829a749351
Recovery uses /cache/recovery. Exclude it from auditallow coverage. Addresses the following SELinux log spam: avc: granted { search } for pid=323 comm="recovery" name="recovery" dev="mmcblk0p38" ino=12 scontext=u:r:recovery:s0 tcontext=u:object_r:cache_recovery_file:s0 tclass=dir avc: granted { read } for pid=323 comm="recovery" name="block.map" dev="mmcblk0p38" ino=26 scontext=u:r:recovery:s0 tcontext=u:object_r:cache_recovery_file:s0 tclass=file avc: granted { getattr } for pid=323 comm="recovery" path="/cache/recovery/block.map" dev="mmcblk0p38" ino=26 scontext=u:r:recovery:s0 tcontext=u:object_r:cache_recovery_file:s0 tclass=file Change-Id: Ib6c7b44ac23fccaf2ea506429fb760ee85e87c76
86 lines
3.5 KiB
Text
86 lines
3.5 KiB
Text
# rules removed from the domain attribute
|
|
|
|
# Read access to properties mapping.
|
|
allow domain_deprecated kernel:fd use;
|
|
allow domain_deprecated tmpfs:file { read getattr };
|
|
allow domain_deprecated tmpfs:lnk_file { read getattr };
|
|
|
|
# Search /storage/emulated tmpfs mount.
|
|
allow domain_deprecated tmpfs:dir r_dir_perms;
|
|
|
|
# Inherit or receive open files from others.
|
|
allow domain_deprecated system_server:fd use;
|
|
|
|
# Connect to adbd and use a socket transferred from it.
|
|
# This is used for e.g. adb backup/restore.
|
|
allow domain_deprecated adbd:unix_stream_socket connectto;
|
|
allow domain_deprecated adbd:fd use;
|
|
allow domain_deprecated adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };
|
|
|
|
# Root fs.
|
|
allow domain_deprecated rootfs:dir r_dir_perms;
|
|
allow domain_deprecated rootfs:file r_file_perms;
|
|
allow domain_deprecated rootfs:lnk_file r_file_perms;
|
|
|
|
# Device accesses.
|
|
allow domain_deprecated device:file read;
|
|
|
|
# Filesystem accesses.
|
|
allow domain_deprecated fs_type:filesystem getattr;
|
|
allow domain_deprecated fs_type:dir getattr;
|
|
|
|
# System file accesses.
|
|
allow domain_deprecated system_file:dir r_dir_perms;
|
|
allow domain_deprecated system_file:file r_file_perms;
|
|
allow domain_deprecated system_file:lnk_file r_file_perms;
|
|
|
|
# Read files already opened under /data.
|
|
allow domain_deprecated system_data_file:dir { search getattr };
|
|
allow domain_deprecated system_data_file:file { getattr read };
|
|
allow domain_deprecated system_data_file:lnk_file r_file_perms;
|
|
|
|
# Read apk files under /data/app.
|
|
allow domain_deprecated apk_data_file:dir { getattr search };
|
|
allow domain_deprecated apk_data_file:file r_file_perms;
|
|
allow domain_deprecated apk_data_file:lnk_file r_file_perms;
|
|
|
|
# Read /data/dalvik-cache.
|
|
allow domain_deprecated dalvikcache_data_file:dir { search getattr };
|
|
allow domain_deprecated dalvikcache_data_file:file r_file_perms;
|
|
|
|
# Read already opened /cache files.
|
|
allow domain_deprecated { cache_file cache_recovery_file }:dir r_dir_perms;
|
|
allow domain_deprecated { cache_file cache_recovery_file }:file { getattr read };
|
|
allow domain_deprecated { cache_file cache_recovery_file }:lnk_file r_file_perms;
|
|
|
|
# Likely not needed. auditallow to be sure
|
|
auditallow { domain_deprecated -init -system_server -dumpstate -install_recovery -platform_app -priv_app -uncrypt -recovery } cache_recovery_file:dir r_dir_perms;
|
|
auditallow { domain_deprecated -init -system_server -dumpstate -install_recovery -platform_app -priv_app -uncrypt -recovery } cache_recovery_file:file { getattr read };
|
|
auditallow domain_deprecated cache_recovery_file:lnk_file r_file_perms;
|
|
|
|
# For /acct/uid/*/tasks.
|
|
allow domain_deprecated cgroup:dir { search write };
|
|
allow domain_deprecated cgroup:file w_file_perms;
|
|
|
|
#Allow access to ion memory allocation device
|
|
allow domain_deprecated ion_device:chr_file rw_file_perms;
|
|
|
|
# Read access to pseudo filesystems.
|
|
r_dir_file(domain_deprecated, proc)
|
|
r_dir_file(domain_deprecated, sysfs)
|
|
r_dir_file(domain_deprecated, inotify)
|
|
r_dir_file(domain_deprecated, cgroup)
|
|
r_dir_file(domain_deprecated, proc_net)
|
|
|
|
# Get SELinux enforcing status.
|
|
allow domain_deprecated selinuxfs:dir r_dir_perms;
|
|
allow domain_deprecated selinuxfs:file r_file_perms;
|
|
|
|
# /data/security files
|
|
allow domain_deprecated security_file:dir { search getattr };
|
|
allow domain_deprecated security_file:file getattr;
|
|
allow domain_deprecated security_file:lnk_file r_file_perms;
|
|
|
|
# World readable asec image contents
|
|
allow domain_deprecated asec_public_file:file r_file_perms;
|
|
allow domain_deprecated { asec_public_file asec_apk_file }:dir r_dir_perms;
|