Revert "SELinux policy changes for uprobe."
This reverts commit c69343fea9.
Reason for revert: b/301700965
Change-Id: Id858e82398cb6dc65be355ce27f3c9d56f889cfa
parent
c69343fea9
commit
e2bd44d48d
6 changed files with 2 additions and 36 deletions
@ -41,8 +41,7 @@ neverallow { domain -bpfloader
|
|||
neverallow { domain -bpfloader -netd -network_stack -system_server } fs_bpf_netd_readonly:file { getattr read };
|
||||
neverallow { domain -bpfloader -netd -netutils_wrapper -network_stack -system_server } fs_bpf_netd_shared:file { getattr read };
|
||||
neverallow { domain -bpfloader -network_stack } fs_bpf_tethering:file { getattr read };
|
||||
neverallow { domain -bpfloader -uprobestats } fs_bpf_uprobe_private:file { getattr read };
|
||||
neverallow { domain -bpfloader -gpuservice -netd -netutils_wrapper -network_stack -system_server -uprobestats } { bpffs_type -fs_bpf_vendor }:file write;
|
||||
neverallow { domain -bpfloader -gpuservice -netd -netutils_wrapper -network_stack -system_server } { bpffs_type -fs_bpf_vendor }:file write;
|
||||
|
||||
neverallow { domain -bpfloader } bpffs_type:lnk_file ~read;
|
||||
neverallow { domain -bpfdomain } bpffs_type:lnk_file read;
|
||||
|
@ -63,9 +62,8 @@ neverallow {
|
|||
-netutils_wrapper
|
||||
-network_stack
|
||||
-system_server
|
||||
-uprobestats
|
||||
} *:bpf prog_run;
|
||||
neverallow { domain -bpfloader -gpuservice -lmkd -mediaprovider_app -netd -network_stack -system_server -uprobestats } *:bpf { map_read map_write };
|
||||
neverallow { domain -bpfloader -gpuservice -lmkd -mediaprovider_app -netd -network_stack -system_server } *:bpf { map_read map_write };
|
||||
neverallow { domain -bpfloader -init } bpfloader_exec:file { execute execute_no_trans };
|
||||
|
||||
neverallow { coredomain -bpfloader } fs_bpf_vendor:file *;
|
||||
|
|
|
@ -679,15 +679,6 @@ enforce_debugfs_restriction(`
|
|||
# Restrict write access to etm sysfs interface.
|
||||
neverallow { domain -ueventd -vendor_init } sysfs_devices_cs_etm:file no_w_file_perms;
|
||||
|
||||
# Restrict CAP_PERFMON.
|
||||
neverallow {
|
||||
domain
|
||||
-init
|
||||
userdebug_or_eng(`-simpleperf_boot')
|
||||
-kernel
|
||||
-uprobestats
|
||||
} self:capability2 perfmon;
|
||||
|
||||
# Restrict direct access to shell owned files. The /data/local/tmp directory is
|
||||
# untrustworthy, and non-allowed domains should not be trusting any content in
|
||||
# those directories. We allow shell files to be passed around by file
|
||||
|
|
|
@ -8,7 +8,6 @@ type fs_bpf_net_shared, fs_type, bpffs_type;
|
|||
type fs_bpf_netd_readonly, fs_type, bpffs_type;
|
||||
type fs_bpf_netd_shared, fs_type, bpffs_type;
|
||||
type fs_bpf_loader, fs_type, bpffs_type;
|
||||
type fs_bpf_uprobe_private, fs_type, bpffs_type;
|
||||
|
||||
# /data/misc/storaged
|
||||
type storaged_data_file, file_type, data_file_type, core_data_file_type;
|
||||
|
@ -143,6 +142,3 @@ type sysfs_dt_avf, fs_type, sysfs_type;
|
|||
|
||||
# Type for /system/fonts/font_fallback.xm
|
||||
type system_font_fallback_file, system_file_type, file_type;
|
||||
|
||||
# Type for /sys/devices/uprobe.
|
||||
type sysfs_uprobe, fs_type, sysfs_type;
|
||||
|
|
|
@ -383,7 +383,6 @@
|
|||
/system/bin/cardisplayproxyd u:object_r:automotive_display_service_exec:s0
|
||||
/system/bin/evsmanagerd u:object_r:evsmanagerd_exec:s0
|
||||
/system/bin/android\.automotive\.evs\.manager@1\.[0-9]+ u:object_r:evsmanagerd_exec:s0
|
||||
/system/bin/uprobestats u:object_r:uprobestats_exec:s0
|
||||
|
||||
#############################
|
||||
# Vendor files
|
||||
|
|
|
@ -177,7 +177,6 @@ genfscon sysfs /module/wlan/parameters/fwpath u:object_r:sysfs_wlan_fwpath:s0
|
|||
genfscon sysfs /devices/virtual/timed_output/vibrator/enable u:object_r:sysfs_vibrator:s0
|
||||
genfscon sysfs /devices/virtual/misc/uhid u:object_r:sysfs_uhid:s0
|
||||
genfscon sysfs /kernel/vendor_sched u:object_r:sysfs_vendor_sched:s0
|
||||
genfscon sysfs /devices/uprobe u:object_r:sysfs_uprobe:s0
|
||||
|
||||
genfscon debugfs /kprobes u:object_r:debugfs_kprobes:s0
|
||||
genfscon debugfs /mmc0 u:object_r:debugfs_mmc:s0
|
||||
|
@ -412,4 +411,3 @@ genfscon bpf /netd_readonly u:object_r:fs_bpf_netd_readonly:s0
|
|||
genfscon bpf /netd_shared u:object_r:fs_bpf_netd_shared:s0
|
||||
genfscon bpf /tethering u:object_r:fs_bpf_tethering:s0
|
||||
genfscon bpf /vendor u:object_r:fs_bpf_vendor:s0
|
||||
genfscon bpf /uprobe_private u:object_r:fs_bpf_uprobe_private:s0
|
||||
|
|
|
@ -1,16 +0,0 @@
|
|||
type uprobestats, domain, coredomain;
|
||||
|
||||
typeattribute uprobestats bpfdomain;
|
||||
|
||||
type uprobestats_exec, system_file_type, exec_type, file_type;
|
||||
|
||||
# Allow uprobestats to be invoked by statsd.
|
||||
domain_auto_trans(statsd, uprobestats_exec, uprobestats)
|
||||
|
||||
allow uprobestats fs_bpf_uprobe_private:file { read write };
|
||||
allow uprobestats fs_bpf_uprobe_private:dir search;
|
||||
allow uprobestats bpfloader:bpf { map_read map_write prog_run };
|
||||
allow uprobestats self:capability2 perfmon;
|
||||
allow uprobestats self:perf_event { cpu open write };
|
||||
allow uprobestats sysfs_uprobe:file { open read };
|
||||
allow uprobestats sysfs_uprobe:dir { search };
|