tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_system_sepolicy/public/domain_deprecated.te
Jeff Sharkey 72f4c61979 Allow installd to delete files via sdcardfs. 
When installd clears cached files on external storage, the sdcardfs
kernel filesystem needs to be kept in the loop to release any cached
dentries that it's holding onto.  (Otherwise the underlying disk
space isn't actually released.)

installd can already delete the underlying files directly (via the
media_rw_data_file rules), so this technically isn't expanding its
capabilities.

avc: granted { search } for name="/" dev="tmpfs" ino=6897 scontext=u:r:installd:s0 tcontext=u:object_r:tmpfs:s0 tclass=dir
avc: denied { open } for path="/mnt/runtime/default/emulated/0/Android/data" dev="sdcardfs" ino=589830 scontext=u:r:installd:s0 tcontext=u:object_r:sdcardfs:s0 tclass=dir permissive=1
avc: denied { write } for name="com.google.android.inputmethod.japanese" dev="sdcardfs" ino=590040 scontext=u:r:installd:s0 tcontext=u:object_r:sdcardfs:s0 tclass=dir permissive=0
avc: denied { remove_name } for name="cache_r.m" dev="sdcardfs" ino=589868 scontext=u:r:installd:s0 tcontext=u:object_r:sdcardfs:s0 tclass=dir permissive=0
avc: denied { getattr } for path="/mnt/runtime/default/emulated/0/Android/data/.nomedia" dev="sdcardfs" ino=589831 scontext=u:r:installd:s0 tcontext=u:object_r:sdcardfs:s0 tclass=file permissive=1

Test: cts-tradefed run commandAndExit cts-dev -m CtsAppSecurityHostTestCases -t android.appsecurity.cts.StorageHostTest
Bug: 37486230
Change-Id: Icfd00a9ba379b1f50c48fe85849304cf9859bcb2
2017-05-05 16:10:06 -06:00

319 lines
6.2 KiB
Text
Raw Blame History

# rules removed from the domain attribute
# Search /storage/emulated tmpfs mount.
allow { domain_deprecated -installd } tmpfs:dir r_dir_perms;
userdebug_or_eng(`
auditallow {
domain_deprecated
-appdomain
-installd
-sdcardd
-surfaceflinger
-system_server
-vold
-zygote
} tmpfs:dir r_dir_perms;
')
# Inherit or receive open files from others.
allow domain_deprecated system_server:fd use;
userdebug_or_eng(`
auditallow { domain_deprecated -appdomain -netd -surfaceflinger } system_server:fd use;
')
# Connect to adbd and use a socket transferred from it.
# This is used for e.g. adb backup/restore.
allow domain_deprecated adbd:fd use;
userdebug_or_eng(`
auditallow { domain_deprecated -appdomain -system_server } adbd:fd use;
')
# Root fs.
allow domain_deprecated rootfs:dir r_dir_perms;
allow domain_deprecated rootfs:file r_file_perms;
allow domain_deprecated rootfs:lnk_file r_file_perms;
userdebug_or_eng(`
auditallow {
domain_deprecated
-fsck
-healthd
-installd
-servicemanager
-system_server
-ueventd
-uncrypt
-vold
-zygote
} rootfs:dir { open getattr read ioctl lock }; # search granted in domain
auditallow {
domain_deprecated
-healthd
-installd
-servicemanager
-system_server
-ueventd
-uncrypt
-vold
-zygote
} rootfs:file r_file_perms;
auditallow {
domain_deprecated
-appdomain
-healthd
-installd
-servicemanager
-system_server
-ueventd
-uncrypt
-vold
-zygote
} rootfs:lnk_file { getattr open ioctl lock }; # read granted in domain
')
# System file accesses.
allow domain_deprecated system_file:dir r_dir_perms;
userdebug_or_eng(`
auditallow {
domain_deprecated
-appdomain
-fingerprintd
-installd
-keystore
-rild
-surfaceflinger
-system_server
-update_engine
-vold
-zygote
} system_file:dir { open read ioctl lock }; # search getattr in domain
')
# Read files already opened under /data.
allow domain_deprecated system_data_file:file { getattr read };
allow domain_deprecated system_data_file:lnk_file r_file_perms;
userdebug_or_eng(`
auditallow {
domain_deprecated
-appdomain
-sdcardd
-system_server
-tee
} system_data_file:file { getattr read };
auditallow {
domain_deprecated
-appdomain
-system_server
-tee
} system_data_file:lnk_file r_file_perms;
')
# Read apk files under /data/app.
allow domain_deprecated apk_data_file:dir { getattr search };
allow domain_deprecated apk_data_file:file r_file_perms;
allow domain_deprecated apk_data_file:lnk_file r_file_perms;
userdebug_or_eng(`
auditallow {
domain_deprecated
-appdomain
-dex2oat
-installd
-system_server
} apk_data_file:dir { getattr search };
auditallow {
domain_deprecated
-appdomain
-dex2oat
-installd
-system_server
} apk_data_file:file r_file_perms;
auditallow {
domain_deprecated
-appdomain
-dex2oat
-installd
-system_server
} apk_data_file:lnk_file r_file_perms;
')
# Read already opened /cache files.
allow domain_deprecated cache_file:dir r_dir_perms;
allow domain_deprecated cache_file:file { getattr read };
allow domain_deprecated cache_file:lnk_file r_file_perms;
userdebug_or_eng(`
auditallow {
domain_deprecated
-system_server
-vold
} cache_file:dir { open read search ioctl lock };
auditallow {
domain_deprecated
-appdomain
-system_server
-vold
} cache_file:dir getattr;
auditallow {
domain_deprecated
-system_server
-vold
} cache_file:file { getattr read };
auditallow {
domain_deprecated
-system_server
-vold
} cache_file:lnk_file r_file_perms;
')
# Allow access to ion memory allocation device
allow domain_deprecated ion_device:chr_file rw_file_perms;
# split this auditallow into read and write perms since most domains seem to
# only require read
userdebug_or_eng(`
auditallow {
domain_deprecated
-appdomain
-fingerprintd
-keystore
-surfaceflinger
-system_server
-tee
-vold
-zygote
} ion_device:chr_file r_file_perms;
auditallow domain_deprecated ion_device:chr_file { write append };
')
# Read access to pseudo filesystems.
r_dir_file(domain_deprecated, proc)
r_dir_file(domain_deprecated, sysfs)
r_dir_file(domain_deprecated, cgroup)
allow domain_deprecated proc_meminfo:file r_file_perms;
userdebug_or_eng(`
auditallow {
domain_deprecated
-fsck
-fsck_untrusted
-rild
-sdcardd
-system_server
-update_engine
-vold
} proc:file r_file_perms;
auditallow {
domain_deprecated
-fsck
-fsck_untrusted
-rild
-system_server
-vold
} proc:lnk_file { open ioctl lock }; # getattr read granted in domain
auditallow {
domain_deprecated
-bluetooth
-fingerprintd
-healthd
-netd
-rild
-system_app
-surfaceflinger
-system_server
-tee
-ueventd
-vold
} sysfs:dir { open getattr read ioctl lock }; # search granted in domain
auditallow {
domain_deprecated
-bluetooth
-fingerprintd
-healthd
-netd
-rild
-system_app
-surfaceflinger
-system_server
-tee
-ueventd
-vold
} sysfs:file r_file_perms;
auditallow {
domain_deprecated
-bluetooth
-fingerprintd
-healthd
-netd
-rild
-system_app
-surfaceflinger
-system_server
-tee
-ueventd
-vold
} sysfs:lnk_file { getattr open ioctl lock }; # read granted in domain
auditallow {
domain_deprecated
-appdomain
-dumpstate
-fingerprintd
-healthd
-inputflinger
-installd
-keystore
-netd
-rild
-surfaceflinger
-system_server
-zygote
} cgroup:dir r_dir_perms;
auditallow {
domain_deprecated
-appdomain
-dumpstate
-fingerprintd
-healthd
-inputflinger
-installd
-keystore
-netd
-rild
-surfaceflinger
-system_server
-zygote
} cgroup:{ file lnk_file } r_file_perms;
auditallow {
domain_deprecated
-appdomain
-surfaceflinger
-system_server
-vold
} proc_meminfo:file r_file_perms;
')
# Get SELinux enforcing status.
allow domain_deprecated selinuxfs:dir r_dir_perms;
allow domain_deprecated selinuxfs:file r_file_perms;
userdebug_or_eng(`
auditallow {
domain_deprecated
-appdomain
-installd
-keystore
-postinstall_dexopt
-runas
-servicemanager
-system_server
-ueventd
-zygote
} selinuxfs:dir { open getattr read ioctl lock }; # search granted in domain
auditallow {
domain_deprecated
-appdomain
-installd
-keystore
-postinstall_dexopt
-runas
-servicemanager
-system_server
-ueventd
-zygote
} selinuxfs:file { open read ioctl lock }; # getattr granted in domain
')
Reference in a new issue View git blame Copy permalink