277a20ebec
The CL splits /vendor labeling from /system. Which was allowing all
processes read, execute access to /vendor.
Following directories will remain world readable
/vendor/etc
/vendor/lib(64)/hw/
Following are currently world readable but their scope
will be minimized to platform processes that require access
/vendor/app
/vendor/framework/
/vendor/overlay
Files labelled with 'same_process_hal_file' are allowed to be
read + executed from by the world. This is for Same process HALs and
their dependencies.
Bug: 36527360
Bug: 36832490
Bug: 36681210
Bug: 36680116
Bug: 36690845
Bug: 36697328
Bug: 36696623
Bug: 36806861
Bug: 36656392
Bug: 36696623
Bug: 36792803
All of the tests were done on sailfish, angler, bullhead, dragon
Test: Boot and connect to wifi
Test: Run chrome and load websites, play video in youtube, load maps w/
current location, take pictures and record video in camera,
playback recorded video.
Test: Connect to BT headset and ensure BT audio playback works.
Test: OTA sideload using recovery
Test: CTS SELinuxHostTest pass
Change-Id: I278435b72f7551a28f3c229f720ca608b77a7029
Signed-off-by: Sandeep Patil <sspatil@google.com>
60 lines
1.7 KiB
Text
60 lines
1.7 KiB
Text
type crash_dump, domain;
|
|
type crash_dump_exec, exec_type, file_type;
|
|
|
|
allow crash_dump {
|
|
domain
|
|
-init
|
|
-crash_dump
|
|
-keystore
|
|
-logd
|
|
}:process { ptrace signal sigchld sigstop sigkill };
|
|
|
|
# crash_dump might inherit CAP_SYS_PTRACE from a privileged process,
|
|
# which will result in an audit log even when it's allowed to trace.
|
|
dontaudit crash_dump self:capability { sys_ptrace };
|
|
|
|
userdebug_or_eng(`
|
|
allow crash_dump logd:process { ptrace signal sigchld sigstop sigkill };
|
|
')
|
|
|
|
# Use inherited file descriptors
|
|
allow crash_dump domain:fd use;
|
|
|
|
# Write to the IPC pipe inherited from crashing processes.
|
|
# Append to pipes given to us by processes requesting dumps (e.g. dumpstate)
|
|
allow crash_dump domain:fifo_file { write append };
|
|
|
|
r_dir_file(crash_dump, domain)
|
|
allow crash_dump exec_type:file r_file_perms;
|
|
|
|
# Read /data/dalvik-cache.
|
|
allow crash_dump dalvikcache_data_file:dir { search getattr };
|
|
allow crash_dump dalvikcache_data_file:file r_file_perms;
|
|
|
|
# Read APK files.
|
|
r_dir_file(crash_dump, apk_data_file);
|
|
|
|
# Read all /vendor
|
|
r_dir_file(crash_dump, { vendor_file same_process_hal_file })
|
|
|
|
# Talk to tombstoned
|
|
unix_socket_connect(crash_dump, tombstoned_crash, tombstoned)
|
|
|
|
# Talk to ActivityManager.
|
|
unix_socket_connect(crash_dump, system_ndebug, system_server)
|
|
|
|
# Append to ANR files.
|
|
allow crash_dump anr_data_file:file { append getattr };
|
|
|
|
# Append to tombstone files.
|
|
allow crash_dump tombstone_data_file:file { append getattr };
|
|
|
|
read_logd(crash_dump)
|
|
|
|
###
|
|
### neverallow assertions
|
|
###
|
|
|
|
# A domain transition must occur for crash_dump to get the privileges needed to trace the process.
|
|
# Do not allow the execution of crash_dump without a domain transition.
|
|
neverallow domain crash_dump_exec:file execute_no_trans;
|