platform_system_sepolicy/prebuilts/api/31.0/public/sgdisk.te
Inseob Kim 08d4c8fa6e Add fake 31.0 prebuilt
This commit adds a fake 31.0 prebuilt. The prebuilt is based on AOSP
policy, but slightly modified so that its set of types and attributes is a
subset of the real 31.0 prebuilt (sc-dev policy).

Steps taken to make the fake prebuilt:

1) build plat_sepolicy.cil both on AOSP and sc-dev, with lunch target
aosp_arm64-eng.
2) diff both outputs to find out which types and attributes don't exist.
3) remove all relevant files and statements.

As a result, the following types are removed.

artd
artd_exec
artd_service
power_stats_service
transformer_service
virtualizationservice
virtualizationservice_data_file
virtualizationservice_exec

Bug: 189161483
Test: N/A, will do after adding 31.0 mapping files.
Change-Id: Ia957fc32b1838dae730d9dd7bd917d684d4a24cf
Merged-In: Ia4ea2999f4bc8ae80f13e51d99fba3e98e293447
2021-06-15 12:08:00 +00:00


# Policy for the sgdisk domain. sgdisk is called from vold; the neverallow
# rules at the end of this file assert that vold is the only domain that
# may transition into it.
type sgdisk, domain;
# Label for the sgdisk executable. The last neverallow in this file makes
# it the only file label that may serve as an entrypoint into the domain.
type sgdisk_exec, system_file_type, exec_type, file_type;
# Allowed to read/write low-level partition tables.
# Block-device access is scoped to nodes labeled vold_device; on
# block_device directories only search is granted.
allow sgdisk block_device:dir search;
allow sgdisk vold_device:blk_file rw_file_perms;
# The allowxperm rules below list individual ioctl commands on
# vold_device block files. Each command has its own rule and rationale,
# which keeps the ioctl surface auditable one entry at a time.
#
# HDIO_GETGEO needed to get the number of disk heads
# on vold_device. How quaint.
allowxperm sgdisk vold_device:blk_file ioctl { HDIO_GETGEO };
# sgdisk also uses BLKGETSIZE and BLKGETSIZE64. BLKGETSIZE64
# is granted to all block device users in domain.te, so
# no need to mention it here. sgdisk should not be
# using the BLKGETSIZE ioctl as it is useless for devices over
# 2T in size, but we allow it for now and hope that sgdisk
# will fix their bug.
allowxperm sgdisk vold_device:blk_file ioctl { BLKGETSIZE };
# Force a re-read of the partition table.
allowxperm sgdisk vold_device:blk_file ioctl { BLKRRPART };
# Allow reading of the physical block size.
allowxperm sgdisk vold_device:blk_file ioctl { BLKPBSZGET };
# Inherit and use pty created by android_fork_execvp().
# No open permission is granted here, so sgdisk can only use a pty
# descriptor it was handed, not open one by itself.
allow sgdisk devpts:chr_file { read write ioctl getattr };
# Allow stdin/out back to vold: use of file descriptors inherited from
# vold, plus read/write/getattr on vold pipes (again without open).
allow sgdisk vold:fd use;
allow sgdisk vold:fifo_file { read write getattr };
# Used to probe kernel to reload partition tables.
# NOTE(review): sys_admin is a broad capability. It is presumably needed
# for the BLKRRPART ioctl allowed above - confirm. The entry restrictions
# below limit which code can run in this domain and therefore hold it.
allow sgdisk self:global_capability_class_set sys_admin;
# Entry restrictions. neverallow rules are build-time assertions: policy
# that grants a matching permission fails to compile.
#
# Only allow entry from vold: no other domain may transition into sgdisk
# on exec.
neverallow { domain -vold } sgdisk:process transition;
# No domain at all, vold included, may switch into sgdisk with a dynamic
# transition (a context change without exec).
neverallow * sgdisk:process dyntransition;
# The sgdisk domain may only be entered by executing a file labeled
# sgdisk_exec; every other file or filesystem type is excluded.
neverallow sgdisk { file_type fs_type -sgdisk_exec }:file entrypoint;