tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_system_sepolicy/prebuilts/api/31.0/public/asan_extract.te
Inseob Kim 08d4c8fa6e Add fake 31.0 prebuilt 
This commit adds fake 31.0 prebuilt. The prebuilt is based on AOSP
policy, but slightly modified so the set of types and attributes is a
subset of real 31.0 prebuilt (sc-dev policy).

Steps taken to make the fake prebuilt:

1) build plat_sepolicy.cil both on AOSP and sc-dev, with lunch target
aosp_arm64-eng.
2) diff both outputs to find out which types and attributes don't exist.
3) remove all relevant files and statements.

As a result, the following types are removed.

artd
artd_exec
artd_service
power_stats_service
transformer_service
virtualizationservice
virtualizationservice_data_file
virtualizationservice_exec

Bug: 189161483
Test: N/A, will do after adding 31.0 mapping files.
Change-Id: Ia957fc32b1838dae730d9dd7bd917d684d4a24cf
Merged-In: Ia4ea2999f4bc8ae80f13e51d99fba3e98e293447
2021-06-15 12:08:00 +00:00

33 lines
1.3 KiB
Text
Raw Blame History

# asan_extract
#
# This command set moves the artifact corresponding to the current slot
# from /data/ota to /data/dalvik-cache.
with_asan(`
type asan_extract, domain, coredomain;
type asan_extract_exec, exec_type, file_type, system_file_type;
# Allow asan_extract to execute itself using #!/system/bin/sh
allow asan_extract shell_exec:file rx_file_perms;
# We execute log, rm, gzip and tar.
allow asan_extract toolbox_exec:file rx_file_perms;
allow asan_extract system_file:file execute_no_trans;
# asan_extract deletes old /data/lib.
allow asan_extract system_file:dir { open read remove_name rmdir write };
allow asan_extract system_file:file unlink;
# asan_extract untars ASAN libraries into /data.
allow asan_extract system_data_file:dir create_dir_perms ;
allow asan_extract system_data_file:{ file lnk_file } create_file_perms ;
# Relabel the libraries with restorecon.
allow asan_extract file_contexts_file:file r_file_perms;
allow asan_extract system_data_file:{ dir file } relabelfrom;
allow asan_extract system_file:dir { relabelto setattr };
allow asan_extract system_file:file relabelto;
# Restorecon will actually already try to run with sanitized libraries (libpackagelistparser).
allow asan_extract system_data_file:file execute;
')
Reference in a new issue View git blame Copy permalink