platform_system_sepolicy/public/hal_configstore.te
Pirama Arumuga Nainar ce9c0c5a5f In native coverage builds, allow all domains to access /data/misc/trace
Bug: http://b/135139675

Coverage files are written to /data/misc/trace (governed by the
method_trace_data_file selinux type).  Allow all domains to access
(create directories, access files) this directory when native coverage
is enabled (by setting NATIVE_COVERAGE to true) in an userdebug or eng
build.

Also relax neverallow constraints to allow access to
method_trace_data_file for native coverage builds.

Test: Build 32-bit cuttlefish with coverage:
          m NATIVE_COVERAGE=true COVERAGE_PATHS="*"
      and verify that there are no selinux denials in kernel log and
      logcat.

Change-Id: I3fe7c77612854b9de7de7a0ddd5cbf44a2f5c21e
2019-06-14 08:31:51 -07:00

68 lines
2.3 KiB
Text

# HwBinder IPC from client to server
binder_call(hal_configstore_client, hal_configstore_server)
hal_attribute_hwservice(hal_configstore, hal_configstore_ISurfaceFlingerConfigs)
# hal_configstore runs with a strict seccomp filter. Use crash_dump's
# fallback path to collect crash data.
crash_dump_fallback(hal_configstore_server)
###
### neverallow rules
###
# Should never execute an executable without a domain transition
neverallow hal_configstore_server { file_type fs_type }:file execute_no_trans;
# Should never need network access. Disallow sockets except for
# for unix stream/dgram sockets used for logging/debugging.
neverallow hal_configstore_server domain:{
rawip_socket tcp_socket udp_socket
netlink_route_socket netlink_selinux_socket
socket netlink_socket packet_socket key_socket appletalk_socket
netlink_tcpdiag_socket netlink_nflog_socket
netlink_xfrm_socket netlink_audit_socket
netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket
netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket
netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket
netlink_rdma_socket netlink_crypto_socket
} *;
neverallow hal_configstore_server {
domain
-hal_configstore_server
-logd
userdebug_or_eng(`-su')
-tombstoned
userdebug_or_eng(`-heapprofd')
}:{ unix_dgram_socket unix_stream_socket } *;
# Should never need access to anything on /data
neverallow hal_configstore_server {
data_file_type
-anr_data_file # for crash dump collection
-tombstone_data_file # for crash dump collection
-zoneinfo_data_file # granted to domain
with_native_coverage(`-method_trace_data_file')
}:{ file fifo_file sock_file } *;
# Should never need sdcard access
neverallow hal_configstore_server {
sdcard_type
fuse sdcardfs vfat exfat # manual expansion for completeness
}:dir ~getattr;
neverallow hal_configstore_server {
sdcard_type
fuse sdcardfs vfat exfat # manual expansion for completeness
}:file *;
# Do not permit access to service_manager and vndservice_manager
neverallow hal_configstore_server *:service_manager *;
# No privileged capabilities
neverallow hal_configstore_server self:capability_class_set *;
# No ptracing other processes
neverallow hal_configstore_server *:process ptrace;
# no relabeling
neverallow hal_configstore_server *:dir_file_class_set { relabelfrom relabelto };