From b07c12c39df776666dff1adec6ad55e2e4d12b74 Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep
Date: Wed, 18 May 2022 07:53:00 +0200
Subject: [PATCH] Iorapd and friends have been removed
Remove references in sepolicy. Leave a few of the types defined since they're public and may be used in device-specific policy.
Bug: 211461392
Test: build/boot cuttlefish
Change-Id: I615137b92b82b744628ab9b7959ae5ff28001169
---
 private/atrace.te | 1 -
 private/compat/33.0/33.0.cil | 13 +++++
 private/coredomain.te | 4 --
 private/domain.te | 13 -----
 private/file_contexts | 7 ---
 private/iorap_inode2filename.te | 11 ----
 private/iorap_prefecherd.te | 4 --
 private/iorapd.te | 10 ----
 private/mlstrustedsubject.te | 6 ---
 private/service_contexts | 1 -
 private/system_app.te | 2 -
 private/system_server.te | 2 -
 private/traced.te | 8 ---
 public/domain.te | 4 --
 public/dumpstate.te | 3 --
 public/file.te | 1 -
 public/init.te | 4 --
 public/iorap.te | 4 ++
 public/iorap_inode2filename.te | 70 ------------------------
 public/iorap_prefetcherd.te | 55 -------------------
 public/iorapd.te | 94 --------------------------------
 public/service.te | 1 -
 public/shell.te | 1 -
 public/traced.te | 1 +
 public/traceur_app.te | 1 -
 public/vold.te | 1 -
 26 files changed, 18 insertions(+), 304 deletions(-)
 delete mode 100644 private/iorap_inode2filename.te
 delete mode 100644 private/iorap_prefecherd.te
 delete mode 100644 private/iorapd.te
 create mode 100644 public/iorap.te
 delete mode 100644 public/iorap_inode2filename.te
 delete mode 100644 public/iorap_prefetcherd.te
 delete mode 100644 public/iorapd.te
diff --git a/private/atrace.te b/private/atrace.te
index ca0e52789..50ab392bf 100644
--- a/private/atrace.te
+++ b/private/atrace.te
@@ -31,7 +31,6 @@ allow atrace {
 -dumpstate_service
 -incident_service
 -installd_service
- -iorapd_service
 -lpdump_service
 -mdns_service
 -netd_service
diff --git a/private/compat/33.0/33.0.cil b/private/compat/33.0/33.0.cil
index 443927780..3a096beae 100644
--- a/private/compat/33.0/33.0.cil
+++ b/private/compat/33.0/33.0.cil
@@ -1,3 +1,16 @@
+;; types removed from current policy
+(type iorap_inode2filename)
+(type iorap_inode2filename_exec)
+(type iorap_inode2filename_tmpfs)
+(type iorap_prefetcherd)
+(type iorap_prefetcherd_exec)
+(type iorap_prefetcherd_tmpfs)
+(type iorapd)
+(type iorapd_data_file)
+(type iorapd_exec)
+(type iorapd_service)
+(type iorapd_tmpfs)
+
 (expandtypeattribute (DockObserver_service_33_0) true)
 (expandtypeattribute (IProxyService_service_33_0) true)
 (expandtypeattribute (aac_drc_prop_33_0) true)
diff --git a/private/coredomain.te b/private/coredomain.te
index e4c9a5218..56e1730a9 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -91,8 +91,6 @@ full_treble_only(`
 -idmap
 -init
 -installd
- -iorap_inode2filename
- -iorap_prefetcherd
 -postinstall_dexopt
 -rs # spawned by appdomain, so carryover the exception above
 -system_server
@@ -111,8 +109,6 @@ full_treble_only(`
 -idmap
 -init
 -installd
- -iorap_inode2filename
- -iorap_prefetcherd
 -postinstall_dexopt
 -rs # spawned by appdomain, so carryover the exception above
 -system_server
diff --git a/private/domain.te b/private/domain.te
index f95df3434..5f369e307 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -181,8 +181,6 @@ neverallow {
 -app_zygote
 -dexoptanalyzer
 -installd
- -iorap_inode2filename
- -iorap_prefetcherd
 -profman
 -rs # spawned by appdomain, so carryover the exception above
 -runas
@@ -205,7 +203,6 @@ neverallow {
 -appdomain
 -app_zygote
 -installd
- -iorap_prefetcherd
 -rs # spawned by appdomain, so carryover the exception above
 } { privapp_data_file app_data_file }:file_class_set open;
@@ -230,7 +227,6 @@ neverallow {
 -system_server
 -apexd
 -installd
- -iorap_inode2filename
 -priv_app
 -virtualizationservice
 } staging_data_file:dir *;
@@ -243,7 +239,6 @@ neverallow {
 -adbd
 -kernel
 -installd
- -iorap_inode2filename
 -priv_app
 -shell
 -virtualizationservice
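Review bot: The header `;; types removed from current policy` is not accurate for three of the new entries: `iorapd`, `iorap_inode2filename` and `iorap_prefetcherd` are re-declared in the current policy by the new public/iorap.te in this same commit, so each of them is now declared both there and here. If the policy is compiled with secilc's multiple-declarations option (`-M`) the duplicate is accepted and only the comment misleads; without it the compat build would reject the re-declaration — either way, dropping those three `(type …)` lines here, or rewording the header to `;; types removed from, or left attribute-less in, current policy`, keeps the file honest. Only 33.0.cil is touched by this commit; if the 31.0 and 32.0 mapping files still carry versioned-attribute sets for the eight types that really are gone (the `_exec`, `_tmpfs`, `_data_file` and `_service` types), they will need the same declarations, which I cannot confirm from this diff.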
@@ -273,7 +268,6 @@ neverallow {
 domain
 -appdomain
 with_asan(`-asan_extract')
- -iorap_prefetcherd
 -shell
 userdebug_or_eng(`-su')
 -system_server_startup # for memfd backed executable regions
@@ -394,8 +388,6 @@ neverallow ~dac_override_allowed self:global_capability_class_set dac_override;
 # this list should be a superset of the one above.
 neverallow ~{
 dac_override_allowed
- iorap_inode2filename
- iorap_prefetcherd
 traced_perf
 traced_probes
 heapprofd
@@ -475,8 +467,6 @@ full_treble_only(`
 -heapprofd
 userdebug_or_eng(`-profcollectd')
 -init
- -iorap_inode2filename
- -iorap_prefetcherd
 -kernel
 userdebug_or_eng(`-simpleperf_boot')
 -traced_perf
@@ -514,8 +504,6 @@ full_treble_only(`
 -crash_dump
 -crosvm # loads vendor-specific disk images
 -init # starts vendor executables
- -iorap_inode2filename
- -iorap_prefetcherd
 -kernel # loads /vendor/firmware
 -heapprofd
 userdebug_or_eng(`-profcollectd')
@@ -619,7 +607,6 @@ neverallow {
 -appdomain # finer-grained rules for appdomain are listed below
 -system_server #populate com.android.providers.settings/databases/settings.db.
 -installd # creation of app sandbox
- -iorap_inode2filename
 -traced_probes # resolve inodes for i/o tracing.
 # only needs open and read, the rest is neverallow in
 # traced_probes.te.
diff --git a/private/file_contexts b/private/file_contexts
index 0c45a88ce..addbb1372 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -323,9 +323,6 @@
 /system/bin/preloads_copy\.sh u:object_r:preloads_copy_exec:s0
 /system/bin/preopt2cachename u:object_r:preopt2cachename_exec:s0
 /system/bin/viewcompiler u:object_r:viewcompiler_exec:s0
-/system/bin/iorapd u:object_r:iorapd_exec:s0
-/system/bin/iorap\.inode2filename u:object_r:iorap_inode2filename_exec:s0
-/system/bin/iorap\.prefetcherd u:object_r:iorap_prefetcherd_exec:s0
 /system/bin/sgdisk u:object_r:sgdisk_exec:s0
 /system/bin/blkid u:object_r:blkid_exec:s0
 /system/bin/tzdatacheck u:object_r:tzdatacheck_exec:s0
@@ -658,7 +655,6 @@
 /data/misc/wifi/sockets/wpa_ctrl.* u:object_r:system_wpa_socket:s0
 /data/misc/zoneinfo(/.*)? u:object_r:zoneinfo_data_file:s0
 /data/misc/vold(/.*)? u:object_r:vold_data_file:s0
-/data/misc/iorapd(/.*)? u:object_r:iorapd_data_file:s0
 /data/misc/update_engine(/.*)? u:object_r:update_engine_data_file:s0
 /data/misc/update_engine_log(/.*)? u:object_r:update_engine_log_data_file:s0
 /data/system/dropbox(/.*)? u:object_r:dropbox_data_file:s0
@@ -779,9 +775,6 @@
 /data/misc_de/[0-9]+/vold(/.*)? u:object_r:vold_data_file:s0
 /data/misc_ce/[0-9]+/vold(/.*)? u:object_r:vold_data_file:s0
-# iorapd per-user data
-/data/misc_ce/[0-9]+/iorapd(/.*)? u:object_r:iorapd_data_file:s0
-
 # Backup service persistent per-user bookkeeping
 /data/system_ce/[0-9]+/backup(/.*)? u:object_r:backup_data_file:s0
 # Backup service temporary per-user data for inter-change with apps
diff --git a/private/iorap_inode2filename.te b/private/iorap_inode2filename.te
deleted file mode 100644
index 5acb26212..000000000
--- a/private/iorap_inode2filename.te
+++ /dev/null
@@ -1,11 +0,0 @@
-typeattribute iorap_inode2filename coredomain;
-
-# Grant access to open most of the files under /
-allow iorap_inode2filename { apex_module_data_file apex_art_data_file }:dir r_dir_perms;
-allow iorap_inode2filename apex_data_file:file { getattr };
-allow iorap_inode2filename dalvikcache_data_file:dir { getattr open read search };
-allow iorap_inode2filename dalvikcache_data_file:file { getattr };
-allow iorap_inode2filename dex2oat_exec:lnk_file { getattr open read };
-allow iorap_inode2filename dexoptanalyzer_exec:file { getattr };
-allow iorap_inode2filename storaged_data_file:dir { getattr open read search };
-allow iorap_inode2filename storaged_data_file:file { getattr };
diff --git a/private/iorap_prefecherd.te b/private/iorap_prefecherd.te
deleted file mode 100644
index 9ddb512c9..000000000
--- a/private/iorap_prefecherd.te
+++ /dev/null
@@ -1,4 +0,0 @@
-typeattribute iorap_prefetcherd coredomain;
-
-init_daemon_domain(iorap_prefetcherd)
-tmpfs_domain(iorap_prefetcherd)
diff --git a/private/iorapd.te b/private/iorapd.te
deleted file mode 100644
index 73acec9c9..000000000
--- a/private/iorapd.te
+++ /dev/null
@@ -1,10 +0,0 @@
-typeattribute iorapd coredomain;
-
-init_daemon_domain(iorapd)
-tmpfs_domain(iorapd)
-
-domain_auto_trans(iorapd, iorap_prefetcherd_exec, iorap_prefetcherd)
-domain_auto_trans(iorapd, iorap_inode2filename_exec, iorap_inode2filename)
-
-# Allow iorapd to access the runtime native boot feature flag properties.
-get_prop(iorapd, device_config_runtime_native_boot_prop)
diff --git a/private/mlstrustedsubject.te b/private/mlstrustedsubject.te
index 22482d9b7..0aed4d303 100644
--- a/private/mlstrustedsubject.te
+++ b/private/mlstrustedsubject.te
@@ -7,22 +7,16 @@ neverallow {
 mlstrustedsubject
 -installd
- -iorap_prefetcherd
- -iorap_inode2filename
 } { app_data_file privapp_data_file }:file ~{ read write map getattr ioctl lock append };
 neverallow {
 mlstrustedsubject
 -installd
- -iorap_prefetcherd
- -iorap_inode2filename
 } { app_data_file privapp_data_file }:dir ~{ read getattr search };
 neverallow {
 mlstrustedsubject
 -installd
- -iorap_prefetcherd
- -iorap_inode2filename
 -system_server
 -adbd
 -runas
diff --git a/private/service_contexts b/private/service_contexts
index 0869b0ffe..109415161 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -197,7 +197,6 @@ inputflinger u:object_r:inputflinger_service:s0
 input_method u:object_r:input_method_service:s0
 input u:object_r:input_service:s0
 installd u:object_r:installd_service:s0
-iorapd u:object_r:iorapd_service:s0
 iphonesubinfo_msim u:object_r:radio_service:s0
 iphonesubinfo2 u:object_r:radio_service:s0
 iphonesubinfo u:object_r:radio_service:s0
diff --git a/private/system_app.te b/private/system_app.te
index 01956f4ab..48880722e 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -87,7 +87,6 @@ allow system_app {
 -dnsresolver_service
 -dumpstate_service
 -installd_service
- -iorapd_service
 -lpdump_service
 -mdns_service
 -netd_service
@@ -103,7 +102,6 @@ dontaudit system_app {
 dnsresolver_service
 dumpstate_service
 installd_service
- iorapd_service
 mdns_service
 netd_service
 virtual_touchpad_service
diff --git a/private/system_server.te b/private/system_server.te
index e77ba5da4..78817b10c 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -287,7 +287,6 @@ binder_call(system_server, gpuservice)
 binder_call(system_server, idmap)
 binder_call(system_server, installd)
 binder_call(system_server, incidentd)
-binder_call(system_server, iorapd)
 binder_call(system_server, netd)
 userdebug_or_eng(`binder_call(system_server, profcollectd)')
 binder_call(system_server, statsd)
@@ -903,7 +902,6 @@ allow system_server idmap_service:service_manager find;
 allow system_server incident_service:service_manager find;
 allow system_server incremental_service:service_manager find;
 allow system_server installd_service:service_manager find;
-allow system_server iorapd_service:service_manager find;
 allow system_server keystore_maintenance_service:service_manager find;
 allow system_server keystore_metrics_service:service_manager find;
 allow system_server keystore_service:service_manager find;
diff --git a/private/traced.te b/private/traced.te
index ec31a20f1..6810c359f 100644
--- a/private/traced.te
+++ b/private/traced.te
@@ -1,7 +1,4 @@
 # Perfetto user-space tracing daemon (unprivileged)
-
-# type traced is defined under /public (because iorapd rules
-# under public/ need to refer to it).
 type traced_exec, system_file_type, exec_type, file_type;
 # Allow init to exec the daemon.
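Review bot: In the private/traced.te hunk, the removed comment was the only statement of why `type traced` is declared under public/ rather than next to `traced_exec` here, and while the reason it gave (iorapd rules under public/) is indeed gone, the declaration itself stays in public/traced.te in this same commit, so the file is left with a split that nothing explains. A replacement comment would stop the next reader from "fixing" it by moving the type back: `# type traced is declared in public/traced.te: it is part of the public policy API,` / `# so it stays there even though the iorapd rules that first required it are gone.` Whether any device policy still refers to `traced` is something I cannot see from this diff; if none does, the type could be made private in a follow-up, and the comment should say which of the two it is.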
@@ -41,11 +38,6 @@ allow traced tracingproxy_service:service_manager find;
 binder_use(traced);
 binder_call(traced, system_server);
-# Allow iorapd to pass memfd descriptors to traced, so traced can directly
-# write into the shmem buffer file without doing roundtrips over IPC.
-allow traced iorapd:fd use;
-allow traced iorapd_tmpfs:file { read write };
-
 # Allow traced to use shared memory supplied by producers. Typically, traced
 # (i.e. the tracing service) creates the shared memory used for data transfer
 # from the producer. This rule allows an alternative scheme, where the producer
diff --git a/public/domain.te b/public/domain.te
index bc3f373bd..4f60d9d28 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -950,8 +950,6 @@ full_treble_only(`
 -system_lib_file
 -system_linker_exec
 -crash_dump_exec
- -iorap_prefetcherd_exec
- -iorap_inode2filename_exec
 -netutils_wrapper_exec
 userdebug_or_eng(`-tcpdump_exec')
 }:file { entrypoint execute execute_no_trans };
@@ -1019,7 +1017,6 @@ full_treble_only(`
 system_file_type
 -crash_dump_exec
 -file_contexts_file
- -iorap_inode2filename_exec
 -netutils_wrapper_exec
 -property_contexts_file
 -system_event_log_tags_file
@@ -1192,7 +1189,6 @@ neverallow {
 -dumpstate
 -init
 -installd
- -iorap_inode2filename
 -simpleperf_app_runner
 -system_server # why?
 userdebug_or_eng(`-uncrypt')
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 2c75f3048..52eb3ff11 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -309,9 +309,6 @@ allow dumpstate proc_pid_max:file r_file_perms;
 # Allow dumpstate to talk to installd over binder
 binder_call(dumpstate, installd);
-# Allow dumpstate to talk to iorapd over binder.
-binder_call(dumpstate, iorapd)
-
 # Allow dumpstate to run ip xfrm policy
 allow dumpstate self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_read };
diff --git a/public/file.te b/public/file.te
index 009e86d5f..f0ddb3764 100644
--- a/public/file.te
+++ b/public/file.te
@@ -452,7 +452,6 @@ type vpn_data_file, file_type, data_file_type, core_data_file_type;
 type wifi_data_file, file_type, data_file_type, core_data_file_type;
 type zoneinfo_data_file, file_type, data_file_type, core_data_file_type;
 type vold_data_file, file_type, data_file_type, core_data_file_type;
-type iorapd_data_file, file_type, data_file_type, core_data_file_type;
 type tee_data_file, file_type, data_file_type;
 type update_engine_data_file, file_type, data_file_type, core_data_file_type;
 type update_engine_log_data_file, file_type, data_file_type, core_data_file_type;
diff --git a/public/init.te b/public/init.te
index cc2809862..d99172ff1 100644
--- a/public/init.te
+++ b/public/init.te
@@ -214,7 +214,6 @@ allow init {
 -app_data_file
 -credstore_data_file
 -exec_type
- -iorapd_data_file
 -keystore_data_file
 -media_userdir_file
 -misc_logd_file
@@ -236,7 +235,6 @@ allow init {
 -app_data_file
 -exec_type
 -gsi_data_file
- -iorapd_data_file
 -credstore_data_file
 -keystore_data_file
 -misc_logd_file
@@ -263,7 +261,6 @@ allow init {
 -app_data_file
 -exec_type
 -gsi_data_file
- -iorapd_data_file
 -credstore_data_file
 -keystore_data_file
 -misc_logd_file
@@ -283,7 +280,6 @@ allow init {
 -app_data_file
 -exec_type
 -gsi_data_file
- -iorapd_data_file
 -credstore_data_file
 -keystore_data_file
 -misc_logd_file
diff --git a/public/iorap.te b/public/iorap.te
new file mode 100644
index 000000000..0671c3434
--- /dev/null
+++ b/public/iorap.te
@@ -0,0 +1,4 @@
+# Define these types for now, as they may be used in device-specific policy.
+type iorapd;
+type iorap_inode2filename;
+type iorap_prefetcherd;
diff --git a/public/iorap_inode2filename.te b/public/iorap_inode2filename.te
deleted file mode 100644
index 6f119eedf..000000000
--- a/public/iorap_inode2filename.te
+++ /dev/null
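Review bot: The new public/iorap.te declares `iorapd`, `iorap_inode2filename` and `iorap_prefetcherd` as bare types, whereas the deleted public/iorapd.te, public/iorap_prefetcherd.te and public/iorap_inode2filename.te declared them with `domain` (and `mlstrustedsubject`, plus `dac_read_search`) and fenced them with `neverallow { domain -init … } <type>:process { transition dyntransition }` and socket neverallows. Dropping the attributes is the right direction — the base policy no longer grants these names any reach — but the one-line comment should say so explicitly, because a device policy that still labels a process with one of these types would now sit outside every `domain`-scoped neverallow in public/domain.te, and whether the treble compatibility tests catch that is not visible from this diff. Suggested comment in place of the current one: `# Placeholder declarations only: kept so device policy that still names these` / `# types keeps resolving. They carry no attributes, and the companion _exec,` / `# _service, _data_file and _tmpfs types now exist only in private/compat/33.0.`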
@@ -1,70 +0,0 @@
-# iorap.inode2filename -> look up file paths from an inode
-type iorap_inode2filename, domain;
-type iorap_inode2filename_exec, exec_type, file_type, system_file_type;
-type iorap_inode2filename_tmpfs, file_type;
-
-r_dir_file(iorap_inode2filename, rootfs)
-
-# Allow usage of pipes (child stdout -> parent pipe).
-allow iorap_inode2filename iorapd:fd use;
-allow iorap_inode2filename iorapd:fifo_file { read write getattr };
-
-# Allow reading most files under / ignoring usual access controls.
-allow iorap_inode2filename self:capability dac_read_search;
-
-typeattribute iorap_inode2filename mlstrustedsubject;
-
-# Grant access to open most of the files under /
-allow iorap_inode2filename apex_data_file:dir { getattr open read search };
-allow iorap_inode2filename apex_data_file:file { getattr };
-allow iorap_inode2filename apex_mnt_dir:dir { getattr open read search };
-allow iorap_inode2filename apex_mnt_dir:file { getattr };
-allow iorap_inode2filename apk_data_file:dir { getattr open read search };
-allow iorap_inode2filename apk_data_file:file { getattr };
-allow iorap_inode2filename app_data_file_type:dir { getattr open read search };
-allow iorap_inode2filename app_data_file_type:file { getattr };
-allow iorap_inode2filename backup_data_file:dir { getattr open read search };
-allow iorap_inode2filename backup_data_file:file { getattr };
-allow iorap_inode2filename bootchart_data_file:dir { getattr open read search };
-allow iorap_inode2filename bootchart_data_file:file { getattr };
-allow iorap_inode2filename metadata_file:dir { getattr open read search search };
-allow iorap_inode2filename metadata_file:file { getattr };
-allow iorap_inode2filename packages_list_file:dir { getattr open read search };
-allow iorap_inode2filename packages_list_file:file { getattr };
-allow iorap_inode2filename property_data_file:dir { getattr open read search };
-allow iorap_inode2filename property_data_file:file { getattr };
-allow iorap_inode2filename resourcecache_data_file:dir { getattr open read search };
-allow iorap_inode2filename resourcecache_data_file:file { getattr };
-allow iorap_inode2filename recovery_data_file:dir { getattr open read search };
-allow iorap_inode2filename ringtone_file:dir { getattr open read search };
-allow iorap_inode2filename ringtone_file:file { getattr };
-allow iorap_inode2filename same_process_hal_file:dir { getattr open read search };
-allow iorap_inode2filename same_process_hal_file:file { getattr };
-allow iorap_inode2filename sepolicy_file:file { getattr };
-allow iorap_inode2filename staging_data_file:dir { getattr open read search };
-allow iorap_inode2filename staging_data_file:file { getattr };
-allow iorap_inode2filename system_bootstrap_lib_file:dir { getattr open read search };
-allow iorap_inode2filename system_bootstrap_lib_file:file { getattr };
-allow iorap_inode2filename system_data_file:dir { getattr open read search };
-allow iorap_inode2filename system_data_file:file { getattr };
-allow iorap_inode2filename system_data_file:lnk_file { getattr open read };
-allow iorap_inode2filename system_data_root_file:dir { getattr open read search };
-allow iorap_inode2filename textclassifier_data_file:dir { getattr open read search };
-allow iorap_inode2filename textclassifier_data_file:file { getattr };
-allow iorap_inode2filename toolbox_exec:file getattr;
-allow iorap_inode2filename user_profile_root_file:dir { getattr open read search };
-allow iorap_inode2filename user_profile_data_file:dir { getattr open read search };
-allow iorap_inode2filename user_profile_data_file:file { getattr };
-allow iorap_inode2filename unencrypted_data_file:dir { getattr open read search };
-allow iorap_inode2filename unlabeled:file { getattr };
-allow iorap_inode2filename vendor_file:dir { getattr open read search };
-allow iorap_inode2filename vendor_file:file { getattr };
-allow iorap_inode2filename vendor_overlay_file:file { getattr };
-allow iorap_inode2filename zygote_exec:file { getattr };
-
-###
-### neverallow rules
-###
-
-neverallow { domain -init -iorapd } iorap_inode2filename:process { transition dyntransition };
-neverallow iorap_inode2filename domain:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/public/iorap_prefetcherd.te b/public/iorap_prefetcherd.te
deleted file mode 100644
index 4b218fbbb..000000000
--- a/public/iorap_prefetcherd.te
+++ /dev/null
@@ -1,55 +0,0 @@
-# volume manager
-type iorap_prefetcherd, domain;
-type iorap_prefetcherd_exec, exec_type, file_type, system_file_type;
-type iorap_prefetcherd_tmpfs, file_type;
-
-r_dir_file(iorap_prefetcherd, rootfs)
-
-# Allow read/write /proc/sys/vm/drop/caches
-allow iorap_prefetcherd proc_drop_caches:file rw_file_perms;
-
-# iorap_prefetcherd temporarily changes its priority when running benchmarks
-allow iorap_prefetcherd self:global_capability_class_set sys_nice;
-
-# Allow usage of pipes (--input-fd=# and --output-fd=# command line parameters).
-allow iorap_prefetcherd iorapd:fd use;
-allow iorap_prefetcherd iorapd:fifo_file { read write };
-
-# Allow reading most files under / ignoring usual access controls.
-allow iorap_prefetcherd self:capability dac_read_search;
-
-typeattribute iorap_prefetcherd mlstrustedsubject;
-
-# Grant logcat access
-allow iorap_prefetcherd logcat_exec:file { open read };
-
-# Grant access to open most of the files under /
-allow iorap_prefetcherd apk_data_file:dir { open read search };
-allow iorap_prefetcherd apk_data_file:file { open read };
-allow iorap_prefetcherd app_data_file:dir { open read search };
-allow iorap_prefetcherd app_data_file:file { open read };
-allow iorap_prefetcherd dalvikcache_data_file:dir { open read search };
-allow iorap_prefetcherd dalvikcache_data_file:file{ open read };
-allow iorap_prefetcherd packages_list_file:dir { open read search };
-allow iorap_prefetcherd packages_list_file:file { open read };
-allow iorap_prefetcherd privapp_data_file:dir { open read search };
-allow iorap_prefetcherd privapp_data_file:file { open read };
-allow iorap_prefetcherd same_process_hal_file:dir{ open read search };
-allow iorap_prefetcherd same_process_hal_file:file { open read };
-allow iorap_prefetcherd system_data_file:dir { open read search };
-allow iorap_prefetcherd system_data_file:file { open read };
-allow iorap_prefetcherd system_data_file:lnk_file { open read };
-allow iorap_prefetcherd user_profile_root_file:dir { open read search };
-allow iorap_prefetcherd user_profile_data_file:dir { open read search };
-allow iorap_prefetcherd user_profile_data_file:file { open read };
-allow iorap_prefetcherd vendor_overlay_file:dir { open read search };
-allow iorap_prefetcherd vendor_overlay_file:file { open read };
-# Note: Do not add any /vendor labels because they can be customized
-# by the vendor and we won't know about them beforehand.
-
-###
-### neverallow rules
-###
-
-neverallow { domain -init -iorapd } iorap_prefetcherd:process { transition dyntransition };
-neverallow iorap_prefetcherd domain:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/public/iorapd.te b/public/iorapd.te
deleted file mode 100644
index 8fded0cbc..000000000
--- a/public/iorapd.te
+++ /dev/null
@@ -1,94 +0,0 @@
-# volume manager
-type iorapd, domain;
-type iorapd_exec, exec_type, file_type, system_file_type;
-type iorapd_tmpfs, file_type;
-
-r_dir_file(iorapd, rootfs)
-
-# Allow read/write /proc/sys/vm/drop/caches
-allow iorapd proc_drop_caches:file rw_file_perms;
-
-# Give iorapd a place where only iorapd can store files; everyone else is off limits
-allow iorapd iorapd_data_file:dir create_dir_perms;
-allow iorapd iorapd_data_file:file create_file_perms;
-
-# Allow iorapd to publish a binder service and make binder calls.
-binder_use(iorapd)
-add_service(iorapd, iorapd_service)
-
-# Allow iorapd to call into the system server so it can check permissions.
-binder_call(iorapd, system_server)
-allow iorapd permission_service:service_manager find;
-# IUserManager
-allow iorapd user_service:service_manager find;
-# IPackageManagerNative
-allow iorapd package_native_service:service_manager find;
-# Allow dumpstate (bugreport) to call into iorapd.
-allow iorapd dumpstate:fd use;
-allow iorapd dumpstate:fifo_file write;
-
-# TODO: does each of the service_manager allow finds above need the binder_call?
-
-# iorapd temporarily changes its priority when running benchmarks
-allow iorapd self:global_capability_class_set sys_nice;
-
-# Allow to access Perfetto traced's privileged consumer socket to start/stop
-# tracing sessions and read trace data.
-unix_socket_connect(iorapd, traced_consumer, traced)
-
-# Allow iorapd to execute compilation (iorap.cmd.compiler) in idle time.
-allow iorapd system_file:file rx_file_perms;
-
-# Allow iorapd to send signull to iorap_inode2filename and iorap_prefetcherd.
-allow iorapd iorap_inode2filename:process signull;
-allow iorapd iorap_prefetcherd:process signull;
-
-# Allowing system_server to check for the existence and size of files under iorapd
-# dir without collecting any sensitive app data.
-# This is used to predict if iorapd is doing prefetching or not.
-allow system_server iorapd_data_file:dir { getattr open read search };
-allow system_server iorapd_data_file:file getattr;
-
-###
-### neverallow rules
-###
-
-neverallow {
- domain
- -iorapd
-} iorapd_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
-
-neverallow {
- domain
- -init
- -iorapd
- -system_server
-} iorapd_data_file:dir *;
-
-neverallow {
- domain
- -kernel
- -iorapd
-} iorapd_data_file:notdevfile_class_set ~{ relabelto getattr };
-
-neverallow {
- domain
- -init
- -kernel
- -vendor_init
- -iorapd
- -system_server
-} { iorapd_data_file }:notdevfile_class_set *;
-
-# Only system_server and shell (for dumpsys) can interact with iorapd over binder
-neverallow { domain -dumpstate -system_server -iorapd } iorapd_service:service_manager find;
-neverallow iorapd {
- domain
- -servicemanager
- -system_server
- userdebug_or_eng(`-su')
-}:binder call;
-
-neverallow { domain -init } iorapd:process { transition dyntransition };
-neverallow iorapd domain:{ udp_socket rawip_socket } *;
-neverallow iorapd { domain userdebug_or_eng(`-su') }:tcp_socket *;
diff --git a/public/service.te b/public/service.te
index 0fd23600f..8dc3e04d0 100644
--- a/public/service.te
+++ b/public/service.te
@@ -19,7 +19,6 @@ type fwk_automotive_display_service, service_manager_type;
 type gatekeeper_service, app_api_service, service_manager_type;
 type gpu_service, app_api_service, ephemeral_app_api_service, service_manager_type;
 type idmap_service, service_manager_type;
-type iorapd_service, service_manager_type;
 type incident_service, service_manager_type;
 type installd_service, service_manager_type;
 type credstore_service, app_api_service, service_manager_type;
diff --git a/public/shell.te b/public/shell.te
index 4175c86bb..8570260a7 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -84,7 +84,6 @@ allow shell {
 -gatekeeper_service
 -incident_service
 -installd_service
- -iorapd_service
 -mdns_service
 -netd_service
 -system_suspend_control_internal_service
diff --git a/public/traced.te b/public/traced.te
index 922d46e08..48da0d838 100644
--- a/public/traced.te
+++ b/public/traced.te
@@ -1,3 +1,4 @@
 type traced, domain, coredomain, mlstrustedsubject;
 type traced_tmpfs, file_type;
+
diff --git a/public/traceur_app.te b/public/traceur_app.te
index 1ab150db8..22f6c3b45 100644
--- a/public/traceur_app.te
+++ b/public/traceur_app.te
@@ -10,7 +10,6 @@ allow traceur_app {
 -gatekeeper_service
 -incident_service
 -installd_service
- -iorapd_service
 -lpdump_service
 -mdns_service
 -netd_service
diff --git a/public/vold.te b/public/vold.te
index 07f0fd32e..6b32f9af9 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -334,7 +334,6 @@ neverallow vold {
 -system_suspend_server
 -hal_bootctl_server
 -hwservicemanager
- -iorapd_service
 -keystore
 -servicemanager
 -system_server