PWN-Hunter/android_system_sepolicy
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Remove unnecessary HAL permissions

Browse Source 
Comments indicate that these permissions are used to access already
open FDs. However, getattr of a directory is clearly not necessary
for that, search of system_data_file is already granted to domain
and following symlinks is clearly not needed for reading an already
open FD.

Bug: 34980020
Test: boot marlin. Test drm with google play movies, no related
    denials
Test: cts-tradefed run cts -m CtsMediaTestCases -t \
    android.media.cts.MediaCasTest
    5/6 tests fail with no related selinux denials. The same 5/6
    also fail in selinux permissive mode.
Change-Id: Ib4b9a1e18bdc479d656b2d64917bbc0358515525
This commit is contained in:
Jeff Vander Stoep 2017-10-09 13:44:46 -07:00
parent dcee57b8c2
commit 89d771871e
2 changed files with 0 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
public/hal_cas.te
View File

@ -10,9 +10,7 @@ allow hal_cas_server hidl_memory_hwservice:hwservice_manager find;
get_prop(hal_cas, serialno_prop)
# Read files already opened under /data
allow hal_cas system_data_file:dir { search getattr };
allow hal_cas system_data_file:file { getattr read };
allow hal_cas system_data_file:lnk_file r_file_perms;
# Read access to pseudo filesystems
r_dir_file(hal_cas, cgroup)

2
public/hal_drm.te
View File

@ -19,9 +19,7 @@ allow hal_drm system_file:file r_file_perms;
allow hal_drm system_file:lnk_file r_file_perms;
# Read files already opened under /data
allow hal_drm system_data_file:dir { search getattr };
allow hal_drm system_data_file:file { getattr read };
allow hal_drm system_data_file:lnk_file r_file_perms;
# Read access to pseudo filesystems
r_dir_file(hal_drm, cgroup)