c80b024241
This removes bad context names "exported*_prop". Property contexts of following properties are changed. All properties are settable only by vendor-init. - ro.config.per_app_memcg This becomes lmkd_config_prop. - ro.zygote This becomes dalvik_config_prop. - ro.oem_unlock_supported This becomes oem_unlock_prop. It's readable by system_app which includes Settings apps. - ro.storage_manager.enabled This becomes storagemanagr_config_prop. It's readable by coredomain. Various domains in coredomain seem to read it. - sendbug.preferred.domain This bcomes sendbug_config_prop. It's readable by appdomain. There are still 3 more exported3_default_prop, which are going to be tracked individually. Bug: 155844385 Test: selinux denial check on Pixel devices Change-Id: I340c903ca7bda98a92d0f157c65f6833ed00df05
56 lines
2.5 KiB
Text
56 lines
2.5 KiB
Text
# Allow apps to read the Test Harness Mode property. This property is used in
|
|
# the implementation of ActivityManager.isDeviceInTestHarnessMode()
|
|
get_prop(appdomain, test_harness_prop)
|
|
|
|
get_prop(appdomain, boot_status_prop)
|
|
get_prop(appdomain, dalvik_config_prop)
|
|
get_prop(appdomain, media_config_prop)
|
|
get_prop(appdomain, packagemanager_config_prop)
|
|
get_prop(appdomain, surfaceflinger_color_prop)
|
|
get_prop(appdomain, systemsound_config_prop)
|
|
get_prop(appdomain, telephony_config_prop)
|
|
get_prop(appdomain, userspace_reboot_config_prop)
|
|
get_prop(appdomain, vold_config_prop)
|
|
|
|
userdebug_or_eng(`perfetto_producer({ appdomain })')
|
|
|
|
# Prevent apps from causing presubmit failures.
|
|
# Apps can cause selinux denials by accessing CE storage
|
|
# and/or external storage. In either case, the selinux denial is
|
|
# not the cause of the failure, but just a symptom that
|
|
# storage isn't ready. Many apps handle the failure appropriately.
|
|
#
|
|
# Apps cannot access external storage before it becomes available.
|
|
dontaudit appdomain storage_stub_file:dir getattr;
|
|
# Attempts to write to system_data_file is generally a sign
|
|
# that apps are attempting to access encrypted storage before
|
|
# the ACTION_USER_UNLOCKED intent is delivered. Apps are not
|
|
# allowed to write to CE storage before it's available.
|
|
# Attempting to do so will be blocked by both selinux and unix
|
|
# permissions.
|
|
dontaudit appdomain system_data_file:dir write;
|
|
# Apps should not be reading vendor-defined properties.
|
|
dontaudit appdomain vendor_default_prop:file read;
|
|
|
|
neverallow appdomain system_server:udp_socket {
|
|
accept append bind create ioctl listen lock name_bind
|
|
relabelfrom relabelto setattr shutdown };
|
|
|
|
# Transition to a non-app domain.
|
|
# Exception for the shell and su domains, can transition to runas, etc.
|
|
# Exception for crash_dump to allow for app crash reporting.
|
|
# Exception for renderscript binaries (/system/bin/bcc, /system/bin/ld.mc)
|
|
# to allow renderscript to create privileged executable files.
|
|
neverallow { appdomain -shell userdebug_or_eng(`-su') }
|
|
{ domain -appdomain -crash_dump -rs }:process { transition };
|
|
neverallow { appdomain -shell userdebug_or_eng(`-su') }
|
|
{ domain -appdomain }:process { dyntransition };
|
|
|
|
# Don't allow regular apps access to storage configuration properties.
|
|
neverallow { appdomain -mediaprovider_app } storage_config_prop:file no_rw_file_perms;
|
|
|
|
# Allow to read sendbug.preferred.domain
|
|
get_prop(appdomain, sendbug_config_prop)
|
|
|
|
# Allow to read graphics related properties.
|
|
get_prop(appdomain, graphics_config_prop)
|