5e37271df8
system_file_type is a new attribute used to identify files which exist on the /system partition. It's useful for allow rules in init, which are based off of a blacklist of writable files. Additionally, it's useful for constructing neverallow rules to prevent regressions. Additionally, add commented out tests which enforce that all files on the /system partition have the system_file_type attribute. These tests will be uncommented in a future change after all the device-specific policies are cleaned up. Test: Device boots and no obvious problems. Change-Id: Id9bae6625f042594c8eba74ca712abb09702c1e5
17 lines
711 B
Text
17 lines
711 B
Text
# debugger interface
|
|
type tombstoned, domain, mlstrustedsubject;
|
|
type tombstoned_exec, system_file_type, exec_type, file_type;
|
|
|
|
# Write to arbitrary pipes given to us.
|
|
allow tombstoned domain:fd use;
|
|
allow tombstoned domain:fifo_file write;
|
|
|
|
allow tombstoned domain:dir r_dir_perms;
|
|
allow tombstoned domain:file r_file_perms;
|
|
allow tombstoned tombstone_data_file:dir rw_dir_perms;
|
|
allow tombstoned tombstone_data_file:file { create_file_perms link };
|
|
|
|
# Changes for the new stack dumping mechanism. Each trace goes into a
|
|
# separate file, and these files are managed by tombstoned.
|
|
allow tombstoned anr_data_file:dir rw_dir_perms;
|
|
allow tombstoned anr_data_file:file { append create getattr open link unlink };
|