Commit 7636d607 authored by Jeff Vander Stoep's avatar Jeff Vander Stoep Committed by Jeffrey Vander Stoep

Useful neverallow errors

Neverallow errors include the file name and line number of the
violated rule. However, if multiple neverallow rules are included
within a single macro, then the line number is for the entire macro,
not the individual neverallow rule that is violated. To fix this,
only include one neverallow rule per macro.

This changes nothing on device, nor does it change the results of
compilation; it only makes the printed neverallow errors more useful.

Bug: 69139821
Test: build aosp_taimen-userdebug (neverallow rules are build time
    tests)

Change-Id: Id0fc5906431db20e71265c7e9d55fbee4bdf53db
parent 34e35e9e
......@@ -619,12 +619,16 @@ full_treble_only(`
-appdomain
-binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
} binder_device:chr_file rw_file_perms;
')
full_treble_only(`
neverallow {
domain
-coredomain
-appdomain # restrictions for vendor apps are declared lower down
-binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
} service_manager_type:service_manager find;
')
full_treble_only(`
# Vendor apps are permited to use only stable public services. If they were to use arbitrary
# services which can change any time framework/core is updated, breakage is likely.
neverallow {
......@@ -648,6 +652,8 @@ full_treble_only(`
-vr_hwc_service
-vr_manager_service
}:service_manager find;
')
full_treble_only(`
neverallow {
domain
-coredomain
......@@ -664,12 +670,18 @@ full_treble_only(`
userdebug_or_eng(`-su')
-ueventd # uevent is granted create for this device, but we still neverallow I/O below
} vndbinder_device:chr_file rw_file_perms;
')
full_treble_only(`
neverallow ueventd vndbinder_device:chr_file { read write append ioctl };
')
full_treble_only(`
neverallow {
coredomain
-shell
userdebug_or_eng(`-su')
} vndservice_manager_type:service_manager *;
')
full_treble_only(`
neverallow {
coredomain
-shell
......@@ -791,6 +803,8 @@ full_treble_only(`
data_file_type
-core_data_file_type
}:file_class_set ~{ append getattr ioctl read write };
')
full_treble_only(`
neverallow {
coredomain
-appdomain # TODO(b/34980020) remove exemption for appdomain
......@@ -885,7 +899,9 @@ full_treble_only(`
-postinstall_dexopt
-system_server
} vendor_app_file:dir { open read getattr search };
')
full_treble_only(`
neverallow {
coredomain
-appdomain
......@@ -897,7 +913,9 @@ full_treble_only(`
-postinstall_dexopt
-system_server
} vendor_app_file:{ file lnk_file } r_file_perms;
')
full_treble_only(`
# Limit access to /vendor/overlay
neverallow {
coredomain
......@@ -909,7 +927,9 @@ full_treble_only(`
-webview_zygote
-zygote
} vendor_overlay_file:dir { getattr open read search };
')
full_treble_only(`
neverallow {
coredomain
-appdomain
......@@ -920,7 +940,9 @@ full_treble_only(`
-webview_zygote
-zygote
} vendor_overlay_file:{ file lnk_file } r_file_perms;
')
full_treble_only(`
# Non-vendor domains are not allowed to file execute shell
# from vendor
neverallow {
......@@ -928,7 +950,9 @@ full_treble_only(`
-init
-shell
} vendor_shell_exec:file { execute execute_no_trans };
')
full_treble_only(`
# Do not allow vendor components to execute files from system
# except for the ones whitelist here.
neverallow {
......@@ -944,7 +968,9 @@ full_treble_only(`
-crash_dump_exec
-netutils_wrapper_exec
}:file { entrypoint execute execute_no_trans };
')
full_treble_only(`
# Do not allow system components to execute files from vendor
# except for the ones whitelisted here.
neverallow {
......@@ -958,7 +984,9 @@ full_treble_only(`
-vndk_sp_file
-vendor_app_file
}:file execute;
')
full_treble_only(`
neverallow {
coredomain
-shell
......