tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_system_sepolicy/public/bootstat.te
Nick Kralevich 5e37271df8 Introduce system_file_type 
system_file_type is a new attribute used to identify files which exist
on the /system partition. It's useful for allow rules in init, which are
based off of a blacklist of writable files. Additionally, it's useful
for constructing neverallow rules to prevent regressions.

Additionally, add commented out tests which enforce that all files on
the /system partition have the system_file_type attribute. These tests
will be uncommented in a future change after all the device-specific
policies are cleaned up.

Test: Device boots and no obvious problems.
Change-Id: Id9bae6625f042594c8eba74ca712abb09702c1e5
2018-09-27 12:52:09 -07:00

57 lines
1.6 KiB
Text
Raw Blame History

# bootstat command
type bootstat, domain;
type bootstat_exec, system_file_type, exec_type, file_type;
read_runtime_log_tags(bootstat)
# Allow persistent storage in /data/misc/bootstat.
allow bootstat bootstat_data_file:dir rw_dir_perms;
allow bootstat bootstat_data_file:file create_file_perms;
# Collect metrics on boot time created by init
get_prop(bootstat, boottime_prop)
# Read/Write [persist.]sys.boot.reason and ro.boot.bootreason (write if empty)
set_prop(bootstat, bootloader_boot_reason_prop)
set_prop(bootstat, system_boot_reason_prop)
set_prop(bootstat, last_boot_reason_prop)
# ToDo: TBI move access for the following to a system health HAL
# Allow access to /sys/fs/pstore/ and syslog
allow bootstat pstorefs:dir search;
allow bootstat pstorefs:file r_file_perms;
allow bootstat kernel:system syslog_read;
# Allow access to reading the logs to read aspects of system health
read_logd(bootstat)
# ToDo: end
neverallow {
domain
-bootanim
-bootstat
-dumpstate
-init
-recovery
-shell
-system_server
} { bootloader_boot_reason_prop last_boot_reason_prop }:file r_file_perms;
# ... and refine, as these components should not set the last boot reason
neverallow { bootanim recovery } last_boot_reason_prop:file r_file_perms;
neverallow {
domain
-bootstat
-init
-system_server
} { bootloader_boot_reason_prop last_boot_reason_prop }:property_service set;
# ... and refine ... for a ro propertly no less ... keep this _tight_
neverallow system_server bootloader_boot_reason_prop:property_service set;
neverallow {
domain
-bootstat
-init
} system_boot_reason_prop:property_service set;
Reference in a new issue View git blame Copy permalink