diff options
| author | android-build-team Robot <android-build-team-robot@google.com> | 2019-05-11 23:12:22 +0000 |
|---|---|---|
| committer | android-build-team Robot <android-build-team-robot@google.com> | 2019-05-11 23:12:22 +0000 |
| commit | eec8dc359571b9ca6fb85915e595da0693516d2b (patch) | |
| tree | fc7188484f4ea335e5f48315389e4737392c26a5 | |
| parent | 8fc0fbd78b807c38f528067b0a4e2d0aba057938 (diff) | |
| parent | 56209c7c1744e184798e01a6109ecb4f1bc50f3b (diff) | |
| download | cuttlefish-eec8dc359571b9ca6fb85915e595da0693516d2b.tar.gz | |
Snap for 5558509 from 56209c7c1744e184798e01a6109ecb4f1bc50f3b to qt-release
Change-Id: I38607b77de986fe9d4bb25b9c3866268a4df5cdd
| -rw-r--r-- | shared/sepolicy/bug_map | 10 | ||||
| -rw-r--r-- | shared/sepolicy/file_contexts | 1 | ||||
| -rw-r--r-- | shared/sepolicy/hal_camera_default.te | 4 | ||||
| -rw-r--r-- | shared/sepolicy/init.te | 4 | ||||
| -rw-r--r-- | shared/sepolicy/logpersist.te | 1 | ||||
| -rw-r--r-- | shared/sepolicy/property_contexts | 2 | ||||
| -rw-r--r-- | shared/sepolicy/system_server.te | 1 | ||||
| -rw-r--r-- | shared/sepolicy/ueventd.te | 1 | ||||
| -rw-r--r-- | shared/sepolicy/vsoc_guest_region_e2e_test.te | 4 |
9 files changed, 27 insertions, 1 deletions
diff --git a/shared/sepolicy/bug_map b/shared/sepolicy/bug_map new file mode 100644 index 000000000..722a5f663 --- /dev/null +++ b/shared/sepolicy/bug_map @@ -0,0 +1,10 @@ +hal_bluetooth_sim hal_bluetooth_sim tcp_socket 128355308 +installd device file 128336318 +kernel device blk_file 130468851 +kernel kernel system 130424539 +lmkd device file 128336318 +netd device file 128336318 +storaged device file 128336318 +system_server system_server process 65201432 +vendor_init kernel system 130424539 +vold device file 128336318 diff --git a/shared/sepolicy/file_contexts b/shared/sepolicy/file_contexts index 0dfc4666d..6beb44478 100644 --- a/shared/sepolicy/file_contexts +++ b/shared/sepolicy/file_contexts @@ -41,6 +41,7 @@ /vendor/bin/hw/libcuttlefish-rild u:object_r:libcuttlefish_rild_exec:s0 /vendor/bin/hw/android\.hardware\.power\.stats@1\.0-service\.mock u:object_r:hal_power_stats_default_exec:s0 /vendor/bin/hw/android\.hardware\.bluetooth@1\.0-service\.sim u:object_r:hal_bluetooth_sim_exec:s0 +/vendor/bin/hw/android\.hardware\.drm@1\.1-service\.clearkey u:object_r:hal_drm_default_exec:s0 /vendor/bin/hw/android\.hardware\.dumpstate@1\.0-service\.cuttlefish u:object_r:hal_dumpstate_impl_exec:s0 /vendor/bin/hw/android\.hardware\.health@2\.0-service\.cuttlefish u:object_r:hal_health_default_exec:s0 /vendor/bin/hw/android\.hardware\.health\.storage@1\.0-service\.cuttlefish u:object_r:hal_health_storage_default_exec:s0 diff --git a/shared/sepolicy/hal_camera_default.te b/shared/sepolicy/hal_camera_default.te index 02fb9623c..79bed2681 100644 --- a/shared/sepolicy/hal_camera_default.te +++ b/shared/sepolicy/hal_camera_default.te @@ -1,3 +1,7 @@ +type hal_camera_prop, property_type; + vndbinder_use(hal_camera_default) hal_client_domain(hal_camera_default, hal_graphics_allocator) + +get_prop(hal_camera_default, hal_camera_prop) diff --git a/shared/sepolicy/init.te b/shared/sepolicy/init.te index f6731f7c0..26f71100e 100644 --- a/shared/sepolicy/init.te +++ b/shared/sepolicy/init.te @@ -11,3 +11,7 @@ allow init kernel:system module_request; # binfmt_misc arm for ndk translator allow init binfmt_miscfs:file w_file_perms; allow init proc:dir mounton; + +# /mnt/sdcard -> /storage/self/primary symlink is deprecated. Ignore attempts to +# create it. This denial is fixed in core policy in Android R aosp/943799. +dontaudit init tmpfs:lnk_file create; diff --git a/shared/sepolicy/logpersist.te b/shared/sepolicy/logpersist.te index f7fe15100..22e6da5c6 100644 --- a/shared/sepolicy/logpersist.te +++ b/shared/sepolicy/logpersist.te @@ -1,5 +1,6 @@ # Output to virtual serial console. Needed because seriallogging daemon # runs logcat and directs its output to vportXpY or cf_logcat_pipe under # the /dev filesystem. +allow logpersist device:dir r_dir_perms; allow logpersist device:fifo_file ra_file_perms; allow logpersist virtual_serial_device:chr_file ra_file_perms; diff --git a/shared/sepolicy/property_contexts b/shared/sepolicy/property_contexts index 2b09527cd..b7ac336a7 100644 --- a/shared/sepolicy/property_contexts +++ b/shared/sepolicy/property_contexts @@ -8,3 +8,5 @@ ro.boot.vsock_logcat_port u:object_r:vsock_logcat_port_prop:s0 ro.cdma.home.operator.alpha u:object_r:vendor_init_radio_prop:s0 ro.cdma.home.operator.numeric u:object_r:vendor_init_radio_prop:s0 vendor.vsock_logcat_status u:object_r:vsock_logcat_status_prop:s0 +qemu.sf.back_camera_caps u:object_r:hal_camera_prop:s0 +qemu.sf.front_camera_caps u:object_r:hal_camera_prop:s0 diff --git a/shared/sepolicy/system_server.te b/shared/sepolicy/system_server.te index c4b3729d3..703eeb516 100644 --- a/shared/sepolicy/system_server.te +++ b/shared/sepolicy/system_server.te @@ -5,4 +5,3 @@ # (system/sepolicy) contains a corresponding neverallow which would cause build-time errors if the # allow execmem rule were added here. permissive system_server; -dontaudit system_server self:process execmem; diff --git a/shared/sepolicy/ueventd.te b/shared/sepolicy/ueventd.te new file mode 100644 index 000000000..985c8ec4d --- /dev/null +++ b/shared/sepolicy/ueventd.te @@ -0,0 +1 @@ +allow ueventd metadata_file:dir search; diff --git a/shared/sepolicy/vsoc_guest_region_e2e_test.te b/shared/sepolicy/vsoc_guest_region_e2e_test.te index d4ab68fd3..db5749f48 100644 --- a/shared/sepolicy/vsoc_guest_region_e2e_test.te +++ b/shared/sepolicy/vsoc_guest_region_e2e_test.te @@ -7,3 +7,7 @@ init_daemon_domain(vsoc_guest_region_e2e_test) allow vsoc_guest_region_e2e_test region_e2e_test_device:chr_file rw_file_perms; allow vsoc_guest_region_e2e_test vendor_data_file:file { create_file_perms }; allow vsoc_guest_region_e2e_test vendor_data_file:dir { create_file_perms create_dir_perms }; + +# gtest checks access() on /data/local/tmp. However, vendor processes are +# neverallow'ed /data access outside of /data/vendor. +dontaudit vsoc_guest_region_e2e_test self:capability dac_override; |