9d9c370f31
Similar to the way we handle /dev/random and /dev/urandom, make
/proc/sys/kernel/random available to everyone.
hostname:/proc/sys/kernel/random # ls -laZ
total 0
dr-xr-xr-x 1 root root u:object_r:proc_random:s0 0 2017-11-20 19:02 .
dr-xr-xr-x 1 root root u:object_r:proc:s0 0 2017-11-20 18:32 ..
-r--r--r-- 1 root root u:object_r:proc_random:s0 0 2017-11-20 19:02 boot_id
-r--r--r-- 1 root root u:object_r:proc_random:s0 0 2017-11-20 19:02 entropy_avail
-r--r--r-- 1 root root u:object_r:proc_random:s0 0 2017-11-20 19:02 poolsize
-rw-r--r-- 1 root root u:object_r:proc_random:s0 0 2017-11-20 19:02 read_wakeup_threshold
-rw-r--r-- 1 root root u:object_r:proc_random:s0 0 2017-11-20 19:02 urandom_min_reseed_secs
-r--r--r-- 1 root root u:object_r:proc_random:s0 0 2017-11-20 19:02 uuid
-rw-r--r-- 1 root root u:object_r:proc_random:s0 0 2017-11-20 19:02 write_wakeup_threshold
boot_id (unique random number per boot) is commonly used by
applications, as is "uuid". As these are random numbers, no sensitive
data is leaked. The other files are useful to allow processes to
understand the state of the entropy pool, and should be fairly benign.
Addresses the following denial:
type=1400 audit(0.0:207): avc: denied { read } for name="boot_id"
dev="proc" ino=76194 scontext=u:r:untrusted_app_25:s0:c512,c768
tcontext=u:object_r:proc:s0 tclass=file permissive=0
Bug: 69294418
Test: policy compiles.
Change-Id: Ieeca1c654ec755123e19b4693555990325bd58cf
45 lines
2 KiB
Text
45 lines
2 KiB
Text
# update_engine payload application permissions. These are shared between the
|
|
# background daemon and the recovery tool to sideload an update.
|
|
|
|
# Allow update_engine to reach block devices in /dev/block.
|
|
allow update_engine_common block_device:dir search;
|
|
|
|
# Allow read/write on system and boot partitions.
|
|
allow update_engine_common boot_block_device:blk_file rw_file_perms;
|
|
allow update_engine_common system_block_device:blk_file rw_file_perms;
|
|
|
|
# Allow to set recovery options in the BCB. Used to trigger factory reset when
|
|
# the update to an older version (channel change) or incompatible version
|
|
# requires it.
|
|
allow update_engine_common misc_block_device:blk_file rw_file_perms;
|
|
|
|
# read fstab
|
|
allow update_engine_common rootfs:dir getattr;
|
|
allow update_engine_common rootfs:file r_file_perms;
|
|
|
|
# Allow update_engine_common to mount on the /postinstall directory and reset the
|
|
# labels on the mounted filesystem to postinstall_file.
|
|
allow update_engine_common postinstall_mnt_dir:dir { mounton getattr search };
|
|
allow update_engine_common postinstall_file:filesystem { mount unmount relabelfrom relabelto };
|
|
allow update_engine_common labeledfs:filesystem relabelfrom;
|
|
|
|
# Allow update_engine_common to read and execute postinstall_file.
|
|
allow update_engine_common postinstall_file:file rx_file_perms;
|
|
allow update_engine_common postinstall_file:lnk_file r_file_perms;
|
|
allow update_engine_common postinstall_file:dir r_dir_perms;
|
|
|
|
# install update.zip from cache
|
|
r_dir_file(update_engine_common, cache_file)
|
|
|
|
# A postinstall program is typically a shell script (with a #!), so we allow
|
|
# to execute those.
|
|
allow update_engine_common shell_exec:file rx_file_perms;
|
|
|
|
# Allow update_engine_common to suspend, resume and kill the postinstall program.
|
|
allow update_engine_common postinstall:process { signal sigstop sigkill };
|
|
|
|
# access /proc/cmdline
|
|
allow update_engine_common proc_cmdline:file r_file_perms;
|
|
|
|
# Read files in /sys/firmware/devicetree/base/firmware/android/
|
|
r_dir_file(update_engine_common, sysfs_dt_firmware_android)
|