diff options
| author | Martin Liu <liumartin@google.com> | 2021-06-14 07:58:02 +0000 |
|---|---|---|
| committer | Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com> | 2021-06-14 07:58:02 +0000 |
| commit | 1395c0592329209c919dc24bee0dc40c7dc67e69 (patch) | |
| tree | 5e280b62bdb64d559defb780a5b9fd50bc58e2e8 | |
| parent | 6b461ad86cc269447195b7c29f0f1ccf702fbc1f (diff) | |
| parent | b063289131cfc34dac355dccfc220669a83b62c1 (diff) | |
| download | pixel-sepolicy-1395c0592329209c919dc24bee0dc40c7dc67e69.tar.gz | |
MM: create GKI version of sepolicy am: b063289131
Original change: https://googleplex-android-review.googlesource.com/c/platform/hardware/google/pixel-sepolicy/+/14934442
Change-Id: Ibef8fac35db9ada218ee7b4eb6e2dd586679d262
| -rw-r--r-- | mm/gki/file.te | 5 | ||||
| -rw-r--r-- | mm/gki/file_contexts | 3 | ||||
| -rw-r--r-- | mm/gki/genfs_contexts | 4 | ||||
| -rw-r--r-- | mm/gki/init-mm-logging.sh.te | 19 | ||||
| -rw-r--r-- | mm/gki/vendor_init.te | 3 |
5 files changed, 34 insertions, 0 deletions
diff --git a/mm/gki/file.te b/mm/gki/file.te new file mode 100644 index 0000000..d0e1b64 --- /dev/null +++ b/mm/gki/file.te @@ -0,0 +1,5 @@ +type mm_logd_vendor_data_file, file_type, data_file_type; +type debugfs_page_owner, debugfs_type, fs_type; +type proc_watermark_boost_factor, fs_type, proc_type; +type proc_min_free_kbytes, fs_type, proc_type; +type proc_lowmem_reserve_ratio, fs_type, proc_type; diff --git a/mm/gki/file_contexts b/mm/gki/file_contexts new file mode 100644 index 0000000..a4bd033 --- /dev/null +++ b/mm/gki/file_contexts @@ -0,0 +1,3 @@ +/vendor/bin/mm_logd u:object_r:init-mm-logging-sh_exec:s0 +/data/vendor/mm(/.*)? u:object_r:mm_logd_vendor_data_file:s0 + diff --git a/mm/gki/genfs_contexts b/mm/gki/genfs_contexts new file mode 100644 index 0000000..957a343 --- /dev/null +++ b/mm/gki/genfs_contexts @@ -0,0 +1,4 @@ +genfscon debugfs /page_owner u:object_r:debugfs_page_owner:s0 +genfscon proc /sys/vm/watermark_boost_factor u:object_r:proc_watermark_boost_factor:s0 +genfscon proc /sys/vm/lowmem_reserve_ratio u:object_r:proc_watermark_boost_factor:s0 +genfscon proc /sys/vm/min_free_kbytes u:object_r:proc_watermark_boost_factor:s0 diff --git a/mm/gki/init-mm-logging.sh.te b/mm/gki/init-mm-logging.sh.te new file mode 100644 index 0000000..ae05e7b --- /dev/null +++ b/mm/gki/init-mm-logging.sh.te @@ -0,0 +1,19 @@ +type init-mm-logging-sh, domain; +type init-mm-logging-sh_exec, exec_type, vendor_file_type, file_type; + +init_daemon_domain(init-mm-logging-sh) + +dontaudit init-mm-logging-sh { domain -kernel }:{ file dir } *; +dontaudit init-mm-logging-sh self:capability sys_ptrace; + +userdebug_or_eng(` + allow init-mm-logging-sh vendor_toolbox_exec:file rx_file_perms; + allow init-mm-logging-sh proc_vmstat:file r_file_perms; + allow init-mm-logging-sh mm_logd_vendor_data_file:dir create_dir_perms; + allow init-mm-logging-sh mm_logd_vendor_data_file:file create_file_perms; + # Allow /proc/<pid>/stat + allow init-mm-logging-sh kernel:dir r_dir_perms; + allow init-mm-logging-sh kernel:file r_file_perms; + allow init-mm-logging-sh proc_stat:file r_file_perms; +') + diff --git a/mm/gki/vendor_init.te b/mm/gki/vendor_init.te new file mode 100644 index 0000000..5bedbad --- /dev/null +++ b/mm/gki/vendor_init.te @@ -0,0 +1,3 @@ +allow vendor_init proc_watermark_boost_factor:file w_file_perms; +allow vendor_init proc_lowmem_reserve_ratio:file w_file_perms; +allow vendor_init proc_min_free_kbytes:file w_file_perms; |