4ab64c940f
Conservatively grant access to packages_list_file to everything that had
access to system_data_file:file even if the comment in the SELinux
policy suggests it was for another use.
Ran a diff on the resulting SEPolicy, the only difference of domains
being granted is those that had system_data_file:dir permissiosn which
is clearly not applicable for packages.list
diff -u0 <(sesearch --allow -t system_data_file ~/sepolicy | sed 's/system_data_file/packages_list_file/') <(sesearch --allow -t packages_list_file ~/sepolicy_new)
--- /proc/self/fd/16 2019-03-19 20:01:44.378409146 +0000
+++ /proc/self/fd/18 2019-03-19 20:01:44.378409146 +0000
@@ -3 +2,0 @@
-allow appdomain packages_list_file:dir getattr;
@@ -6 +4,0 @@
-allow coredomain packages_list_file:dir getattr;
@@ -8 +5,0 @@
-allow domain packages_list_file:dir search;
@@ -35 +31,0 @@
-allow system_server packages_list_file:dir { rename search setattr read lock create reparent getattr write relabelfrom ioctl rmdir remove_name open add_name };
@@ -40 +35,0 @@
-allow tee packages_list_file:dir { search read lock getattr ioctl open };
@@ -43,3 +37,0 @@
-allow traced_probes packages_list_file:dir { read getattr open search };
-allow vendor_init packages_list_file:dir { search setattr read create getattr write relabelfrom ioctl rmdir remove_name open add_name };
-allow vold packages_list_file:dir { search setattr read lock create getattr mounton write ioctl rmdir remove_name open add_name };
@@ -48 +39,0 @@
-allow vold_prepare_subdirs packages_list_file:dir { read write relabelfrom rmdir remove_name open add_name };
@@ -50 +40,0 @@
-allow zygote packages_list_file:dir { search read lock getattr ioctl open };
Bug: 123186697
Change-Id: Ieabf313653deb5314872b63cd47dadd535af7b07
45 lines
1.5 KiB
Plaintext
45 lines
1.5 KiB
Plaintext
type sdcardd, domain;
|
|
type sdcardd_exec, system_file_type, exec_type, file_type;
|
|
|
|
allow sdcardd cgroup:dir create_dir_perms;
|
|
allow sdcardd fuse_device:chr_file rw_file_perms;
|
|
allow sdcardd rootfs:dir mounton; # TODO: deprecated in M
|
|
allow sdcardd sdcardfs:filesystem remount;
|
|
allow sdcardd tmpfs:dir r_dir_perms;
|
|
allow sdcardd mnt_media_rw_file:dir r_dir_perms;
|
|
allow sdcardd storage_file:dir search;
|
|
allow sdcardd storage_stub_file:dir { search mounton };
|
|
allow sdcardd sdcard_type:filesystem { mount unmount };
|
|
allow sdcardd self:global_capability_class_set { setuid setgid dac_override dac_read_search sys_admin sys_resource };
|
|
|
|
allow sdcardd sdcard_type:dir create_dir_perms;
|
|
allow sdcardd sdcard_type:file create_file_perms;
|
|
|
|
allow sdcardd media_rw_data_file:dir create_dir_perms;
|
|
allow sdcardd media_rw_data_file:file create_file_perms;
|
|
|
|
# Read /data/system/packages.list.
|
|
allow sdcardd system_data_file:file r_file_perms;
|
|
allow sdcardd packages_list_file:file r_file_perms;
|
|
|
|
# Read /data/.layout_version
|
|
allow sdcardd install_data_file:file r_file_perms;
|
|
|
|
# Allow stdin/out back to vold
|
|
allow sdcardd vold:fd use;
|
|
allow sdcardd vold:fifo_file { read write getattr };
|
|
|
|
# Allow running on top of expanded storage
|
|
allow sdcardd mnt_expand_file:dir search;
|
|
|
|
# access /proc/filesystems
|
|
allow sdcardd proc_filesystems:file r_file_perms;
|
|
|
|
###
|
|
### neverallow rules
|
|
###
|
|
|
|
# The sdcard daemon should no longer be started from init
|
|
neverallow init sdcardd_exec:file execute;
|
|
neverallow init sdcardd:process { transition dyntransition };
|