Skip to content
Snippets Groups Projects
Commit 5751241d authored by Tom Cherry's avatar Tom Cherry Committed by android-build-merger
Browse files

Remove vendor_init from coredomain 

am: 9c778045

Change-Id: I4274e2a8496d26a20e0f6359d71647afe1c728df
parents 1d88e1ff 9c778045
Branches
Tags
No related merge requests found
Show whitespace changes
Inline Side-by-side
private/coredomain.te
+ 0
1
View file @ 5751241d
...@@ -10,7 +10,6 @@ neverallow { ...@@ -10,7 +10,6 @@ neverallow {
# generic access to sysfs_type # generic access to sysfs_type
-ueventd -ueventd
-vendor_init
-vold -vold
} sysfs_leds:file *; } sysfs_leds:file *;
') ')
private/domain.te
+ 0
10
View file @ 5751241d
...@@ -25,7 +25,6 @@ full_treble_only(` ...@@ -25,7 +25,6 @@ full_treble_only(`
neverallow { neverallow {
coredomain coredomain
-vold -vold
-vendor_init
} proc:file no_rw_file_perms; } proc:file no_rw_file_perms;
# /sys # /sys
...@@ -34,7 +33,6 @@ full_treble_only(` ...@@ -34,7 +33,6 @@ full_treble_only(`
-init -init
-ueventd -ueventd
-vold -vold
-vendor_init
} sysfs:file no_rw_file_perms; } sysfs:file no_rw_file_perms;
# /dev # /dev
...@@ -43,7 +41,6 @@ full_treble_only(` ...@@ -43,7 +41,6 @@ full_treble_only(`
-fsck -fsck
-init -init
-ueventd -ueventd
-vendor_init
} device:{ blk_file file } no_rw_file_perms; } device:{ blk_file file } no_rw_file_perms;
# debugfs # debugfs
...@@ -52,7 +49,6 @@ full_treble_only(` ...@@ -52,7 +49,6 @@ full_treble_only(`
-dumpstate -dumpstate
-init -init
-system_server -system_server
-vendor_init
} debugfs:file no_rw_file_perms; } debugfs:file no_rw_file_perms;
# tracefs # tracefs
...@@ -65,14 +61,12 @@ full_treble_only(` ...@@ -65,14 +61,12 @@ full_treble_only(`
userdebug_or_eng(`-traced_probes') userdebug_or_eng(`-traced_probes')
-shell -shell
userdebug_or_eng(`-traceur_app') userdebug_or_eng(`-traceur_app')
-vendor_init
} debugfs_tracing:file no_rw_file_perms; } debugfs_tracing:file no_rw_file_perms;
# inotifyfs # inotifyfs
neverallow { neverallow {
coredomain coredomain
-init -init
-vendor_init
} inotify:file no_rw_file_perms; } inotify:file no_rw_file_perms;
# pstorefs # pstorefs
...@@ -89,7 +83,6 @@ full_treble_only(` ...@@ -89,7 +83,6 @@ full_treble_only(`
-recovery_refresh -recovery_refresh
-shell -shell
-system_server -system_server
-vendor_init
} pstorefs:file no_rw_file_perms; } pstorefs:file no_rw_file_perms;
# configfs # configfs
...@@ -97,7 +90,6 @@ full_treble_only(` ...@@ -97,7 +90,6 @@ full_treble_only(`
coredomain coredomain
-init -init
-system_server -system_server
-vendor_init
} configfs:file no_rw_file_perms; } configfs:file no_rw_file_perms;
# functionfs # functionfs
...@@ -106,13 +98,11 @@ full_treble_only(` ...@@ -106,13 +98,11 @@ full_treble_only(`
-adbd -adbd
-init -init
-mediaprovider -mediaprovider
-vendor_init
}functionfs:file no_rw_file_perms; }functionfs:file no_rw_file_perms;
# usbfs and binfmt_miscfs # usbfs and binfmt_miscfs
neverallow { neverallow {
coredomain coredomain
-init -init
-vendor_init
}{ usbfs binfmt_miscfs }:file no_rw_file_perms; }{ usbfs binfmt_miscfs }:file no_rw_file_perms;
') ')
private/vendor_init.te
+ 0
2
View file @ 5751241d
typeattribute vendor_init coredomain;
# Creating files on sysfs is impossible so this isn't a threat # Creating files on sysfs is impossible so this isn't a threat
# Sometimes we have to write to non-existent files to avoid conditional # Sometimes we have to write to non-existent files to avoid conditional
# init behavior. See b/35303861 for an example. # init behavior. See b/35303861 for an example.
......
public/domain.te
+ 1
10
View file @ 5751241d
...@@ -718,6 +718,7 @@ full_treble_only(` ...@@ -718,6 +718,7 @@ full_treble_only(`
-coredomain -coredomain
-appdomain # appdomain restrictions below -appdomain # appdomain restrictions below
-socket_between_core_and_vendor_violators -socket_between_core_and_vendor_violators
-vendor_init
} { } {
coredomain_socket coredomain_socket
core_data_file_type core_data_file_type
...@@ -741,7 +742,6 @@ full_treble_only(` ...@@ -741,7 +742,6 @@ full_treble_only(`
-init -init
-ueventd -ueventd
-socket_between_core_and_vendor_violators -socket_between_core_and_vendor_violators
-vendor_init
} { } {
file_type file_type
dev_type dev_type
...@@ -767,7 +767,6 @@ full_treble_only(` ...@@ -767,7 +767,6 @@ full_treble_only(`
-appdomain # TODO(b/34980020) remove exemption for appdomain -appdomain # TODO(b/34980020) remove exemption for appdomain
-data_between_core_and_vendor_violators -data_between_core_and_vendor_violators
-init -init
-vendor_init
} { } {
data_file_type data_file_type
-core_data_file_type -core_data_file_type
...@@ -777,7 +776,6 @@ full_treble_only(` ...@@ -777,7 +776,6 @@ full_treble_only(`
-appdomain # TODO(b/34980020) remove exemption for appdomain -appdomain # TODO(b/34980020) remove exemption for appdomain
-data_between_core_and_vendor_violators -data_between_core_and_vendor_violators
-init -init
-vendor_init
} { } {
data_file_type data_file_type
-core_data_file_type -core_data_file_type
...@@ -838,7 +836,6 @@ full_treble_only(` ...@@ -838,7 +836,6 @@ full_treble_only(`
userdebug_or_eng(`-perfprofd') userdebug_or_eng(`-perfprofd')
-postinstall_dexopt -postinstall_dexopt
-system_server -system_server
-vendor_init
} vendor_app_file:dir { open read getattr search }; } vendor_app_file:dir { open read getattr search };
neverallow { neverallow {
...@@ -851,7 +848,6 @@ full_treble_only(` ...@@ -851,7 +848,6 @@ full_treble_only(`
userdebug_or_eng(`-perfprofd') userdebug_or_eng(`-perfprofd')
-postinstall_dexopt -postinstall_dexopt
-system_server -system_server
-vendor_init
} vendor_app_file:{ file lnk_file } r_file_perms; } vendor_app_file:{ file lnk_file } r_file_perms;
# Limit access to /vendor/overlay # Limit access to /vendor/overlay
...@@ -863,7 +859,6 @@ full_treble_only(` ...@@ -863,7 +859,6 @@ full_treble_only(`
-installd -installd
-system_server -system_server
-zygote -zygote
-vendor_init
} vendor_overlay_file:dir { getattr open read search }; } vendor_overlay_file:dir { getattr open read search };
neverallow { neverallow {
...@@ -874,7 +869,6 @@ full_treble_only(` ...@@ -874,7 +869,6 @@ full_treble_only(`
-installd -installd
-system_server -system_server
-zygote -zygote
-vendor_init
} vendor_overlay_file:{ file lnk_file } r_file_perms; } vendor_overlay_file:{ file lnk_file } r_file_perms;
# Non-vendor domains are not allowed to file execute shell # Non-vendor domains are not allowed to file execute shell
...@@ -882,7 +876,6 @@ full_treble_only(` ...@@ -882,7 +876,6 @@ full_treble_only(`
neverallow { neverallow {
coredomain coredomain
-init -init
-vendor_init
-shell -shell
} vendor_shell_exec:file { execute execute_no_trans }; } vendor_shell_exec:file { execute execute_no_trans };
...@@ -908,7 +901,6 @@ full_treble_only(` ...@@ -908,7 +901,6 @@ full_treble_only(`
coredomain coredomain
-init -init
-system_executes_vendor_violators -system_executes_vendor_violators
-vendor_init
} { } {
vendor_file_type vendor_file_type
-same_process_hal_file -same_process_hal_file
...@@ -1217,6 +1209,5 @@ full_treble_only(` ...@@ -1217,6 +1209,5 @@ full_treble_only(`
-ueventd -ueventd
-crash_dump -crash_dump
-perfprofd -perfprofd
-vendor_init
} vendor_file:file { create_file_perms x_file_perms }; } vendor_file:file { create_file_perms x_file_perms };
') ')
tests/treble_sepolicy_tests.py
+ 1
0
View file @ 5751241d
...@@ -38,6 +38,7 @@ coredomainWhitelist = { ...@@ -38,6 +38,7 @@ coredomainWhitelist = {
'postinstall_dexopt', 'postinstall_dexopt',
'recovery', 'recovery',
'system_server', 'system_server',
'vendor_init',
} }
coredomainWhitelist |= coreAppdomain coredomainWhitelist |= coreAppdomain
......
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment