7bde36e94e
We don't use MLS in Microdroid, so we don't need MLS rules, nor mlstrusted[subject|object] labels. (We keep one MLS rule to satisfy checkpolicy.) A lot of attributes are unused in Microdroid, so we can remove their declarations and any references to them. (That may not make the compiled policy smaller, since hopefully they get optimised out anyway, but it means there is less policy for humans to deal with.) Remove labels that relate only to apps, which we don't have - MAC permissions, run-as, seapp_contexts. In passing, fix a comment snafu in both system & microdroid policy. Bug: 223596375 Test: Run staged-apex-compile & compos_verify, no denials Test: atest MicrodroidTests MicrodroidHostTestCases Change-Id: Ifd3589945a2d8b4c0361e00eec5678795513fd8c
96 lines
3.5 KiB
Text
96 lines
3.5 KiB
Text
typeattribute kernel coredomain;
|
|
|
|
domain_auto_trans(kernel, init_exec, init)
|
|
|
|
# The following sections are for the transition period during a Virtual A/B
|
|
# OTA. Once sepolicy is loaded, snapuserd must be re-launched in the correct
|
|
# context, and with properly labelled devices. This must be done before
|
|
# enabling enforcement, eg, in permissive mode while still in the kernel
|
|
# context.
|
|
allow kernel tmpfs:blk_file { getattr relabelfrom };
|
|
allow kernel tmpfs:chr_file { getattr relabelfrom };
|
|
allow kernel tmpfs:lnk_file { getattr relabelfrom };
|
|
allow kernel tmpfs:dir { open read relabelfrom };
|
|
|
|
allow kernel block_device:blk_file relabelto;
|
|
allow kernel block_device:lnk_file relabelto;
|
|
allow kernel dm_device:chr_file relabelto;
|
|
allow kernel dm_device:blk_file relabelto;
|
|
allow kernel dm_user_device:dir { read open search relabelto };
|
|
allow kernel dm_user_device:chr_file relabelto;
|
|
allow kernel kmsg_device:chr_file relabelto;
|
|
allow kernel null_device:chr_file relabelto;
|
|
allow kernel random_device:chr_file relabelto;
|
|
allow kernel kmsg_device:chr_file write;
|
|
allow kernel vd_device:blk_file read;
|
|
|
|
allow kernel self:global_capability_class_set sys_nice;
|
|
|
|
# Root fs.
|
|
r_dir_file(kernel, rootfs)
|
|
|
|
# Used to read androidboot.selinux property
|
|
allow kernel {
|
|
proc_bootconfig
|
|
proc_cmdline
|
|
}:file r_file_perms;
|
|
|
|
# Get SELinux enforcing status.
|
|
allow kernel selinuxfs:dir r_dir_perms;
|
|
allow kernel selinuxfs:file r_file_perms;
|
|
|
|
# Get file contexts during first stage
|
|
allow kernel file_contexts_file:file r_file_perms;
|
|
|
|
# Allow init relabel itself.
|
|
allow kernel rootfs:file relabelfrom;
|
|
allow kernel init_exec:file relabelto;
|
|
# TODO: investigate why we need this.
|
|
allow kernel init:process share;
|
|
|
|
# cgroup filesystem initialization prior to setting the cgroup root directory label.
|
|
allow kernel unlabeled:dir search;
|
|
|
|
# Initial setenforce by init prior to switching to init domain.
|
|
# We use dontaudit instead of allow to prevent a kernel spawned userspace
|
|
# process from turning off SELinux once enabled.
|
|
dontaudit kernel self:security setenforce;
|
|
|
|
# Init reboot before switching selinux domains under certain error
|
|
# conditions. Allow it.
|
|
# As part of rebooting, init writes "u" to /proc/sysrq-trigger to
|
|
# remount filesystems read-only. /data is not mounted at this point,
|
|
# so we could ignore this. For now, we allow it.
|
|
allow kernel self:global_capability_class_set sys_boot;
|
|
allow kernel proc_sysrq:file w_file_perms;
|
|
|
|
# Allow writing to /dev/kmsg which was created prior to loading policy.
|
|
allow kernel tmpfs:chr_file write;
|
|
|
|
# Set checkreqprot by init.rc prior to switching to init domain.
|
|
allow kernel selinuxfs:file write;
|
|
allow kernel self:security setcheckreqprot;
|
|
|
|
# kernel thread "loop0", used by the loop block device, for ASECs (b/17158723)
|
|
allow kernel { sdcard_type fuse }:file { read write };
|
|
|
|
# Allow the kernel to read APEX file descriptors and (staged) data files;
|
|
# Needed because APEX uses the loopback driver, which issues requests from
|
|
# a kernel thread in earlier kernel version.
|
|
allow kernel apexd:fd use;
|
|
|
|
#-----------------------------------------
|
|
allow kernel apkdmverity:fd use;
|
|
|
|
# Some contexts are changed before the device is flipped into enforcing mode
|
|
# during the setup of Apex sepolicy. These denials can be suppressed since
|
|
# the permissions should not be allowed after the device is flipped into
|
|
# enforcing mode.
|
|
dontaudit kernel device:dir { open read relabelto };
|
|
dontaudit kernel tmpfs:file { getattr open read relabelfrom };
|
|
dontaudit kernel {
|
|
file_contexts_file
|
|
property_contexts_file
|
|
sepolicy_test_file
|
|
service_contexts_file
|
|
}:file relabelto;
|