tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_system_sepolicy/public/su.te
Alan Stokes 7bde36e94e Remove redundant sepolicy 
We don't use MLS in Microdroid, so we don't need MLS rules, nor
mlstrusted[subject|object] labels. (We keep one MLS rule to satisfy
checkpolicy.)

A lot of attributes are unused in Microdroid, so we can remove their
declarations and any references to them. (That may not make the
compiled policy smaller, since hopefully they get optimised out
anyway, but it means there is less policy for humans to deal with.)

Remove labels that relate only to apps, which we don't have - MAC
permissions, run-as, seapp_contexts.

In passing, fix a comment snafu in both system & microdroid policy.

Bug: 223596375
Test: Run staged-apex-compile & compos_verify, no denials
Test: atest MicrodroidTests MicrodroidHostTestCases
Change-Id: Ifd3589945a2d8b4c0361e00eec5678795513fd8c
2022-03-15 15:43:50 +00:00

108 lines
4.1 KiB
Text
Raw Blame History

# Domain used for su processes, as well as for adbd and adb shell
# after performing an adb root command.
# All types must be defined regardless of build variant to ensure
# policy compilation succeeds with userdebug/user combination at boot
type su, domain;
# File types must be defined for file_contexts.
type su_exec, system_file_type, exec_type, file_type;
userdebug_or_eng(`
typeattribute su mlstrustedsubject;
# Add su to various domains
net_domain(su)
# grant su access to vndbinder
vndbinder_use(su)
dontaudit su self:capability_class_set *;
dontaudit su self:capability2 *;
dontaudit su kernel:security *;
dontaudit su { kernel file_type }:system *;
dontaudit su self:memprotect *;
dontaudit su domain:{ process process2 } *;
dontaudit su domain:fd *;
dontaudit su domain:dir *;
dontaudit su domain:lnk_file *;
dontaudit su domain:{ fifo_file file } *;
dontaudit su domain:socket_class_set *;
dontaudit su domain:ipc_class_set *;
dontaudit su domain:key *;
dontaudit su fs_type:filesystem *;
dontaudit su {fs_type dev_type file_type}:dir_file_class_set *;
dontaudit su node_type:node *;
dontaudit su node_type:{ tcp_socket udp_socket rawip_socket } *;
dontaudit su netif_type:netif *;
dontaudit su port_type:socket_class_set *;
dontaudit su port_type:{ tcp_socket dccp_socket } *;
dontaudit su domain:peer *;
dontaudit su domain:binder *;
dontaudit su property_type:property_service *;
dontaudit su property_type:file *;
dontaudit su service_manager_type:service_manager *;
dontaudit su hwservice_manager_type:hwservice_manager *;
dontaudit su vndservice_manager_type:service_manager *;
dontaudit su servicemanager:service_manager list;
dontaudit su hwservicemanager:hwservice_manager list;
dontaudit su vndservicemanager:service_manager list;
dontaudit su keystore:keystore_key *;
dontaudit su keystore:keystore2 *;
dontaudit su domain:drmservice *;
dontaudit su unlabeled:filesystem *;
dontaudit su postinstall_file:filesystem *;
dontaudit su domain:bpf *;
dontaudit su unlabeled:vsock_socket *;
dontaudit su self:perf_event *;
# VTS tests run in the permissive su domain on debug builds, but the HALs
# being tested run in enforcing mode. Because hal_foo_server is enforcing
# su needs to be declared as hal_foo_client to grant hal_foo_server
# permission to interact with it.
typeattribute su halclientdomain;
typeattribute su hal_allocator_client;
typeattribute su hal_atrace_client;
typeattribute su hal_audio_client;
typeattribute su hal_authsecret_client;
typeattribute su hal_bluetooth_client;
typeattribute su hal_bootctl_client;
typeattribute su hal_camera_client;
typeattribute su hal_configstore_client;
typeattribute su hal_confirmationui_client;
typeattribute su hal_contexthub_client;
typeattribute su hal_drm_client;
typeattribute su hal_cas_client;
typeattribute su hal_dumpstate_client;
typeattribute su hal_fingerprint_client;
typeattribute su hal_gatekeeper_client;
typeattribute su hal_gnss_client;
typeattribute su hal_graphics_allocator_client;
typeattribute su hal_graphics_composer_client;
typeattribute su hal_health_client;
typeattribute su hal_input_classifier_client;
typeattribute su hal_ir_client;
typeattribute su hal_keymaster_client;
typeattribute su hal_light_client;
typeattribute su hal_memtrack_client;
typeattribute su hal_neuralnetworks_client;
typeattribute su hal_nfc_client;
typeattribute su hal_oemlock_client;
typeattribute su hal_power_client;
typeattribute su hal_rebootescrow_client;
typeattribute su hal_secure_element_client;
typeattribute su hal_sensors_client;
typeattribute su hal_telephony_client;
typeattribute su hal_tetheroffload_client;
typeattribute su hal_thermal_client;
typeattribute su hal_tv_cec_client;
typeattribute su hal_tv_input_client;
typeattribute su hal_tv_tuner_client;
typeattribute su hal_usb_client;
typeattribute su hal_vibrator_client;
typeattribute su hal_vr_client;
typeattribute su hal_weaver_client;
typeattribute su hal_wifi_client;
typeattribute su hal_wifi_hostapd_client;
typeattribute su hal_wifi_supplicant_client;
')
Reference in a new issue View git blame Copy permalink