authorRicardo Cerqueira <ricardo@cyngn.com>2015-06-16 02:17:56 +0100
committerRicardo Cerqueira <ricardo@cyngn.com>2015-06-16 02:17:56 +0100
commit1d7bc1d6cd9a88943acdc202150a1984d67a82be (patch)
treeab21f45cddac2c8e345898569ff941c2a860f1ab
parentd2a9e973cd087b936df9ac2592f1e01468bbbec4 (diff)
domain: Restore original neverallow rules for shipping builds
MR1 CTS validates the integrity of neverallow rules, so we can't change them. Fixes android.cts.security.SELinuxNeverallowRulesTest#testNeverallowRules82 Change-Id: If8d3e26355a0774edee60ac9293a58eb48dc1b48
-rw-r--r--Android.mk1
-rw-r--r--domain.te6
-rw-r--r--file.te7
-rw-r--r--vold.te4
4 files changed, 15 insertions, 3 deletions
diff --git a/Android.mk b/Android.mk
index be5656e..839513c 100644
--- a/Android.mk
+++ b/Android.mk
@@ -113,6 +113,7 @@ $(sepolicy_policy.conf) : $(call build_policy, $(sepolicy_build_files))
@mkdir -p $(dir $@)
$(hide) m4 -D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
-D target_build_variant=$(TARGET_BUILD_VARIANT) \
+ -D shipping_build=$(CYNGN_TARGET) \
-D force_permissive_to_unconfined=$(FORCE_PERMISSIVE_TO_UNCONFINED) \
-s $^ > $@
$(hide) sed '/dontaudit/d' $@ > $@.dontaudit
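Review bot: The added `-D shipping_build=$(CYNGN_TARGET)` line makes the CTS-conformant rules depend on CYNGN_TARGET expanding to exactly the string `true`. The `ifelse(shipping_build, ...)` tests in domain.te, file.te and vold.te take the relaxed sdcard_posix branch when the variable is unset or holds any other value (`1`, `yes`, `True`), so a misconfigured shipping build gets the weaker policy without a build error. Where CYNGN_TARGET is set is not visible here, so at minimum document the contract above the rule, e.g. `# shipping_build must be the literal "true" to select the stock neverallow rules; any other value builds the relaxed sdcard_posix policy`. If shipping is the security-relevant case, consider inverting the test so that the relaxed branch is the one that needs an explicit opt-in.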
diff --git a/domain.te b/domain.te
index f6b7659..bfb5f05 100644
--- a/domain.te
+++ b/domain.te
@@ -299,7 +299,11 @@ neverallow { domain -recovery } rootfs:file { create write setattr relabelto app
# Restrict context mounts to specific types marked with
# the contextmount_type attribute.
-neverallow domain {fs_type -contextmount_type -sdcard_posix}:filesystem relabelto;
+ifelse(shipping_build, `true',
+ `neverallow domain {fs_type -contextmount_type}:filesystem relabelto;'
+,
+ `neverallow domain {fs_type -contextmount_type -sdcard_posix}:filesystem relabelto;'
+)
# Ensure that context mount types are not writable, to ensure that
# the write to /system restriction above is not bypassed via context=
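Review bot: The non-shipping branch of the `ifelse` still exempts `sdcard_posix` from the relabelto neverallow for every domain, although the only grant visible in this commit is the one for vold in vold.te. If vold is indeed the only intended user, the relaxed branch can keep the exception bounded by adding `neverallow { domain -vold } sdcard_posix:filesystem relabelto;` next to the existing rule, so that a later allow for another domain fails at build time. The comment above the block should also say why the two variants exist (CTS checks the stock rule on shipping builds), since the existing comment describes only the contextmount restriction.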
diff --git a/file.te b/file.te
index 99dab9f..24ca895 100644
--- a/file.te
+++ b/file.te
@@ -31,7 +31,12 @@ type shm, fs_type;
type mqueue, fs_type;
type fuse, sdcard_type, fs_type, mlstrustedobject;
type vfat, sdcard_type, fs_type, mlstrustedobject;
-type sdcard_posix, sdcard_type, fs_type, mlstrustedobject;
+ifelse(shipping_build, `true',
+ # Dummy this out in shipping to avoid breaking code mentioning the label
+ `typealias vfat alias sdcard_posix;'
+,
+ `type sdcard_posix, sdcard_type, fs_type, mlstrustedobject;'
+)
typealias fuse alias sdcard_internal;
typealias vfat alias sdcard_external;
type debugfs, fs_type, mlstrustedobject;
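Review bot: On shipping builds `typealias vfat alias sdcard_posix;` makes every rule that names `sdcard_posix` apply to `vfat` instead, so an allow written for the POSIX sdcard label elsewhere in the tree or in device policy is silently granted on all vfat filesystems. The vold rule is guarded out in vold.te, but other users of the label are not visible here and should be audited or guarded in the same way. Separately, the `# Dummy this out ...` comment sits inside the `ifelse` argument list, where m4 collects it as part of the argument text; moving it above the `ifelse(` line keeps the macro arguments limited to policy statements.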
diff --git a/vold.te b/vold.te
index ca163e4..edcacfa 100644
--- a/vold.te
+++ b/vold.te
@@ -13,7 +13,9 @@ allow vold devpts:chr_file rw_file_perms;
allow vold rootfs:dir mounton;
allow vold sdcard_type:dir mounton;
allow vold sdcard_type:filesystem { mount remount unmount };
-allow vold sdcard_posix:filesystem { relabelto relabelfrom };
+ifelse(shipping_build, `true', ,
+ allow vold sdcard_posix:filesystem { relabelto relabelfrom };
+)
allow vold labeledfs:filesystem { relabelfrom };
allow vold sdcard_type:dir create_dir_perms;
allow vold sdcard_type:file create_file_perms;
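Review bot: The third argument of this `ifelse` is unquoted, unlike the equivalent blocks in domain.te and file.te, so m4 scans the allow rule for macro names and argument separators while collecting it. It works for the current text, but a later edit that adds a comma or a token matching a defined macro would change the emitted policy without any error. Quote it as the other files do: `` `allow vold sdcard_posix:filesystem { relabelto relabelfrom };' ``.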