platform_system_sepolicy/private/kernel.te
Akilesh Kailash 1044702704 Supress permissive audit messages post OTA reboot
For post-OTA boot, we run a userspace block device daemon to mount /system.
However if we let the daemon run while loading sepolicy, it would spam permissive audits.
Since sepolicy is not yet enforced, we can suppress these
audit messages.

Bug: 240321741
Test: Full OTA on pixel
Signed-off-by: Akilesh Kailash <akailash@google.com>
Change-Id: I0af484f95b6a1deb41498d67de82afd3c6bb29b6
2022-10-10 21:58:41 +00:00


# Policy for the kernel domain. Besides the bootstrap transitions into init and
# snapuserd, nearly everything here covers the short window during a Virtual
# A/B OTA boot between loading sepolicy and switching to enforcing mode.
typeattribute kernel coredomain;
# When a process in the kernel domain executes init_exec (or, during a Virtual
# A/B OTA, snapuserd_exec) it is automatically moved into the init / snapuserd
# domain, so the kernel domain itself stays minimal.
domain_auto_trans(kernel, init_exec, init)
domain_auto_trans(kernel, snapuserd_exec, snapuserd)
# Allow the kernel to read otapreopt_chroot's file descriptors and files under
# /postinstall, as it uses apexd logic to mount APEX packages in /postinstall/apex.
allow kernel otapreopt_chroot:fd use;
allow kernel postinstall_file:file read;
# The following sections are for the transition period during a Virtual A/B
# OTA. Once sepolicy is loaded, snapuserd must be re-launched in the correct
# context, and with properly labelled devices. This must be done before
# enabling enforcement, eg, in permissive mode while still in the kernel
# context.
# Source side of the relabel: objects currently carrying the tmpfs label may be
# inspected and relabeled away from tmpfs. Presumably these are the device
# nodes the pre-sepolicy snapuserd created under /dev — confirm against the
# snapuserd relaunch path.
allow kernel tmpfs:blk_file { getattr relabelfrom };
allow kernel tmpfs:chr_file { getattr relabelfrom };
allow kernel tmpfs:lnk_file { getattr relabelfrom };
allow kernel tmpfs:dir { open read relabelfrom };
# Target side of the relabel: the only labels those objects may be moved to.
# Each relabelto here is paired with a relabelfrom above; adding a target type
# without a matching source rule has no effect, and vice versa.
allow kernel block_device:blk_file relabelto;
allow kernel block_device:lnk_file relabelto;
allow kernel dm_device:chr_file relabelto;
allow kernel dm_device:blk_file relabelto;
allow kernel dm_user_device:dir { read open search relabelto };
allow kernel dm_user_device:chr_file relabelto;
allow kernel kmsg_device:chr_file relabelto;
allow kernel null_device:chr_file relabelto;
allow kernel random_device:chr_file relabelto;
allow kernel snapuserd_exec:file relabelto;
# Writing to /dev/kmsg and using gsid-owned file descriptors are real grants,
# not just relabels; they stay in effect after enforcement is enabled.
allow kernel kmsg_device:chr_file write;
allow kernel gsid:fd use;
# Audit-noise suppression for the same pre-enforcement window. After an OTA a
# userspace block device daemon mounts /system, and while sepolicy is being
# loaded it is still running in the kernel domain in permissive mode, so each
# of its accesses would otherwise be logged as a permissive avc message.
# dontaudit only hides the audit record; it grants nothing.
# NOTE(review): because nothing is granted, any of these accesses that is still
# attempted once the device is enforcing fails *silently* — a missing allow
# rule in this area surfaces as a daemon malfunction with no avc denial to
# point at. Keep this list limited to what the daemon does before the
# re-exec into the snapuserd domain; the capability line (sys_admin in
# particular) is broad enough that hiding its denials outside that window
# would remove a useful detection signal.
dontaudit kernel metadata_file:dir search;
dontaudit kernel ota_metadata_file:dir rw_dir_perms;
dontaudit kernel sysfs:dir r_dir_perms;
dontaudit kernel sysfs:file { open read write };
dontaudit kernel sysfs:chr_file { open read write };
dontaudit kernel dm_device:chr_file ioctl;
dontaudit kernel self:capability { sys_admin setgid mknod };
dontaudit kernel dm_user_device:dir { write add_name };
dontaudit kernel dm_user_device:chr_file { create setattr };
dontaudit kernel tmpfs:lnk_file read;
dontaudit kernel tmpfs:blk_file { open read };
# Some contexts are changed before the device is flipped into enforcing mode
# during the setup of Apex sepolicy. These denials can be suppressed since
# the permissions should not be allowed after the device is flipped into
# enforcing mode.
dontaudit kernel device:dir { open read relabelto };
dontaudit kernel tmpfs:file { getattr open read relabelfrom };
# Relabeling the policy-configuration files themselves (file_contexts,
# property_contexts, seapp_contexts, ...) from the kernel domain is only
# expected during that Apex sepolicy setup; the denial stays in place when
# enforcing, so only the log line is dropped.
dontaudit kernel {
file_contexts_file
hwservice_contexts_file
mac_perms_file
property_contexts_file
seapp_contexts_file
sepolicy_test_file
service_contexts_file
}:file relabelto;