a1b4560088
Grant observed uses of permissions being audited in domain_deprecated.
fsck
avc: granted { getattr } for path="/" dev="dm-0" ino=2 scontext=u:r:fsck:s0 tcontext=u:object_r:rootfs:s0 tclass=dir
keystore
avc: granted { read open } for path="/vendor/lib64/hw" dev="dm-1" ino=168 scontext=u:r:keystore:s0 tcontext=u:object_r:system_file:s0 tclass=dir
sdcardd
avc: granted { read open } for path="/proc/filesystems" dev="proc" ino=4026532412 scontext=u:r:sdcardd:s0 tcontext=u:object_r:proc:s0 tclass=file
update_engine
avc: granted { getattr } for path="/proc/misc" dev="proc" ino=4026532139 scontext=u:r:update_engine:s0 tcontext=u:object_r:proc:s0 tclass=file
avc: granted { read open } for path="/proc/misc" dev="proc" ino=4026532139 scontext=u:r:update_engine:s0 tcontext=u:object_r:proc:s0 tclass=file
avc: granted { read } for name="hw" dev="dm-1" ino=168 scontext=u:r:update_engine:s0 tcontext=u:object_r:system_file:s0 tclass=dir
vold
avc: granted { read open } for path="/vendor/lib64/hw" dev="dm-1" ino=168 scontext=u:r:vold:s0 tcontext=u:object_r:system_file:s0 tclass=dir
Test: Marlin builds and boots, avc granted messages no longer observed.
Bug: 35197529
Change-Id: Iae34ae3b9e22ba7550cf7d45dc011ab043e63424
43 lines
1.4 KiB
Text
43 lines
1.4 KiB
Text
type sdcardd, domain, domain_deprecated;
|
|
type sdcardd_exec, exec_type, file_type;
|
|
|
|
allow sdcardd cgroup:dir create_dir_perms;
|
|
allow sdcardd fuse_device:chr_file rw_file_perms;
|
|
allow sdcardd rootfs:dir mounton; # TODO: deprecated in M
|
|
allow sdcardd sdcardfs:filesystem remount;
|
|
allow sdcardd tmpfs:dir r_dir_perms;
|
|
allow sdcardd mnt_media_rw_file:dir r_dir_perms;
|
|
allow sdcardd storage_file:dir search;
|
|
allow sdcardd storage_stub_file:dir { search mounton };
|
|
allow sdcardd sdcard_type:filesystem { mount unmount };
|
|
allow sdcardd self:capability { setuid setgid dac_override sys_admin sys_resource };
|
|
|
|
allow sdcardd sdcard_type:dir create_dir_perms;
|
|
allow sdcardd sdcard_type:file create_file_perms;
|
|
|
|
allow sdcardd media_rw_data_file:dir create_dir_perms;
|
|
allow sdcardd media_rw_data_file:file create_file_perms;
|
|
|
|
# Read /data/system/packages.list.
|
|
allow sdcardd system_data_file:file r_file_perms;
|
|
|
|
# Read /data/.layout_version
|
|
allow sdcardd install_data_file:file r_file_perms;
|
|
|
|
# Allow stdin/out back to vold
|
|
allow sdcardd vold:fd use;
|
|
allow sdcardd vold:fifo_file { read write getattr };
|
|
|
|
# Allow running on top of expanded storage
|
|
allow sdcardd mnt_expand_file:dir search;
|
|
|
|
# access /proc/filesystems
|
|
allow sdcardd proc:file r_file_perms;
|
|
|
|
###
|
|
### neverallow rules
|
|
###
|
|
|
|
# The sdcard daemon should no longer be started from init
|
|
neverallow init sdcardd_exec:file execute;
|
|
neverallow init sdcardd:process { transition dyntransition };
|