author | Shanshan Guo <Shanshan.Guo@mediatek.com> | 2020-02-13 11:59:39 +0800 |
---|---|---|
committer | Shanshan Guo <Shanshan.Guo@mediatek.com> | 2020-02-13 11:59:39 +0800 |
commit | 4c072597d7a0c0decfc3a86126f7570b5e82e761 (patch) | |
tree | 0b907d1e9311d3151b1b4f773b88fb4e4d146d2a | |
parent | 4e4ba53b7464c36092ab0ab51ae2e7072529ec58 (diff) | |
[ALPS04994589] SEPolicy: Modify neverallow rule for system_data_file
[Detail]
aosp/1217340 adds an allow rule for apexd, which belongs to the
init process.
[Solution]
Modify neverallow rule of system_data_file dir to exclude apexd.
Change-Id: I3b57ee2e0a338c6427825467812b767abb696dcd
CR-Id: ALPS04994589
Feature: [Android Default] SELinux, SEAndroid, and SE-MTK
-rw-r--r-- | plat_public/domain.te | 255 |
1 files changed, 129 insertions, 126 deletions
diff --git a/plat_public/domain.te b/plat_public/domain.te
index 1478421..cd362dd 100644
--- a/plat_public/domain.te
+++ b/plat_public/domain.te
@@ -147,132 +147,135 @@ full_treble_only(`
 # allow hal_drm system_data_file:file { getattr read };
 # hal_server_domain(merged_hal_service, hal_drm)
 #
-# full_treble_only(`
-# neverallow ~{
-# init
-# installd
-# system_server
-# } system_data_file:{ chr_file blk_file sock_file fifo_file } *;
-#
-# neverallow init system_data_file:{ chr_file blk_file } ~{ relabelto };;
-#
-# neverallow init system_data_file:{ sock_file fifo_file } ~{ create getattr open read setattr relabelfrom unlink relabelto };
-#
-# neverallow installd system_data_file:{ chr_file blk_file } *;
-#
-# neverallow installd system_data_file:{ sock_file fifo_file } ~{ getattr relabelfrom unlink };
-#
-# neverallow system_server system_data_file:{ lnk_file sock_file fifo_file } ~create_file_perms;
-#
-# neverallow {
-# coredomain
-# -appdomain
-# -app_zygote
-# -init
-# -installd
-# -iorap_prefetcherd
-# -system_server
-# -toolbox
-# -vold
-# -vold_prepare_subdirs
-# } system_data_file:file ~r_file_perms;
-#
-# neverallow { appdomain app_zygote } system_data_file:file ~{ getattr read map };
-#
-# neverallow init system_data_file:file ~{ create getattr open read write setattr relabelfrom unlink map getattr relabelto };
-#
-# neverallow installd system_data_file:file ~{ getattr relabelfrom unlink };
-#
-# neverallow iorap_prefetcherd system_data_file:file ~{ open read };
-#
-# neverallow {
-# mediadrmserver
-# mediaextractor
-# mediaserver
-# } system_data_file:file ~{ read getattr };
-#
-# neverallow system_server system_data_file:file ~{ create_file_perms relabelfrom link };
-#
-# neverallow { toolbox vold_prepare_subdirs } system_data_file:file ~{ getattr unlink };
-#
-# neverallow vold system_data_file:file ~read;
-#
-# neverallow ~{
-# appdomain
-# app_zygote
-# init
-# installd
-# iorap_prefetcherd
-# logd
-# rs
-# runas
-# simpleperf_app_runner
-# system_server
-# tee
-# vold
-# webview_zygote
-# zygote
-# } system_data_file:lnk_file ~getattr;
-#
-# neverallow {
-# appdomain
-# app_zygote
-# logd
-# webview_zygote
-# } system_data_file:lnk_file ~r_file_perms;
-#
-# neverallow init system_data_file:lnk_file ~{ r_file_perms create setattr relabelfrom relabelto unlink };
-#
-# neverallow installd system_data_file:lnk_file ~{ create getattr read setattr unlink relabelfrom };
-#
-# neverallow iorap_prefetcherd system_data_file:lnk_file ~{ read open };
-#
-# neverallow rs system_data_file:lnk_file ~{ read };
-#
-# neverallow {
-# runas
-# simpleperf_app_runner
-# tee
-# } system_data_file:lnk_file ~{ read getattr };
-#
-# neverallow system_server system_data_file:lnk_file ~create_file_perms;
-#
-# neverallow ~{
-# init
-# installd
-# iorap_prefetcherd
-# system_server
-# toolbox
-# traced_probes
-# vold
-# vold_prepare_subdirs
-# zygote
-# } system_data_file:dir ~{ search getattr };
-#
-# neverallow init system_data_file:dir ~{
-# create search getattr open read setattr ioctl
-# mounton
-# relabelto
-# write add_name remove_name rmdir relabelfrom
-# };
-#
-# neverallow installd system_data_file:dir ~{ relabelfrom create_dir_perms };
-#
-# neverallow {
-# iorap_prefetcherd
-# traced_probes
-# } system_data_file:dir ~{ open read search getattr };
-#
-# neverallow system_server system_data_file:dir ~{ relabelfrom create_dir_perms };
-#
-# neverallow toolbox system_data_file:dir ~{ rmdir rw_dir_perms };
-#
-# neverallow vold system_data_file:dir ~{ create rw_dir_perms mounton setattr rmdir };
-#
-# neverallow vold_prepare_subdirs system_data_file:dir ~{ open read write add_name remove_name rmdir relabelfrom search getattr };
-#
-# neverallow zygote system_data_file:dir ~{ r_dir_perms mounton relabelto };
-# ')
+full_treble_only(`
+ neverallow ~{
+ init
+ installd
+ system_server
+ } system_data_file:{ chr_file blk_file sock_file fifo_file } *;
+
+ neverallow init system_data_file:{ chr_file blk_file } ~{ relabelto };;
+
+ neverallow init system_data_file:{ sock_file fifo_file } ~{ create getattr open read setattr relabelfrom unlink relabelto };
+
+ neverallow installd system_data_file:{ chr_file blk_file } *;
+
+ neverallow installd system_data_file:{ sock_file fifo_file } ~{ getattr relabelfrom unlink };
+
+ neverallow system_server system_data_file:{ lnk_file sock_file fifo_file } ~create_file_perms;
+
+ neverallow {
+ coredomain
+ -appdomain
+ -app_zygote
+ -init
+ -installd
+ -iorap_prefetcherd
+ -system_server
+ -toolbox
+ -vold
+ -vold_prepare_subdirs
+ } system_data_file:file ~r_file_perms;
+
+ neverallow { appdomain app_zygote } system_data_file:file ~{ getattr read map };
+
+ neverallow init system_data_file:file ~{ create getattr open read write setattr relabelfrom unlink map getattr relabelto };
+
+ neverallow installd system_data_file:file ~{ getattr relabelfrom unlink };
+
+ neverallow iorap_prefetcherd system_data_file:file ~{ open read };
+
+ neverallow {
+ mediadrmserver
+ mediaextractor
+ mediaserver
+ } system_data_file:file ~{ read getattr };
+
+ neverallow system_server system_data_file:file ~{ create_file_perms relabelfrom link };
+
+ neverallow { toolbox vold_prepare_subdirs } system_data_file:file ~{ getattr unlink };
+
+ neverallow vold system_data_file:file ~read;
+
+ neverallow ~{
+ appdomain
+ app_zygote
+ init
+ installd
+ iorap_prefetcherd
+ logd
+ rs
+ runas
+ simpleperf_app_runner
+ system_server
+ tee
+ vold
+ webview_zygote
+ zygote
+ } system_data_file:lnk_file ~getattr;
+
+ neverallow {
+ appdomain
+ app_zygote
+ logd
+ webview_zygote
+ } system_data_file:lnk_file ~r_file_perms;
+
+ neverallow init system_data_file:lnk_file ~{ r_file_perms create setattr relabelfrom relabelto unlink };
+
+ neverallow installd system_data_file:lnk_file ~{ create getattr read setattr unlink relabelfrom };
+
+ neverallow iorap_prefetcherd system_data_file:lnk_file ~{ read open };
+
+ neverallow rs system_data_file:lnk_file ~{ read };
+
+ neverallow {
+ runas
+ simpleperf_app_runner
+ tee
+ } system_data_file:lnk_file ~{ read getattr };
+
+ neverallow system_server system_data_file:lnk_file ~create_file_perms;
+
+ neverallow ~{
+ apexd
+ init
+ installd
+ iorap_prefetcherd
+ system_server
+ toolbox
+ traced_probes
+ vold
+ vold_prepare_subdirs
+ zygote
+ } system_data_file:dir ~{ search getattr };
+
+ neverallow apexd system_data_file:dir ~r_dir_perms;
+
+ neverallow init system_data_file:dir ~{
+ create search getattr open read setattr ioctl
+ mounton
+ relabelto
+ write add_name remove_name rmdir relabelfrom
+ };
+
+ neverallow installd system_data_file:dir ~{ relabelfrom create_dir_perms };
+
+ neverallow {
+ iorap_prefetcherd
+ traced_probes
+ } system_data_file:dir ~{ open read search getattr };
+
+ neverallow system_server system_data_file:dir ~{ relabelfrom create_dir_perms };
+
+ neverallow toolbox system_data_file:dir ~{ rmdir rw_dir_perms };
+
+ neverallow vold system_data_file:dir ~{ create rw_dir_perms mounton setattr rmdir };
+
+ neverallow vold_prepare_subdirs system_data_file:dir ~{ open read write add_name remove_name rmdir relabelfrom search getattr };
+
+ neverallow zygote system_data_file:dir ~{ r_dir_perms mounton relabelto };
+')
 # Do not allow access to the generic vendor_data_file label. This is |