Skip to content
Snippets Groups Projects
Commit 7151f754 authored by Jeffrey Vander Stoep's avatar Jeffrey Vander Stoep Committed by Gerrit Code Review
Browse files

Merge "remove overly permissive rules from domain"

parents 142f97b7 6e3506e1
No related branches found
No related tags found
No related merge requests found
...@@ -3,14 +3,6 @@ ...@@ -3,14 +3,6 @@
# Allow reaping by init. # Allow reaping by init.
allow domain init:process sigchld; allow domain init:process sigchld;
# Read access to properties mapping.
allow domain kernel:fd use;
allow domain tmpfs:file { read getattr };
allow domain tmpfs:lnk_file { read getattr };
# Search /storage/emulated tmpfs mount.
allow domain tmpfs:dir r_dir_perms;
# Intra-domain accesses. # Intra-domain accesses.
allow domain self:process { allow domain self:process {
fork fork
...@@ -38,13 +30,6 @@ allow domain self:unix_stream_socket { create_stream_socket_perms connectto }; ...@@ -38,13 +30,6 @@ allow domain self:unix_stream_socket { create_stream_socket_perms connectto };
# Inherit or receive open files from others. # Inherit or receive open files from others.
allow domain init:fd use; allow domain init:fd use;
allow domain system_server:fd use;
# Connect to adbd and use a socket transferred from it.
# This is used for e.g. adb backup/restore.
allow domain adbd:unix_stream_socket connectto;
allow domain adbd:fd use;
allow domain adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };
userdebug_or_eng(` userdebug_or_eng(`
# Same as adbd rules above, except allow su to do the same thing # Same as adbd rules above, except allow su to do the same thing
...@@ -73,15 +58,13 @@ allow domain debuggerd:process sigchld; ...@@ -73,15 +58,13 @@ allow domain debuggerd:process sigchld;
allow domain debuggerd:unix_stream_socket connectto; allow domain debuggerd:unix_stream_socket connectto;
# Root fs. # Root fs.
allow domain rootfs:dir r_dir_perms; allow domain rootfs:dir search;
allow domain rootfs:file r_file_perms; allow domain rootfs:lnk_file read;
allow domain rootfs:lnk_file r_file_perms;
# Device accesses. # Device accesses.
allow domain device:dir search; allow domain device:dir search;
allow domain dev_type:lnk_file r_file_perms; allow domain dev_type:lnk_file r_file_perms;
allow domain devpts:dir search; allow domain devpts:dir search;
allow domain device:file read;
allow domain socket_device:dir r_dir_perms; allow domain socket_device:dir r_dir_perms;
allow domain owntty_device:chr_file rw_file_perms; allow domain owntty_device:chr_file rw_file_perms;
allow domain null_device:chr_file rw_file_perms; allow domain null_device:chr_file rw_file_perms;
...@@ -99,70 +82,20 @@ allow domain vold:key search; ...@@ -99,70 +82,20 @@ allow domain vold:key search;
# logd access # logd access
write_logd(domain) write_logd(domain)
# Filesystem accesses.
allow domain fs_type:filesystem getattr;
allow domain fs_type:dir getattr;
# System file accesses. # System file accesses.
allow domain system_file:dir r_dir_perms; allow domain system_file:dir search;
allow domain system_file:file r_file_perms; allow domain system_file:file { execute read open getattr };
allow domain system_file:file execute; allow domain system_file:lnk_file read;
allow domain system_file:lnk_file r_file_perms;
# Read files already opened under /data. # files under /data.
allow domain system_data_file:dir { search getattr }; allow domain system_data_file:dir { search getattr };
allow domain system_data_file:file { getattr read };
allow domain system_data_file:lnk_file r_file_perms; # required by the dynamic linker
allow domain proc:lnk_file read;
# Read apk files under /data/app.
allow domain apk_data_file:dir { getattr search }; # toybox loads libselinux which stats /sys/fs/selinux/
allow domain apk_data_file:file r_file_perms; allow domain selinuxfs:file getattr;
allow domain apk_data_file:lnk_file r_file_perms; allow domain sysfs:dir search;
# Read /data/dalvik-cache.
allow domain dalvikcache_data_file:dir { search getattr };
allow domain dalvikcache_data_file:file r_file_perms;
# Read already opened /cache files.
allow domain cache_file:dir r_dir_perms;
allow domain cache_file:file { getattr read };
allow domain cache_file:lnk_file r_file_perms;
# Read timezone related information
r_dir_file(domain, zoneinfo_data_file)
# For /acct/uid/*/tasks.
allow domain cgroup:dir { search write };
allow domain cgroup:file w_file_perms;
#Allow access to ion memory allocation device
allow domain ion_device:chr_file rw_file_perms;
# Read access to pseudo filesystems.
r_dir_file(domain, proc)
r_dir_file(domain, sysfs)
r_dir_file(domain, sysfs_devices_system_cpu)
r_dir_file(domain, inotify)
r_dir_file(domain, cgroup)
r_dir_file(domain, proc_net)
allow domain proc_cpuinfo:file r_file_perms;
# debugfs access
allow domain debugfs:dir r_dir_perms;
allow domain debugfs:file w_file_perms;
# Get SELinux enforcing status.
allow domain selinuxfs:dir r_dir_perms;
allow domain selinuxfs:file r_file_perms;
# /data/security files
allow domain security_file:dir { search getattr };
allow domain security_file:file getattr;
allow domain security_file:lnk_file r_file_perms;
# World readable asec image contents
allow domain asec_public_file:file r_file_perms;
allow domain { asec_public_file asec_apk_file }:dir r_dir_perms;
### ###
### neverallow rules ### neverallow rules
......
# rules removed from the domain attribute # rules removed from the domain attribute
# Read access to properties mapping.
allow domain_deprecated kernel:fd use;
allow domain_deprecated tmpfs:file { read getattr };
allow domain_deprecated tmpfs:lnk_file { read getattr };
# Search /storage/emulated tmpfs mount.
allow domain_deprecated tmpfs:dir r_dir_perms;
# Inherit or receive open files from others.
allow domain_deprecated system_server:fd use;
# Connect to adbd and use a socket transferred from it.
# This is used for e.g. adb backup/restore.
allow domain_deprecated adbd:unix_stream_socket connectto;
allow domain_deprecated adbd:fd use;
allow domain_deprecated adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };
# Root fs.
allow domain_deprecated rootfs:dir r_dir_perms;
allow domain_deprecated rootfs:file r_file_perms;
allow domain_deprecated rootfs:lnk_file r_file_perms;
# Device accesses.
allow domain_deprecated device:file read;
# Filesystem accesses.
allow domain_deprecated fs_type:filesystem getattr;
allow domain_deprecated fs_type:dir getattr;
# System file accesses.
allow domain_deprecated system_file:dir r_dir_perms;
allow domain_deprecated system_file:file r_file_perms;
allow domain_deprecated system_file:lnk_file r_file_perms;
# Read files already opened under /data.
allow domain_deprecated system_data_file:dir { search getattr };
allow domain_deprecated system_data_file:file { getattr read };
allow domain_deprecated system_data_file:lnk_file r_file_perms;
# Read apk files under /data/app.
allow domain_deprecated apk_data_file:dir { getattr search };
allow domain_deprecated apk_data_file:file r_file_perms;
allow domain_deprecated apk_data_file:lnk_file r_file_perms;
# Read /data/dalvik-cache.
allow domain_deprecated dalvikcache_data_file:dir { search getattr };
allow domain_deprecated dalvikcache_data_file:file r_file_perms;
# Read already opened /cache files.
allow domain_deprecated cache_file:dir r_dir_perms;
allow domain_deprecated cache_file:file { getattr read };
allow domain_deprecated cache_file:lnk_file r_file_perms;
# Read timezone related information
r_dir_file(domain_deprecated, zoneinfo_data_file)
# For /acct/uid/*/tasks.
allow domain_deprecated cgroup:dir { search write };
allow domain_deprecated cgroup:file w_file_perms;
#Allow access to ion memory allocation device
allow domain_deprecated ion_device:chr_file rw_file_perms;
# Read access to pseudo filesystems.
r_dir_file(domain_deprecated, proc)
r_dir_file(domain_deprecated, sysfs)
r_dir_file(domain_deprecated, sysfs_devices_system_cpu)
r_dir_file(domain_deprecated, inotify)
r_dir_file(domain_deprecated, cgroup)
r_dir_file(domain_deprecated, proc_net)
allow domain_deprecated proc_cpuinfo:file r_file_perms;
# debugfs access
allow domain_deprecated debugfs:dir r_dir_perms;
allow domain_deprecated debugfs:file w_file_perms;
# Get SELinux enforcing status.
allow domain_deprecated selinuxfs:dir r_dir_perms;
allow domain_deprecated selinuxfs:file r_file_perms;
# /data/security files
allow domain_deprecated security_file:dir { search getattr };
allow domain_deprecated security_file:file getattr;
allow domain_deprecated security_file:lnk_file r_file_perms;
# World readable asec image contents
allow domain_deprecated asec_public_file:file r_file_perms;
allow domain_deprecated { asec_public_file asec_apk_file }:dir r_dir_perms;
0% Loading or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment