tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_system_sepolicy/microdroid/system/private
History
Alan Stokes 72c0134384 More neverallow rules 
When we cut down microdroid policy we removed a whole lot of
neverallow rules that were in public/domain.te. Many of these are
irrelevant, but there are some that look quite important. So this CL
restores many of them. This makes no immediate difference (none of
these rules are currently violated, except as mentioned below), but it
might catch mistakes, or at least make us stop and think before
introducing potentially risky policy changes.

Process:
- Paste in all the neverallow rules from public/domain.te in Android
  policy.
- Delete all references to non-existent labels.
- Delete everything makred full-trebly-only,

I also deleted some attributes we clearly don't need, and hence
associated neverallows. (I suspect there are more attributes we could
remove.)

And then I fixed a neverallow violation for microdroid_payload - we
were allowing it unrestricted ioctl access.

Bug: 204853211
Test: Policy builds without error
Test: No denials running composd_cmd forced-compile-test
Change-Id: I21035dee93a881b34941338cc7ce82503cc65e59
2021-12-08 14:56:45 +00:00
..
access_vectors Move microdroid sepolicy to system/sepolicy 2021-07-19 07:48:34 +00:00
adbd.te microdroid: Narrow property permissions 2021-09-23 17:23:28 +09:00
apexd.te Microdroid: Allow apexd again to access block device information 2021-10-14 15:38:28 -07:00
apkdmverity.te microdroid: Run apk mount utils from MM 2021-12-01 19:46:33 +09:00
attributes Move microdroid sepolicy to system/sepolicy 2021-07-19 07:48:34 +00:00
authfs.te Grant authfs_service and authfs CAP_SYS_ADMIN 2021-08-11 15:48:14 +00:00
authfs_service.te authfs - remove getattr perm for fd pass 2021-10-12 21:54:42 +00:00
binderservicedomain.te Move microdroid sepolicy to system/sepolicy 2021-07-19 07:48:34 +00:00
bug_map Move microdroid sepolicy to system/sepolicy 2021-07-19 07:48:34 +00:00
compos.te Allow compsvc to execute odrefresh 2021-12-07 08:08:00 -08:00
crash_dump.te Move microdroid sepolicy to system/sepolicy 2021-07-19 07:48:34 +00:00
dex2oat.te Allow compsvc to execute odrefresh 2021-12-07 08:08:00 -08:00
domain.te More neverallow rules 2021-12-08 14:56:45 +00:00
file.te microdroid: Add support for extra apk files 2021-12-08 14:10:28 +09:00
file_contexts microdroid: Add support for extra apk files 2021-12-08 14:10:28 +09:00
fs_use Move microdroid sepolicy to system/sepolicy 2021-07-19 07:48:34 +00:00
genfs_contexts Move microdroid sepolicy to system/sepolicy 2021-07-19 07:48:34 +00:00
halclientdomain.te microdroid: Narrow property permissions 2021-09-23 17:23:28 +09:00
hwservice_contexts Move microdroid sepolicy to system/sepolicy 2021-07-19 07:48:34 +00:00
hwservicemanager.te microdroid: Narrow property permissions 2021-09-23 17:23:28 +09:00
init.te Move microdroid sepolicy to system/sepolicy 2021-07-19 07:48:34 +00:00
initial_sid_contexts Move microdroid sepolicy to system/sepolicy 2021-07-19 07:48:34 +00:00
initial_sids Move microdroid sepolicy to system/sepolicy 2021-07-19 07:48:34 +00:00
kernel.te Move microdroid sepolicy to system/sepolicy 2021-07-19 07:48:34 +00:00
keys.conf Move microdroid sepolicy to system/sepolicy 2021-07-19 07:48:34 +00:00
keystore.te microdroid: Narrow property permissions 2021-09-23 17:23:28 +09:00
keystore2_key_contexts Move microdroid sepolicy to system/sepolicy 2021-07-19 07:48:34 +00:00
linkerconfig.te Move microdroid sepolicy to system/sepolicy 2021-07-19 07:48:34 +00:00
logcat.te Add logd.ready 2021-11-30 15:10:53 +09:00
logd.te microdroid: Narrow property permissions 2021-09-23 17:23:28 +09:00
mac_permissions.xml Move microdroid sepolicy to system/sepolicy 2021-07-19 07:48:34 +00:00
microdroid_app.te microdroid: Remove microdroid_app dontaudit 2021-10-19 10:46:17 +00:00
microdroid_manager.te microdroid: Add support for extra apk files 2021-12-08 14:10:28 +09:00
microdroid_payload.te More neverallow rules 2021-12-08 14:56:45 +00:00
mls Move microdroid sepolicy to system/sepolicy 2021-07-19 07:48:34 +00:00
mls_decl Move microdroid sepolicy to system/sepolicy 2021-07-19 07:48:34 +00:00
mls_macros Move microdroid sepolicy to system/sepolicy 2021-07-19 07:48:34 +00:00
net.te Move microdroid sepolicy to system/sepolicy 2021-07-19 07:48:34 +00:00
odrefresh.te Allow compsvc to execute odrefresh 2021-12-07 08:08:00 -08:00
policy_capabilities Move microdroid sepolicy to system/sepolicy 2021-07-19 07:48:34 +00:00
port_contexts Move microdroid sepolicy to system/sepolicy 2021-07-19 07:48:34 +00:00
property.te microdroid: Narrow property permissions 2021-09-23 17:23:28 +09:00
property_contexts Add logd.ready 2021-11-30 15:10:53 +09:00
roles_decl Move microdroid sepolicy to system/sepolicy 2021-07-19 07:48:34 +00:00
seapp_contexts Move microdroid sepolicy to system/sepolicy 2021-07-19 07:48:34 +00:00
security_classes Move microdroid sepolicy to system/sepolicy 2021-07-19 07:48:34 +00:00
service_contexts Allow authfs_service to add itself to service manager 2021-08-10 10:55:54 -07:00
servicemanager.te microdroid: Narrow property permissions 2021-09-23 17:23:28 +09:00
shell.te microdroid: Narrow property permissions 2021-09-23 17:23:28 +09:00
statsd.te Move microdroid sepolicy to system/sepolicy 2021-07-19 07:48:34 +00:00
su.te Move microdroid sepolicy to system/sepolicy 2021-07-19 07:48:34 +00:00
tombstoned.te Move microdroid sepolicy to system/sepolicy 2021-07-19 07:48:34 +00:00
toolbox.te Move microdroid sepolicy to system/sepolicy 2021-07-19 07:48:34 +00:00
ueventd.te microdroid: Narrow property permissions 2021-09-23 17:23:28 +09:00
users Move microdroid sepolicy to system/sepolicy 2021-07-19 07:48:34 +00:00
zipfuse.te microdroid: Add support for extra apk files 2021-12-08 14:10:28 +09:00