platform_system_sepolicy/private/stats.te
Nick Kralevich 5e37271df8 Introduce system_file_type
system_file_type is a new attribute used to identify files which exist
on the /system partition. It's useful for allow rules in init, which are
based off of a blacklist of writable files. Additionally, it's useful
for constructing neverallow rules to prevent regressions.

Additionally, add commented out tests which enforce that all files on
the /system partition have the system_file_type attribute. These tests
will be uncommented in a future change after all the device-specific
policies are cleaned up.

Test: Device boots and no obvious problems.
Change-Id: Id9bae6625f042594c8eba74ca712abb09702c1e5
2018-09-27 12:52:09 -07:00

type stats, domain;
typeattribute stats coredomain;
type stats_exec, system_file_type, exec_type, file_type;
# switch to stats domain for stats command
domain_auto_trans(shell, stats_exec, stats)
# allow stats access to stdout from its parent shell.
allow stats shell:fd use;
# allow stats to use, read and write the socket that carries the adb
# connection.
allow stats adbd:fd use;
allow stats adbd:unix_stream_socket { read write };
# allow adbd to reap stats
allow stats adbd:process { sigchld };
# Allow the stats command to talk to the statsd over the binder, and get
# back the stats report data from a ParcelFileDescriptor.
binder_use(stats)
allow stats stats_service:service_manager find;
binder_call(stats, statsd)
allow stats statsd:fifo_file write;
# Only statsd can publish the binder service.
add_service(statsd, stats_service)
# Allow pipes from (and only from) stats.
allow statsd stats:fd use;
allow statsd stats:fifo_file write;
# Allow statsd to call back to stats with status updates.
binder_call(statsd, stats)
###
### neverallow rules
###
# Only dumpstate, priv_app, shell, the stats command, statsd, system_app,
# system_server and traceur_app can find the stats service.
neverallow {
  domain
  -dumpstate
  -priv_app
  -shell
  -stats
  -statsd
  -system_app
  -system_server
  -traceur_app
} stats_service:service_manager find;
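checkpolicy evaluates the neverallow above at build time by expanding the `{ domain -x -y ... }` set and refusing any allow rule that falls inside it. The script below is an added example, not part of system/sepolicy: it re-implements that set arithmetic for the small subset of .te syntax this file uses, lists which domains the neverallow actually leaves able to find stats_service, and flags an allow that would regress it. Assumptions are labelled in the code: DOMAIN_UNIVERSE is a hypothetical stand-in for the `domain` attribute (a real policy has hundreds of members), the embedded rules are a constructed copy of the ones on this page with comments and the binder/transition macros dropped, and the add_service() expansion is the one from AOSP's te_macros as recalled here (allow add+find to the publisher, neverallow add to everyone else).

```python
"""Added example: evaluate stats.te's neverallow with checkpolicy-style set
semantics. Not project code; see the labelled assumptions below."""
import re
from dataclasses import dataclass

# Constructed copy of the allow/neverallow rules and the add_service call on
# this page; comments and the non-service macros were dropped.
STATS_TE = """
allow stats shell:fd use;
allow stats adbd:fd use;
allow stats adbd:unix_stream_socket { read write };
allow stats adbd:process { sigchld };
allow stats stats_service:service_manager find;
allow stats statsd:fifo_file write;
add_service(statsd, stats_service)
allow statsd stats:fd use;
allow statsd stats:fifo_file write;
neverallow {
  domain
  -dumpstate
  -priv_app
  -shell
  -stats
  -statsd
  -system_app
  -system_server
  -traceur_app
} stats_service:service_manager find;
"""

# Hypothetical stand-in for the `domain` attribute of a full policy.
DOMAIN_UNIVERSE = frozenset({
    "dumpstate", "priv_app", "shell", "stats", "statsd", "system_app",
    "system_server", "traceur_app", "untrusted_app", "platform_app", "init",
})

# allow|neverallow <src-set> <target>:<class> <perm-set>;  (single- or multi-line)
RULE_RE = re.compile(
    r"^(allow|neverallow)\s+(\{[^}]*\}|\S+)\s+(\w+):(\w+)\s+(\{[^}]*\}|\w+)\s*;",
    re.M,
)


@dataclass(frozen=True)
class Rule:
    kind: str            # "allow" or "neverallow"
    sources: frozenset   # source domains after set expansion
    target: str
    cls: str
    perms: frozenset


def expand_macros(text: str) -> str:
    """Assumed add_service(src, svc) expansion (AOSP te_macros, from memory):
    the publisher may add+find the service, nobody else may add it."""
    def add_service(m: re.Match) -> str:
        src, svc = m.group(1), m.group(2)
        return (f"allow {src} {svc}:service_manager {{ add find }};\n"
                f"neverallow {{ domain -{src} }} {svc}:service_manager add;")
    return re.sub(r"^add_service\((\w+),\s*(\w+)\)", add_service, text, flags=re.M)


def parse_set(expr: str, universe: frozenset) -> frozenset:
    """`domain` means every domain; a leading `-` removes a member."""
    included, excluded = set(), set()
    for tok in expr.strip("{} \n").split():
        if tok.startswith("-"):
            excluded.add(tok[1:])
        elif tok == "domain":
            included |= universe
        else:
            included.add(tok)
    return frozenset(included - excluded)


def parse_rules(text: str, universe: frozenset) -> list:
    return [Rule(kind, parse_set(src, universe), tgt, cls,
                 frozenset(perms.strip("{} ").split()))
            for kind, src, tgt, cls, perms in RULE_RE.findall(expand_macros(text))]


def domains_allowed_to_find(text: str, universe: frozenset, service: str) -> list:
    """Complement of every neverallow source set for find on `service`."""
    allowed = set(universe)
    for r in parse_rules(text, universe):
        if (r.kind == "neverallow" and r.target == service
                and r.cls == "service_manager" and "find" in r.perms):
            allowed -= r.sources
    return sorted(allowed)


def neverallow_violations(text: str, universe: frozenset) -> list:
    """Every allow whose source, target, class and perms intersect a
    neverallow; checkpolicy would reject the policy with exactly these."""
    rules = parse_rules(text, universe)
    found = []
    for na in (r for r in rules if r.kind == "neverallow"):
        for a in (r for r in rules if r.kind == "allow"):
            shared, perms = na.sources & a.sources, na.perms & a.perms
            if shared and perms and a.target == na.target and a.cls == na.cls:
                found.append((sorted(shared), a.target, a.cls, sorted(perms)))
    return found


if __name__ == "__main__":
    print("can find stats_service:",
          domains_allowed_to_find(STATS_TE, DOMAIN_UNIVERSE, "stats_service"))
    print("violations:", neverallow_violations(STATS_TE, DOMAIN_UNIVERSE))
    bad = STATS_TE + "allow untrusted_app stats_service:service_manager find;\n"
    print("after a regressing allow:", neverallow_violations(bad, DOMAIN_UNIVERSE))
```

Running it shows the point the file's own comment understates: the neverallow leaves eight domains able to find the service (dumpstate, priv_app, shell, stats, statsd, system_app, system_server, traceur_app), and statsd must be among them because add_service() grants it find along with add. Appending an allow for any domain outside that list is reported as a violation, which is the regression the neverallow exists to catch.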