tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_system_sepolicy/prebuilts/api/31.0/public/uncrypt.te
Inseob Kim 08d4c8fa6e Add fake 31.0 prebuilt 
This commit adds fake 31.0 prebuilt. The prebuilt is based on AOSP
policy, but slightly modified so the set of types and attributes is a
subset of real 31.0 prebuilt (sc-dev policy).

Steps taken to make the fake prebuilt:

1) build plat_sepolicy.cil both on AOSP and sc-dev, with lunch target
aosp_arm64-eng.
2) diff both outputs to find out which types and attributes don't exist.
3) remove all relevant files and statements.

As a result, the following types are removed.

artd
artd_exec
artd_service
power_stats_service
transformer_service
virtualizationservice
virtualizationservice_data_file
virtualizationservice_exec

Bug: 189161483
Test: N/A, will do after adding 31.0 mapping files.
Change-Id: Ia957fc32b1838dae730d9dd7bd917d684d4a24cf
Merged-In: Ia4ea2999f4bc8ae80f13e51d99fba3e98e293447
2021-06-15 12:08:00 +00:00

46 lines
1.3 KiB
Text
Raw Blame History

# uncrypt
type uncrypt, domain, mlstrustedsubject;
type uncrypt_exec, system_file_type, exec_type, file_type;
allow uncrypt self:global_capability_class_set { dac_override dac_read_search };
userdebug_or_eng(`
# For debugging, allow /data/local/tmp access
r_dir_file(uncrypt, shell_data_file)
')
# Read /cache/recovery/command
# Read /cache/recovery/uncrypt_file
allow uncrypt cache_file:dir search;
allow uncrypt cache_recovery_file:dir rw_dir_perms;
allow uncrypt cache_recovery_file:file create_file_perms;
# Read and write(for f2fs_pin_file) on OTA zip file at /data/ota_package/.
allow uncrypt ota_package_file:dir r_dir_perms;
allow uncrypt ota_package_file:file rw_file_perms;
# Write to /dev/socket/uncrypt
unix_socket_connect(uncrypt, uncrypt, uncrypt)
# Raw writes to block device
allow uncrypt self:global_capability_class_set sys_rawio;
allow uncrypt misc_block_device:blk_file w_file_perms;
allow uncrypt block_device:dir r_dir_perms;
# Access userdata block device.
allow uncrypt userdata_block_device:blk_file w_file_perms;
r_dir_file(uncrypt, rootfs)
# Access to bootconfig is needed when calling ReadDefaultFstab.
allow uncrypt {
proc_bootconfig
proc_cmdline
}:file r_file_perms;
# Read files in /sys
r_dir_file(uncrypt, sysfs_dt_firmware_android)
# Allow ReadDefaultFstab().
read_fstab(uncrypt)
Reference in a new issue View git blame Copy permalink