platform_system_sepolicy/private/compat/28.0/28.0.ignore.cil
Yi-Yo Chiang 806898db48 Split gsi_metadata_file and add gsi_metadata_file_type attribute
Split gsi_metadata_file into gsi_metadata_file plus
gsi_public_metadata_file, and add gsi_metadata_file_type attribute.
Files that are okay to be publicly readable are labeled with
gsi_public_metadata_file. Right now only files needed to infer the
device fstab belong to this label.
The difference between gsi_metadata_file and gsi_public_metadata_file is
that gsi_public_metadata_file has relaxed neverallow rules, so processes
who wish to read the fstab can add the respective allow rules to their
policy files.
Allow gsid to restorecon on gsi_metadata_file to fix the file context of
gsi_public_metadata_file.

Bug: 181110285
Test: Build pass
Test: Issue a DSU installation then verify no DSU related denials and
  files under /metadata/gsi/ are labeled correctly.
Change-Id: I54a5fe734dd345e28fd8c0874d5fceaf80ab8c11
2021-03-29 03:09:35 +00:00


;; new_objects - a collection of types that have been introduced that have no
;; analogue in older policy. Thus, we do not need to map these types to
;; previous ones. Add here to pass checkapi tests.
;;
;; This is the ignore list for the 28.0 compat mapping. A type named here is
;; treated as having no 28.0 counterpart, so list a type only when it is
;; genuinely new.
;; NOTE(review): a type that was renamed or split from a type that existed in
;; 28.0 presumably belongs in the 28.0 mapping file instead of here - confirm
;; against the compat tooling before adding such a type.
;;
;; This file contains no allow rules: being listed here grants no access.
;; Access to any of these types must still be granted by explicit allow rules
;; in the policy of the domain that needs it.

;; new_objects is declared both as a type and as a typeattribute; the set
;; below names new_objects itself as its first member.
(type new_objects)
(typeattribute new_objects)
;; Members of new_objects. Both gsi_metadata_file and gsi_public_metadata_file
;; appear in the list, so neither label is mapped to a 28.0 type.
(typeattributeset new_objects
( new_objects
activity_task_service
adb_service
apex_data_file
apex_metadata_file
apex_mnt_dir
apex_service
apexd
apexd_exec
apexd_prop
apexd_tmpfs
appdomain_tmpfs
app_binding_service
app_prediction_service
app_zygote
app_zygote_tmpfs
ashmemd
ashmem_device_service
attention_service
biometric_service
bluetooth_audio_hal_prop
bpf_progs_loaded_prop
bugreport_service
cgroup_desc_file
cgroup_rc_file
charger_exec
content_capture_service
content_suggestions_service
cpu_variant_prop
ctl_apexd_prop
ctl_gsid_prop
dev_cpu_variant
device_config_activity_manager_native_boot_prop
device_config_boot_count_prop
device_config_input_native_boot_prop
device_config_netd_native_prop
device_config_reset_performed_prop
device_config_runtime_native_boot_prop
device_config_runtime_native_prop
device_config_media_native_prop
device_config_service
device_config_sys_traced_prop
dnsresolver_service
dynamic_system_service
dynamic_system_prop
face_service
face_vendor_data_file
sota_prop
fastbootd
flags_health_check
flags_health_check_exec
fwk_bufferhub_hwservice
fwk_camera_hwservice
fwk_stats_hwservice
gpuservice
gsi_data_file
gsi_metadata_file
gsi_public_metadata_file
gsi_service
gsid
gsid_exec
gsid_prop
color_display_service
external_vibrator_service
hal_atrace_hwservice
hal_face_hwservice
hal_graphics_composer_server_tmpfs
hal_health_storage_hwservice
hal_input_classifier_hwservice
hal_power_stats_hwservice
heapprofd
heapprofd_enabled_prop
heapprofd_exec
heapprofd_prop
heapprofd_socket
idmap_service
iris_service
iris_vendor_data_file
llkd
llkd_exec
llkd_prop
llkd_tmpfs
looper_stats_service
lpdumpd
lpdumpd_exec
lpdumpd_prop
lpdump_service
iorapd
iorapd_exec
iorapd_data_file
iorapd_service
iorapd_tmpfs
mediaswcodec
mediaswcodec_exec
mediaswcodec_tmpfs
metadata_bootstat_file
mnt_product_file
network_stack
network_stack_service
network_stack_tmpfs
nnapi_ext_deny_product_prop
overlayfs_file
password_slot_metadata_file
permissionmgr_service
postinstall_apex_mnt_dir
recovery_socket
role_service
rollback_service
rs
rs_exec
rss_hwm_reset
rss_hwm_reset_exec
runas_app
runas_app_tmpfs
art_apex_dir
runtime_service
sdcard_block_device
sensor_privacy_service
server_configurable_flags_data_file
simpleperf_app_runner
simpleperf_app_runner_exec
socket_hook_prop
su_tmpfs
super_block_device
sysfs_fs_f2fs
system_bootstrap_lib_file
system_event_log_tags_file
system_lmk_prop
system_suspend_hwservice
system_suspend_control_service
system_trace_prop
staging_data_file
task_profiles_file
testharness_service
test_harness_prop
theme_prop
time_prop
timedetector_service
timezonedetector_service
traced_lazy_prop
uri_grants_service
use_memfd_prop
vendor_apex_file
vendor_cgroup_desc_file
vendor_idc_file
vendor_keychars_file
vendor_keylayout_file
vendor_misc_writer
vendor_misc_writer_exec
vendor_socket_hook_prop
vendor_task_profiles_file
vndk_prop
vrflinger_vsync_service
watchdogd_tmpfs))