75806ef3c5
Ideally, public should only contain APIs (types / attributes) for
vendor. The other statements like allow/neverallow/typeattributes are
regarded as implementation detail for platform and should be in private.
Bug: 232023812
Test: m selinux_policy
Test: diff <(git diff --staged | grep "^-" | cut -b2- | sort) \
<(git diff --staged | grep "^+" | cut -b2- | sort)
Test: remove comments on plat_sepolicy.cil, replace base_typeattr_*
to base_typeattr and then compare old and new plat_sepolicy.cil
Change-Id: I5e7d2da4465ab0216de6bacdf03077d37f6ffe12
31 lines
925 B
Text
31 lines
925 B
Text
typeattribute recovery_refresh coredomain;
|
|
|
|
init_daemon_domain(recovery_refresh)
|
|
|
|
allow recovery_refresh pstorefs:dir search;
|
|
allow recovery_refresh pstorefs:file r_file_perms;
|
|
# NB: domain inherits write_logd which hands us write to pmsg_device
|
|
|
|
###
|
|
### Neverallow rules
|
|
###
|
|
### recovery_refresh should NEVER do any of this
|
|
|
|
# Block device access.
|
|
neverallow recovery_refresh dev_type:blk_file { read write };
|
|
|
|
# ptrace any other app
|
|
neverallow recovery_refresh domain:process ptrace;
|
|
|
|
# Write to /system.
|
|
neverallow recovery_refresh system_file_type:dir_file_class_set write;
|
|
|
|
# Write to files in /data/data or system files on /data
|
|
neverallow recovery_refresh { app_data_file_type system_data_file }:dir_file_class_set write;
|
|
|
|
# recovery_refresh is not allowed to write anywhere
|
|
neverallow recovery_refresh {
|
|
file_type
|
|
userdebug_or_eng(`-coredump_file')
|
|
with_native_coverage(`-method_trace_data_file')
|
|
}:file write;
|