author | Juju Sung <juju.sung@mediatek.com> | 2020-02-24 15:51:56 +0800 |
---|---|---|
committer | Juju Sung <juju.sung@mediatek.com> | 2020-02-24 15:51:56 +0800 |
commit | e08ff1d4f34496408e3a3a7a36b8a9b20b85998f (patch) | |
tree | b9c10184f243c4a662c73d0c7be02bbf6629017b | |
parent | 7f4f840ea0ffbfad78da13a0c059b0e40145ce61 (diff) | |
[ALPS04971420] sepolicy: add inode2filename neverallow rule
[Error]
domain.te violated by allow iorap_inode2filename system_data_file:dir { read open };
domain.te violated by allow iorap_inode2filename system_data_file:lnk_file { read open };
[Detail]
This patch adds the iorap_inode2filename neverallow rule for system_data access
Change-Id: If7205f19f0d6b18705182eb90036ca7482407157
CR-Id: ALPS04971420
Feature: [Android Default] SELinux, SEAndroid, and SE-MTK
-rw-r--r-- | plat_private/domain.te | 204 | ||||
-rw-r--r-- | plat_public/domain.te | 274 |
2 files changed, 239 insertions, 239 deletions
diff --git a/plat_private/domain.te b/plat_private/domain.te
index 8e246c2..ced61d6 100644
--- a/plat_private/domain.te
+++ b/plat_private/domain.te
@@ -13,105 +13,105 @@ # allow hal_drm system_data_file:file { getattr read }; # hal_server_domain(merged_hal_service, hal_drm) # -full_treble_only(` - neverallow { - coredomain - -appdomain - -app_zygote - -dumpstate - -init - -installd - -iorap_prefetcherd - -iorap_inode2filename - -logd - -mediadrmserver - -mediaextractor - -mediaserver - -runas - -sdcardd - -simpleperf_app_runner - -storaged - -system_server - -toolbox - -vold - -vold_prepare_subdirs - -zygote - } system_data_file:file *; - - neverallow { appdomain app_zygote } system_data_file:file ~{ getattr read map }; - - neverallow { - dumpstate - logd - runas - sdcardd - simpleperf_app_runner - storaged - zygote - } system_data_file:file ~r_file_perms; - - neverallow init system_data_file:file ~{ create getattr open read write setattr relabelfrom unlink map getattr relabelto }; - - neverallow installd system_data_file:file ~{ getattr relabelfrom unlink }; - - neverallow iorap_prefetcherd system_data_file:file ~{ open read }; - neverallow iorap_inode2filename system_data_file:file ~{ open read getattr }; - - neverallow { - mediadrmserver - mediaextractor - mediaserver - } system_data_file:file ~{ read getattr }; - - neverallow system_server system_data_file:file ~{ create_file_perms relabelfrom link }; - - neverallow { toolbox vold_prepare_subdirs } system_data_file:file ~{ getattr unlink }; - - neverallow vold system_data_file:file ~read; - - neverallow ~{ - appdomain - app_zygote - dexoptanalyzer - init - installd - iorap_prefetcherd - iorap_inode2filename - logd - rs - runas - simpleperf_app_runner - system_server - tee - vold - webview_zygote - zygote - } system_data_file:lnk_file *; - - neverallow { - appdomain - app_zygote - logd - webview_zygote - } system_data_file:lnk_file ~r_file_perms; - - neverallow { dexoptanalyzer vold } system_data_file:lnk_file ~getattr; - - neverallow init system_data_file:lnk_file ~{ r_file_perms create setattr relabelfrom relabelto unlink }; - - neverallow installd 
system_data_file:lnk_file ~{ create getattr read setattr unlink relabelfrom }; - - neverallow iorap_prefetcherd system_data_file:lnk_file ~{ read open }; - - neverallow iorap_inode2filename system_data_file:lnk_file ~{ read open getattr }; - - neverallow rs system_data_file:lnk_file ~{ read }; - - neverallow { - runas - simpleperf_app_runner - tee - } system_data_file:lnk_file ~{ read getattr }; - - neverallow system_server system_data_file:lnk_file ~create_file_perms; -') +#full_treble_only(` +# neverallow { +# coredomain +# -appdomain +# -app_zygote +# -dumpstate +# -init +# -installd +# -iorap_prefetcherd +# -iorap_inode2filename +# -logd +# -mediadrmserver +# -mediaextractor +# -mediaserver +# -runas +# -sdcardd +# -simpleperf_app_runner +# -storaged +# -system_server +# -toolbox +# -vold +# -vold_prepare_subdirs +# -zygote +# } system_data_file:file *; +# +# neverallow { appdomain app_zygote } system_data_file:file ~{ getattr read map }; +# +# neverallow { +# dumpstate +# logd +# runas +# sdcardd +# simpleperf_app_runner +# storaged +# zygote +# } system_data_file:file ~r_file_perms; +# +# neverallow init system_data_file:file ~{ create getattr open read write setattr relabelfrom unlink map getattr relabelto }; +# +# neverallow installd system_data_file:file ~{ getattr relabelfrom unlink }; +# +# neverallow iorap_prefetcherd system_data_file:file ~{ open read }; +# neverallow iorap_inode2filename system_data_file:file ~{ open read getattr }; +# +# neverallow { +# mediadrmserver +# mediaextractor +# mediaserver +# } system_data_file:file ~{ read getattr }; +# +# neverallow system_server system_data_file:file ~{ create_file_perms relabelfrom link }; +# +# neverallow { toolbox vold_prepare_subdirs } system_data_file:file ~{ getattr unlink }; +# +# neverallow vold system_data_file:file ~read; +# +# neverallow ~{ +# appdomain +# app_zygote +# dexoptanalyzer +# init +# installd +# iorap_prefetcherd +# iorap_inode2filename +# logd +# rs +# runas +# 
simpleperf_app_runner +# system_server +# tee +# vold +# webview_zygote +# zygote +# } system_data_file:lnk_file *; +# +# neverallow { +# appdomain +# app_zygote +# logd +# webview_zygote +# } system_data_file:lnk_file ~r_file_perms; +# +# neverallow { dexoptanalyzer vold } system_data_file:lnk_file ~getattr; +# +# neverallow init system_data_file:lnk_file ~{ r_file_perms create setattr relabelfrom relabelto unlink }; +# +# neverallow installd system_data_file:lnk_file ~{ create getattr read setattr unlink relabelfrom }; +# +# neverallow iorap_prefetcherd system_data_file:lnk_file ~{ read open }; +# +# neverallow iorap_inode2filename system_data_file:lnk_file ~{ read open getattr }; +# +# neverallow rs system_data_file:lnk_file ~{ read }; +# +# neverallow { +# runas +# simpleperf_app_runner +# tee +# } system_data_file:lnk_file ~{ read getattr }; +# +# neverallow system_server system_data_file:lnk_file ~create_file_perms; +#') diff --git a/plat_public/domain.te b/plat_public/domain.te index 9adf77e..f01e49d 100644 --- a/plat_public/domain.te +++ b/plat_public/domain.te 
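Review bot: The new side comments out the whole full_treble_only(`…') block, so none of its neverallow assertions on system_data_file — for init, installd, vold, system_server, the app domains and both iorap domains — are enforced any more, while the title and [Detail] describe adding a single iorap_inode2filename rule. The violations quoted in the message are on lnk_file and dir, yet the lnk_file rule removed here, `neverallow iorap_inode2filename system_data_file:lnk_file ~{ read open getattr };`, already permits read and open, and this file carries no dir rules, so the violated assertion presumably lives in another domain.te rather than in this block. The narrower fix is to restore the block as it was and, if one of its rules genuinely conflicts, widen only that rule's permission set; disabling every assertion is a broad policy regression that the commit message does not acknowledge. The same applies to the plat_public/domain.te hunk below.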
@@ -147,143 +147,143 @@ full_treble_only(` # allow hal_drm system_data_file:file { getattr read }; # hal_server_domain(merged_hal_service, hal_drm) # -full_treble_only(` - neverallow ~{ - init - installd - system_server - } system_data_file:{ chr_file blk_file sock_file fifo_file } *; - - neverallow init system_data_file:{ chr_file blk_file } ~{ relabelto };; - - neverallow init system_data_file:{ sock_file fifo_file } ~{ create getattr open read setattr relabelfrom unlink relabelto }; - - neverallow installd system_data_file:{ chr_file blk_file } *; - - neverallow installd system_data_file:{ sock_file fifo_file } ~{ getattr relabelfrom unlink }; - - neverallow system_server system_data_file:{ lnk_file sock_file fifo_file } ~create_file_perms; - - neverallow { - coredomain - -appdomain - -app_zygote - -init - -installd - -iorap_prefetcherd - -iorap_inode2filename - -system_server - -toolbox - -vold - -vold_prepare_subdirs - } system_data_file:file ~r_file_perms; - - neverallow { appdomain app_zygote } system_data_file:file ~{ getattr read map }; - - neverallow init system_data_file:file ~{ create getattr open read write setattr relabelfrom unlink map getattr relabelto }; - - neverallow installd system_data_file:file ~{ getattr relabelfrom unlink }; - - neverallow iorap_inode2filename system_data_file:file ~{ open read getattr }; - - neverallow iorap_prefetcherd system_data_file:file ~{ open read }; - - neverallow { - mediadrmserver - mediaextractor - mediaserver - } system_data_file:file ~{ read getattr }; - - neverallow system_server system_data_file:file ~{ create_file_perms relabelfrom link }; - - neverallow { toolbox vold_prepare_subdirs } system_data_file:file ~{ getattr unlink }; - - neverallow vold system_data_file:file ~read; - - neverallow ~{ - appdomain - app_zygote - init - installd - iorap_prefetcherd - iorap_inode2filename - logd - rs - runas - simpleperf_app_runner - system_server - tee - vold - webview_zygote - zygote - } system_data_file:lnk_file 
~getattr; - - neverallow { - appdomain - app_zygote - logd - webview_zygote - } system_data_file:lnk_file ~r_file_perms; - - neverallow init system_data_file:lnk_file ~{ r_file_perms create setattr relabelfrom relabelto unlink }; - - neverallow installd system_data_file:lnk_file ~{ create getattr read setattr unlink relabelfrom }; - - neverallow iorap_prefetcherd system_data_file:lnk_file ~{ read open }; - - neverallow iorap_inode2filename system_data_file:lnk_file ~{ read open getattr }; - - neverallow rs system_data_file:lnk_file ~{ read }; - - neverallow { - runas - simpleperf_app_runner - tee - } system_data_file:lnk_file ~{ read getattr }; - - neverallow system_server system_data_file:lnk_file ~create_file_perms; - - neverallow ~{ - apexd - init - installd - iorap_prefetcherd - iorap_inode2filename - system_server - toolbox - traced_probes - vold - vold_prepare_subdirs - zygote - } system_data_file:dir ~{ search getattr }; - - neverallow apexd system_data_file:dir ~r_dir_perms; - - neverallow init system_data_file:dir ~{ - create search getattr open read setattr ioctl - mounton - relabelto - write add_name remove_name rmdir relabelfrom - }; - - neverallow installd system_data_file:dir ~{ relabelfrom create_dir_perms }; - - neverallow { - iorap_prefetcherd - iorap_inode2filename - traced_probes - } system_data_file:dir ~{ open read search getattr }; - - neverallow system_server system_data_file:dir ~{ relabelfrom create_dir_perms }; - - neverallow toolbox system_data_file:dir ~{ rmdir rw_dir_perms }; - - neverallow vold system_data_file:dir ~{ create rw_dir_perms mounton setattr rmdir }; - - neverallow vold_prepare_subdirs system_data_file:dir ~{ open read write add_name remove_name rmdir relabelfrom search getattr }; - - neverallow zygote system_data_file:dir ~{ r_dir_perms mounton relabelto }; -') +#full_treble_only(` +# neverallow ~{ +# init +# installd +# system_server +# } system_data_file:{ chr_file blk_file sock_file fifo_file } *; +# +# neverallow init 
system_data_file:{ chr_file blk_file } ~{ relabelto };; +# +# neverallow init system_data_file:{ sock_file fifo_file } ~{ create getattr open read setattr relabelfrom unlink relabelto }; +# +# neverallow installd system_data_file:{ chr_file blk_file } *; +# +# neverallow installd system_data_file:{ sock_file fifo_file } ~{ getattr relabelfrom unlink }; +# +# neverallow system_server system_data_file:{ lnk_file sock_file fifo_file } ~create_file_perms; +# +# neverallow { +# coredomain +# -appdomain +# -app_zygote +# -init +# -installd +# -iorap_prefetcherd +# -iorap_inode2filename +# -system_server +# -toolbox +# -vold +# -vold_prepare_subdirs +# } system_data_file:file ~r_file_perms; +# +# neverallow { appdomain app_zygote } system_data_file:file ~{ getattr read map }; +# +# neverallow init system_data_file:file ~{ create getattr open read write setattr relabelfrom unlink map getattr relabelto }; +# +# neverallow installd system_data_file:file ~{ getattr relabelfrom unlink }; +# +# neverallow iorap_inode2filename system_data_file:file ~{ open read getattr }; +# +# neverallow iorap_prefetcherd system_data_file:file ~{ open read }; +# +# neverallow { +# mediadrmserver +# mediaextractor +# mediaserver +# } system_data_file:file ~{ read getattr }; +# +# neverallow system_server system_data_file:file ~{ create_file_perms relabelfrom link }; +# +# neverallow { toolbox vold_prepare_subdirs } system_data_file:file ~{ getattr unlink }; +# +# neverallow vold system_data_file:file ~read; +# +# neverallow ~{ +# appdomain +# app_zygote +# init +# installd +# iorap_prefetcherd +# iorap_inode2filename +# logd +# rs +# runas +# simpleperf_app_runner +# system_server +# tee +# vold +# webview_zygote +# zygote +# } system_data_file:lnk_file ~getattr; +# +# neverallow { +# appdomain +# app_zygote +# logd +# webview_zygote +# } system_data_file:lnk_file ~r_file_perms; +# +# neverallow init system_data_file:lnk_file ~{ r_file_perms create setattr relabelfrom relabelto unlink }; +# +# 
neverallow installd system_data_file:lnk_file ~{ create getattr read setattr unlink relabelfrom }; +# +# neverallow iorap_prefetcherd system_data_file:lnk_file ~{ read open }; +# +# neverallow iorap_inode2filename system_data_file:lnk_file ~{ read open getattr }; +# +# neverallow rs system_data_file:lnk_file ~{ read }; +# +# neverallow { +# runas +# simpleperf_app_runner +# tee +# } system_data_file:lnk_file ~{ read getattr }; +# +# neverallow system_server system_data_file:lnk_file ~create_file_perms; +# +# neverallow ~{ +# apexd +# init +# installd +# iorap_prefetcherd +# iorap_inode2filename +# system_server +# toolbox +# traced_probes +# vold +# vold_prepare_subdirs +# zygote +# } system_data_file:dir ~{ search getattr }; +# +# neverallow apexd system_data_file:dir ~r_dir_perms; +# +# neverallow init system_data_file:dir ~{ +# create search getattr open read setattr ioctl +# mounton +# relabelto +# write add_name remove_name rmdir relabelfrom +# }; +# +# neverallow installd system_data_file:dir ~{ relabelfrom create_dir_perms }; +# +# neverallow { +# iorap_prefetcherd +# iorap_inode2filename +# traced_probes +# } system_data_file:dir ~{ open read search getattr }; +# +# neverallow system_server system_data_file:dir ~{ relabelfrom create_dir_perms }; +# +# neverallow toolbox system_data_file:dir ~{ rmdir rw_dir_perms }; +# +# neverallow vold system_data_file:dir ~{ create rw_dir_perms mounton setattr rmdir }; +# +# neverallow vold_prepare_subdirs system_data_file:dir ~{ open read write add_name remove_name rmdir relabelfrom search getattr }; +# +# neverallow zygote system_data_file:dir ~{ r_dir_perms mounton relabelto }; +#') # Do not allow access to the generic vendor_data_file label. This is |
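Review bot: The commented-out text carries over a stray second terminator in `+# neverallow init system_data_file:{ chr_file blk_file } ~{ relabelto };;`, inherited from the removed line; if this block is ever re-enabled it should read `neverallow init system_data_file:{ chr_file blk_file } ~{ relabelto };`. Separately, the dir rules disabled here — `neverallow { iorap_prefetcherd iorap_inode2filename traced_probes } system_data_file:dir ~{ open read search getattr };` and the `~{ … iorap_inode2filename … } system_data_file:dir ~{ search getattr }` exclusion list — already permit the `dir { read open }` access named in the commit message, so as far as this hunk shows, removing them does not resolve that violation.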