75806ef3c5
Ideally, public should only contain APIs (types / attributes) for
vendor. The other statements like allow/neverallow/typeattributes are
regarded as implementation detail for platform and should be in private.
Bug: 232023812
Test: m selinux_policy
Test: diff <(git diff --staged | grep "^-" | cut -b2- | sort) \
<(git diff --staged | grep "^+" | cut -b2- | sort)
Test: remove comments on plat_sepolicy.cil, replace base_typeattr_*
to base_typeattr and then compare old and new plat_sepolicy.cil
Change-Id: I5e7d2da4465ab0216de6bacdf03077d37f6ffe12
39 lines
1.2 KiB
Text
39 lines
1.2 KiB
Text
typeattribute recovery_persist coredomain;
|
|
|
|
init_daemon_domain(recovery_persist)
|
|
|
|
allow recovery_persist pstorefs:dir search;
|
|
allow recovery_persist pstorefs:file r_file_perms;
|
|
|
|
allow recovery_persist recovery_data_file:file create_file_perms;
|
|
allow recovery_persist recovery_data_file:dir create_dir_perms;
|
|
|
|
allow recovery_persist cache_file:dir search;
|
|
allow recovery_persist cache_file:lnk_file read;
|
|
allow recovery_persist cache_recovery_file:dir rw_dir_perms;
|
|
allow recovery_persist cache_recovery_file:file { r_file_perms unlink };
|
|
|
|
###
|
|
### Neverallow rules
|
|
###
|
|
### recovery_persist should NEVER do any of this
|
|
|
|
# Block device access.
|
|
neverallow recovery_persist dev_type:blk_file { read write };
|
|
|
|
# ptrace any other app
|
|
neverallow recovery_persist domain:process ptrace;
|
|
|
|
# Write to /system.
|
|
neverallow recovery_persist system_file_type:dir_file_class_set write;
|
|
|
|
# Write to files in /data/data
|
|
neverallow recovery_persist { app_data_file_type system_data_file }:dir_file_class_set write;
|
|
|
|
# recovery_persist is not allowed to write anywhere other than recovery_data_file
|
|
neverallow recovery_persist {
|
|
file_type
|
|
-recovery_data_file
|
|
userdebug_or_eng(`-coredump_file')
|
|
with_native_coverage(`-method_trace_data_file')
|
|
}:file write;
|