PWN-Hunter/android_system_sepolicy
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

sepolicy: Add iorap_prefetcherd rules

Browse Source 
/system/bin/iorapd fork+execs into /system/bin/iorap_prefetcherd during
startup

See also go/android-iorap-security for the design doc

Bug: 137403231
Change-Id: Ie8949c7927a98e0ab757bc46230c589b5a496360
This commit is contained in:
Igor Murashkin 2019-09-19 11:04:20 -07:00
parent 94b0e84094
commit 9f74a428c4
8 changed files with 74 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
private/compat/29.0/29.0.ignore.cil
View File

@ -17,6 +17,10 @@
hal_can_controller_hwservice
hal_tv_tuner_hwservice
init_svc_debug_prop
iorap_prefetcherd
iorap_prefetcherd_data_file
iorap_prefetcherd_exec
iorap_prefetcherd_tmpfs
linker_prop
mock_ota_prop
ota_metadata_file

2
private/coredomain.te
View File

@ -56,6 +56,7 @@ full_treble_only(`
-idmap
-init
-installd
-iorap_prefetcherd
-postinstall_dexopt
-rs # spawned by appdomain, so carryover the exception above
-system_server
@ -73,6 +74,7 @@ full_treble_only(`
-idmap
-init
-installd
-iorap_prefetcherd
-postinstall_dexopt
-rs # spawned by appdomain, so carryover the exception above
-system_server

4
private/domain.te
View File

@ -136,6 +136,7 @@ neverallow {
-app_zygote
-dexoptanalyzer
-installd
-iorap_prefetcherd
-profman
-rs # spawned by appdomain, so carryover the exception above
-runas
@ -157,6 +158,7 @@ neverallow {
-appdomain
-app_zygote
-installd
-iorap_prefetcherd
-rs # spawned by appdomain, so carryover the exception above
} { privapp_data_file app_data_file }:file_class_set open;
@ -201,6 +203,7 @@ neverallow {
domain
-appdomain
with_asan(`-asan_extract')
-iorap_prefetcherd
-shell
userdebug_or_eng(`-su')
-system_server_startup # for memfd backed executable regions
@ -284,6 +287,7 @@ neverallow ~dac_override_allowed self:global_capability_class_set dac_override;
# this list should be a superset of the one above.
neverallow ~{
dac_override_allowed
iorap_prefetcherd
traced_probes
userdebug_or_eng(`heapprofd')
} self:global_capability_class_set dac_read_search;

1
private/file_contexts
View File

@ -289,6 +289,7 @@
/system/bin/viewcompiler u:object_r:viewcompiler_exec:s0
/system/bin/profman(d)? u:object_r:profman_exec:s0
/system/bin/iorapd u:object_r:iorapd_exec:s0
/system/bin/iorap\.prefetcherd u:object_r:iorap_prefetcherd_exec:s0
/system/bin/sgdisk u:object_r:sgdisk_exec:s0
/system/bin/blkid u:object_r:blkid_exec:s0
/system/bin/tzdatacheck u:object_r:tzdatacheck_exec:s0

4
private/iorap_prefecherd.te Normal file
View File

@ -0,0 +1,4 @@
typeattribute iorap_prefetcherd coredomain;
init_daemon_domain(iorap_prefetcherd)
tmpfs_domain(iorap_prefetcherd)

2
private/iorapd.te
View File

@ -2,3 +2,5 @@ typeattribute iorapd coredomain;
init_daemon_domain(iorapd)
tmpfs_domain(iorapd)
domain_auto_trans(iorapd, iorap_prefetcherd_exec, iorap_prefetcherd)

3
public/domain.te
View File

@ -927,6 +927,7 @@ full_treble_only(`
-system_lib_file
-system_linker_exec
-crash_dump_exec
-iorap_prefetcherd_exec
-netutils_wrapper_exec
userdebug_or_eng(`-tcpdump_exec')
}:file { entrypoint execute execute_no_trans };
@ -969,6 +970,7 @@ full_treble_only(`
# TODO(b/37168747): clean up fwk access to /vendor
-crash_dump
-init # starts vendor executables
-iorap_prefetcherd
-kernel # loads /vendor/firmware
userdebug_or_eng(`-heapprofd')
-shell
@ -1296,6 +1298,7 @@ full_treble_only(`
-bootanim
-crash_dump
-init
-iorap_prefetcherd
-kernel
-heapprofd
-ueventd

54
public/iorap_prefetcherd.te Normal file
View File

@ -0,0 +1,54 @@
# volume manager
type iorap_prefetcherd, domain;
type iorap_prefetcherd_exec, exec_type, file_type, system_file_type;
type iorap_prefetcherd_tmpfs, file_type;
r_dir_file(iorap_prefetcherd, rootfs)
# Allow read/write /proc/sys/vm/drop/caches
allow iorap_prefetcherd proc_drop_caches:file rw_file_perms;
# iorap_prefetcherd temporarily changes its priority when running benchmarks
allow iorap_prefetcherd self:global_capability_class_set sys_nice;
# Allow usage of pipes (--input-fd=# and --output-fd=# command line parameters).
allow iorap_prefetcherd iorapd:fd use;
allow iorap_prefetcherd iorapd:fifo_file { read write };
# Allow reading most files under / ignoring usual access controls.
allow iorap_prefetcherd self:capability dac_read_search;
typeattribute iorap_prefetcherd mlstrustedsubject;
# Grant logcat access
allow iorap_prefetcherd logcat_exec:file { open read };
# Grant access to open most of the files under /
allow iorap_prefetcherd apk_data_file:dir { open read search };
allow iorap_prefetcherd apk_data_file:file { open read };
allow iorap_prefetcherd app_data_file:dir { open read search };
allow iorap_prefetcherd app_data_file:file { open read };
allow iorap_prefetcherd dalvikcache_data_file:dir { open read search };
allow iorap_prefetcherd dalvikcache_data_file:file{ open read };
allow iorap_prefetcherd packages_list_file:dir { open read search };
allow iorap_prefetcherd packages_list_file:file { open read };
allow iorap_prefetcherd privapp_data_file:dir { open read search };
allow iorap_prefetcherd privapp_data_file:file { open read };
allow iorap_prefetcherd same_process_hal_file:dir{ open read search };
allow iorap_prefetcherd same_process_hal_file:file { open read };
allow iorap_prefetcherd system_data_file:dir { open read search };
allow iorap_prefetcherd system_data_file:file { open read };
allow iorap_prefetcherd system_data_file:lnk_file { open read };
allow iorap_prefetcherd user_profile_data_file:dir { open read search };
allow iorap_prefetcherd user_profile_data_file:file { open read };
allow iorap_prefetcherd vendor_overlay_file:dir { open read search };
allow iorap_prefetcherd vendor_overlay_file:file { open read };
# Note: Do not add any /vendor labels because they can be customized
# by the vendor and we won't know about them beforehand.
###
### neverallow rules
###
neverallow { domain -init -iorapd } iorap_prefetcherd:process { transition dyntransition };
neverallow iorap_prefetcherd domain:{ tcp_socket udp_socket rawip_socket } *;