tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_system_sepolicy/public/uncrypt.te
Yi-Yo Chiang 806898db48 Split gsi_metadata_file and add gsi_metadata_file_type attribute 
Split gsi_metadata_file into gsi_metadata_file plus
gsi_public_metadata_file, and add gsi_metadata_file_type attribute.
Files that are okay to be publicly readable are labeled with
gsi_public_metadata_file. Right now only files needed to infer the
device fstab belong to this label.
The difference between gsi_metadata_file and gsi_public_metadata_file is
that gsi_public_metadata_file has relaxed neverallow rules, so processes
who wish to read the fstab can add the respective allow rules to their
policy files.
Allow gsid to restorecon on gsi_metadata_file to fix the file context of
gsi_public_metadata_file.

Bug: 181110285
Test: Build pass
Test: Issue a DSU installation then verify no DSU related denials and
  files under /metadata/gsi/ are labeled correctly.
Change-Id: I54a5fe734dd345e28fd8c0874d5fceaf80ab8c11
2021-03-29 03:09:35 +00:00

43 lines
1.3 KiB
Text
Raw Blame History

# uncrypt
type uncrypt, domain, mlstrustedsubject;
type uncrypt_exec, system_file_type, exec_type, file_type;
allow uncrypt self:global_capability_class_set { dac_override dac_read_search };
userdebug_or_eng(`
# For debugging, allow /data/local/tmp access
r_dir_file(uncrypt, shell_data_file)
')
# Read /cache/recovery/command
# Read /cache/recovery/uncrypt_file
allow uncrypt cache_file:dir search;
allow uncrypt cache_recovery_file:dir rw_dir_perms;
allow uncrypt cache_recovery_file:file create_file_perms;
# Read and write(for f2fs_pin_file) on OTA zip file at /data/ota_package/.
allow uncrypt ota_package_file:dir r_dir_perms;
allow uncrypt ota_package_file:file rw_file_perms;
# Write to /dev/socket/uncrypt
unix_socket_connect(uncrypt, uncrypt, uncrypt)
# Raw writes to block device
allow uncrypt self:global_capability_class_set sys_rawio;
allow uncrypt misc_block_device:blk_file w_file_perms;
allow uncrypt block_device:dir r_dir_perms;
# Access userdata block device.
allow uncrypt userdata_block_device:blk_file w_file_perms;
r_dir_file(uncrypt, rootfs)
# uncrypt reads /proc/cmdline
allow uncrypt proc_cmdline:file r_file_perms;
# Read files in /sys
r_dir_file(uncrypt, sysfs_dt_firmware_android)
# Suppress the denials coming from ReadDefaultFstab call.
dontaudit uncrypt gsi_metadata_file_type:dir search;
dontaudit uncrypt metadata_file:dir search;
Reference in a new issue View git blame Copy permalink