relax fuse_device neverallow rules
The fuse_device neverallow rules are too aggressive and are inhibiting certain vendor customizations. Relax the /dev/fuse neverallow rules so that they better reflect the security invariants we want to uphold. Bug: 37496487 Test: policy compiles. Change-Id: Ie73b0ba7c76446afc2a7a23ebed1275c977d932d
This commit is contained in:
parent
53b2c80949
commit
45766d4178
@ -87,6 +87,9 @@ neverallow all_untrusted_apps {
|
||||
')
|
||||
}:dir_file_class_set { create unlink };
|
||||
|
||||
# No untrusted component should be touching /dev/fuse
|
||||
neverallow all_untrusted_apps fuse_device:chr_file *;
|
||||
|
||||
# Do not allow untrusted apps to directly open tun_device
|
||||
neverallow all_untrusted_apps tun_device:chr_file open;
|
||||
|
||||
|
@ -61,3 +61,10 @@ allow platform_app preloads_media_file:file r_file_perms;
|
||||
allow platform_app preloads_media_file:dir r_dir_perms;
|
||||
|
||||
read_runtime_log_tags(platform_app)
|
||||
|
||||
###
|
||||
### Neverallow rules
|
||||
###
|
||||
|
||||
# app domains which access /dev/fuse should not run as platform_app
|
||||
neverallow platform_app fuse_device:chr_file *;
|
||||
|
@ -83,3 +83,10 @@ r_dir_file(system_app, sysfs_type)
|
||||
|
||||
control_logd(system_app)
|
||||
read_runtime_log_tags(system_app)
|
||||
|
||||
###
|
||||
### Neverallow rules
|
||||
###
|
||||
|
||||
# app domains which access /dev/fuse should not run as system_app
|
||||
neverallow system_app fuse_device:chr_file *;
|
||||
|
@ -965,26 +965,6 @@ neverallow * domain:file { execute execute_no_trans entrypoint };
|
||||
# TODO: fix system_server and dumpstate
|
||||
neverallow { domain -init -system_server -dumpstate } debugfs:file no_rw_file_perms;
|
||||
|
||||
neverallow {
|
||||
domain
|
||||
-init
|
||||
-recovery
|
||||
-sdcardd
|
||||
-vold
|
||||
} fuse_device:chr_file open;
|
||||
neverallow {
|
||||
domain
|
||||
-dumpstate
|
||||
-init
|
||||
-priv_app
|
||||
-recovery
|
||||
-sdcardd
|
||||
-shell # Restricted by shell.te to only getattr
|
||||
-system_server
|
||||
-ueventd
|
||||
-vold
|
||||
} fuse_device:chr_file *;
|
||||
|
||||
# Profiles contain untrusted data and profman parses that. We should only run
|
||||
# in from installd forked processes.
|
||||
neverallow {
|
||||
|
Loading…
Reference in New Issue
Block a user