king
/
v811_spc009
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'main'
${ noResults }
v811_spc009/device/mediatek/wembley-sepolicy/neverallows/non_plat/neverallows.te

252 lines
5.7 KiB
Raw Permalink Blame History

# ==============================================
# MTK Policy Rule
# ==============================================
# Do not allow access to the generic sysfs label. This is too broad.
# Instead, if access to part of sysfs is desired, it should have a
# more specific label.
# TODO: Remove hal_usb/mtk_hal_usb and so on once there are no violations.
# allow hal_usb sysfs:file write;
# hal_server_domain(mtk_hal_usb, hal_usb)
#
# r_dir_file(hal_wifi, sysfs_type)
# hal_server_domain(mtk_hal_wifi, hal_wifi)
#
full_treble_only(`
neverallow ~{
init
merged_hal_service
mtk_hal_bluetooth
# TODO(b/152082918) Remove mtk_hal_camera line when permissions are fixed.
mtk_hal_camera
mtk_hal_power
mtk_hal_usb
mtk_hal_wifi
hal_bluetooth_btlinux
hal_bluetooth_default
hal_drm_clearkey
hal_drm_default
hal_drm_widevine
hal_fingerprint_default
hal_radio_config_default
hal_radio_default
hal_usb_default
hal_wifi_default
hal_wifi_supplicant_default
rild
tee
ueventd
vendor_init
vold
} sysfs:file *;
neverallow {
merged_hal_service
mtk_hal_bluetooth
mtk_hal_power
mtk_hal_wifi
hal_bluetooth_btlinux
hal_bluetooth_default
hal_drm_clearkey
hal_drm_default
hal_drm_widevine
hal_fingerprint_default
hal_radio_config_default
hal_radio_default
hal_wifi_default
hal_wifi_supplicant_default
rild
tee
} sysfs:file ~r_file_perms;
neverallow {
hal_usb_default
init
mtk_hal_usb
ueventd
vendor_init
vold
} sysfs:file ~{ r_file_perms write setattr append relabelfrom relabelto };
')
# Do not allow access to the generic proc label. This is too broad.
# Instead, if access to part of proc is desired, it should have a
# more specific label.
# TODO: Remove mtk_hal_audio/audioserver and so on once there are no violations.
#
# r_dir_file(hal_audio, proc)
# hal_server_domain(mtk_hal_audio, hal_audio)
# hal_client_domain(audioserver, hal_audio)
#
full_treble_only(`
neverallow ~{
audiocmdservice_atci
audioserver
bluetooth
hal_audio_default
hal_graphics_allocator_default
init
merged_hal_service
mtk_hal_audio
rild
system_server
vendor_init
vold
} proc:file *;
neverallow {
audiocmdservice_atci
audioserver
bluetooth
hal_audio_default
hal_graphics_allocator_default
init
merged_hal_service
mtk_hal_audio
rild
system_server
vold
} proc:file ~r_file_perms;
neverallow vendor_init proc:file ~{ r_file_perms setattr };
neverallow ~{
audiocmdservice_atci
audioserver
bluetooth
hal_audio_default
init
mtk_hal_audio
rild
system_server
} proc:lnk_file ~{ read getattr };
neverallow {
audiocmdservice_atci
audioserver
bluetooth
hal_audio_default
init
mtk_hal_audio
rild
system_server
} proc:lnk_file ~r_file_perms;
')
# Do not allow access to the generic system_data_file label. This is
# too broad.
# Instead, if access to part of system_data_file is desired, it should
# have a more specific label.
# TODO: Remove merged_hal_service and so on once there are no violations.
#
# allow hal_drm system_data_file:file { getattr read };
# hal_server_domain(merged_hal_service, hal_drm)
#
full_treble_only(`
neverallow {
domain
-coredomain
-appdomain
-hal_cas_default
-hal_drm_clearkey
-hal_drm_default
-hal_drm_widevine
-merged_hal_service
-tee
} system_data_file:file *;
neverallow ~{
appdomain
app_zygote
hal_drm_clearkey
hal_drm_default
hal_drm_widevine
init
installd
iorap_prefetcherd
mediadrmserver
mediaextractor
mediaserver
merged_hal_service
system_server
tee
toolbox
vold
vold_prepare_subdirs
with_asan(`asan_extract')
} system_data_file:file ~r_file_perms;
neverallow { appdomain app_zygote } system_data_file:file ~{ getattr read map };
neverallow init system_data_file:file ~{ create getattr open read write setattr relabelfrom unlink map getattr relabelto };
neverallow installd system_data_file:file ~{ getattr relabelfrom unlink };
neverallow iorap_prefetcherd system_data_file:file ~{ open read };
neverallow {
hal_drm_clearkey
hal_drm_default
hal_drm_widevine
mediadrmserver
mediaextractor
mediaserver
merged_hal_service
tee
} system_data_file:file ~{ getattr read };
neverallow system_server system_data_file:file ~{ create_file_perms relabelfrom link };
neverallow { toolbox vold_prepare_subdirs } system_data_file:file ~{ getattr unlink };
neverallow vold system_data_file:file ~read;
')
# Do not allow access to the generic device label. This is too broad.
# Instead, if access to part of device is desired, it should have a
# more specific label.
# TODO: Remove hal_camera and so on once there are no violations.
#
# allow hal_camera device:dir r_dir_perms;
# hal_client_domain(cameraserver, hal_camera)
#
full_treble_only(`
neverallow ~{
cameraserver
fastbootd
hal_camera
hal_camera_default
init
mtk_hal_camera
otapreopt_chroot
recovery
shell
slideshow
system_server
vendor_init
vold
ueventd
} device:dir ~{ search getattr };
neverallow {
cameraserver
fastbootd
hal_camera
hal_camera_default
mtk_hal_camera
system_server
shell
slideshow
recovery
} device:dir ~r_dir_perms;
neverallow init device:dir ~{ create_dir_perms mounton relabelto };
neverallow vendor_init device:dir ~{ create_dir_perms mounton };
neverallow vold device:dir ~{ search getattr write };
neverallow ueventd device:dir ~create_dir_perms;
')
Reference in new issue View Git Blame Copy Permalink