diff options
| author | Martin Liu <liumartin@google.com> | 2021-06-11 09:00:53 +0800 |
|---|---|---|
| committer | Martin Liu <liumartin@google.com> | 2021-06-11 10:38:18 +0800 |
| commit | b063289131cfc34dac355dccfc220669a83b62c1 (patch) | |
| tree | 5e280b62bdb64d559defb780a5b9fd50bc58e2e8 | |
| parent | 9faa5458944a3a858a6ddbce492d0a75b3828bf5 (diff) | |
| download | pixel-sepolicy-b063289131cfc34dac355dccfc220669a83b62c1.tar.gz | |
MM: create GKI version of sepolicy
Bug: 190571517
Bug: 189938926
Bug: 190732106
Signed-off-by: Martin Liu <liumartin@google.com>
Change-Id: Id5c39f45b0dd88e4c7c972fa60f416c715d6f34d
Merged-In: Id5c39f45b0dd88e4c7c972fa60f416c715d6f34d
| -rw-r--r-- | mm/gki/file.te | 5 | ||||
| -rw-r--r-- | mm/gki/file_contexts | 3 | ||||
| -rw-r--r-- | mm/gki/genfs_contexts | 4 | ||||
| -rw-r--r-- | mm/gki/init-mm-logging.sh.te | 19 | ||||
| -rw-r--r-- | mm/gki/vendor_init.te | 3 |
5 files changed, 34 insertions, 0 deletions
diff --git a/mm/gki/file.te b/mm/gki/file.te new file mode 100644 index 0000000..d0e1b64 --- /dev/null +++ b/mm/gki/file.te @@ -0,0 +1,5 @@ +type mm_logd_vendor_data_file, file_type, data_file_type; +type debugfs_page_owner, debugfs_type, fs_type; +type proc_watermark_boost_factor, fs_type, proc_type; +type proc_min_free_kbytes, fs_type, proc_type; +type proc_lowmem_reserve_ratio, fs_type, proc_type; diff --git a/mm/gki/file_contexts b/mm/gki/file_contexts new file mode 100644 index 0000000..a4bd033 --- /dev/null +++ b/mm/gki/file_contexts @@ -0,0 +1,3 @@ +/vendor/bin/mm_logd u:object_r:init-mm-logging-sh_exec:s0 +/data/vendor/mm(/.*)? u:object_r:mm_logd_vendor_data_file:s0 + diff --git a/mm/gki/genfs_contexts b/mm/gki/genfs_contexts new file mode 100644 index 0000000..957a343 --- /dev/null +++ b/mm/gki/genfs_contexts @@ -0,0 +1,4 @@ +genfscon debugfs /page_owner u:object_r:debugfs_page_owner:s0 +genfscon proc /sys/vm/watermark_boost_factor u:object_r:proc_watermark_boost_factor:s0 +genfscon proc /sys/vm/lowmem_reserve_ratio u:object_r:proc_watermark_boost_factor:s0 +genfscon proc /sys/vm/min_free_kbytes u:object_r:proc_watermark_boost_factor:s0 diff --git a/mm/gki/init-mm-logging.sh.te b/mm/gki/init-mm-logging.sh.te new file mode 100644 index 0000000..ae05e7b --- /dev/null +++ b/mm/gki/init-mm-logging.sh.te @@ -0,0 +1,19 @@ +type init-mm-logging-sh, domain; +type init-mm-logging-sh_exec, exec_type, vendor_file_type, file_type; + +init_daemon_domain(init-mm-logging-sh) + +dontaudit init-mm-logging-sh { domain -kernel }:{ file dir } *; +dontaudit init-mm-logging-sh self:capability sys_ptrace; + +userdebug_or_eng(` + allow init-mm-logging-sh vendor_toolbox_exec:file rx_file_perms; + allow init-mm-logging-sh proc_vmstat:file r_file_perms; + allow init-mm-logging-sh mm_logd_vendor_data_file:dir create_dir_perms; + allow init-mm-logging-sh mm_logd_vendor_data_file:file create_file_perms; + # Allow /proc/<pid>/stat + allow init-mm-logging-sh kernel:dir r_dir_perms; + allow init-mm-logging-sh kernel:file r_file_perms; + allow init-mm-logging-sh proc_stat:file r_file_perms; +') + diff --git a/mm/gki/vendor_init.te b/mm/gki/vendor_init.te new file mode 100644 index 0000000..5bedbad --- /dev/null +++ b/mm/gki/vendor_init.te @@ -0,0 +1,3 @@ +allow vendor_init proc_watermark_boost_factor:file w_file_perms; +allow vendor_init proc_lowmem_reserve_ratio:file w_file_perms; +allow vendor_init proc_min_free_kbytes:file w_file_perms; |