diff options
| author | Juju Sung <juju.sung@mediatek.com> | 2020-02-24 12:32:47 +0800 |
|---|---|---|
| committer | Juju Sung <juju.sung@mediatek.com> | 2020-02-24 13:02:25 +0800 |
| commit | 7f4f840ea0ffbfad78da13a0c059b0e40145ce61 (patch) | |
| tree | 6fa7ef4c0013be0de9b5e3d28b7c75fe1b04294c | |
| parent | d6ba988219522b525cd9d1768a33815219be81c9 (diff) | |
| download | device_mediatek_wembley-sepolicy-7f4f840ea0ffbfad78da13a0c059b0e40145ce61.tar.gz device_mediatek_wembley-sepolicy-7f4f840ea0ffbfad78da13a0c059b0e40145ce61.tar.bz2 device_mediatek_wembley-sepolicy-7f4f840ea0ffbfad78da13a0c059b0e40145ce61.zip | |
[ALPS04971420] sepolicy: add inode2filename neverallow rule
[Error]
domain.te violated by allow iorap_inode2filename system_data_file:dir { read open };
domain.te violated by allow iorap_inode2filename system_data_file:lnk_file { read open };
[Detail]
This patch add iorap_inode2filename neverallow rule for system_data access
Change-Id: I0456dc3a73459ec45026ca4eec81cc89f636671c
CR-Id: ALPS04971420
Feature: [Android Default] SELinux, SEAndroid, and SE-MTK
| -rw-r--r-- | plat_private/domain.te | 5 | ||||
| -rw-r--r-- | plat_public/domain.te | 8 |
2 files changed, 13 insertions, 0 deletions
diff --git a/plat_private/domain.te b/plat_private/domain.te index 3091c3c..8e246c2 100644 --- a/plat_private/domain.te +++ b/plat_private/domain.te @@ -22,6 +22,7 @@ full_treble_only(` -init -installd -iorap_prefetcherd + -iorap_inode2filename -logd -mediadrmserver -mediaextractor @@ -54,6 +55,7 @@ full_treble_only(` neverallow installd system_data_file:file ~{ getattr relabelfrom unlink }; neverallow iorap_prefetcherd system_data_file:file ~{ open read }; + neverallow iorap_inode2filename system_data_file:file ~{ open read getattr }; neverallow { mediadrmserver @@ -74,6 +76,7 @@ full_treble_only(` init installd iorap_prefetcherd + iorap_inode2filename logd rs runas @@ -100,6 +103,8 @@ full_treble_only(` neverallow iorap_prefetcherd system_data_file:lnk_file ~{ read open }; + neverallow iorap_inode2filename system_data_file:lnk_file ~{ read open getattr }; + neverallow rs system_data_file:lnk_file ~{ read }; neverallow { diff --git a/plat_public/domain.te b/plat_public/domain.te index cd362dd..9adf77e 100644 --- a/plat_public/domain.te +++ b/plat_public/domain.te @@ -171,6 +171,7 @@ full_treble_only(` -init -installd -iorap_prefetcherd + -iorap_inode2filename -system_server -toolbox -vold @@ -183,6 +184,8 @@ full_treble_only(` neverallow installd system_data_file:file ~{ getattr relabelfrom unlink }; + neverallow iorap_inode2filename system_data_file:file ~{ open read getattr }; + neverallow iorap_prefetcherd system_data_file:file ~{ open read }; neverallow { @@ -203,6 +206,7 @@ full_treble_only(` init installd iorap_prefetcherd + iorap_inode2filename logd rs runas @@ -227,6 +231,8 @@ full_treble_only(` neverallow iorap_prefetcherd system_data_file:lnk_file ~{ read open }; + neverallow iorap_inode2filename system_data_file:lnk_file ~{ read open getattr }; + neverallow rs system_data_file:lnk_file ~{ read }; neverallow { @@ -242,6 +248,7 @@ full_treble_only(` init installd iorap_prefetcherd + iorap_inode2filename system_server toolbox traced_probes @@ -263,6 +270,7 @@ full_treble_only(` neverallow { iorap_prefetcherd + iorap_inode2filename traced_probes } system_data_file:dir ~{ open read search getattr }; |