You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
162 lines
3.9 KiB
162 lines
3.9 KiB
# ==============================================
|
|
# MTK Policy Rule
|
|
# ==============================================
|
|
|
|
# Do not allow access to the generic system_data_file label. This is
|
|
# too broad.
|
|
# Instead, if access to part of system_data_file is desired, it should
|
|
# have a more specific label.
|
|
# TODO: Remove merged_hal_service and so on once there are no violations.
|
|
#
|
|
# allow hal_drm system_data_file:file { getattr read };
|
|
# hal_server_domain(merged_hal_service, hal_drm)
|
|
#
|
|
full_treble_only(`
|
|
neverallow {
|
|
coredomain
|
|
-appdomain
|
|
-app_zygote
|
|
-dumpstate
|
|
-init
|
|
-installd
|
|
-iorap_prefetcherd
|
|
-iorap_inode2filename
|
|
-logd
|
|
-mediadrmserver
|
|
-mediaextractor
|
|
-mediaserver
|
|
-runas
|
|
-sdcardd
|
|
-simpleperf_app_runner
|
|
-storaged
|
|
-system_server
|
|
-toolbox
|
|
-vold
|
|
-vold_prepare_subdirs
|
|
with_asan(`-asan_extract')
|
|
-zygote
|
|
} system_data_file:file *;
|
|
|
|
neverallow { appdomain app_zygote } system_data_file:file ~{ getattr read map };
|
|
|
|
neverallow {
|
|
dumpstate
|
|
logd
|
|
runas
|
|
sdcardd
|
|
simpleperf_app_runner
|
|
storaged
|
|
zygote
|
|
} system_data_file:file ~r_file_perms;
|
|
|
|
neverallow init system_data_file:file ~{ create getattr open read write setattr relabelfrom unlink map getattr relabelto };
|
|
|
|
neverallow installd system_data_file:file ~{ getattr relabelfrom unlink };
|
|
|
|
neverallow iorap_prefetcherd system_data_file:file ~{ open read };
|
|
neverallow iorap_inode2filename system_data_file:file ~getattr;
|
|
|
|
neverallow {
|
|
mediadrmserver
|
|
mediaextractor
|
|
mediaserver
|
|
} system_data_file:file ~{ read getattr };
|
|
|
|
neverallow system_server system_data_file:file ~{ create_file_perms relabelfrom link };
|
|
|
|
neverallow { toolbox vold_prepare_subdirs } system_data_file:file ~{ getattr unlink };
|
|
|
|
neverallow vold system_data_file:file ~read;
|
|
|
|
neverallow ~{
|
|
appdomain
|
|
app_zygote
|
|
dexoptanalyzer
|
|
init
|
|
installd
|
|
iorap_prefetcherd
|
|
iorap_inode2filename
|
|
logd
|
|
rs
|
|
runas
|
|
simpleperf_app_runner
|
|
system_server
|
|
tee
|
|
vold
|
|
webview_zygote
|
|
with_asan(`asan_extract')
|
|
zygote
|
|
} system_data_file:lnk_file *;
|
|
|
|
neverallow {
|
|
appdomain
|
|
app_zygote
|
|
logd
|
|
webview_zygote
|
|
} system_data_file:lnk_file ~r_file_perms;
|
|
|
|
neverallow { dexoptanalyzer vold } system_data_file:lnk_file ~getattr;
|
|
|
|
neverallow init system_data_file:lnk_file ~{ r_file_perms create setattr relabelfrom relabelto unlink };
|
|
|
|
neverallow installd system_data_file:lnk_file ~{ create getattr read setattr unlink relabelfrom };
|
|
|
|
neverallow iorap_prefetcherd system_data_file:lnk_file ~{ read open };
|
|
|
|
neverallow iorap_inode2filename system_data_file:lnk_file ~{ read open getattr };
|
|
|
|
neverallow rs system_data_file:lnk_file ~{ read };
|
|
|
|
neverallow {
|
|
runas
|
|
simpleperf_app_runner
|
|
tee
|
|
} system_data_file:lnk_file ~{ read getattr };
|
|
|
|
neverallow system_server system_data_file:lnk_file ~create_file_perms;
|
|
')
|
|
|
|
# Do not allow access to the generic device label. This is too broad.
|
|
# Instead, if access to part of device is desired, it should have a
|
|
# more specific label.
|
|
# TODO: Remove hal_camera and so on once there are no violations.
|
|
#
|
|
# allow hal_camera device:dir r_dir_perms;
|
|
# hal_client_domain(cameraserver, hal_camera)
|
|
#
|
|
full_treble_only(`
|
|
neverallow {
|
|
coredomain
|
|
-cameraserver
|
|
-fastbootd
|
|
-hal_camera
|
|
-init
|
|
-otapreopt_chroot
|
|
-recovery
|
|
-shell
|
|
-slideshow
|
|
-system_server
|
|
-vendor_init
|
|
-vold
|
|
-ueventd
|
|
} device:dir ~{ search getattr };
|
|
|
|
neverallow init device:dir ~{ create_dir_perms mounton relabelto };
|
|
|
|
neverallow {
|
|
cameraserver
|
|
fastbootd
|
|
hal_camera
|
|
system_server
|
|
shell
|
|
slideshow
|
|
recovery
|
|
} device:dir ~r_dir_perms;
|
|
|
|
neverallow vendor_init device:dir ~{ create_dir_perms mounton };
|
|
|
|
neverallow vold device:dir ~{ search getattr write };
|
|
|
|
neverallow ueventd device:dir ~create_dir_perms;
|
|
')
|