
||||
" ".join(r.perms) + ";")
|
||||
|
||||
for r in sorted(rules):
|
||||
print r
|
|
@ -181,7 +181,7 @@ void *load_policy(const char *policy_path)
|
|||
|
||||
/* items needed to iterate over the avtab */
|
||||
struct avtab_iter {
|
||||
avtab_t avtab;
|
||||
avtab_t *avtab;
|
||||
uint32_t i;
|
||||
avtab_ptr_t cur;
|
||||
};
|
||||
|
@ -198,9 +198,9 @@ static int get_avtab_allow_rule(char *out, size_t max_size, policydb_t *db,
|
|||
{
|
||||
size_t len;
|
||||
|
||||
for (; avtab_i->i < avtab_i->avtab.nslot; (avtab_i->i)++) {
|
||||
for (; avtab_i->i < avtab_i->avtab->nslot; (avtab_i->i)++) {
|
||||
if (avtab_i->cur == NULL) {
|
||||
avtab_i->cur = avtab_i->avtab.htable[avtab_i->i];
|
||||
avtab_i->cur = avtab_i->avtab->htable[avtab_i->i];
|
||||
}
|
||||
for (; avtab_i->cur; avtab_i->cur = (avtab_i->cur)->next) {
|
||||
if (!((avtab_i->cur)->key.specified & AVTAB_ALLOWED)) continue;
|
||||
|
@ -233,6 +233,37 @@ int get_allow_rule(char *out, size_t len, void *policydbp, void *avtab_iterp)
|
|||
return get_avtab_allow_rule(out, len, db, avtab_i);
|
||||
}
|
||||
|
||||
static avtab_iter *init_avtab_common(avtab_t *in)
|
||||
{
|
||||
struct avtab_iter *out = (struct avtab_iter *)
|
||||
calloc(1, sizeof(struct avtab_iter));
|
||||
if (!out) {
|
||||
std::cerr << "Failed to allocate avtab iterator" << std::endl;
|
||||
return NULL;
|
||||
}
|
||||
|
||||
out->avtab = in;
|
||||
return out;
|
||||
}
|
||||
|
||||
void *init_avtab(void *policydbp)
|
||||
{
|
||||
policydb_t *p = static_cast<policydb_t *>(policydbp);
|
||||
return static_cast<void *>(init_avtab_common(&p->te_avtab));
|
||||
}
|
||||
|
||||
void *init_cond_avtab(void *policydbp)
|
||||
{
|
||||
policydb_t *p = static_cast<policydb_t *>(policydbp);
|
||||
return static_cast<void *>(init_avtab_common(&p->te_cond_avtab));
|
||||
}
|
||||
|
||||
void destroy_avtab(void *avtab_iterp)
|
||||
{
|
||||
struct avtab_iter *avtab_i = static_cast<struct avtab_iter *>(avtab_iterp);
|
||||
free(avtab_i);
|
||||
}
|
||||
|
||||
/*
|
||||
* <sepol/policydb/expand.h->conditional.h> uses 'bool' as a variable name
|
||||
* inside extern "C" { .. } construct, which clang doesn't like.
|
||||
|
@ -240,45 +271,57 @@ int get_allow_rule(char *out, size_t len, void *policydbp, void *avtab_iterp)
|
|||
*/
|
||||
extern "C" int expand_avtab(policydb_t *p, avtab_t *a, avtab_t *expa);
|
||||
|
||||
static avtab_iter *init_avtab_common(avtab_t *in, policydb_t *p)
|
||||
static avtab_iter *init_expanded_avtab_common(avtab_t *in, policydb_t *p)
|
||||
{
|
||||
struct avtab_iter *out = (struct avtab_iter *)
|
||||
calloc(1, sizeof(struct avtab_iter));
|
||||
if (!out) {
|
||||
std::cerr << "Failed to allocate avtab" << std::endl;
|
||||
std::cerr << "Failed to allocate avtab iterator" << std::endl;
|
||||
return NULL;
|
||||
}
|
||||
|
||||
if (avtab_init(&out->avtab)) {
|
||||
std::cerr << "Failed to initialize avtab" << std::endl;
|
||||
avtab_t *avtab = (avtab_t *) calloc(1, sizeof(avtab_t));
|
||||
|
||||
if (!avtab) {
|
||||
std::cerr << "Failed to allocate avtab" << std::endl;
|
||||
free(out);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
if (expand_avtab(p, in, &out->avtab)) {
|
||||
out->avtab = avtab;
|
||||
if (avtab_init(out->avtab)) {
|
||||
std::cerr << "Failed to initialize avtab" << std::endl;
|
||||
free(avtab);
|
||||
free(out);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
if (expand_avtab(p, in, out->avtab)) {
|
||||
std::cerr << "Failed to expand avtab" << std::endl;
|
||||
free(avtab);
|
||||
free(out);
|
||||
return NULL;
|
||||
}
|
||||
return out;
|
||||
}
|
||||
|
||||
void *init_avtab(void *policydbp)
|
||||
void *init_expanded_avtab(void *policydbp)
|
||||
{
|
||||
policydb_t *p = static_cast<policydb_t *>(policydbp);
|
||||
return static_cast<void *>(init_avtab_common(&p->te_avtab, p));
|
||||
return static_cast<void *>(init_expanded_avtab_common(&p->te_avtab, p));
|
||||
}
|
||||
|
||||
void *init_cond_avtab(void *policydbp)
|
||||
void *init_expanded_cond_avtab(void *policydbp)
|
||||
{
|
||||
policydb_t *p = static_cast<policydb_t *>(policydbp);
|
||||
return static_cast<void *>(init_avtab_common(&p->te_cond_avtab, p));
|
||||
return static_cast<void *>(init_expanded_avtab_common(&p->te_cond_avtab, p));
|
||||
}
|
||||
|
||||
void destroy_avtab(void *avtab_iterp)
|
||||
void destroy_expanded_avtab(void *avtab_iterp)
|
||||
{
|
||||
struct avtab_iter *avtab_i = static_cast<struct avtab_iter *>(avtab_iterp);
|
||||
avtab_destroy(&avtab_i->avtab);
|
||||
avtab_destroy(avtab_i->avtab);
|
||||
free(avtab_i->avtab);
|
||||
free(avtab_i);
|
||||
}
|
||||
|
||||
|
|
|
@ -76,6 +76,9 @@ alltypes = set()
|
|||
oldalltypes = set()
|
||||
compatMapping = None
|
||||
|
||||
# Distinguish between PRODUCT_FULL_TREBLE and PRODUCT_FULL_TREBLE_OVERRIDE
|
||||
FakeTreble = False
|
||||
|
||||
def GetAllDomains(pol):
|
||||
global alldomains
|
||||
for result in pol.QueryTypeAttribute("domain", True):
|
||||
|
@ -129,7 +132,7 @@ def GetCoreDomains():
|
|||
#
|
||||
def GetDomainEntrypoints(pol):
|
||||
global alldomains
|
||||
for x in pol.QueryTERule(tclass="file", perms=["entrypoint"]):
|
||||
for x in pol.QueryExpandedTERule(tclass=set(["file"]), perms=set(["entrypoint"])):
|
||||
if not x.sctx in alldomains:
|
||||
continue
|
||||
alldomains[x.sctx].entrypoints.append(str(x.tctx))
|
||||
|
@ -172,6 +175,14 @@ def compatSetup(pol, oldpol, mapping):
|
|||
GetAllTypes(pol, oldpol)
|
||||
compatMapping = mapping
|
||||
|
||||
def DomainsWithAttribute(attr):
|
||||
global alldomains
|
||||
domains = []
|
||||
for domain in alldomains:
|
||||
if attr in alldomains[domain].attributes:
|
||||
domains.append(domain)
|
||||
return domains
|
||||
|
||||
#############################################################
|
||||
# Tests
|
||||
#############################################################
|
||||
|
@ -255,6 +266,26 @@ def TestTrebleCompatMapping():
|
|||
ret = TestNoUnmappedNewTypes()
|
||||
ret += TestNoUnmappedRmTypes()
|
||||
return ret
|
||||
|
||||
def TestViolatorAttribute(attribute):
|
||||
global FakeTreble
|
||||
ret = ""
|
||||
if FakeTreble:
|
||||
return ret
|
||||
|
||||
violators = DomainsWithAttribute(attribute)
|
||||
if len(violators) > 0:
|
||||
ret += "SELinux: The following domains violate the Treble ban "
|
||||
ret += "against use of the " + attribute + " attribute: "
|
||||
ret += " ".join(str(x) for x in sorted(violators)) + "\n"
|
||||
return ret
|
||||
|
||||
def TestViolatorAttributes():
|
||||
ret = TestViolatorAttribute("binder_in_vendor_violators")
|
||||
ret += TestViolatorAttribute("socket_between_core_and_vendor_violators")
|
||||
ret += TestViolatorAttribute("vendor_executes_system_violators")
|
||||
return ret
|
||||
|
||||
###
|
||||
# extend OptionParser to allow the same option flag to be used multiple times.
|
||||
# This is used to allow multiple file_contexts files and tests to be
|
||||
|
@ -273,11 +304,13 @@ class MultipleOption(Option):
|
|||
Option.take_action(self, action, dest, opt, value, values, parser)
|
||||
|
||||
Tests = {"CoredomainViolations": TestCoredomainViolations,
|
||||
"TrebleCompatMapping": TestTrebleCompatMapping }
|
||||
"TrebleCompatMapping": TestTrebleCompatMapping,
|
||||
"ViolatorAttributes": TestViolatorAttributes}
|
||||
|
||||
if __name__ == '__main__':
|
||||
usage = "treble_sepolicy_tests.py -f nonplat_file_contexts -f "
|
||||
usage +="plat_file_contexts -p curr_policy -b base_policy -o old_policy "
|
||||
usage = "treble_sepolicy_tests.py -l out/host/linux-x86/lib64 "
|
||||
usage += "-f nonplat_file_contexts -f plat_file_contexts "
|
||||
usage += "-p curr_policy -b base_policy -o old_policy "
|
||||
usage +="-m mapping file [--test test] [--help]"
|
||||
parser = OptionParser(option_class=MultipleOption, usage=usage)
|
||||
parser.add_option("-b", "--basepolicy", dest="basepolicy", metavar="FILE")
|
||||
|
@ -288,8 +321,9 @@ if __name__ == '__main__':
|
|||
parser.add_option("-o", "--oldpolicy", dest="oldpolicy", metavar="FILE")
|
||||
parser.add_option("-p", "--policy", dest="policy", metavar="FILE")
|
||||
parser.add_option("-t", "--test", dest="tests", action="extend",
|
||||
|
||||
help="Test options include "+str(Tests))
|
||||
parser.add_option("--fake-treble", action="store_true", dest="faketreble",
|
||||
default=False)
|
||||
|
||||
(options, args) = parser.parse_args()
|
||||
|
||||
|
@ -317,6 +351,9 @@ if __name__ == '__main__':
|
|||
sys.exit("Error: File_contexts file " + f + " does not exist\n" +
|
||||
parser.usage)
|
||||
|
||||
if options.faketreble:
|
||||
FakeTreble = True
|
||||
|
||||
pol = policy.Policy(options.policy, options.file_contexts, options.libpath)
|
||||
setup(pol)
|
||||
basepol = policy.Policy(options.basepolicy, None, options.libpath)
|
||||
|
|
1
vendor/file_contexts
vendored
1
vendor/file_contexts
vendored
|
@ -20,6 +20,7 @@
|
|||
/(vendor|system/vendor)/bin/hw/android\.hardware\.ir@1\.0-service u:object_r:hal_ir_default_exec:s0
|
||||
/(vendor|system/vendor)/bin/hw/android\.hardware\.keymaster@3\.0-service u:object_r:hal_keymaster_default_exec:s0
|
||||
/(vendor|system/vendor)/bin/hw/android\.hardware\.light@2\.0-service u:object_r:hal_light_default_exec:s0
|
||||
/(vendor|system/vendor)/bin/hw/android\.hardware\.lowpan@1\.0-service u:object_r:hal_lowpan_default_exec:s0
|
||||
/(vendor|system/vendor)/bin/hw/android\.hardware\.memtrack@1\.0-service u:object_r:hal_memtrack_default_exec:s0
|
||||
/(vendor|system/vendor)/bin/hw/android\.hardware\.nfc@1\.0-service u:object_r:hal_nfc_default_exec:s0
|
||||
/(vendor|system/vendor)/bin/hw/android\.hardware\.media\.omx@1\.0-service u:object_r:mediacodec_exec:s0
|
||||
|
|
5
vendor/hal_lowpan_default.te
vendored
Normal file
5
vendor/hal_lowpan_default.te
vendored
Normal file
|
@ -0,0 +1,5 @@
|
|||
type hal_lowpan_default, domain;
|
||||
type hal_lowpan_default_exec, exec_type, vendor_file_type, file_type;
|
||||
|
||||
hal_server_domain(hal_lowpan_default, hal_lowpan)
|
||||
init_daemon_domain(hal_lowpan_default)
|
Loading…
Reference in a new issue