Diffstat (limited to 'sepolicy')
49 files changed, 382 insertions, 0 deletions
diff --git a/sepolicy/common/OWNERS b/sepolicy/common/OWNERS
new file mode 100644
index 0000000..ff29677
--- /dev/null
+++ b/sepolicy/common/OWNERS
@@ -0,0 +1,8 @@
+alanstokes@google.com
+bowgotsai@google.com
+jbires@google.com
+jeffv@google.com
+jgalenson@google.com
+sspatil@google.com
+tomcherry@google.com
+trong@google.com
diff --git a/sepolicy/common/adbd.te b/sepolicy/common/adbd.te
new file mode 100644
index 0000000..9546c1a
--- /dev/null
+++ b/sepolicy/common/adbd.te
@@ -0,0 +1 @@
+set_prop(adbd, ctl_mdnsd_prop);
diff --git a/sepolicy/common/audioserver.te b/sepolicy/common/audioserver.te
new file mode 100644
index 0000000..c3c4a3a
--- /dev/null
+++ b/sepolicy/common/audioserver.te
@@ -0,0 +1 @@
+allow audioserver bootanim:binder call;
diff --git a/sepolicy/common/bootanim.te b/sepolicy/common/bootanim.te
new file mode 100644
index 0000000..bc84ee7
--- /dev/null
+++ b/sepolicy/common/bootanim.te
@@ -0,0 +1,9 @@
+allow bootanim self:process execmem;
+allow bootanim ashmem_device:chr_file execute;
+#TODO: This can safely be ignored until b/62954877 is fixed
+dontaudit bootanim system_data_file:dir read;
+
+allow bootanim graphics_device:chr_file { read ioctl open };
+
+typeattribute bootanim system_writes_vendor_properties_violators;
+set_prop(bootanim, qemu_prop)
diff --git a/sepolicy/common/cameraserver.te b/sepolicy/common/cameraserver.te
new file mode 100644
index 0000000..6cf5d6a
--- /dev/null
+++ b/sepolicy/common/cameraserver.te
@@ -0,0 +1,2 @@
+allow cameraserver system_file:dir { open read };
+allow cameraserver hal_allocator:fd use;
diff --git a/sepolicy/common/createns.te b/sepolicy/common/createns.te
new file mode 100644
index 0000000..1eaf9ef
--- /dev/null
+++ b/sepolicy/common/createns.te
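Review bot: `allow bootanim self:process execmem;` and `allow bootanim ashmem_device:chr_file execute;` let the boot animation map writable-executable memory, which is the W^X property the platform policy otherwise preserves for system daemons, and the hunk gives no reason for it. Presumably this is for the emulator's software GL stack (the swiftshader libraries labeled later in this commit) generating code at runtime, but that should be stated so the grant can be dropped if the renderer changes, e.g. `# execmem / ashmem execute: required by the emulator's software renderer; emulator-only, do not copy to device policy`. The same pair is added for surfaceflinger in this commit and wants the same comment.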
@@ -0,0 +1,14 @@
+# Network namespace creation
+type createns, domain;
+type createns_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(createns)
+
+allow createns self:capability { sys_admin net_raw setuid setgid };
+allow createns varrun_file:dir { add_name search write };
+allow createns varrun_file:file { create mounton open read write };
+
+#Allow createns itself to be run by init in its own domain
+domain_auto_trans(goldfish_setup, createns_exec, createns);
+allow createns goldfish_setup:fd use;
+
diff --git a/sepolicy/common/device.te b/sepolicy/common/device.te
new file mode 100644
index 0000000..d129441
--- /dev/null
+++ b/sepolicy/common/device.te
@@ -0,0 +1 @@
+type qemu_device, dev_type, mlstrustedobject;
diff --git a/sepolicy/common/dhcpclient.te b/sepolicy/common/dhcpclient.te
new file mode 100644
index 0000000..df71fca
--- /dev/null
+++ b/sepolicy/common/dhcpclient.te
@@ -0,0 +1,20 @@
+# DHCP client
+type dhcpclient, domain;
+type dhcpclient_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(dhcpclient)
+net_domain(dhcpclient)
+
+allow dhcpclient execns:fd use;
+
+set_prop(dhcpclient, net_eth0_prop);
+allow dhcpclient self:capability { net_admin net_raw };
+allow dhcpclient self:udp_socket create;
+allow dhcpclient self:netlink_route_socket { write nlmsg_write };
+allow dhcpclient varrun_file:dir search;
+allow dhcpclient self:packet_socket { create bind write read };
+allowxperm dhcpclient self:udp_socket ioctl { SIOCSIFFLAGS
+ SIOCSIFADDR
+ SIOCSIFNETMASK
+ SIOCSIFMTU
+ SIOCGIFHWADDR };
diff --git a/sepolicy/common/dhcpserver.te b/sepolicy/common/dhcpserver.te
new file mode 100644
index 0000000..7e8ba26
--- /dev/null
+++ b/sepolicy/common/dhcpserver.te
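Review bot: The comment `#Allow createns itself to be run by init in its own domain` does not match the rule under it, `domain_auto_trans(goldfish_setup, createns_exec, createns);`, which transitions from goldfish_setup, not init. The identical domain_auto_trans is repeated in goldfish_setup.te in this same commit; keep it in one file and correct the comment to `# createns is exec'd by goldfish_setup and transitions into its own domain`. Separately, `sys_admin` is a very broad capability for a tool whose visible job is to create a network namespace and bind-mount it under varrun_file; a one-line comment naming the operations that need it (presumably the unshare and the mount) would make later audits of this vendor domain much cheaper.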
@@ -0,0 +1,12 @@
+# DHCP server
+type dhcpserver, domain;
+type dhcpserver_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(dhcpserver)
+net_domain(dhcpserver)
+
+allow dhcpserver execns:fd use;
+
+get_prop(dhcpserver, net_eth0_prop);
+allow dhcpserver self:udp_socket { ioctl create setopt bind };
+allow dhcpserver self:capability { net_raw net_bind_service };
diff --git a/sepolicy/common/domain.te b/sepolicy/common/domain.te
new file mode 100644
index 0000000..3706dba
--- /dev/null
+++ b/sepolicy/common/domain.te
@@ -0,0 +1,3 @@
+allow domain qemu_device:chr_file rw_file_perms;
+
+get_prop(domain, qemu_prop)
diff --git a/sepolicy/common/execns.te b/sepolicy/common/execns.te
new file mode 100644
index 0000000..dc6c424
--- /dev/null
+++ b/sepolicy/common/execns.te
@@ -0,0 +1,27 @@
+# Network namespace transitions
+type execns, domain;
+type execns_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(execns)
+
+allow execns varrun_file:dir search;
+allow execns varrun_file:file r_file_perms;
+allow execns self:capability { sys_admin setuid setgid };
+allow execns nsfs:file { open read };
+
+#Allow execns itself to be run by init in its own domain
+domain_auto_trans(init, execns_exec, execns);
+
+# Allow dhcpclient to be run by execns in its own domain
+domain_auto_trans(execns, dhcpclient_exec, dhcpclient);
+
+# Allow dhcpserver to be run by execns in its own domain
+domain_auto_trans(execns, dhcpserver_exec, dhcpserver);
+
+# Allow hostapd_nohidl to be run by execns in its own domain
+domain_auto_trans(execns, hostapd_nohidl_exec, hostapd_nohidl);
+
+# Allow execns to read createns proc file to get the namespace file
+allow execns createns:file read;
+allow execns createns:dir search;
+allow execns createns:lnk_file read;
diff --git a/sepolicy/common/file.te b/sepolicy/common/file.te
new file mode 100644
index 0000000..b0aa217
--- /dev/null
+++ b/sepolicy/common/file.te
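Review bot: `allow domain qemu_device:chr_file rw_file_perms;` in domain.te gives every domain on the system, including untrusted_app and isolated_app, read/write access to /dev/goldfish_pipe, /dev/goldfish_sync and /dev/qemu_* (all labeled qemu_device in this commit's file_contexts). The goldfish pipe is the guest's channel to host-side emulator services, so this makes any app a direct caller of host code, a much wider reach than the platform's usual per-domain device rules. If the breadth is deliberate because the GLES/EGL encoder libraries labeled same_process_hal_file open the pipe from inside every process, record that, e.g. `# Every process that links the emulation GL encoders talks to the host over the goldfish pipe; emulator-only`, and state whether isolated_app truly needs it or could be excluded.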
@@ -0,0 +1,4 @@
+type sysfs_writable, fs_type, sysfs_type, mlstrustedobject;
+type varrun_file, file_type, data_file_type, mlstrustedobject;
+type mediadrm_vendor_data_file, file_type, data_file_type;
+type nsfs, fs_type;
diff --git a/sepolicy/common/file_contexts b/sepolicy/common/file_contexts
new file mode 100644
index 0000000..3c9df34
--- /dev/null
+++ b/sepolicy/common/file_contexts
@@ -0,0 +1,52 @@
+# goldfish
+/dev/block/mtdblock0 u:object_r:system_block_device:s0
+/dev/block/mtdblock1 u:object_r:userdata_block_device:s0
+/dev/block/mtdblock2 u:object_r:cache_block_device:s0
+
+# ranchu
+/dev/block/vda u:object_r:system_block_device:s0
+/dev/block/vdb u:object_r:cache_block_device:s0
+/dev/block/vdc u:object_r:userdata_block_device:s0
+/dev/block/vdd u:object_r:metadata_block_device:s0
+/dev/block/vde u:object_r:system_block_device:s0
+
+/dev/goldfish_pipe u:object_r:qemu_device:s0
+/dev/goldfish_sync u:object_r:qemu_device:s0
+/dev/qemu_.* u:object_r:qemu_device:s0
+/dev/ttyGF[0-9]* u:object_r:serial_device:s0
+/dev/ttyS2 u:object_r:console_device:s0
+/vendor/bin/init\.ranchu-core\.sh u:object_r:goldfish_setup_exec:s0
+/vendor/bin/init\.ranchu-net\.sh u:object_r:goldfish_setup_exec:s0
+/vendor/bin/init\.wifi\.sh u:object_r:goldfish_setup_exec:s0
+/vendor/bin/qemu-props u:object_r:qemu_props_exec:s0
+/vendor/bin/createns u:object_r:createns_exec:s0
+/vendor/bin/execns u:object_r:execns_exec:s0
+/vendor/bin/ipv6proxy u:object_r:ipv6proxy_exec:s0
+/vendor/bin/dhcpclient u:object_r:dhcpclient_exec:s0
+/vendor/bin/dhcpserver u:object_r:dhcpserver_exec:s0
+/vendor/bin/hostapd_nohidl u:object_r:hostapd_nohidl_exec:s0
+
+/vendor/bin/hw/android\.hardware\.drm@1\.0-service\.widevine u:object_r:hal_drm_widevine_exec:s0
+/vendor/bin/hw/android\.hardware\.drm@1\.1-service\.widevine u:object_r:hal_drm_widevine_exec:s0
+/vendor/bin/hw/android\.hardware\.drm@1\.1-service\.clearkey u:object_r:hal_drm_clearkey_exec:s0
+/vendor/bin/hw/android\.hardware\.keymaster@4\.0-strongbox-service u:object_r:hal_keymaster_default_exec:s0
+/vendor/bin/hw/android\.hardware\.health@2\.0-service.goldfish u:object_r:hal_health_default_exec:s0
+/vendor/bin/hw/android\.hardware\.power@1\.1-service.ranchu u:object_r:hal_power_default_exec:s0
+
+/vendor/lib(64)?/hw/gralloc\.ranchu\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/hw/gralloc\.goldfish\.default\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libEGL_emulation\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libGLESv1_CM_emulation\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libGLESv2_emulation\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libEGL_swiftshader\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libGLESv1_CM_swiftshader\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libGLESv2_swiftshader\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libOpenglSystemCommon\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/lib_renderControl_enc\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libGLESv1_enc\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libGLESv2_enc\.so u:object_r:same_process_hal_file:s0
+
+# data
+/data/vendor/mediadrm(/.*)? u:object_r:mediadrm_vendor_data_file:s0
+/data/vendor/var/run(/.*)? u:object_r:varrun_file:s0
+
diff --git a/sepolicy/common/genfs_contexts b/sepolicy/common/genfs_contexts
new file mode 100644
index 0000000..02f08f0
--- /dev/null
+++ b/sepolicy/common/genfs_contexts
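Review bot: The entries `/vendor/bin/hw/android\.hardware\.health@2\.0-service.goldfish` and `/vendor/bin/hw/android\.hardware\.power@1\.1-service.ranchu` leave the final `.` unescaped, unlike every other path in this file; file_contexts paths are regular expressions, so that dot matches any character. It is harmless today but inconsistent, and a future binary such as `...service-goldfish` would silently inherit the HAL label and domain. Escape them as `/vendor/bin/hw/android\.hardware\.health@2\.0-service\.goldfish` and `/vendor/bin/hw/android\.hardware\.power@1\.1-service\.ranchu`.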
@@ -0,0 +1,23 @@
+# On the emulator, device tree dir is configured to be
+# /sys/bus/platform/devices/ANDR0001:00/properties/android/ which is a symlink to
+# /sys/devices/platform/ANDR0001:00/properties/android/
+genfscon sysfs /devices/platform/ANDR0001:00/properties/android u:object_r:sysfs_dt_firmware_android:s0
+
+# We expect /sys/class/power_supply/* and everything it links to to be labeled
+# as sysfs_batteryinfo.
+genfscon sysfs /devices/platform/GFSH0001:00/power_supply u:object_r:sysfs_batteryinfo:s0
+
+# /sys/class/rtc
+genfscon sysfs /devices/pnp0/00:00/rtc u:object_r:sysfs_rtc:s0
+genfscon sysfs /devices/platform/GFSH0007:00/rtc u:object_r:sysfs_rtc:s0
+
+# /sys/class/net
+genfscon sysfs /devices/pci0000:00/0000:00:08.0/virtio5/net u:object_r:sysfs_net:s0
+genfscon sysfs /devices/virtual/mac80211_hwsim/hwsim0/net u:object_r:sysfs_net:s0
+genfscon sysfs /devices/virtual/mac80211_hwsim/hwsim1/net u:object_r:sysfs_net:s0
+
+# /sys/class/power_supply
+genfscon sysfs /devices/platform/9020000.goldfish_battery/power_supply u:object_r:sysfs_batteryinfo:s0
+
+# /proc/<pid>/ns
+genfscon nsfs / u:object_r:nsfs:s0
diff --git a/sepolicy/common/goldfish_setup.te b/sepolicy/common/goldfish_setup.te
new file mode 100644
index 0000000..3041436
--- /dev/null
+++ b/sepolicy/common/goldfish_setup.te
@@ -0,0 +1,47 @@
+# goldfish-setup service: runs init.goldfish.sh script
+type goldfish_setup, domain;
+type goldfish_setup_exec, vendor_file_type, exec_type, file_type;
+
+init_daemon_domain(goldfish_setup)
+
+# TODO(b/79502552): Invalid property access from emulator vendor
+#set_prop(goldfish_setup, debug_prop);
+allow goldfish_setup self:capability { net_admin net_raw };
+allow goldfish_setup self:udp_socket { create ioctl };
+allow goldfish_setup vendor_toolbox_exec:file execute_no_trans;
+allowxperm goldfish_setup self:udp_socket ioctl priv_sock_ioctls;
+wakelock_use(goldfish_setup);
+allow goldfish_setup vendor_shell_exec:file { rx_file_perms };
+
+# Set system properties to start services
+set_prop(goldfish_setup, ctl_default_prop);
+
+# Set up WiFi
+allow goldfish_setup self:netlink_route_socket { create nlmsg_write setopt bind getattr read write nlmsg_read };
+allow goldfish_setup self:netlink_generic_socket create_socket_perms_no_ioctl;
+allow goldfish_setup self:capability { sys_module sys_admin };
+allow goldfish_setup varrun_file:dir { mounton open read write add_name search remove_name };
+allow goldfish_setup varrun_file:file { mounton getattr create read write open unlink };
+allow goldfish_setup execns_exec:file rx_file_perms;
+allow goldfish_setup proc_net:file rw_file_perms;
+allow goldfish_setup proc:file r_file_perms;
+allow goldfish_setup nsfs:file r_file_perms;
+allow goldfish_setup system_data_file:dir getattr;
+allow goldfish_setup kernel:system module_request;
+set_prop(goldfish_setup, qemu_prop);
+get_prop(goldfish_setup, net_share_prop);
+# Allow goldfish_setup to run /system/bin/ip and /system/bin/iw
+allow goldfish_setup system_file:file execute_no_trans;
+# Allow goldfish_setup to run init.wifi.sh
+allow goldfish_setup goldfish_setup_exec:file execute_no_trans;
+#Allow goldfish_setup to run createns in its own domain
+domain_auto_trans(goldfish_setup, createns_exec, createns);
+# iw
+allow goldfish_setup sysfs:file { read open };
+# iptables
+allow goldfish_setup system_file:file lock;
+allow goldfish_setup self:rawip_socket { create getopt setopt };
+# Allow goldfish_setup to read createns proc file to get the namespace file
+allow goldfish_setup createns:file { read };
+allow goldfish_setup createns:dir { search };
+allow goldfish_setup createns:lnk_file { read };
diff --git a/sepolicy/common/hal_camera_default.te b/sepolicy/common/hal_camera_default.te
new file mode 100644
index 0000000..eb88c36
--- /dev/null
+++ b/sepolicy/common/hal_camera_default.te
@@ -0,0 +1,3 @@
+vndbinder_use(hal_camera_default);
+allow hal_camera_default hal_graphics_mapper_hwservice:hwservice_manager find;
+hal_client_domain(hal_camera_default, hal_graphics_composer)
diff --git a/sepolicy/common/hal_cas_default.te b/sepolicy/common/hal_cas_default.te
new file mode 100644
index 0000000..3ed3bee
--- /dev/null
+++ b/sepolicy/common/hal_cas_default.te
@@ -0,0 +1 @@
+vndbinder_use(hal_cas_default);
diff --git a/sepolicy/common/hal_drm_clearkey.te b/sepolicy/common/hal_drm_clearkey.te
new file mode 100644
index 0000000..976b9fa
--- /dev/null
+++ b/sepolicy/common/hal_drm_clearkey.te
@@ -0,0 +1,11 @@
+# policy for /vendor/bin/hw/android.hardware.drm@1.1-service.clearkey
+type hal_drm_clearkey, domain;
+type hal_drm_clearkey_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(hal_drm_clearkey)
+
+hal_server_domain(hal_drm_clearkey, hal_drm)
+
+vndbinder_use(hal_drm_clearkey);
+
+allow hal_drm_clearkey { appdomain -isolated_app }:fd use;
diff --git a/sepolicy/common/hal_drm_default.te b/sepolicy/common/hal_drm_default.te
new file mode 100644
index 0000000..5a07433
--- /dev/null
+++ b/sepolicy/common/hal_drm_default.te
@@ -0,0 +1,2 @@
+vndbinder_use(hal_drm_default);
+hal_client_domain(hal_drm_default, hal_graphics_composer)
diff --git a/sepolicy/common/hal_drm_widevine.te b/sepolicy/common/hal_drm_widevine.te
new file mode 100644
index 0000000..8198410
--- /dev/null
+++ b/sepolicy/common/hal_drm_widevine.te
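Review bot: The header `# goldfish-setup service: runs init.goldfish.sh script` names a script that does not appear anywhere in this commit; file_contexts labels `init.ranchu-core.sh`, `init.ranchu-net.sh` and `init.wifi.sh` as goldfish_setup_exec, so the comment should list those instead. More importantly, the domain accumulates `sys_module`, `sys_admin`, `net_admin`, `net_raw`, `kernel:system module_request`, `vendor_shell_exec` and `system_file:file execute_no_trans` (for /system/bin/ip and iw): a vendor shell-script domain that can load kernel modules and exec arbitrary system binaries is close to unconfined, and a vendor domain executing system_file is exactly the cross-partition dependency the Treble neverallows exist to catch, so expect this to need an explicit exemption or a move of those tools to /vendor. Each of those grants should carry a one-line why-comment as several already do; in particular the `# Set up WiFi` block should say which operation needs `sys_module` (presumably loading mac80211_hwsim, judging by genfs_contexts).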
@@ -0,0 +1,15 @@
+# define SELinux domain
+type hal_drm_widevine, domain;
+hal_server_domain(hal_drm_widevine, hal_drm)
+
+type hal_drm_widevine_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_drm_widevine)
+
+allow hal_drm mediacodec:fd use;
+allow hal_drm { appdomain -isolated_app }:fd use;
+
+vndbinder_use(hal_drm_widevine);
+hal_client_domain(hal_drm_widevine, hal_graphics_composer);
+allow hal_drm_widevine hal_allocator_server:fd use;
+allow hal_drm_widevine mediadrm_vendor_data_file:dir create_dir_perms;
+allow hal_drm_widevine mediadrm_vendor_data_file:file create_file_perms;
diff --git a/sepolicy/common/hal_gnss_default.te b/sepolicy/common/hal_gnss_default.te
new file mode 100644
index 0000000..0dd3d03
--- /dev/null
+++ b/sepolicy/common/hal_gnss_default.te
@@ -0,0 +1,3 @@
+#============= hal_gnss_default ==============
+allow hal_gnss_default vndbinder_device:chr_file { ioctl open read write };
+
diff --git a/sepolicy/common/hal_graphics_allocator_default.te b/sepolicy/common/hal_graphics_allocator_default.te
new file mode 100644
index 0000000..0c8e27d
--- /dev/null
+++ b/sepolicy/common/hal_graphics_allocator_default.te
@@ -0,0 +1,2 @@
+allow hal_graphics_allocator_default graphics_device:dir search;
+allow hal_graphics_allocator_default graphics_device:chr_file { ioctl open read write };
diff --git a/sepolicy/common/hal_graphics_composer_default.te b/sepolicy/common/hal_graphics_composer_default.te
new file mode 100644
index 0000000..034bdef
--- /dev/null
+++ b/sepolicy/common/hal_graphics_composer_default.te
@@ -0,0 +1,3 @@
+#============= hal_graphics_composer_default ==============
+allow hal_graphics_composer_default vndbinder_device:chr_file { ioctl open read write };
+
diff --git a/sepolicy/common/hal_wifi_default.te b/sepolicy/common/hal_wifi_default.te
new file mode 100644
index 0000000..de4b996
--- /dev/null
+++ b/sepolicy/common/hal_wifi_default.te
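Review bot: `allow hal_drm mediacodec:fd use;` and `allow hal_drm { appdomain -isolated_app }:fd use;` are written against the `hal_drm` attribute rather than the `hal_drm_widevine` type this file defines. In the platform's hal_attribute scheme `hal_drm` spans both servers and clients of the DRM HAL, so these two rules extend to every DRM client domain on the device, noticeably broader than the clearkey file in the same commit, where the equivalent rule is scoped to `hal_drm_clearkey`. Narrow them to `allow hal_drm_widevine mediacodec:fd use;` and `allow hal_drm_widevine { appdomain -isolated_app }:fd use;` unless the wider scope is intentional, in which case a comment should say why.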
@@ -0,0 +1 @@
+allow hal_wifi_default hal_wifi_default:netlink_route_socket { create bind write read nlmsg_read };
diff --git a/sepolicy/common/healthd.te b/sepolicy/common/healthd.te
new file mode 100644
index 0000000..ced6704
--- /dev/null
+++ b/sepolicy/common/healthd.te
@@ -0,0 +1,2 @@
+# Allow to read /sys/class/power_supply directory
+allow healthd sysfs:dir r_dir_perms;
diff --git a/sepolicy/common/hostapd_nohidl.te b/sepolicy/common/hostapd_nohidl.te
new file mode 100644
index 0000000..add648a
--- /dev/null
+++ b/sepolicy/common/hostapd_nohidl.te
@@ -0,0 +1,16 @@
+type hostapd_nohidl, domain;
+type hostapd_nohidl_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(hostapd_nohidl)
+net_domain(hostapd_nohidl)
+
+allow hostapd_nohidl execns:fd use;
+
+allow hostapd_nohidl self:capability { net_admin net_raw };
+allow hostapd_nohidl self:netlink_generic_socket { bind create getattr read setopt write };
+allow hostapd_nohidl self:netlink_route_socket nlmsg_write;
+allow hostapd_nohidl self:packet_socket { create setopt };
+allowxperm hostapd_nohidl self:udp_socket ioctl priv_sock_ioctls;
+
+# hostapd will attempt to search sysfs but it's not needed and will spam the log
+dontaudit hostapd_nohidl sysfs_net:dir search;
diff --git a/sepolicy/common/init.te b/sepolicy/common/init.te
new file mode 100644
index 0000000..84a4e8d
--- /dev/null
+++ b/sepolicy/common/init.te
@@ -0,0 +1,2 @@
+allow init tmpfs:lnk_file create_file_perms;
+dontaudit init kernel:system module_request;
diff --git a/sepolicy/common/ipv6proxy.te b/sepolicy/common/ipv6proxy.te
new file mode 100644
index 0000000..22976fe
--- /dev/null
+++ b/sepolicy/common/ipv6proxy.te
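Review bot: `allow healthd sysfs:dir r_dir_perms;` is broader than its own comment `# Allow to read /sys/class/power_supply directory`: it grants directory read and search on every sysfs node still carrying the generic `sysfs` label, not just the power-supply tree. This commit's genfs_contexts already labels the power_supply directories `sysfs_batteryinfo`, so if the denial being fixed is on the `/sys/class/power_supply` symlink directory itself, say so in the comment; otherwise add a genfscon for the exact path and scope the rule to that label instead of the catch-all type.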
@@ -0,0 +1,16 @@
+# IPv6 proxying
+type ipv6proxy, domain;
+type ipv6proxy_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(ipv6proxy)
+net_domain(ipv6proxy)
+
+# Allow ipv6proxy to be run by execns in its own domain
+domain_auto_trans(execns, ipv6proxy_exec, ipv6proxy);
+allow ipv6proxy execns:fd use;
+
+allow ipv6proxy self:capability { sys_admin sys_module net_admin net_raw };
+allow ipv6proxy self:packet_socket { bind create read };
+allow ipv6proxy self:netlink_route_socket nlmsg_write;
+allow ipv6proxy varrun_file:dir search;
+allowxperm ipv6proxy self:udp_socket ioctl { SIOCSIFFLAGS SIOCGIFHWADDR };
diff --git a/sepolicy/common/logpersist.te b/sepolicy/common/logpersist.te
new file mode 100644
index 0000000..3fc0250
--- /dev/null
+++ b/sepolicy/common/logpersist.te
@@ -0,0 +1,13 @@
+# goldfish logcat service: runs logcat -Q in logpersist domain
+
+# See global logcat.te/logpersist.te, only set for eng & userdebug,
+# allow for all builds in a non-conflicting manner.
+
+domain_auto_trans(init, logcat_exec, logpersist)
+
+# Read from logd.
+unix_socket_connect(logpersist, logdr, logd)
+
+# Write to /dev/ttyS2 and /dev/ttyGF2.
+allow logpersist serial_device:chr_file { write open };
+get_prop(logpersist, qemu_cmdline)
diff --git a/sepolicy/common/mediacodec.te b/sepolicy/common/mediacodec.te
new file mode 100644
index 0000000..acf4e59
--- /dev/null
+++ b/sepolicy/common/mediacodec.te
@@ -0,0 +1 @@
+allow mediacodec system_file:dir { open read };
diff --git a/sepolicy/common/netd.te b/sepolicy/common/netd.te
new file mode 100644
index 0000000..09a28b9
--- /dev/null
+++ b/sepolicy/common/netd.te
@@ -0,0 +1,3 @@
+dontaudit netd self:capability sys_module;
+#TODO: This can safely be ignored until b/62954877 is fixed
+dontaudit netd kernel:system module_request;
diff --git a/sepolicy/common/priv_app.te b/sepolicy/common/priv_app.te
new file mode 100644
index 0000000..3d16f32
--- /dev/null
+++ b/sepolicy/common/priv_app.te
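Review bot: `allow ipv6proxy self:capability { sys_admin sys_module net_admin net_raw };` hands a userspace packet proxy the ability to load kernel modules (`sys_module`) with nothing in the hunk explaining it; there is not even a matching `kernel:system module_request` rule, unlike goldfish_setup in the same commit. If it was added to quiet a denial from a module autoload triggered by socket creation, the established fix is a `dontaudit` (as netd.te does in this commit), not an allow, and `sys_admin` likewise deserves a comment naming the call that needs it (presumably setns). Also, `domain_auto_trans(execns, ipv6proxy_exec, ipv6proxy);` lives here while the equivalent transitions for dhcpclient, dhcpserver and hostapd_nohidl live in execns.te; keeping all execns-spawned domains in that one file makes the execns attack surface reviewable in one place.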
@@ -0,0 +1,5 @@
+#TODO: b/62908025
+dontaudit priv_app firstboot_prop:file { getattr open };
+dontaudit priv_app device:dir { open read };
+dontaudit priv_app proc_interrupts:file { getattr open read };
+dontaudit priv_app proc_modules:file { getattr open read };
diff --git a/sepolicy/common/property.te b/sepolicy/common/property.te
new file mode 100644
index 0000000..3593a39
--- /dev/null
+++ b/sepolicy/common/property.te
@@ -0,0 +1,5 @@
+type qemu_prop, property_type;
+type qemu_cmdline, property_type;
+type radio_noril_prop, property_type;
+type net_eth0_prop, property_type;
+type net_share_prop, property_type;
diff --git a/sepolicy/common/property_contexts b/sepolicy/common/property_contexts
new file mode 100644
index 0000000..f7a241c
--- /dev/null
+++ b/sepolicy/common/property_contexts
@@ -0,0 +1,8 @@
+qemu. u:object_r:qemu_prop:s0
+qemu.cmdline u:object_r:qemu_cmdline:s0
+vendor.qemu u:object_r:qemu_prop:s0
+ro.emu. u:object_r:qemu_prop:s0
+ro.emulator. u:object_r:qemu_prop:s0
+ro.radio.noril u:object_r:radio_noril_prop:s0
+net.eth0. u:object_r:net_eth0_prop:s0
+net.shared_net_ip u:object_r:net_share_prop:s0
diff --git a/sepolicy/common/qemu_props.te b/sepolicy/common/qemu_props.te
new file mode 100644
index 0000000..b3e2d95
--- /dev/null
+++ b/sepolicy/common/qemu_props.te
@@ -0,0 +1,10 @@
+# qemu-props service: Sets system properties on boot.
+type qemu_props, domain;
+type qemu_props_exec, vendor_file_type, exec_type, file_type;
+
+init_daemon_domain(qemu_props)
+
+set_prop(qemu_props, qemu_prop)
+# TODO(b/79502552): Invalid property access from emulator vendor
+#set_prop(qemu_props, qemu_cmdline)
+set_prop(qemu_props, qemu_cmdline)
diff --git a/sepolicy/common/radio.te b/sepolicy/common/radio.te
new file mode 100644
index 0000000..742d3b2
--- /dev/null
+++ b/sepolicy/common/radio.te
@@ -0,0 +1,3 @@
+# Allow the radio to read these properties, they only have an SELinux label in
+# the emulator.
+get_prop(radio, net_eth0_prop);
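Review bot: The last three lines of qemu_props.te contradict each other: `# TODO(b/79502552): Invalid property access from emulator vendor` and the commented-out `#set_prop(qemu_props, qemu_cmdline)` read as if the grant was withdrawn, yet `set_prop(qemu_props, qemu_cmdline)` follows immediately and is live. Either the rule is needed, in which case delete the dead line and reword the TODO to say the access is still granted pending that bug, or it is not, in which case remove the live line. qemu_cmdline carries the command line that logpersist consumes via `get_prop(logpersist, qemu_cmdline)` in this same commit, so it is worth being explicit about which domain is allowed to write it.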
diff --git a/sepolicy/common/rild.te b/sepolicy/common/rild.te
new file mode 100644
index 0000000..ea18373
--- /dev/null
+++ b/sepolicy/common/rild.te
@@ -0,0 +1,3 @@
+# Allow rild to read these properties, they only have an SELinux label in the
+# emulator.
+get_prop(rild, net_eth0_prop);
diff --git a/sepolicy/common/shell.te b/sepolicy/common/shell.te
new file mode 100644
index 0000000..b246d7e
--- /dev/null
+++ b/sepolicy/common/shell.te
@@ -0,0 +1 @@
+allow shell serial_device:chr_file rw_file_perms;
diff --git a/sepolicy/common/surfaceflinger.te b/sepolicy/common/surfaceflinger.te
new file mode 100644
index 0000000..2bba8a7
--- /dev/null
+++ b/sepolicy/common/surfaceflinger.te
@@ -0,0 +1,5 @@
+allow surfaceflinger self:process execmem;
+allow surfaceflinger ashmem_device:chr_file execute;
+
+typeattribute surfaceflinger system_writes_vendor_properties_violators;
+set_prop(surfaceflinger, qemu_prop)
diff --git a/sepolicy/common/system_server.te b/sepolicy/common/system_server.te
new file mode 100644
index 0000000..dd70b12
--- /dev/null
+++ b/sepolicy/common/system_server.te
@@ -0,0 +1 @@
+get_prop(system_server, radio_noril_prop)
diff --git a/sepolicy/common/vendor_init.te b/sepolicy/common/vendor_init.te
new file mode 100644
index 0000000..b18d391
--- /dev/null
+++ b/sepolicy/common/vendor_init.te
@@ -0,0 +1 @@
+set_prop(vendor_init, qemu_prop)
diff --git a/sepolicy/common/vold.te b/sepolicy/common/vold.te
new file mode 100644
index 0000000..bea4501
--- /dev/null
+++ b/sepolicy/common/vold.te
@@ -0,0 +1,3 @@
+dontaudit vold kernel:system module_request;
+
+allow vold nsfs:file r_file_perms;
diff --git a/sepolicy/common/zygote.te b/sepolicy/common/zygote.te
new file mode 100644
index 0000000..da403b5
--- /dev/null
+++ b/sepolicy/common/zygote.te
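Review bot: `allow shell serial_device:chr_file rw_file_perms;` in shell.te gives the adb shell user unrestricted read/write on every serial_device node, which in this commit's file_contexts is `/dev/ttyGF[0-9]*`, the emulator's guest-to-host serial channels (the same nodes logpersist is given write-only access to). There is no comment saying which tool needs this or why read as well as write is required; if it exists for interactive debugging of the serial ports, say so and consider limiting it to userdebug/eng builds with a `userdebug_or_eng(...)` wrapper rather than granting it on all builds.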
@@ -0,0 +1,5 @@
+typeattribute zygote system_writes_vendor_properties_violators;
+set_prop(zygote, qemu_prop)
+# TODO (b/63631799) fix this access
+# Suppress denials to storage. Webview zygote should not be accessing.
+dontaudit webview_zygote mnt_expand_file:dir getattr;
diff --git a/sepolicy/x86/OWNERS b/sepolicy/x86/OWNERS
new file mode 100644
index 0000000..ff29677
--- /dev/null
+++ b/sepolicy/x86/OWNERS
@@ -0,0 +1,8 @@
+alanstokes@google.com
+bowgotsai@google.com
+jbires@google.com
+jeffv@google.com
+jgalenson@google.com
+sspatil@google.com
+tomcherry@google.com
+trong@google.com
diff --git a/sepolicy/x86/domain.te b/sepolicy/x86/domain.te
new file mode 100644
index 0000000..0bc8d87
--- /dev/null
+++ b/sepolicy/x86/domain.te
@@ -0,0 +1 @@
+allow domain cpuctl_device:dir search;
diff --git a/sepolicy/x86/healthd.te b/sepolicy/x86/healthd.te
new file mode 100644
index 0000000..95fa807
--- /dev/null
+++ b/sepolicy/x86/healthd.te
@@ -0,0 +1 @@
+allow healthd self:capability sys_nice;
diff --git a/sepolicy/x86/init.te b/sepolicy/x86/init.te
new file mode 100644
index 0000000..3aa81d1
--- /dev/null
+++ b/sepolicy/x86/init.te
@@ -0,0 +1 @@
+allow init tmpfs:lnk_file create_file_perms;
diff --git a/sepolicy/x86/installd.te b/sepolicy/x86/installd.te
new file mode 100644
index 0000000..7a558b1
--- /dev/null
+++ b/sepolicy/x86/installd.te
@@ -0,0 +1 @@
+allow installd self:process execmem;
diff --git a/sepolicy/x86/zygote.te b/sepolicy/x86/zygote.te
new file mode 100644
index 0000000..93993a4
--- /dev/null
+++ b/sepolicy/x86/zygote.te
@@ -0,0 +1,2 @@
+allow zygote self:process execmem;
+allow zygote self:capability sys_nice;
|
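Review bot: `typeattribute zygote system_writes_vendor_properties_violators;` together with `set_prop(zygote, qemu_prop)` lets zygote write the entire `qemu.`, `vendor.qemu`, `ro.emu.` and `ro.emulator.` property namespace, and the hunk does not say which single property zygote actually sets. Marking a core domain as a violator is meant to be a temporary exemption, so the comment should name the property and the bug tracking its move to a vendor-side writer, so the attribute can be removed when that lands. The x86/zygote.te and x86/installd.te hunks later on this line add `self:process execmem` (and `sys_nice`) with no comment either; execmem in zygote is inherited by every app process it forks, so the reason (presumably the x86 native bridge or translator, which is only a guess from here) belongs in a one-line comment next to the rule.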