platform_system_sepolicy/microdroid/system/private/property.te
Inseob Kim 5ee61a7628 microdroid: Narrow property permissions
microdroid's domains have been able to read/write any properties. That's
just for convenience while bringing up microdroid. This cleans up such
global permission and grants minimal access.

Bug: 194447534
Test: atest MicrodroidHostTestCases ComposHostTestCases
Test: run microdroid demo app
Change-Id: I09ce1174d4af9c228b788a522a6ab845cafd4505
2021-09-23 17:23:28 +09:00


# Don't audit legacy ctl. property handling. We only want the newer permission check to appear
# in the audit log
dontaudit domain {
    ctl_console_prop
    ctl_default_prop
    ctl_fuse_prop
}:property_service set;

###
### Neverallow rules
###

neverallow {
    domain
    -init
    -microdroid_manager
} vmsecret_keymint_prop:property_service set;

neverallow {
    domain
    -init
    -microdroid_manager
    -hal_keymint_server
} vmsecret_keymint_prop:file no_rw_file_perms;

# microdroid_manager_roothash_prop can only be set by microdroid_manager
# and read by apkdmverity
neverallow {
    domain
    -init
    -microdroid_manager
} microdroid_manager_roothash_prop:property_service set;

neverallow {
    domain
    -init
    -microdroid_manager
    -apkdmverity
} microdroid_manager_roothash_prop:file no_rw_file_perms;
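
An added example, not part of this file or of the AOSP tree: a small Python check that reads the four neverallow rules above and reports which candidate grants they would reject. It handles only the "domain minus named exceptions" source form used here. The partial expansion of `no_rw_file_perms`, the `GRANTS` list and the type `example_domain` are assumptions made for illustration.

```python
import re

# Constructed copy of this file's four neverallow rules, one per line.
POLICY = """
neverallow { domain -init -microdroid_manager } vmsecret_keymint_prop:property_service set;
neverallow { domain -init -microdroid_manager -hal_keymint_server } vmsecret_keymint_prop:file no_rw_file_perms;
neverallow { domain -init -microdroid_manager } microdroid_manager_roothash_prop:property_service set;
neverallow { domain -init -microdroid_manager -apkdmverity } microdroid_manager_roothash_prop:file no_rw_file_perms;
"""
# Assumption: partial expansion of the no_rw_file_perms macro (the full set is
# defined in the policy's global macros, which this page does not show).
PERM_SETS = {"no_rw_file_perms": {"read", "open", "write", "append"}}
RULE = re.compile(r"neverallow\s*\{([^}]*)\}\s*(\w+):(\w+)\s+(\w+)\s*;")

def parse(policy):
    """Return [(exempt_domains, target_type, tclass, perms)] per neverallow rule."""
    rules = []
    for src, target, tclass, perm in RULE.findall(policy):
        tokens = src.split()
        # Only the "domain minus named exceptions" form used in this file is handled.
        if tokens[:1] != ["domain"] or not all(t.startswith("-") for t in tokens[1:]):
            raise ValueError(f"unsupported source set: {src!r}")
        exempt = frozenset(t[1:] for t in tokens[1:])
        rules.append((exempt, target, tclass, PERM_SETS.get(perm, {perm})))
    return rules

def violations(rules, grants):
    """Return the (source, target, tclass, perm) grants that a neverallow forbids."""
    return [g for g in grants
            if any(g[1] == t and g[2] == c and g[3] in p and g[0] not in ex
                   for ex, t, c, p in rules)]

def exempt_domains(rules, target, tclass):
    """Domains that every matching neverallow leaves free to be granted access."""
    sets = [ex for ex, t, c, _ in rules if (t, c) == (target, tclass)]
    return sorted(frozenset.intersection(*sets)) if sets else []

# Constructed allow-rule candidates; example_domain is a hypothetical type.
GRANTS = [
    ("microdroid_manager", "microdroid_manager_roothash_prop", "property_service", "set"),
    ("apkdmverity", "microdroid_manager_roothash_prop", "file", "read"),
    ("apkdmverity", "microdroid_manager_roothash_prop", "property_service", "set"),
    ("hal_keymint_server", "vmsecret_keymint_prop", "file", "read"),
    ("example_domain", "vmsecret_keymint_prop", "file", "read"),
]

if __name__ == "__main__":
    for g in violations(parse(POLICY), GRANTS):
        print("neverallow violation:", g)
```

A neverallow grants nothing by itself: the exempt domains still need explicit allow rules, so the check only shows which grants would be rejected.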