forked from AndDiSa/platform_manifest-Grouper-AOSP
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathsystem_sepolicy.patch
237 lines (216 loc) · 8.57 KB
/
system_sepolicy.patch
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
diff --git a/Android.mk b/Android.mk
index 0bfa54d3..886e0816 100644
--- a/Android.mk
+++ b/Android.mk
@@ -95,7 +95,10 @@ $(sepolicy_policy.conf): $(call build_policy, $(sepolicy_build_files))
$(hide) m4 $(PRIVATE_ADDITIONAL_M4DEFS) \
-D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
-D target_build_variant=$(TARGET_BUILD_VARIANT) \
+ -D target_has_legacy_camera_hal1=$(TARGET_HAS_LEGACY_CAMERA_HAL1) \
+ -D target_needs_platform_text_relocations=$(TARGET_NEEDS_PLATFORM_TEXT_RELOCATIONS) \
-s $^ > $@
+
$(hide) sed '/dontaudit/d' $@ > $@.dontaudit
$(LOCAL_BUILT_MODULE): $(sepolicy_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy $(HOST_OUT_EXECUTABLES)/sepolicy-analyze
@@ -134,6 +137,7 @@ $(sepolicy_policy_recovery.conf): $(call build_policy, $(sepolicy_build_files))
-D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
-D target_build_variant=$(TARGET_BUILD_VARIANT) \
-D target_recovery=true \
+ -D target_needs_platform_text_relocations=$(TARGET_NEEDS_PLATFORM_TEXT_RELOCATIONS) \
-s $^ > $@
$(LOCAL_BUILT_MODULE): $(sepolicy_policy_recovery.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy $(HOST_OUT_EXECUTABLES)/sepolicy-analyze
diff --git a/app.te b/app.te
index e9dd7b39..ef2bd9d8 100644
--- a/app.te
+++ b/app.te
@@ -274,7 +274,7 @@ allow appdomain cache_file:dir getattr;
# Superuser capabilities.
# bluetooth requires net_admin and wake_alarm.
-neverallow { appdomain -bluetooth } self:capability *;
+neverallow { appdomain -bluetooth -shell } self:capability *;
neverallow { appdomain -bluetooth } self:capability2 *;
# Block device access.
diff --git a/attributes b/attributes
index a846c347..e8fe3aea 100644
--- a/attributes
+++ b/attributes
@@ -113,3 +113,5 @@ attribute boot_control_hal;
# postinstall. This includes the background daemon and the sideload tool from
# recovery for A/B devices.
attribute update_engine_common;
+
+attribute tracefs_type;
diff --git a/domain.te b/domain.te
index 45569de4..5013ad30 100644
--- a/domain.te
+++ b/domain.te
@@ -62,7 +62,7 @@ allow domain debuggerd:unix_stream_socket connectto;
# Root fs.
allow domain rootfs:dir search;
-allow domain rootfs:lnk_file read;
+allow domain rootfs:lnk_file { read getattr };
# Device accesses.
allow domain device:dir search;
@@ -159,6 +159,7 @@ neverallow {
-dumpstate
-system_server
userdebug_or_eng(`-perfprofd')
+ userdebug_or_eng(`-procrank')
} self:capability sys_ptrace;
# Limit device node creation to these whitelisted domains.
@@ -267,6 +268,7 @@ neverallow { domain -init -ueventd } device:chr_file { open read write };
# this capability, including device-specific domains.
neverallow { domain -kernel -init -recovery -vold -zygote -update_engine -otapreopt_chroot } { fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto };
+
#
# Assert that, to the extent possible, we're not loading executable content from
# outside the rootfs or /system partition except for a few whitelisted domains.
@@ -292,7 +294,9 @@ neverallow domain { cache_file cache_backup_file cache_private_backup_file cache
# Protect most domains from executing arbitrary content from /data.
neverallow {
domain
- -appdomain
+ -untrusted_app
+ -priv_app
+ -shell
} {
data_file_type
-dalvikcache_data_file
@@ -379,6 +383,8 @@ neverallow {
-cppreopts
-dex2oat
-otapreopt_slot
+ -shell
+ -system_app
} dalvikcache_data_file:file no_w_file_perms;
neverallow {
@@ -390,6 +396,7 @@ neverallow {
-dex2oat
-zygote
-otapreopt_slot
+ -shell
} dalvikcache_data_file:dir no_w_dir_perms;
# Only system_server should be able to send commands via the zygote socket
@@ -428,14 +435,24 @@ neverallow { domain userdebug_or_eng(`-dumpstate -shell -su') } su_exec:file no_
# The only exceptions are for NDK text relocations associated with
# https://code.google.com/p/android/issues/detail?id=23203
# which, long term, need to go away.
-neverallow * {
- file_type
- -system_data_file
- -apk_data_file
- -app_data_file
- -asec_public_file
-}:file execmod;
-
+#ifelse(target_needs_platform_text_relocations, `true',
+# `neverallow * {
+# file_type
+# -system_file
+# -system_data_file
+# -apk_data_file
+# -app_data_file
+# -asec_public_file
+# }:file execmod;'
+#,
+# `neverallow * {
+# file_type
+# -system_data_file
+# -apk_data_file
+# -app_data_file
+# -asec_public_file
+# }:file execmod;'
+#)
# Do not allow making the stack or heap executable.
# We would also like to minimize execmem but it seems to be
# required by some device-specific service domains.
@@ -443,7 +460,9 @@ neverallow * self:process { execstack execheap };
# prohibit non-zygote spawned processes from using shared libraries
# with text relocations. b/20013628 .
-neverallow { domain -appdomain } file_type:file execmod;
+#ifelse(target_needs_platform_text_relocations, `true', ,
+# `neverallow { domain -appdomain } file_type:file execmod;'
+#)
neverallow { domain -init } proc:{ file dir } mounton;
@@ -570,7 +589,7 @@ neverallow * domain:file { execute execute_no_trans entrypoint };
# Instead, if access to part of debugfs is desired, it should have a
# more specific label.
# TODO: fix system_server and dumpstate
-neverallow { domain -init -system_server -dumpstate } debugfs:file no_rw_file_perms;
+#neverallow { domain -init -system_server -dumpstate } debugfs:file no_rw_file_perms;
neverallow {
domain
diff --git a/file.te b/file.te
index 87cec829..1ebe2163 100644
--- a/file.te
+++ b/file.te
@@ -46,12 +46,14 @@ type devpts, fs_type, mlstrustedobject;
type tmpfs, fs_type;
type shm, fs_type;
type mqueue, fs_type;
+type sdcard_internal, sdcard_type, fs_type, mlstrustedobject;
+type sdcard_external, sdcard_type, fs_type, mlstrustedobject;
type fuse, sdcard_type, fs_type, mlstrustedobject;
type sdcardfs, sdcard_type, fs_type, mlstrustedobject;
type vfat, sdcard_type, fs_type, mlstrustedobject;
type debugfs, fs_type;
-type debugfs_trace_marker, fs_type, debugfs_type, mlstrustedobject;
-type debugfs_tracing, fs_type, debugfs_type;
+type debugfs_trace_marker, fs_type, debugfs_type, tracefs_type, mlstrustedobject;
+type debugfs_tracing, fs_type, debugfs_type, tracefs_type;
type pstorefs, fs_type;
type functionfs, fs_type;
type oemfs, fs_type, contextmount_type;
@@ -245,6 +247,7 @@ type property_contexts, file_type;
allow fs_type self:filesystem associate;
allow sysfs_type sysfs:filesystem associate;
allow debugfs_type { debugfs debugfs_tracing }:filesystem associate;
+allow tracefs_type debugfs_tracing:filesystem associate;
allow file_type labeledfs:filesystem associate;
allow file_type tmpfs:filesystem associate;
allow file_type rootfs:filesystem associate;
diff --git a/mediaserver.te b/mediaserver.te
index 5fbaa303..dc05e14b 100644
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -94,6 +94,12 @@ allow mediaserver processinfo_service:service_manager find;
allow mediaserver scheduling_policy_service:service_manager find;
allow mediaserver surfaceflinger_service:service_manager find;
+ifelse(target_has_legacy_camera_hal1, `true',
+ allow mediaserver cameraproxy_service:service_manager find;
+ allow mediaserver cameraserver_service:service_manager add;
+,
+)
+
# /oem access
allow mediaserver oemfs:dir search;
allow mediaserver oemfs:file r_file_perms;
diff --git a/priv_app.te b/priv_app.te
index 85516a6e..e1f96d5d 100644
--- a/priv_app.te
+++ b/priv_app.te
@@ -112,7 +112,7 @@ neverallow priv_app domain:netlink_socket *;
# Too much leaky information in debugfs. It's a security
# best practice to ensure these files aren't readable.
-neverallow priv_app debugfs:file read;
+#neverallow priv_app debugfs:file read;
# Do not allow privileged apps to register services.
# Only trusted components of Android should be registering
diff --git a/untrusted_app.te b/untrusted_app.te
index 35c811c5..19cfc64f 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -62,7 +62,7 @@ allow untrusted_app media_rw_data_file:file create_file_perms;
# Traverse into /mnt/media_rw for bypassing FUSE daemon
# TODO: narrow this to just MediaProvider
-allow untrusted_app mnt_media_rw_file:dir search;
+#allow untrusted_app mnt_media_rw_file:dir search;
# allow cts to query all services
allow untrusted_app servicemanager:service_manager list;
@@ -122,7 +122,7 @@ neverallow untrusted_app domain:netlink_socket *;
# Too much leaky information in debugfs. It's a security
# best practice to ensure these files aren't readable.
-neverallow untrusted_app debugfs_type:file read;
+#neverallow untrusted_app debugfs_type:file read;
# Do not allow untrusted apps to register services.
# Only trusted components of Android should be registering