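# ==============================================
# MTK Policy Rule
# ==============================================

# Rules for all domains.

# Do not allow access to the generic system_data_file label. This is
# too broad.
# Instead, if access to part of system_data_file is desired, it should
# have a more specific label.
# TODO: Remove merged_hal_service and so on once there are no violations.
#
#   allow hal_drm system_data_file:file { getattr read };
#   hal_server_domain(merged_hal_service, hal_drm)
#
# Shape of the block below, for both the :file and the :lnk_file class:
#   1. one broad neverallow denies every permission ("*") to every covered
#      domain except an explicit exemption list;
#   2. each exempted domain then gets its own narrowing neverallow written
#      as "~{ perms }", i.e. deny everything EXCEPT the listed permissions.
# Adding a domain to an exemption list without also adding a matching
# narrowing rule leaves that domain's access to system_data_file
# unconstrained by this file (see the zygote note in the lnk_file section).
# The body is passed as a quoted m4 macro argument (`...'), so comments
# inside it must not contain apostrophes or backticks.
full_treble_only(`
  # ---------- system_data_file:file ----------

  # Broad rule: every coredomain not listed here gets no file permission
  # at all. Only coredomain is covered, so non-core (vendor) domains are
  # not constrained by this rule. Every domain exempted here has a
  # narrowing rule further down.
  neverallow {
    coredomain
    -appdomain
    -app_zygote
    -dumpstate
    -init
    -installd
    -iorap_prefetcherd
    -logd
    -mediadrmserver
    -mediaextractor
    -mediaserver
    -runas
    -sdcardd
    -simpleperf_app_runner
    -storaged
    -system_server
    -toolbox
    -vold
    -vold_prepare_subdirs
    -zygote
    } system_data_file:file *;

  # Apps and app_zygote: stat, read and map only.
  neverallow { appdomain app_zygote } system_data_file:file ~{ getattr read map };

  # Read-only (r_file_perms) for these exempted services.
  neverallow {
    dumpstate
    logd
    runas
    sdcardd
    simpleperf_app_runner
    storaged
    zygote
    } system_data_file:file ~r_file_perms;

  # init: may create, read, write, stat, setattr, map, relabel in both
  # directions and unlink; every other file permission is denied.
  neverallow init system_data_file:file ~{ create getattr open read write setattr relabelfrom unlink map relabelto };

  # installd: stat, relabel away from this label, and delete only.
  neverallow installd system_data_file:file ~{ getattr relabelfrom unlink };

  # iorap_prefetcherd: open and read only.
  neverallow iorap_prefetcherd system_data_file:file ~{ open read };

  # Media services: read and stat only.
  neverallow {
    mediadrmserver
    mediaextractor
    mediaserver
    } system_data_file:file ~{ read getattr };

  # system_server: the create_file_perms set plus relabelfrom and link.
  # relabelto is not in the set, so system_server cannot relabel files
  # INTO the generic label.
  neverallow system_server system_data_file:file ~{ create_file_perms relabelfrom link };

  # toolbox and vold_prepare_subdirs: stat and delete only.
  neverallow { toolbox vold_prepare_subdirs } system_data_file:file ~{ getattr unlink };

  # vold: read only. Anything else on this class, including open and
  # getattr, is denied by this rule.
  neverallow vold system_data_file:file ~read;

  # ---------- system_data_file:lnk_file ----------

  # Broad rule: written with ~{ ... } rather than coredomain, so unlike
  # the :file rule above it covers EVERY domain, vendor domains included.
  # NOTE(review): zygote is exempted here but, unlike every other domain
  # in this list, has no narrowing lnk_file rule below, so its lnk_file
  # access to system_data_file is bounded only by allow rules elsewhere
  # in the policy.
  neverallow ~{
    appdomain
    app_zygote
    dexoptanalyzer
    init
    installd
    iorap_prefetcherd
    logd
    rs
    runas
    simpleperf_app_runner
    system_server
    tee
    vold
    webview_zygote
    zygote
    } system_data_file:lnk_file *;

  # Apps, app_zygote, logd and webview_zygote: read-only (r_file_perms).
  neverallow {
    appdomain
    app_zygote
    logd
    webview_zygote
    } system_data_file:lnk_file ~r_file_perms;

  # dexoptanalyzer and vold: stat only.
  neverallow { dexoptanalyzer vold } system_data_file:lnk_file ~getattr;

  # init: read-only set plus create, setattr, relabel both ways and unlink.
  neverallow init system_data_file:lnk_file ~{ r_file_perms create setattr relabelfrom relabelto unlink };

  # installd: create, stat, read, setattr, unlink and relabelfrom.
  neverallow installd system_data_file:lnk_file ~{ create getattr read setattr unlink relabelfrom };

  # iorap_prefetcherd: read and open only.
  neverallow iorap_prefetcherd system_data_file:lnk_file ~{ read open };

  # rs: read only, not even getattr.
  neverallow rs system_data_file:lnk_file ~{ read };

  # runas, simpleperf_app_runner and tee: read and stat only.
  neverallow {
    runas
    simpleperf_app_runner
    tee
    } system_data_file:lnk_file ~{ read getattr };

  # system_server: the create_file_perms set, nothing beyond it.
  neverallow system_server system_data_file:lnk_file ~create_file_perms;
')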