diff options
| author | dianlujitao <dianlujitao@lineageos.org> | 2019-02-14 13:28:42 +0800 |
|---|---|---|
| committer | dianlujitao <dianlujitao@lineageos.org> | 2019-06-15 21:59:42 +0800 |
| commit | 370b40b194a6dcf20dfd6f958a27c5ad7993e5c6 (patch) | |
| tree | a75401039823f63ff5b8c41379006b7b2d038b11 /common | |
| parent | 71566b5f54de3c3227a9ea5ab8a6ff90bb01240b (diff) | |
| download | android_device_lineage_sepolicy-370b40b194a6dcf20dfd6f958a27c5ad7993e5c6.tar.gz android_device_lineage_sepolicy-370b40b194a6dcf20dfd6f958a27c5ad7993e5c6.tar.bz2 android_device_lineage_sepolicy-370b40b194a6dcf20dfd6f958a27c5ad7993e5c6.zip | |
sepolicy: Dynamically build trust policy into system/vendor
* Introduce a new board flag TARGET_USES_PREBUILT_VENDOR_SEPOLICY and
a sepolicy variant: dynamic
* When TARGET_USES_PREBUILT_VENDOR_SEPOLICY=true, dynamic act as
private policy, and vendor policy is excluded in order to avoid
conflicts (it's not integrated to final builds anyway). When the flag
is not set, dynamic acts as vendor policy to survive from system
image change i.e. GSI installation.
Change-Id: I8bfd078d6064616c88e2c58a9fa3aa045dddf303
Diffstat (limited to 'common')
| -rw-r--r-- | common/dynamic/file.te | 1 | ||||
| -rw-r--r-- | common/dynamic/genfs_contexts | 1 | ||||
| -rw-r--r-- | common/dynamic/hal_lineage_trust.te (renamed from common/public/hal_lineage_trust.te) | 0 | ||||
| -rw-r--r-- | common/dynamic/hwservice.te | 1 | ||||
| -rw-r--r-- | common/dynamic/hwservice_contexts | 1 | ||||
| -rw-r--r-- | common/private/genfs_contexts | 2 | ||||
| -rw-r--r-- | common/private/hwservice_contexts | 1 | ||||
| -rw-r--r-- | common/public/file.te | 2 | ||||
| -rw-r--r-- | common/public/hwservice.te | 1 | ||||
| -rw-r--r-- | common/sepolicy.mk | 12 |
10 files changed, 16 insertions, 6 deletions
diff --git a/common/dynamic/file.te b/common/dynamic/file.te new file mode 100644 index 0000000..c77d9ec --- /dev/null +++ b/common/dynamic/file.te @@ -0,0 +1 @@ +type proc_deny_new_usb, fs_type, proc_type; diff --git a/common/dynamic/genfs_contexts b/common/dynamic/genfs_contexts new file mode 100644 index 0000000..60cf2c6 --- /dev/null +++ b/common/dynamic/genfs_contexts @@ -0,0 +1 @@ +genfscon proc /sys/kernel/deny_new_usb u:object_r:proc_deny_new_usb:s0 diff --git a/common/public/hal_lineage_trust.te b/common/dynamic/hal_lineage_trust.te index ca4eff4..ca4eff4 100644 --- a/common/public/hal_lineage_trust.te +++ b/common/dynamic/hal_lineage_trust.te diff --git a/common/dynamic/hwservice.te b/common/dynamic/hwservice.te new file mode 100644 index 0000000..7ca4141 --- /dev/null +++ b/common/dynamic/hwservice.te @@ -0,0 +1 @@ +type hal_lineage_trust_hwservice, hwservice_manager_type; diff --git a/common/dynamic/hwservice_contexts b/common/dynamic/hwservice_contexts new file mode 100644 index 0000000..6cb1181 --- /dev/null +++ b/common/dynamic/hwservice_contexts @@ -0,0 +1 @@ +vendor.lineage.trust::IUsbRestrict u:object_r:hal_lineage_trust_hwservice:s0 diff --git a/common/private/genfs_contexts b/common/private/genfs_contexts index 62ba3e3..09d7df6 100644 --- a/common/private/genfs_contexts +++ b/common/private/genfs_contexts @@ -11,5 +11,3 @@ genfscon sysfs /devices/virtual/graphics/fb0/sre u:object_r:sysfs_livedisplay_tu genfscon sysfs /devices/virtual/graphics/fb0/reading_mode u:object_r:sysfs_livedisplay_tuneable:s0 genfscon sysfs /devices/virtual/timed_output/vibrator u:object_r:sysfs_vibrator:s0 - -genfscon proc /sys/kernel/deny_new_usb u:object_r:proc_deny_new_usb:s0 diff --git a/common/private/hwservice_contexts b/common/private/hwservice_contexts index 58ffb72..71d03ed 100644 --- a/common/private/hwservice_contexts +++ b/common/private/hwservice_contexts @@ -12,4 +12,3 @@ vendor.lineage.touch::IGloveMode u:object_r:hal_lineage_touc vendor.lineage.touch::IKeyDisabler u:object_r:hal_lineage_touch_hwservice:s0 vendor.lineage.touch::IStylusMode u:object_r:hal_lineage_touch_hwservice:s0 vendor.lineage.touch::ITouchscreenGesture u:object_r:hal_lineage_touch_hwservice:s0 -vendor.lineage.trust::IUsbRestrict u:object_r:hal_lineage_trust_hwservice:s0 diff --git a/common/public/file.te b/common/public/file.te index 9b6c35e..45564dc 100644 --- a/common/public/file.te +++ b/common/public/file.te @@ -1,3 +1 @@ -type proc_deny_new_usb, fs_type, proc_type; - type sysfs_livedisplay_tuneable, fs_type, sysfs_type; diff --git a/common/public/hwservice.te b/common/public/hwservice.te index 62a4f87..3676f11 100644 --- a/common/public/hwservice.te +++ b/common/public/hwservice.te @@ -1,3 +1,2 @@ type hal_lineage_livedisplay_hwservice, hwservice_manager_type; type hal_lineage_touch_hwservice, hwservice_manager_type; -type hal_lineage_trust_hwservice, hwservice_manager_type; diff --git a/common/sepolicy.mk b/common/sepolicy.mk index 7e8299a..80aa4b2 100644 --- a/common/sepolicy.mk +++ b/common/sepolicy.mk @@ -3,11 +3,23 @@ # inherit from Lineage # +ifeq ($(TARGET_COPY_OUT_VENDOR), vendor) +ifeq ($(BOARD_VENDORIMAGE_FILE_SYSTEM_TYPE),) +TARGET_USES_PREBUILT_VENDOR_SEPOLICY ?= true +endif +endif + BOARD_PLAT_PUBLIC_SEPOLICY_DIR += \ device/lineage/sepolicy/common/public BOARD_PLAT_PRIVATE_SEPOLICY_DIR += \ device/lineage/sepolicy/common/private +ifeq ($(TARGET_USES_PREBUILT_VENDOR_SEPOLICY), true) +BOARD_PLAT_PRIVATE_SEPOLICY_DIR += \ + device/lineage/sepolicy/common/dynamic +else BOARD_SEPOLICY_DIRS += \ + device/lineage/sepolicy/common/dynamic \ device/lineage/sepolicy/common/vendor +endif |