Jeff Vander Stoep authored
Logs indicate that all processes that require read access have already been granted it. Bug: 28760354 Test: build policy Change-Id: I5826c45f54af32e3d4296df904c8523bb5df5e62 (cherry picked from commit 7fc2b564ce2af2b5f27739a2d9bbb535814fc89e)
domain_deprecated.te 3.20 KiB
# rules removed from the domain attribute
# Root filesystem: read-only access to directories, files and symlinks
# labelled rootfs for every domain that still carries domain_deprecated.
allow domain_deprecated rootfs:dir r_dir_perms;
allow domain_deprecated rootfs:file r_file_perms;
allow domain_deprecated rootfs:lnk_file r_file_perms;
userdebug_or_eng(`
  # auditallow grants nothing. It logs each use of the access allowed above
  # so that remaining users can be identified before the allow rule is dropped.
  # Domains subtracted from the set are not audited.
  # NOTE for review: presumably those domains hold their own rootfs rules
  # and should be confirmed against each domain policy.
  auditallow {
    domain_deprecated
    -fsck -healthd -installd -recovery -servicemanager
    -system_server -ueventd -uncrypt -vold -zygote
  } rootfs:dir { open getattr read ioctl lock }; # search granted in domain

  auditallow {
    domain_deprecated
    -healthd -installd -recovery -servicemanager
    -system_server -ueventd -uncrypt -vold -zygote
  } rootfs:file r_file_perms;

  auditallow {
    domain_deprecated
    -appdomain -healthd -installd -recovery -servicemanager
    -system_server -ueventd -uncrypt -vold -zygote
  } rootfs:lnk_file { getattr open ioctl lock }; # read granted in domain
')
# System files: directory read access on system_file.
# Only the dir class is covered by this rule.
allow domain_deprecated system_file:dir r_dir_perms;
userdebug_or_eng(`
  # Log-only rule for userdebug and eng builds. The audited set leaves out
  # search and getattr because those are granted in domain.
  # Subtracted domains are not audited.
  auditallow {
    domain_deprecated
    -appdomain -fingerprintd -installd -keystore -surfaceflinger
    -system_server -update_engine -vold -zygote
  } system_file:dir { open read ioctl lock }; # search getattr in domain
')
# Files under /data labelled system_data_file: getattr and read only.
# The open permission is not in the set so a domain can use a descriptor
# handed to it but cannot open such a file by path through this rule.
allow domain_deprecated system_data_file:file { getattr read };
# Symlinks with the same label get the full read set.
allow domain_deprecated system_data_file:lnk_file r_file_perms;
userdebug_or_eng(`
  # Log-only rules mirroring the two allow rules above.
  # Subtracted domains are not audited.
  auditallow {
    domain_deprecated
    -appdomain -sdcardd -system_server -tee
  } system_data_file:file { getattr read };

  auditallow {
    domain_deprecated
    -appdomain -system_server -tee
  } system_data_file:lnk_file r_file_perms;
')
# APK files under /data/app labelled apk_data_file.
# Directories get getattr and search only: path traversal is permitted
# but the read permission needed to list a directory is not in the set.
allow domain_deprecated apk_data_file:dir { getattr search };
allow domain_deprecated apk_data_file:file r_file_perms;
allow domain_deprecated apk_data_file:lnk_file r_file_perms;
userdebug_or_eng(`
  # Log-only rules mirroring the three allow rules above.
  # The same four domains are subtracted from each audited set.
  auditallow {
    domain_deprecated
    -appdomain -dex2oat -installd -system_server
  } apk_data_file:dir { getattr search };

  auditallow {
    domain_deprecated
    -appdomain -dex2oat -installd -system_server
  } apk_data_file:file r_file_perms;

  auditallow {
    domain_deprecated
    -appdomain -dex2oat -installd -system_server
  } apk_data_file:lnk_file r_file_perms;
')
# Pseudo filesystems: read access to entries carrying the generic proc and
# sysfs labels. Both labels are broad so every use is worth tracking.
r_dir_file(domain_deprecated, proc)
r_dir_file(domain_deprecated, sysfs)
userdebug_or_eng(`
  # Log-only rules for userdebug and eng builds.
  # Subtracted domains are not audited. No rule here audits proc:dir.

  # proc
  auditallow {
    domain_deprecated
    -fsck -fsck_untrusted -sdcardd -system_server -update_engine -vold
  } proc:file r_file_perms;

  auditallow {
    domain_deprecated
    -fsck -fsck_untrusted -system_server -vold
  } proc:lnk_file { open ioctl lock }; # getattr read granted in domain

  # sysfs: the same ten domains are subtracted for dir and file and lnk_file
  auditallow {
    domain_deprecated
    -fingerprintd -healthd -netd -recovery -system_app
    -surfaceflinger -system_server -tee -ueventd -vold
  } sysfs:dir { open getattr read ioctl lock }; # search granted in domain

  auditallow {
    domain_deprecated
    -fingerprintd -healthd -netd -recovery -system_app
    -surfaceflinger -system_server -tee -ueventd -vold
  } sysfs:file r_file_perms;

  auditallow {
    domain_deprecated
    -fingerprintd -healthd -netd -recovery -system_app
    -surfaceflinger -system_server -tee -ueventd -vold
  } sysfs:lnk_file { getattr open ioctl lock }; # read granted in domain
')