Skip to content
GitLab
Explore
Sign in
Primary navigation
Search or go to…
Project
A
AndroidSystemSEPolicy
Manage
Activity
Members
Code
Repository
Branches
Commits
Tags
Repository graph
Compare revisions
Deploy
Releases
Container registry
Model registry
Analyze
Contributor analytics
Repository analytics
Model experiments
Help
Help
Support
GitLab documentation
Compare GitLab plans
GitLab community forum
Contribute to GitLab
Provide feedback
Terms and privacy
Keyboard shortcuts
?
Snippets
Groups
Projects
Show more breadcrumbs
Werner Sembach
AndroidSystemSEPolicy
Commits
68e7327a
Commit
68e7327a
authored
Oct 7, 2015
by
David Zeuthen
Committed by
Android Git Automerger
Oct 7, 2015
Browse files
Options
Downloads
Plain Diff
am
40ce54b3
: am
a10f789d
: Move update_engine policy to AOSP.
* commit '
40ce54b3
': Move update_engine policy to AOSP.
parents
a683908d
40ce54b3
Branches
Branches containing commit
Tags
Tags containing commit
No related merge requests found
Changes
5
Show whitespace changes
Inline
Side-by-side
Showing
5 changed files
device.te
+3
-0
3 additions, 0 deletions
device.te
domain.te
+2
-2
2 additions, 2 deletions
domain.te
file_contexts
+2
-0
2 additions, 0 deletions
file_contexts
uncrypt.te
+2
-0
2 additions, 0 deletions
uncrypt.te
update_engine.te
+27
-0
27 additions, 0 deletions
update_engine.te
with
36 additions
and
2 deletions
device.te
+
3
−
0
View file @
68e7327a
...
@@ -93,3 +93,6 @@ type swap_block_device, dev_type;
...
@@ -93,3 +93,6 @@ type swap_block_device, dev_type;
# Assign this type to the partition specified by the encryptable=
# Assign this type to the partition specified by the encryptable=
# mount option in your fstab file in the entry for userdata.
# mount option in your fstab file in the entry for userdata.
type metadata_block_device, dev_type;
type metadata_block_device, dev_type;
# The 'misc' partition used by recovery and A/B.
type misc_block_device, dev_type;
This diff is collapsed.
Click to expand it.
domain.te
+
2
−
2
View file @
68e7327a
...
@@ -351,8 +351,8 @@ neverallow { domain -init } default_prop:property_service set;
...
@@ -351,8 +351,8 @@ neverallow { domain -init } default_prop:property_service set;
neverallow { domain -init -recovery -system_server } frp_block_device:blk_file rw_file_perms;
neverallow { domain -init -recovery -system_server } frp_block_device:blk_file rw_file_perms;
# No domain other than recovery can write to system.
# No domain other than recovery
and update_engine
can write to system
partition(s)
.
neverallow { domain -recovery } system_block_device:blk_file write;
neverallow { domain -recovery
-update_engine
} system_block_device:blk_file write;
# No domains other than install_recovery or recovery can write to recovery.
# No domains other than install_recovery or recovery can write to recovery.
neverallow { domain -install_recovery -recovery } recovery_block_device:blk_file write;
neverallow { domain -install_recovery -recovery } recovery_block_device:blk_file write;
...
...
This diff is collapsed.
Click to expand it.
file_contexts
+
2
−
0
View file @
68e7327a
...
@@ -199,6 +199,7 @@
...
@@ -199,6 +199,7 @@
/system/bin/blkid u:object_r:blkid_exec:s0
/system/bin/blkid u:object_r:blkid_exec:s0
/system/bin/tzdatacheck u:object_r:tzdatacheck_exec:s0
/system/bin/tzdatacheck u:object_r:tzdatacheck_exec:s0
/system/bin/idmap u:object_r:idmap_exec:s0
/system/bin/idmap u:object_r:idmap_exec:s0
/system/bin/update_engine u:object_r:update_engine_exec:s0
#############################
#############################
# Vendor files
# Vendor files
...
@@ -274,6 +275,7 @@
...
@@ -274,6 +275,7 @@
/data/misc/zoneinfo(/.*)? u:object_r:zoneinfo_data_file:s0
/data/misc/zoneinfo(/.*)? u:object_r:zoneinfo_data_file:s0
/data/misc/vold(/.*)? u:object_r:vold_data_file:s0
/data/misc/vold(/.*)? u:object_r:vold_data_file:s0
/data/misc/perfprofd(/.*)? u:object_r:perfprofd_data_file:s0
/data/misc/perfprofd(/.*)? u:object_r:perfprofd_data_file:s0
/data/misc/update_engine(/.*)? u:object_r:update_engine_data_file:s0
/data/system/heapdump(/.*)? u:object_r:heapdump_data_file:s0
/data/system/heapdump(/.*)? u:object_r:heapdump_data_file:s0
# Fingerprint data
# Fingerprint data
...
...
This diff is collapsed.
Click to expand it.
uncrypt.te
+
2
−
0
View file @
68e7327a
...
@@ -27,6 +27,8 @@ set_prop(uncrypt, powerctl_prop)
...
@@ -27,6 +27,8 @@ set_prop(uncrypt, powerctl_prop)
# Raw writes to block device
# Raw writes to block device
allow uncrypt self:capability sys_rawio;
allow uncrypt self:capability sys_rawio;
allow uncrypt block_device:blk_file w_file_perms;
allow uncrypt block_device:blk_file w_file_perms;
auditallow uncrypt block_device:blk_file w_file_perms;
allow uncrypt misc_block_device:blk_file w_file_perms;
allow uncrypt block_device:dir r_dir_perms;
allow uncrypt block_device:dir r_dir_perms;
# Access userdata block device.
# Access userdata block device.
...
...
This diff is collapsed.
Click to expand it.
update_engine.te
0 → 100644
+
27
−
0
View file @
68e7327a
# Domain for update_engine daemon.
type update_engine, domain;
type update_engine_exec, exec_type, file_type;
type update_engine_data_file, file_type, data_file_type;
init_daemon_domain(update_engine);
net_domain(update_engine);
# Following permissions are needed for update_engine.
allow update_engine self:process { setsched };
allow update_engine self:capability { fowner sys_admin };
allow update_engine kmsg_device:chr_file w_file_perms;
wakelock_use(update_engine);
# Allow using persistent storage in /data/misc/update_engine.
allow update_engine update_engine_data_file:dir { create_dir_perms };
allow update_engine update_engine_data_file:file { create_file_perms };
# Allow update_engine to reach block devices in /dev/block.
allow update_engine block_device:dir search;
# Allow read/write on system and boot partitions.
allow update_engine boot_block_device:blk_file rw_file_perms;
allow update_engine system_block_device:blk_file rw_file_perms;
# Don't allow kernel module loading, just silence the logs.
dontaudit update_engine kernel:system module_request;
This diff is collapsed.
Click to expand it.
Preview
0%
Loading
Try again
or
attach a new file
.
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Save comment
Cancel
Please
register
or
sign in
to comment