Something went wrong on our end
Select Git revision
system_server.te
-
Nick Kralevich authoredCommit https://android.googlesource.com/kernel/common/+/f0ce0eee added CAP_SYS_RESOURCE as a capability check which would allow access to sensitive /proc/PID files. However, in an SELinux based world, allowing this access causes CAP_SYS_RESOURCE to duplicate what CAP_SYS_PTRACE (without :process ptrace) already provides. Use CAP_SYS_PTRACE instead of CAP_SYS_RESOURCE. Test: Device boots, functionality remains identical, no sys_resource denials from system_server. Bug: 34951864 Bug: 38496951 Change-Id: I04d745b436ad75ee1ebecf0a61c6891858022e34 (cherry picked from commit 44866954) (cherry picked from commit 3d8dde0e)
Nick Kralevich authoredCommit https://android.googlesource.com/kernel/common/+/f0ce0eee added CAP_SYS_RESOURCE as a capability check which would allow access to sensitive /proc/PID files. However, in an SELinux based world, allowing this access causes CAP_SYS_RESOURCE to duplicate what CAP_SYS_PTRACE (without :process ptrace) already provides. Use CAP_SYS_PTRACE instead of CAP_SYS_RESOURCE. Test: Device boots, functionality remains identical, no sys_resource denials from system_server. Bug: 34951864 Bug: 38496951 Change-Id: I04d745b436ad75ee1ebecf0a61c6891858022e34 (cherry picked from commit 44866954) (cherry picked from commit 3d8dde0e)
gatekeeperd.te 1.29 KiB
type gatekeeperd, domain;
type gatekeeperd_exec, exec_type, file_type;
# gatekeeperd
binder_service(gatekeeperd)
binder_use(gatekeeperd)
### Rules needed when Gatekeeper HAL runs inside gatekeeperd process.
### These rules should eventually be granted only when needed.
allow gatekeeperd tee_device:chr_file rw_file_perms;
allow gatekeeperd ion_device:chr_file r_file_perms;
# Load HAL implementation
allow gatekeeperd system_file:dir r_dir_perms;
###
### Rules needed when Gatekeeper HAL runs outside of gatekeeperd process.
### These rules should eventually be granted only when needed.
hwbinder_use(gatekeeperd)
###
# need to find KeyStore and add self
add_service(gatekeeperd, gatekeeper_service)
# Need to add auth tokens to KeyStore
use_keystore(gatekeeperd)
allow gatekeeperd keystore:keystore_key { add_auth };
# For permissions checking
allow gatekeeperd system_server:binder call;
allow gatekeeperd permission_service:service_manager find;
# For parent user ID lookup
allow gatekeeperd user_service:service_manager find;
# for SID file access
allow gatekeeperd gatekeeper_data_file:dir rw_dir_perms;
allow gatekeeperd gatekeeper_data_file:file create_file_perms;
# For hardware properties retrieval
allow gatekeeperd hardware_properties_service:service_manager find;
r_dir_file(gatekeeperd, cgroup)