Remove coredomain /dev access no longer needed after Treble
According to go/sedenials (internal dogfooding), coredomain access to the following types is not exercised and can be removed: iio_device, radio_device, tee_device. Access to audio_device is still needed since some ALSA interfaces (/dev/snd/*) are directly used by system_server. Bug: 110962171 Test: m selinux_policy Change-Id: I740b99813e1f93136bfcaec087b74f0e03b259ad
parent
0096e7af57
commit
8a6cc52ed7
@ -169,13 +169,12 @@ full_treble_only(`
|
|||||||
}{ usbfs binfmt_miscfs }:file no_rw_file_perms;
|
}{ usbfs binfmt_miscfs }:file no_rw_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
# Audit coredomain access to /dev nodes that might no longer be needed after
|
# Following /dev nodes must not be directly accessed by coredomain after Treble,
|
||||||
# Treble.
|
# but should instead be wrapped by HALs.
|
||||||
userdebug_or_eng(`
|
full_treble_only(`
|
||||||
auditallow coredomain {
|
neverallow coredomain {
|
||||||
audio_device
|
iio_device
|
||||||
iio_device
|
radio_device
|
||||||
radio_device
|
tee_device
|
||||||
tee_device
|
}:chr_file { open read append write ioctl };
|
||||||
}:chr_file { open read append write ioctl };
|
|
||||||
')
|
')
|
||||||
|
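Review bot: The new `neverallow coredomain {` block no longer lists audio_device, which the old auditallow covered, and the comment above it does not say the omission is deliberate. The reason is given only in the commit description (system_server still uses ALSA nodes under /dev/snd/* directly), so a later cleanup reading the policy file alone could add the type back or treat the remaining system_server rule as stale. I would add a comment line above the type list, such as `# audio_device is intentionally excluded: system_server still uses ALSA interfaces (/dev/snd/*) directly.`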
@ -71,10 +71,6 @@ binder_call(surfaceflinger, dumpstate)
|
|||||||
binder_call(surfaceflinger, shell)
|
binder_call(surfaceflinger, shell)
|
||||||
r_dir_file(surfaceflinger, dumpstate)
|
r_dir_file(surfaceflinger, dumpstate)
|
||||||
|
|
||||||
# Needed on some devices for playing DRM protected content,
|
|
||||||
# but seems expected and appropriate for all devices.
|
|
||||||
allow surfaceflinger tee_device:chr_file rw_file_perms;
|
|
||||||
|
|
||||||
# media.player service
|
# media.player service
|
||||||
|
|
||||||
# do not use add_service() as hal_graphics_composer_default may be the
|
# do not use add_service() as hal_graphics_composer_default may be the
|
||||||
|
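Review bot: The rule `allow surfaceflinger tee_device:chr_file rw_file_perms;` is deleted for every build, while the neverallow that motivates the deletion is wrapped in `full_treble_only(`, so devices that are not full Treble lose the access even though no rule forbids it there. The removed comment said the access was needed on some devices for DRM-protected playback, and the evidence cited in the description is dogfooding denial data, which may not include those devices. The same applies to the unconditional removals in the system_server, drmserver and gatekeeperd sections; the gatekeeperd rule sat under a comment saying these rules are needed when the Gatekeeper HAL runs inside the gatekeeperd process. If non-Treble devices are still supported by this policy, consider keeping these allow rules inside the `not_full_treble` macro rather than dropping them outright, or state in the description that such devices were checked.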
@ -326,10 +326,8 @@ allow system_server device:dir r_dir_perms;
|
|||||||
allow system_server mdns_socket:sock_file rw_file_perms;
|
allow system_server mdns_socket:sock_file rw_file_perms;
|
||||||
allow system_server alarm_device:chr_file rw_file_perms;
|
allow system_server alarm_device:chr_file rw_file_perms;
|
||||||
allow system_server gpu_device:chr_file rw_file_perms;
|
allow system_server gpu_device:chr_file rw_file_perms;
|
||||||
allow system_server iio_device:chr_file rw_file_perms;
|
|
||||||
allow system_server input_device:dir r_dir_perms;
|
allow system_server input_device:dir r_dir_perms;
|
||||||
allow system_server input_device:chr_file rw_file_perms;
|
allow system_server input_device:chr_file rw_file_perms;
|
||||||
allow system_server radio_device:chr_file r_file_perms;
|
|
||||||
allow system_server tty_device:chr_file rw_file_perms;
|
allow system_server tty_device:chr_file rw_file_perms;
|
||||||
allow system_server usbaccessory_device:chr_file rw_file_perms;
|
allow system_server usbaccessory_device:chr_file rw_file_perms;
|
||||||
allow system_server video_device:dir r_dir_perms;
|
allow system_server video_device:dir r_dir_perms;
|
||||||
@ -338,7 +336,7 @@ allow system_server adbd_socket:sock_file rw_file_perms;
|
|||||||
allow system_server rtc_device:chr_file rw_file_perms;
|
allow system_server rtc_device:chr_file rw_file_perms;
|
||||||
allow system_server audio_device:dir r_dir_perms;
|
allow system_server audio_device:dir r_dir_perms;
|
||||||
|
|
||||||
# write access needed for MIDI
|
# write access to ALSA interfaces (/dev/snd/*) needed for MIDI
|
||||||
allow system_server audio_device:chr_file rw_file_perms;
|
allow system_server audio_device:chr_file rw_file_perms;
|
||||||
|
|
||||||
# tun device used for 3rd party vpn apps
|
# tun device used for 3rd party vpn apps
|
||||||
|
@ -20,7 +20,6 @@ binder_call(drmserver, mediaserver)
|
|||||||
allow drmserver sdcard_type:dir search;
|
allow drmserver sdcard_type:dir search;
|
||||||
allow drmserver drm_data_file:dir create_dir_perms;
|
allow drmserver drm_data_file:dir create_dir_perms;
|
||||||
allow drmserver drm_data_file:file create_file_perms;
|
allow drmserver drm_data_file:file create_file_perms;
|
||||||
allow drmserver tee_device:chr_file rw_file_perms;
|
|
||||||
allow drmserver { app_data_file privapp_data_file }:file { read write getattr map };
|
allow drmserver { app_data_file privapp_data_file }:file { read write getattr map };
|
||||||
allow drmserver sdcard_type:file { read write getattr map };
|
allow drmserver sdcard_type:file { read write getattr map };
|
||||||
r_dir_file(drmserver, efs_file)
|
r_dir_file(drmserver, efs_file)
|
||||||
|
@ -7,7 +7,6 @@ binder_use(gatekeeperd)
|
|||||||
|
|
||||||
### Rules needed when Gatekeeper HAL runs inside gatekeeperd process.
|
### Rules needed when Gatekeeper HAL runs inside gatekeeperd process.
|
||||||
### These rules should eventually be granted only when needed.
|
### These rules should eventually be granted only when needed.
|
||||||
allow gatekeeperd tee_device:chr_file rw_file_perms;
|
|
||||||
allow gatekeeperd ion_device:chr_file r_file_perms;
|
allow gatekeeperd ion_device:chr_file r_file_perms;
|
||||||
# Load HAL implementation
|
# Load HAL implementation
|
||||||
allow gatekeeperd system_file:dir r_dir_perms;
|
allow gatekeeperd system_file:dir r_dir_perms;
|
||||||
|