tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Merge "Add tombstone_transmit init property to microdroid"

Browse source
This commit is contained in:
Inseob Kim 2023-01-20 14:41:15 +00:00 committed by Gerrit Code Review
commit fa7661b454
4 changed files with 12 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
microdroid/system/private/microdroid_manager.te
View file

@ -123,6 +123,9 @@ allow microdroid_manager extra_apk_file:dir create_dir_perms;
# Allow microdroid_manager to write kmsg_debug (stdio_to_kmsg).
allow microdroid_manager kmsg_debug_device:chr_file w_file_perms;
# Read tombstone_transmit_status_prop to wait for initialization of tombstone_transmit
get_prop(microdroid_manager, tombstone_transmit_status_prop)
# Domains other than microdroid can't write extra_apks
neverallow { domain -microdroid_manager -init -vendor_init } extra_apk_file:file no_w_file_perms;
neverallow { domain -microdroid_manager -init -vendor_init } extra_apk_file:dir no_w_dir_perms;

1
microdroid/system/private/property.te
View file

@ -1,4 +1,5 @@
system_internal_prop(ctl_tombstoned_prop)
system_restricted_prop(tombstone_transmit_status_prop)
system_restricted_prop(boot_status_prop)

2
microdroid/system/private/property_contexts
View file

@ -161,3 +161,5 @@ persist.device_config.runtime_native. u:object_r:device_config_runtime_nat
persist.device_config.runtime_native_boot. u:object_r:device_config_runtime_native_boot_prop:s0 prefix
apexd.payload_metadata.path u:object_r:apexd_payload_metadata_prop:s0 exact string
tombstone_transmit.init_done u:object_r:tombstone_transmit_status_prop:s0 exact bool

6
microdroid/system/private/tombstone_transmit.te
View file

@ -8,3 +8,9 @@ allow tombstone_transmit tombstone_data_file:dir { r_dir_perms write remove_name
allow tombstone_transmit tombstone_data_file:file { r_file_perms unlink };
allow tombstone_transmit self:{ vsock_socket } create_socket_perms_no_ioctl;
# allow tombstone_transmit to notify its initialization
set_prop(tombstone_transmit, tombstone_transmit_status_prop)
# Only tombstone_transmit can set its status
neverallow { domain -init -tombstone_transmit } tombstone_transmit_status_prop:property_service set;