08d4c8fa6e
This commit adds fake 31.0 prebuilt. The prebuilt is based on AOSP policy, but slightly modified so the set of types and attributes is a subset of real 31.0 prebuilt (sc-dev policy). Steps taken to make the fake prebuilt: 1) build plat_sepolicy.cil both on AOSP and sc-dev, with lunch target aosp_arm64-eng. 2) diff both outputs to find out which types and attributes don't exist. 3) remove all relevant files and statements. As a result, the following types are removed. artd artd_exec artd_service power_stats_service transformer_service virtualizationservice virtualizationservice_data_file virtualizationservice_exec Bug: 189161483 Test: N/A, will do after adding 31.0 mapping files. Change-Id: Ia957fc32b1838dae730d9dd7bd917d684d4a24cf Merged-In: Ia4ea2999f4bc8ae80f13e51d99fba3e98e293447
22 lines
721 B
Text
22 lines
721 B
Text
# blkid called from vold
|
|
|
|
typeattribute blkid coredomain;
|
|
|
|
type blkid_exec, system_file_type, exec_type, file_type;
|
|
|
|
# Allowed read-only access to encrypted devices to extract UUID/label
|
|
allow blkid block_device:dir search;
|
|
allow blkid userdata_block_device:blk_file r_file_perms;
|
|
allow blkid dm_device:blk_file r_file_perms;
|
|
|
|
# Allow stdin/out back to vold
|
|
allow blkid vold:fd use;
|
|
allow blkid vold:fifo_file { read write getattr };
|
|
|
|
# For blkid launched through popen()
|
|
allow blkid blkid_exec:file rx_file_perms;
|
|
|
|
# Only allow entry from vold
|
|
neverallow { domain -vold } blkid:process transition;
|
|
neverallow * blkid:process dyntransition;
|
|
neverallow blkid { file_type fs_type -blkid_exec -shell_exec }:file entrypoint;
|