Commit 326874bd authored by android-build-team Robot's avatar android-build-team Robot

release-request-99856c15-b008-4977-9971-f86523a23c0a-for-git_oc-m2-release-436...

release-request-99856c15-b008-4977-9971-f86523a23c0a-for-git_oc-m2-release-4367109 snap-temp-L18300000107415568

Change-Id: I2f8496a3ffe874b8a6eb1fa15158a93a6bad5b7f
parents 65c26b23 c9fdc246
...@@ -3,108 +3,12 @@ ...@@ -3,108 +3,12 @@
# Read files already opened under /data. # Read files already opened under /data.
allow domain_deprecated system_data_file:file { getattr read }; allow domain_deprecated system_data_file:file { getattr read };
allow domain_deprecated system_data_file:lnk_file r_file_perms; allow domain_deprecated system_data_file:lnk_file r_file_perms;
userdebug_or_eng(`
auditallow {
domain_deprecated
-appdomain
-sdcardd
-system_server
-tee
} system_data_file:file { getattr read };
auditallow {
domain_deprecated
-appdomain
-system_server
-tee
} system_data_file:lnk_file r_file_perms;
')
# Read apk files under /data/app. # Read apk files under /data/app.
allow domain_deprecated apk_data_file:dir { getattr search }; allow domain_deprecated apk_data_file:dir { getattr search };
allow domain_deprecated apk_data_file:file r_file_perms; allow domain_deprecated apk_data_file:file r_file_perms;
allow domain_deprecated apk_data_file:lnk_file r_file_perms; allow domain_deprecated apk_data_file:lnk_file r_file_perms;
userdebug_or_eng(`
auditallow {
domain_deprecated
-appdomain
-dex2oat
-installd
-system_server
} apk_data_file:dir { getattr search };
auditallow {
domain_deprecated
-appdomain
-dex2oat
-installd
-system_server
} apk_data_file:file r_file_perms;
auditallow {
domain_deprecated
-appdomain
-dex2oat
-installd
-system_server
} apk_data_file:lnk_file r_file_perms;
')
# Read access to pseudo filesystems. # Read access to pseudo filesystems.
r_dir_file(domain_deprecated, proc) r_dir_file(domain_deprecated, proc)
r_dir_file(domain_deprecated, sysfs) r_dir_file(domain_deprecated, sysfs)
userdebug_or_eng(`
auditallow {
domain_deprecated
-fsck
-fsck_untrusted
-sdcardd
-system_server
-update_engine
-vold
} proc:file r_file_perms;
auditallow {
domain_deprecated
-fsck
-fsck_untrusted
-system_server
-vold
} proc:lnk_file { open ioctl lock }; # getattr read granted in domain
auditallow {
domain_deprecated
-fingerprintd
-healthd
-netd
-recovery
-system_app
-surfaceflinger
-system_server
-tee
-ueventd
-vold
} sysfs:dir { open getattr read ioctl lock }; # search granted in domain
auditallow {
domain_deprecated
-fingerprintd
-healthd
-netd
-recovery
-system_app
-surfaceflinger
-system_server
-tee
-ueventd
-vold
} sysfs:file r_file_perms;
auditallow {
domain_deprecated
-fingerprintd
-healthd
-netd
-recovery
-system_app
-surfaceflinger
-system_server
-tee
-ueventd
-vold
} sysfs:lnk_file { getattr open ioctl lock }; # read granted in domain
')
...@@ -493,6 +493,7 @@ set_prop(system_server, firstboot_prop) ...@@ -493,6 +493,7 @@ set_prop(system_server, firstboot_prop)
allow system_server system_ndebug_socket:sock_file create_file_perms; allow system_server system_ndebug_socket:sock_file create_file_perms;
# Manage cache files. # Manage cache files.
allow system_server cache_file:lnk_file r_file_perms;
allow system_server { cache_file cache_recovery_file }:dir { relabelfrom create_dir_perms }; allow system_server { cache_file cache_recovery_file }:dir { relabelfrom create_dir_perms };
allow system_server { cache_file cache_recovery_file }:file { relabelfrom create_file_perms }; allow system_server { cache_file cache_recovery_file }:file { relabelfrom create_file_perms };
allow system_server { cache_file cache_recovery_file }:fifo_file create_file_perms; allow system_server { cache_file cache_recovery_file }:fifo_file create_file_perms;
......
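Review bot: The added `allow system_server cache_file:lnk_file r_file_perms;` under "Manage cache files" has no comment naming the symlink system_server needs to resolve, so a later audit cannot tell whether the grant is still required. Because system_server is a privileged domain, it is worth confirming that no less-trusted domain can create lnk_file objects labelled cache_file; that is not visible from this hunk. I would put a line above the rule such as `# Resolve symlinks labelled cache_file (consumer: <name the caller>); read-only, no create or write on lnk_file.`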
...@@ -249,7 +249,7 @@ expandattribute hal_cas false; ...@@ -249,7 +249,7 @@ expandattribute hal_cas false;
attribute hal_cas_client; attribute hal_cas_client;
expandattribute hal_cas_client true; expandattribute hal_cas_client true;
attribute hal_cas_server; attribute hal_cas_server;
expandattribute hal_cas_server true; expandattribute hal_cas_server false;
attribute hal_dumpstate; attribute hal_dumpstate;
expandattribute hal_dumpstate true; expandattribute hal_dumpstate true;
attribute hal_dumpstate_client; attribute hal_dumpstate_client;
......
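Review bot: `expandattribute hal_cas_server false;` now differs from `hal_cas_client` just above it, which stays `true`, and nothing in the file says why. With `false` the attribute is kept in the compiled policy instead of being replaced by its member types, which presumably is what some rule or check outside this hunk relies on. A one-line comment above it would keep it from being flipped back during cleanup, e.g. `# Must stay unexpanded: <rule or test that references hal_cas_server>.`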
...@@ -459,6 +459,12 @@ define(`not_full_treble', ifelse(target_full_treble, `true', , $1)) ...@@ -459,6 +459,12 @@ define(`not_full_treble', ifelse(target_full_treble, `true', , $1))
# #
define(`userdebug_or_eng', ifelse(target_build_variant, `eng', $1, ifelse(target_build_variant, `userdebug', $1))) define(`userdebug_or_eng', ifelse(target_build_variant, `eng', $1, ifelse(target_build_variant, `userdebug', $1)))
#####################################
# User builds
# SELinux rules which apply only to user builds
#
define(`userbuild', ifelse(target_build_variant, `user', $1, ))
##################################### #####################################
# asan builds # asan builds
# SELinux rules which apply only to asan builds # SELinux rules which apply only to asan builds
......
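Review bot: The header for the new `userbuild` macro does not warn that anything wrapped in it is absent from userdebug and eng policy, which is typically where denials are triaged before release. An allow rule placed here would widen the shipping policy without having been exercised on those builds, and a neverallow placed here would only be checked when a user policy is compiled. I would extend the comment with something like `# Rules here are compiled out of userdebug/eng builds; prefer restrictions over new allow rules.` The macro body itself follows the same unquoted `$1` form as `userdebug_or_eng` above it.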