author | Shanshan Guo <Shanshan.Guo@mediatek.com> | 2020-03-07 17:26:46 +0800 |
---|---|---|
committer | Shanshan Guo <Shanshan.Guo@mediatek.com> | 2020-03-07 17:26:46 +0800 |
commit | 512aae2db42b32c1210cb424022ad61cd55dd30f (patch) | |
tree | 20e77e6b203097fa06f6679162808cb1de03b1eb | |
parent | 097a3549a6ff75175cb40175adfa0e2c956abfb9 (diff) | |
download | wembley-sepolicy-512aae2db42b32c1210cb424022ad61cd55dd30f.tar.gz |
[ALPS05025613] SEPolicy: Modify neverallow rule for system_data_file
[Detail]
AOSP/1242251 adds an allow rule for inode2filename.
[Solution]
Modify neverallow rule of system_data_file dir to exclude inode2filename.
Change-Id: I1794bbd1f5d66f0c134dcbbf86abdf30eb096b2b
CR-Id: ALPS05025613
Feature: [Android Default] SELinux, SEAndroid, and SE-MTK
-rw-r--r-- | plat_private/domain.te | 204 | ||||
-rw-r--r-- | plat_public/domain.te | 274 |
2 files changed, 239 insertions, 239 deletions
diff --git a/plat_private/domain.te b/plat_private/domain.te
index ced61d6..4252e23 100644
--- a/plat_private/domain.te
+++ b/plat_private/domain.te
@@ -13,105 +13,105 @@
 # allow hal_drm system_data_file:file { getattr read };
 # hal_server_domain(merged_hal_service, hal_drm)
 #
-#full_treble_only(`
-# neverallow {
-# coredomain
-# -appdomain
-# -app_zygote
-# -dumpstate
-# -init
-# -installd
-# -iorap_prefetcherd
-# -iorap_inode2filename
-# -logd
-# -mediadrmserver
-# -mediaextractor
-# -mediaserver
-# -runas
-# -sdcardd
-# -simpleperf_app_runner
-# -storaged
-# -system_server
-# -toolbox
-# -vold
-# -vold_prepare_subdirs
-# -zygote
-# } system_data_file:file *;
-#
-# neverallow { appdomain app_zygote } system_data_file:file ~{ getattr read map };
-#
-# neverallow {
-# dumpstate
-# logd
-# runas
-# sdcardd
-# simpleperf_app_runner
-# storaged
-# zygote
-# } system_data_file:file ~r_file_perms;
-#
-# neverallow init system_data_file:file ~{ create getattr open read write setattr relabelfrom unlink map getattr relabelto };
-#
-# neverallow installd system_data_file:file ~{ getattr relabelfrom unlink };
-#
-# neverallow iorap_prefetcherd system_data_file:file ~{ open read };
-# neverallow iorap_inode2filename system_data_file:file ~{ open read getattr };
-#
-# neverallow {
-# mediadrmserver
-# mediaextractor
-# mediaserver
-# } system_data_file:file ~{ read getattr };
-#
-# neverallow system_server system_data_file:file ~{ create_file_perms relabelfrom link };
-#
-# neverallow { toolbox vold_prepare_subdirs } system_data_file:file ~{ getattr unlink };
-#
-# neverallow vold system_data_file:file ~read;
-#
-# neverallow ~{
-# appdomain
-# app_zygote
-# dexoptanalyzer
-# init
-# installd
-# iorap_prefetcherd
-# iorap_inode2filename
-# logd
-# rs
-# runas
-# simpleperf_app_runner
-# system_server
-# tee
-# vold
-# webview_zygote
-# zygote
-# } system_data_file:lnk_file *;
-#
-# neverallow {
-# appdomain
-# app_zygote
-# logd
-# webview_zygote
-# } system_data_file:lnk_file ~r_file_perms;
-#
-# neverallow { dexoptanalyzer vold } system_data_file:lnk_file ~getattr;
-#
-# neverallow init system_data_file:lnk_file ~{ r_file_perms create setattr relabelfrom relabelto unlink };
-#
-# neverallow installd system_data_file:lnk_file ~{ create getattr read setattr unlink relabelfrom };
-#
-# neverallow iorap_prefetcherd system_data_file:lnk_file ~{ read open };
-#
-# neverallow iorap_inode2filename system_data_file:lnk_file ~{ read open getattr };
-#
-# neverallow rs system_data_file:lnk_file ~{ read };
-#
-# neverallow {
-# runas
-# simpleperf_app_runner
-# tee
-# } system_data_file:lnk_file ~{ read getattr };
-#
-# neverallow system_server system_data_file:lnk_file ~create_file_perms;
-#')
+full_treble_only(`
+ neverallow {
+ coredomain
+ -appdomain
+ -app_zygote
+ -dumpstate
+ -init
+ -installd
+ -iorap_prefetcherd
+ -iorap_inode2filename
+ -logd
+ -mediadrmserver
+ -mediaextractor
+ -mediaserver
+ -runas
+ -sdcardd
+ -simpleperf_app_runner
+ -storaged
+ -system_server
+ -toolbox
+ -vold
+ -vold_prepare_subdirs
+ -zygote
+ } system_data_file:file *;
+
+ neverallow { appdomain app_zygote } system_data_file:file ~{ getattr read map };
+
+ neverallow {
+ dumpstate
+ logd
+ runas
+ sdcardd
+ simpleperf_app_runner
+ storaged
+ zygote
+ } system_data_file:file ~r_file_perms;
+
+ neverallow init system_data_file:file ~{ create getattr open read write setattr relabelfrom unlink map getattr relabelto };
+
+ neverallow installd system_data_file:file ~{ getattr relabelfrom unlink };
+
+ neverallow iorap_prefetcherd system_data_file:file ~{ open read };
+ neverallow iorap_inode2filename system_data_file:file ~getattr;
+
+ neverallow {
+ mediadrmserver
+ mediaextractor
+ mediaserver
+ } system_data_file:file ~{ read getattr };
+
+ neverallow system_server system_data_file:file ~{ create_file_perms relabelfrom link };
+
+ neverallow { toolbox vold_prepare_subdirs } system_data_file:file ~{ getattr unlink };
+
+ neverallow vold system_data_file:file ~read;
+
+ neverallow ~{
+ appdomain
+ app_zygote
+ dexoptanalyzer
+ init
+ installd
+ iorap_prefetcherd
+ iorap_inode2filename
+ logd
+ rs
+ runas
+ simpleperf_app_runner
+ system_server
+ tee
+ vold
+ webview_zygote
+ zygote
+ } system_data_file:lnk_file *;
+
+ neverallow {
+ appdomain
+ app_zygote
+ logd
+ webview_zygote
+ } system_data_file:lnk_file ~r_file_perms;
+
+ neverallow { dexoptanalyzer vold } system_data_file:lnk_file ~getattr;
+
+ neverallow init system_data_file:lnk_file ~{ r_file_perms create setattr relabelfrom relabelto unlink };
+
+ neverallow installd system_data_file:lnk_file ~{ create getattr read setattr unlink relabelfrom };
+
+ neverallow iorap_prefetcherd system_data_file:lnk_file ~{ read open };
+
+ neverallow iorap_inode2filename system_data_file:lnk_file ~{ read open getattr };
+
+ neverallow rs system_data_file:lnk_file ~{ read };
+
+ neverallow {
+ runas
+ simpleperf_app_runner
+ tee
+ } system_data_file:lnk_file ~{ read getattr };
+
+ neverallow system_server system_data_file:lnk_file ~create_file_perms;
+')
diff --git a/plat_public/domain.te b/plat_public/domain.te
index f01e49d..3feb681 100644
--- a/plat_public/domain.te
+++ b/plat_public/domain.te
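Review bot: The iorap_inode2filename `:file` rule changes from `~{ open read getattr }` to `~getattr`, so open and read on system_data_file:file are now forbidden for that domain, while the commit message says the dir rule was modified to exclude inode2filename; the `system_data_file:dir` rule in the plat_public hunk is unchanged, so the description and the diff disagree. Tightening is the safe direction (a conflicting allow rule fails the policy build), but the message should state the actual change, `neverallow iorap_inode2filename system_data_file:file ~getattr;`, and that the whole full_treble_only block is being re-enabled after having been commented out on the old side. The context comments above the block mention `allow hal_drm system_data_file:file { getattr read }` via merged_hal_service; if that domain is in coredomain it now falls under `neverallow { coredomain ... } system_data_file:file *;`, so please confirm the policy still compiles with that allow present. Two pre-existing nits are carried into live policy: `neverallow init system_data_file:file ~{ create getattr open read write setattr relabelfrom unlink map getattr relabelto };` lists getattr twice, and the plat_public hunk keeps `~{ relabelto };;` with a doubled semicolon. The same block is enabled with the same rule change in plat_public/domain.te, whose hunk runs past the end of this page.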
@@ -147,143 +147,143 @@ full_treble_only(`
 # allow hal_drm system_data_file:file { getattr read };
 # hal_server_domain(merged_hal_service, hal_drm)
 #
-#full_treble_only(`
-# neverallow ~{
-# init
-# installd
-# system_server
-# } system_data_file:{ chr_file blk_file sock_file fifo_file } *;
-#
-# neverallow init system_data_file:{ chr_file blk_file } ~{ relabelto };;
-#
-# neverallow init system_data_file:{ sock_file fifo_file } ~{ create getattr open read setattr relabelfrom unlink relabelto };
-#
-# neverallow installd system_data_file:{ chr_file blk_file } *;
-#
-# neverallow installd system_data_file:{ sock_file fifo_file } ~{ getattr relabelfrom unlink };
-#
-# neverallow system_server system_data_file:{ lnk_file sock_file fifo_file } ~create_file_perms;
-#
-# neverallow {
-# coredomain
-# -appdomain
-# -app_zygote
-# -init
-# -installd
-# -iorap_prefetcherd
-# -iorap_inode2filename
-# -system_server
-# -toolbox
-# -vold
-# -vold_prepare_subdirs
-# } system_data_file:file ~r_file_perms;
-#
-# neverallow { appdomain app_zygote } system_data_file:file ~{ getattr read map };
-#
-# neverallow init system_data_file:file ~{ create getattr open read write setattr relabelfrom unlink map getattr relabelto };
-#
-# neverallow installd system_data_file:file ~{ getattr relabelfrom unlink };
-#
-# neverallow iorap_inode2filename system_data_file:file ~{ open read getattr };
-#
-# neverallow iorap_prefetcherd system_data_file:file ~{ open read };
-#
-# neverallow {
-# mediadrmserver
-# mediaextractor
-# mediaserver
-# } system_data_file:file ~{ read getattr };
-#
-# neverallow system_server system_data_file:file ~{ create_file_perms relabelfrom link };
-#
-# neverallow { toolbox vold_prepare_subdirs } system_data_file:file ~{ getattr unlink };
-#
-# neverallow vold system_data_file:file ~read;
-#
-# neverallow ~{
-# appdomain
-# app_zygote
-# init
-# installd
-# iorap_prefetcherd
-# iorap_inode2filename
-# logd
-# rs
-# runas
-# simpleperf_app_runner
-# system_server
-# tee
-# vold
-# webview_zygote
-# zygote
-# } system_data_file:lnk_file ~getattr;
-#
-# neverallow {
-# appdomain
-# app_zygote
-# logd
-# webview_zygote
-# } system_data_file:lnk_file ~r_file_perms;
-#
-# neverallow init system_data_file:lnk_file ~{ r_file_perms create setattr relabelfrom relabelto unlink };
-#
-# neverallow installd system_data_file:lnk_file ~{ create getattr read setattr unlink relabelfrom };
-#
-# neverallow iorap_prefetcherd system_data_file:lnk_file ~{ read open };
-#
-# neverallow iorap_inode2filename system_data_file:lnk_file ~{ read open getattr };
-#
-# neverallow rs system_data_file:lnk_file ~{ read };
-#
-# neverallow {
-# runas
-# simpleperf_app_runner
-# tee
-# } system_data_file:lnk_file ~{ read getattr };
-#
-# neverallow system_server system_data_file:lnk_file ~create_file_perms;
-#
-# neverallow ~{
-# apexd
-# init
-# installd
-# iorap_prefetcherd
-# iorap_inode2filename
-# system_server
-# toolbox
-# traced_probes
-# vold
-# vold_prepare_subdirs
-# zygote
-# } system_data_file:dir ~{ search getattr };
-#
-# neverallow apexd system_data_file:dir ~r_dir_perms;
-#
-# neverallow init system_data_file:dir ~{
-# create search getattr open read setattr ioctl
-# mounton
-# relabelto
-# write add_name remove_name rmdir relabelfrom
-# };
-#
-# neverallow installd system_data_file:dir ~{ relabelfrom create_dir_perms };
-#
-# neverallow {
-# iorap_prefetcherd
-# iorap_inode2filename
-# traced_probes
-# } system_data_file:dir ~{ open read search getattr };
-#
-# neverallow system_server system_data_file:dir ~{ relabelfrom create_dir_perms };
-#
-# neverallow toolbox system_data_file:dir ~{ rmdir rw_dir_perms };
-#
-# neverallow vold system_data_file:dir ~{ create rw_dir_perms mounton setattr rmdir };
-#
-# neverallow vold_prepare_subdirs system_data_file:dir ~{ open read write add_name remove_name rmdir relabelfrom search getattr };
-#
-# neverallow zygote system_data_file:dir ~{ r_dir_perms mounton relabelto };
-#')
+full_treble_only(`
+ neverallow ~{
+ init
+ installd
+ system_server
+ } system_data_file:{ chr_file blk_file sock_file fifo_file } *;
+
+ neverallow init system_data_file:{ chr_file blk_file } ~{ relabelto };;
+
+ neverallow init system_data_file:{ sock_file fifo_file } ~{ create getattr open read setattr relabelfrom unlink relabelto };
+
+ neverallow installd system_data_file:{ chr_file blk_file } *;
+
+ neverallow installd system_data_file:{ sock_file fifo_file } ~{ getattr relabelfrom unlink };
+
+ neverallow system_server system_data_file:{ lnk_file sock_file fifo_file } ~create_file_perms;
+
+ neverallow {
+ coredomain
+ -appdomain
+ -app_zygote
+ -init
+ -installd
+ -iorap_prefetcherd
+ -iorap_inode2filename
+ -system_server
+ -toolbox
+ -vold
+ -vold_prepare_subdirs
+ } system_data_file:file ~r_file_perms;
+
+ neverallow { appdomain app_zygote } system_data_file:file ~{ getattr read map };
+
+ neverallow init system_data_file:file ~{ create getattr open read write setattr relabelfrom unlink map getattr relabelto };
+
+ neverallow installd system_data_file:file ~{ getattr relabelfrom unlink };
+
+ neverallow iorap_inode2filename system_data_file:file ~getattr;
+
+ neverallow iorap_prefetcherd system_data_file:file ~{ open read };
+
+ neverallow {
+ mediadrmserver
+ mediaextractor
+ mediaserver
+ } system_data_file:file ~{ read getattr };
+
+ neverallow system_server system_data_file:file ~{ create_file_perms relabelfrom link };
+
+ neverallow { toolbox vold_prepare_subdirs } system_data_file:file ~{ getattr unlink };
+
+ neverallow vold system_data_file:file ~read;
+
+ neverallow ~{
+ appdomain
+ app_zygote
+ init
+ installd
+ iorap_prefetcherd
+ iorap_inode2filename
+ logd
+ rs
+ runas
+ simpleperf_app_runner
+ system_server
+ tee
+ vold
+ webview_zygote
+ zygote
+ } system_data_file:lnk_file ~getattr;
+
+ neverallow {
+ appdomain
+ app_zygote
+ logd
+ webview_zygote
+ } system_data_file:lnk_file ~r_file_perms;
+
+ neverallow init system_data_file:lnk_file ~{ r_file_perms create setattr relabelfrom relabelto unlink };
+
+ neverallow installd system_data_file:lnk_file ~{ create getattr read setattr unlink relabelfrom };
+
+ neverallow iorap_prefetcherd system_data_file:lnk_file ~{ read open };
+
+ neverallow iorap_inode2filename system_data_file:lnk_file ~{ read open getattr };
+
+ neverallow rs system_data_file:lnk_file ~{ read };
+
+ neverallow {
+ runas
+ simpleperf_app_runner
+ tee
+ } system_data_file:lnk_file ~{ read getattr };
+
+ neverallow system_server system_data_file:lnk_file ~create_file_perms;
+
+ neverallow ~{
+ apexd
+ init
+ installd
+ iorap_prefetcherd
+ iorap_inode2filename
+ system_server
+ toolbox
+ traced_probes
+ vold
+ vold_prepare_subdirs
+ zygote
+ } system_data_file:dir ~{ search getattr };
+
+ neverallow apexd system_data_file:dir ~r_dir_perms;
+
+ neverallow init system_data_file:dir ~{
+ create search getattr open read setattr ioctl
+ mounton
+ relabelto
+ write add_name remove_name rmdir relabelfrom
+ };
+
+ neverallow installd system_data_file:dir ~{ relabelfrom create_dir_perms };
+
+ neverallow {
+ iorap_prefetcherd
+ iorap_inode2filename
+ traced_probes
+ } system_data_file:dir ~{ open read search getattr };
+
+ neverallow system_server system_data_file:dir ~{ relabelfrom create_dir_perms };
+
+ neverallow toolbox system_data_file:dir ~{ rmdir rw_dir_perms };
+
+ neverallow vold system_data_file:dir ~{ create rw_dir_perms mounton setattr rmdir };
+
+ neverallow vold_prepare_subdirs system_data_file:dir ~{ open read write add_name remove_name rmdir relabelfrom search getattr };
+
+ neverallow zygote system_data_file:dir ~{ r_dir_perms mounton relabelto };
+')
 # Do not allow access to the generic vendor_data_file label. This is |