tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_system_sepolicy/prebuilts/api/31.0/private/llkd.te
Inseob Kim 08d4c8fa6e Add fake 31.0 prebuilt 
This commit adds fake 31.0 prebuilt. The prebuilt is based on AOSP
policy, but slightly modified so the set of types and attributes is a
subset of real 31.0 prebuilt (sc-dev policy).

Steps taken to make the fake prebuilt:

1) build plat_sepolicy.cil both on AOSP and sc-dev, with lunch target
aosp_arm64-eng.
2) diff both outputs to find out which types and attributes don't exist.
3) remove all relevant files and statements.

As a result, the following types are removed.

artd
artd_exec
artd_service
power_stats_service
transformer_service
virtualizationservice
virtualizationservice_data_file
virtualizationservice_exec

Bug: 189161483
Test: N/A, will do after adding 31.0 mapping files.
Change-Id: Ia957fc32b1838dae730d9dd7bd917d684d4a24cf
Merged-In: Ia4ea2999f4bc8ae80f13e51d99fba3e98e293447
2021-06-15 12:08:00 +00:00

53 lines
1.5 KiB
Text
Raw Blame History

# llkd Live LocK Daemon
typeattribute llkd coredomain;
init_daemon_domain(llkd)
get_prop(llkd, llkd_prop)
allow llkd self:global_capability_class_set kill;
userdebug_or_eng(`
allow llkd self:global_capability_class_set { sys_ptrace sys_admin };
allow llkd self:global_capability_class_set { dac_override dac_read_search };
')
# llkd optionally locks itself in memory, to prevent it from being
# swapped out and unable to discover a kernel in live-lock state.
allow llkd self:global_capability_class_set ipc_lock;
# Send kill signals to _anyone_ suffering from Live Lock
allow llkd domain:process sigkill;
# read stack to check for Live Lock
userdebug_or_eng(`
allow llkd {
domain
-apexd
-kernel
-keystore
-init
-llkd
-ueventd
-vendor_init
}:process ptrace;
')
# live lock watchdog process allowed to look through /proc/
allow llkd domain:dir r_dir_perms;
allow llkd domain:file r_file_perms;
allow llkd domain:lnk_file read;
# Set /proc/sys/kernel/hung_task_*
allow llkd proc_hung_task:file rw_file_perms;
# live lock watchdog process allowed to dump process trace and
# reboot because orderly shutdown may not be possible.
allow llkd proc_sysrq:file w_file_perms;
allow llkd kmsg_device:chr_file w_file_perms;
### neverallow rules
neverallow { domain -init } llkd:process { dyntransition transition };
neverallow { domain userdebug_or_eng(`-crash_dump') } llkd:process ptrace;
# never honor LD_PRELOAD
neverallow * llkd:process noatsecure;
Reference in a new issue View git blame Copy permalink