platform_system_sepolicy/prebuilts/api/31.0/public/net.te
Inseob Kim 08d4c8fa6e Add fake 31.0 prebuilt
This commit adds a fake 31.0 prebuilt. The prebuilt is based on AOSP
policy, but slightly modified so the set of types and attributes is a
subset of the real 31.0 prebuilt (sc-dev policy).

Steps taken to make the fake prebuilt:

1) build plat_sepolicy.cil both on AOSP and sc-dev, with lunch target
aosp_arm64-eng.
2) diff both outputs to find out which types and attributes don't exist.
3) remove all relevant files and statements.

As a result, the following types are removed.

artd
artd_exec
artd_service
power_stats_service
transformer_service
virtualizationservice
virtualizationservice_data_file
virtualizationservice_exec

Bug: 189161483
Test: N/A, will do after adding 31.0 mapping files.
Change-Id: Ia957fc32b1838dae730d9dd7bd917d684d4a24cf
Merged-In: Ia4ea2999f4bc8ae80f13e51d99fba3e98e293447
2021-06-15 12:08:00 +00:00


## Network types
type node, node_type;
type netif, netif_type;
type port, port_type;

###
### Domain with network access
###

# Use network sockets.
allow netdomain self:tcp_socket create_stream_socket_perms;
allow netdomain self:{ icmp_socket udp_socket rawip_socket } create_socket_perms;

# Connect to ports.
allow netdomain port_type:tcp_socket name_connect;

# Bind to ports.
allow {netdomain -ephemeral_app} node_type:{ icmp_socket rawip_socket tcp_socket udp_socket } node_bind;
allow {netdomain -ephemeral_app} port_type:udp_socket name_bind;
allow {netdomain -ephemeral_app} port_type:tcp_socket name_bind;

# See changes to the routing table.
allow netdomain self:netlink_route_socket { create read getattr write setattr lock append connect getopt setopt shutdown nlmsg_read };

# b/141455849 gate RTM_GETLINK with a new permission nlmsg_readpriv and block access from
# untrusted_apps. Some untrusted apps (e.g. untrusted_app_25-29) are granted access elsewhere
# to avoid app-compat breakage.
allow {
    netdomain
    -ephemeral_app
    -mediaprovider
    -untrusted_app_all
} self:netlink_route_socket { bind nlmsg_readpriv };

# Talks to netd via dnsproxyd socket.
unix_socket_connect(netdomain, dnsproxyd, netd)

# Talks to netd via fwmarkd socket.
unix_socket_connect(netdomain, fwmarkd, netd)

# Connect to mdnsd via mdnsd socket.
unix_socket_connect(netdomain, mdnsd, mdnsd)
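The rules above rely on two pieces of SELinux syntax that are easy to misread when auditing a policy: attribute-based sources (`netdomain` expands to every type carrying that attribute) and set subtraction (`{netdomain -ephemeral_app}` grants to every netdomain type except those also carrying `ephemeral_app`). The following is an added example, not code from AOSP sepolicy or the commit above: a small Python analyzer that parses the `allow` rules of this file (embedded as constructed sample text) and answers "can source type S perform permission P on class C against target T". The attribute map `ATTRS`, the simplified macro expansions in `MACROS`, and the function names `parse_allow_rules` and `is_allowed` are assumptions made for the example; real answers come from `sesearch` against the compiled policy, since this toy ignores `neverallow`, conditionals and the m4 macros such as `unix_socket_connect`.

```python
"""Toy analyzer for SELinux .te allow rules (added example, not AOSP code)."""
import re

# Constructed sample: the allow rules from net.te (m4 macro calls omitted).
SAMPLE_TE = """
allow netdomain self:tcp_socket create_stream_socket_perms;
allow netdomain self:{ icmp_socket udp_socket rawip_socket } create_socket_perms;
allow netdomain port_type:tcp_socket name_connect;
allow {netdomain -ephemeral_app} node_type:{ icmp_socket rawip_socket tcp_socket udp_socket } node_bind;
allow {netdomain -ephemeral_app} port_type:udp_socket name_bind;
allow {netdomain -ephemeral_app} port_type:tcp_socket name_bind;
allow netdomain self:netlink_route_socket { create read getattr write setattr lock append connect getopt setopt shutdown nlmsg_read };
# b/141455849: nlmsg_readpriv is withheld from untrusted apps.
allow {
    netdomain
    -ephemeral_app
    -mediaprovider
    -untrusted_app_all
} self:netlink_route_socket { bind nlmsg_readpriv };
"""

# Assumption: simplified expansions of the global_macros permission sets.
MACROS = {"rw_socket_perms": {"ioctl", "read", "getattr", "write", "setattr", "lock",
                              "append", "bind", "connect", "getopt", "setopt", "shutdown"}}
MACROS["create_socket_perms"] = {"create"} | MACROS["rw_socket_perms"]
MACROS["create_stream_socket_perms"] = MACROS["create_socket_perms"] | {"listen", "accept"}

# Assumption: a constructed type -> attributes map standing in for the real policy's
# typeattribute statements (untrusted_app_25 really does carry untrusted_app_all).
ATTRS = {
    "untrusted_app": {"netdomain", "untrusted_app_all"},
    "untrusted_app_25": {"netdomain", "untrusted_app_all"},
    "ephemeral_app": {"netdomain", "untrusted_app_all"},
    "mediaprovider": {"netdomain"},
    "shell": {"netdomain"},
    "port": {"port_type"},
    "node": {"node_type"},
}


def _tokens(text):
    """Strip comments and split the policy into tokens, isolating { } : ; ."""
    text = re.sub(r"#.*", "", text)
    for ch in "{}:;":
        text = text.replace(ch, f" {ch} ")
    return text.split()


def _read_set(tokens, i):
    """Parse a single identifier or a { a -b } set; return (positive, negated, next_index)."""
    pos, neg = set(), set()
    if tokens[i] != "{":
        return {tokens[i]}, neg, i + 1
    i += 1
    while tokens[i] != "}":
        t = tokens[i]
        (neg if t.startswith("-") else pos).add(t.lstrip("-"))
        i += 1
    return pos, neg, i + 1


def parse_allow_rules(text):
    """Return a list of (src_pos, src_neg, tgt_pos, tgt_neg, classes, perms) tuples."""
    rules, toks, i = [], _tokens(text), 0
    while i < len(toks):
        if toks[i] != "allow":
            i += 1
            continue
        src_pos, src_neg, i = _read_set(toks, i + 1)
        tgt_pos, tgt_neg, i = _read_set(toks, i)
        assert toks[i] == ":", "expected target:class"
        classes, _, i = _read_set(toks, i + 1)
        raw_perms, _, i = _read_set(toks, i)
        assert toks[i] == ";", "expected ; after allow rule"
        i += 1
        perms = set()
        for p in raw_perms:               # expand permission macros
            perms |= MACROS.get(p, {p})
        rules.append((src_pos, src_neg, tgt_pos, tgt_neg, classes, perms))
    return rules


def _matches(type_name, pos, neg):
    """A type matches a set if it (or one of its attributes) is listed and none is negated."""
    names = {type_name} | ATTRS.get(type_name, set())
    return bool(names & pos) and not (names & neg)


def is_allowed(rules, source, target, cls, perm):
    """True if any parsed allow rule grants source -> target:cls perm."""
    for src_pos, src_neg, tgt_pos, tgt_neg, classes, perms in rules:
        if cls not in classes or perm not in perms or not _matches(source, src_pos, src_neg):
            continue
        if "self" in tgt_pos:
            if target == source:
                return True
            continue
        if _matches(target, tgt_pos, tgt_neg):
            return True
    return False


if __name__ == "__main__":
    rules = parse_allow_rules(SAMPLE_TE)
    for src, tgt, cls, perm in [("untrusted_app", "port", "tcp_socket", "name_bind"),
                                ("ephemeral_app", "port", "tcp_socket", "name_bind"),
                                ("ephemeral_app", "port", "tcp_socket", "name_connect"),
                                ("shell", "shell", "netlink_route_socket", "nlmsg_readpriv"),
                                ("untrusted_app_25", "untrusted_app_25", "netlink_route_socket", "nlmsg_readpriv")]:
        print(f"{src} -> {tgt}:{cls} {perm}: {is_allowed(rules, src, tgt, cls, perm)}")
```

The queries in the `__main__` block mirror the comments in the file: an ordinary untrusted app may `name_bind`, an ephemeral app may only `name_connect`, and `nlmsg_readpriv` is granted to `shell` but not to `untrusted_app_25`, because set subtraction is evaluated against every attribute the type carries, not just the one that brought it into the rule.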