author | Android Build Coastguard Worker <android-build-coastguard-worker@google.com> | 2023-02-24 18:13:12 +0000 |
---|---|---|
committer | Android Build Coastguard Worker <android-build-coastguard-worker@google.com> | 2023-02-24 18:13:12 +0000 |
commit | 277a225da48c36d9c05fe198692ef945d80f833d (patch) | |
tree | 63c904290f30be50375743bfdc5dca5eb56a1f7d | |
parent | 83a9827c4b98248ef049e67c23827cdea9b39d31 (diff) | |
parent | 65a66499ccdd1a7963b5895aaf4c3564a51c8a08 (diff) | |
download | wembley-sepolicy-277a225da48c36d9c05fe198692ef945d80f833d.tar.gz |
Snap for 9652768 from 65a66499ccdd1a7963b5895aaf4c3564a51c8a08 to simpleperf-release
Change-Id: I59934cf8508949a87ba7c89115698240475b1387
-rw-r--r-- | neverallows/non_plat/neverallows.te | 32 | ||||
-rw-r--r-- | neverallows/plat_private/neverallows.te | 37 | ||||
-rw-r--r-- | neverallows/plat_public/neverallows.te | 30 | ||||
-rw-r--r-- | non_plat/file.te | 3 | ||||
-rw-r--r-- | non_plat/genfs_contexts | 2 | ||||
-rw-r--r-- | non_plat/kernel.te | 6 |
6 files changed, 4 insertions, 106 deletions
diff --git a/neverallows/non_plat/neverallows.te b/neverallows/non_plat/neverallows.te index 64524ac..4c71456 100644 --- a/neverallows/non_plat/neverallows.te +++ b/neverallows/non_plat/neverallows.te @@ -218,38 +218,6 @@ full_treble_only(` # hal_client_domain(cameraserver, hal_camera) # full_treble_only(` - neverallow ~{ - apexd - cameraserver - fastbootd - hal_camera - hal_camera_default - hal_evs_default - init - mtk_hal_camera - otapreopt_chroot - recovery - shell - slideshow - system_server - vendor_init - vold - ueventd - } device:dir ~{ search getattr }; - - neverallow { - cameraserver - fastbootd - hal_camera - hal_camera_default - hal_evs_default - mtk_hal_camera - system_server - shell - slideshow - recovery - } device:dir ~r_dir_perms; - neverallow init device:dir ~{ create_dir_perms mounton relabelto }; neverallow vendor_init device:dir ~{ create_dir_perms mounton }; diff --git a/neverallows/plat_private/neverallows.te b/neverallows/plat_private/neverallows.te index 695a6c7..1281248 100644 --- a/neverallows/plat_private/neverallows.te +++ b/neverallows/plat_private/neverallows.te 
@@ -116,44 +116,7 @@ full_treble_only(` neverallow system_server system_data_file:lnk_file ~create_file_perms; ') -# Do not allow access to the generic device label. This is too broad. -# Instead, if access to part of device is desired, it should have a -# more specific label. -# TODO: Remove hal_camera and so on once there are no violations. -# -# allow hal_camera device:dir r_dir_perms; -# hal_client_domain(cameraserver, hal_camera) -# full_treble_only(` - neverallow { - coredomain - -apexd - -cameraserver - -fastbootd - -hal_camera - -init - -otapreopt_chroot - -recovery - -shell - -slideshow - -system_server - -vendor_init - -vold - -ueventd - } device:dir ~{ search getattr }; - - neverallow init device:dir ~{ create_dir_perms mounton relabelto }; - - neverallow { - cameraserver - fastbootd - hal_camera - system_server - shell - slideshow - recovery - } device:dir ~r_dir_perms; - neverallow vendor_init device:dir ~{ create_dir_perms mounton }; neverallow vold device:dir ~{ search getattr write }; diff --git a/neverallows/plat_public/neverallows.te b/neverallows/plat_public/neverallows.te index d4141b5..f130f1e 100644 --- a/neverallows/plat_public/neverallows.te +++ b/neverallows/plat_public/neverallows.te @@ -257,6 +257,7 @@ full_treble_only(` ') neverallow ~{ + artd apexd init installd @@ -271,6 +272,8 @@ full_treble_only(` zygote } system_data_file:dir ~{ search getattr }; + neverallow artd system_data_file:dir ~r_dir_perms; + neverallow apexd system_data_file:dir ~r_dir_perms; neverallow init system_data_file:dir ~{ 
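Review bot: The new `artd` entry in the exemption list of `neverallow ~{ ... } system_data_file:dir ~{ search getattr };` (neverallows/plat_public/neverallows.te, hunk at new line 257) and the matching `neverallow artd system_data_file:dir ~r_dir_perms;` in the following hunk (new line 272) carry no comment saying why artd needs more than `search getattr` on the generic `system_data_file` label. Each exemption in this list widens what a domain may be granted on that broad label, so I would put a line above the new rule such as `# artd: read-only directory access to system_data_file; nothing beyond r_dir_perms`, ideally with a pointer to the change that introduced the need. `artd` is also inserted ahead of `apexd`; judging by the visible entries (apexd, init, installd … zygote) the list looks alphabetical, in which case it belongs after `apexd`. The enclosing `full_treble_only(` block starts and ends outside both hunks, so the rest of the exemption list cannot be checked from here.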
@@ -445,33 +448,6 @@ full_treble_only(` neverallow ueventd device:lnk_file ~{ r_file_perms create unlink }; - neverallow { - coredomain - -apexd - -cameraserver - -fastbootd - -hal_camera - -init - -otapreopt_chroot - -recovery - -shell - -slideshow - -system_server - -vendor_init - -vold - -ueventd - } device:dir ~{ search getattr }; - - neverallow { - cameraserver - fastbootd - hal_camera - system_server - shell - slideshow - recovery - } device:dir ~r_dir_perms; - neverallow init device:dir ~{ create_dir_perms mounton relabelto }; neverallow vendor_init device:dir ~{ create_dir_perms mounton }; diff --git a/non_plat/file.te b/non_plat/file.te index 9699e92..abd910a 100644 --- a/non_plat/file.te +++ b/non_plat/file.te @@ -197,9 +197,6 @@ type adbd_data_file, file_type, data_file_type, core_data_file_type; #autokd data file type autokd_data_file, file_type, data_file_type; -#fuse -type fuseblk,sdcard_type,fs_type,mlstrustedobject; - # for mt-ramdump reset type proc_mrdump_rst, fs_type, proc_type; diff --git a/non_plat/genfs_contexts b/non_plat/genfs_contexts index b627077..a18259e 100644 --- a/non_plat/genfs_contexts +++ b/non_plat/genfs_contexts @@ -234,7 +234,7 @@ genfscon debugfs /smi_mon u:object_r:debugfs_smi_mon:s0 genfscon iso9660 / u:object_r:iso9660:s0 genfscon rawfs / u:object_r:rawfs:s0 -genfscon fuseblk / u:object_r:fuseblk:s0 + # 2019/08/24 genfscon sysfs /class/sensor u:object_r:sysfs_sensor:s0 diff --git a/non_plat/kernel.te b/non_plat/kernel.te index 15b2430..43bf6fd 100644 --- a/non_plat/kernel.te +++ b/non_plat/kernel.te 
@@ -47,12 +47,6 @@ allow kernel misc2_block_device:blk_file rw_file_perms; # Date : WK16.30 # Operation: SQC # Purpose: Allow sdcardfs workqueue to access lower file systems -allow kernel { fuseblk }:dir create_dir_perms; -allow kernel { fuseblk }:file create_file_perms; - -# Date : WK16.30 -# Operation: SQC -# Purpose: Allow sdcardfs workqueue to access lower file systems allow kernel {vfat mnt_media_rw_file}:dir create_dir_perms; allow kernel {vfat mnt_media_rw_file}:file create_file_perms; allow kernel kernel:key { write search setattr }; |