From aa38b56dac3528f810a5ca29e45a87009e7620f7 Mon Sep 17 00:00:00 2001 From: Steve Kondik Date: Fri, 26 Aug 2016 02:31:15 -0700 Subject: [PATCH] sepolicy: Clean up policy for N Change-Id: I39ddec0f60a9995de13b82f09705d246d7e0f454 --- sepolicy/app.te | 5 ----- sepolicy/domain.te | 1 - sepolicy/file.te | 5 +++++ sepolicy/genfs_contexts | 6 +++--- sepolicy/installd.te | 4 ++-- sepolicy/kernel.te | 1 - sepolicy/mediaserver.te | 3 --- sepolicy/platform_app.te | 14 -------------- sepolicy/qcom/dumpstate.te | 3 --- sepolicy/recovery.te | 4 ++-- sepolicy/su.te | 3 +++ sepolicy/vold.te | 4 ++-- 12 files changed, 17 insertions(+), 36 deletions(-) delete mode 100644 sepolicy/platform_app.te
diff --git a/sepolicy/app.te b/sepolicy/app.te
index 6405e20b..b2ad5535 100644
--- a/sepolicy/app.te
+++ b/sepolicy/app.te
@@ -1,8 +1,3 @@
-# Access OBBs (sdcard_posix) mounted by vold
-# File write access allowed for FDs returned through Storage Access Framework
-allow appdomain sdcard_posix:dir r_dir_perms;
-allow appdomain sdcard_posix:file rw_file_perms;
-
 # Themed resources (i.e. composed icons)
 allow appdomain themeservice_app_data_file:dir r_dir_perms;
 allow appdomain themeservice_app_data_file:file r_file_perms;
diff --git a/sepolicy/domain.te b/sepolicy/domain.te
index b1fc15ee..e05768ee 100644
--- a/sepolicy/domain.te
+++ b/sepolicy/domain.te
@@ -2,4 +2,3 @@ allow domain block_device:dir { search getattr };
 allow domain block_device:blk_file getattr;
 allow domain cache_block_device:blk_file getattr;
 allow domain userdata_block_device:blk_file getattr;
-allow domain fuse_device:chr_file getattr;
diff --git a/sepolicy/file.te b/sepolicy/file.te
index 05e3c5d2..b115ebac 100644
--- a/sepolicy/file.te
+++ b/sepolicy/file.te
@@ -17,3 +17,8 @@ type persist_property_file, file_type;
 # Knobs for LiveDisplay
 type livedisplay_sysfs, sysfs_type, file_type;
+
+# Filesystems
+type exfat, sdcard_type, fs_type, mlstrustedobject;
+type fuseblk, sdcard_type, fs_type, mlstrustedobject;
+type ntfs, sdcard_type, fs_type, mlstrustedobject;
diff --git a/sepolicy/genfs_contexts b/sepolicy/genfs_contexts
index b39d3dda..b5652a26 100644
--- a/sepolicy/genfs_contexts
+++ b/sepolicy/genfs_contexts
@@ -1,3 +1,3 @@
-genfscon fuseblk / u:object_r:sdcard_external:s0
-genfscon exfat / u:object_r:sdcard_external:s0
-genfscon ntfs / u:object_r:sdcard_external:s0
+genfscon fuseblk / u:object_r:fuseblk:s0
+genfscon exfat / u:object_r:exfat:s0
+genfscon ntfs / u:object_r:ntfs:s0
diff --git a/sepolicy/installd.te b/sepolicy/installd.te
index c2405990..fc38117c 100644
--- a/sepolicy/installd.te
+++ b/sepolicy/installd.te
@@ -1,6 +1,6 @@
 # Allow querying of asec size on SD card
-allow installd sdcard_external:dir { search };
-allow installd sdcard_external:file { getattr };
+allow installd sdcard_type:dir { search };
+allow installd sdcard_type:file { getattr };
 # Required for installd to create theme service's /data/data directory
 allow installd themeservice_app_data_file:dir { create_dir_perms relabelfrom relabelto };
diff --git a/sepolicy/kernel.te b/sepolicy/kernel.te
index 2984b772..b944a75e 100644
--- a/sepolicy/kernel.te
+++ b/sepolicy/kernel.te
@@ -1,3 +1,2 @@
 # used by sdcardfs to read package list
 allow kernel system_data_file:file open;
-allow kernel media_rw_data_file:file rw_file_perms;
diff --git a/sepolicy/mediaserver.te b/sepolicy/mediaserver.te
index c380ce90..62ed0b7b 100644
--- a/sepolicy/mediaserver.te
+++ b/sepolicy/mediaserver.te
@@ -1,6 +1,3 @@
 # Themed resources (i.e. composed icons)
 allow mediaserver themeservice_app_data_file:dir r_dir_perms;
 allow mediaserver themeservice_app_data_file:file r_file_perms;
-
-# For camera
-allow mediaserver media_rw_data_file:file write;
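Review bot: The three new types in the file.te hunk are declared with `sdcard_type`, so every rule elsewhere written against that attribute now reaches exfat, ntfs and fuseblk mounts, whereas the old `sdcard_external` label was a single dedicated type; the installd, recovery and vold hunks in this same change switch to `sdcard_type` and rely on exactly that, but nothing in file.te says so. A short comment above the block would make the contract explicit, e.g. `# External media mounted by vold. sdcard_type pulls in the core external-storage rules for these mounts; mlstrustedobject presumably mirrors the vfat declaration (confirm against core policy).`. Since `mlstrustedobject` exempts these objects from MLS constraints, it is worth confirming that it is needed for each of the three types rather than copied along with the vfat pattern.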
diff --git a/sepolicy/platform_app.te b/sepolicy/platform_app.te
deleted file mode 100644
index 3e0eb57e..00000000
--- a/sepolicy/platform_app.te
+++ /dev/null
@@ -1,14 +0,0 @@
-# Direct access to vold-mounted storage under /mnt/media_rw
-# This is a performance optimization that allows platform apps to bypass the FUSE layer
-allow platform_app sdcard_posix:dir create_dir_perms;
-allow platform_app sdcard_posix:file create_file_perms;
-
-# Allow Gallery3D to crop user images
-allow platform_app system_app_data_file:file rw_file_perms;
-
-# Allow Gallery3D to execute render scripts
-allow platform_app app_data_file:file execute;
-
-# Allow batterymanager and batteryproperties services to be found
-allow platform_app battery_service:service_manager find;
-allow platform_app healthd_service:service_manager find;
diff --git a/sepolicy/qcom/dumpstate.te b/sepolicy/qcom/dumpstate.te
index d2844a6b..4ba25cc7 100644
--- a/sepolicy/qcom/dumpstate.te
+++ b/sepolicy/qcom/dumpstate.te
@@ -8,6 +8,3 @@ allow dumpstate fuse:file r_file_perms;
 allow dumpstate themeservice_app_data_file:dir r_dir_perms;
 allow dumpstate themeservice_app_data_file:file r_file_perms;
 allow dumpstate media_rw_data_file:dir search;
-allow dumpstate sdcardfs:file getattr;
-allow dumpstate sdcardfs:dir search;
-
diff --git a/sepolicy/recovery.te b/sepolicy/recovery.te
index c5f58c6e..1a1460b0 100644
--- a/sepolicy/recovery.te
+++ b/sepolicy/recovery.te
@@ -24,8 +24,8 @@ allow recovery media_rw_data_file:dir r_dir_perms;
 allow recovery media_rw_data_file:file r_file_perms;
 allow recovery vfat:dir r_dir_perms;
 allow recovery vfat:file r_file_perms;
-allow recovery sdcard_posix:dir r_dir_perms;
-allow recovery sdcard_posix:file r_file_perms;
+allow recovery sdcard_type:dir r_dir_perms;
+allow recovery sdcard_type:file r_file_perms;
 # Control properties
 allow recovery recovery_prop:property_service set;
diff --git a/sepolicy/su.te b/sepolicy/su.te
index 473386bc..1a2a2b3d 100644
--- a/sepolicy/su.te
+++ b/sepolicy/su.te
@@ -66,4 +66,7 @@ userdebug_or_eng(`
 allow system_app superuser_device:dir { create rw_dir_perms setattr unlink };
 allow kernel sudaemon:fd { use };
+
 ')
+
+neverallow { domain userdebug_or_eng(`-dumpstate -shell -su -untrusted_app -init -sudaemon') } su_exec:file no_x_file_perms;
diff --git a/sepolicy/vold.te b/sepolicy/vold.te
index d00fcec3..14b9063f 100644
--- a/sepolicy/vold.te
+++ b/sepolicy/vold.te
@@ -1,11 +1,11 @@
 domain_trans(init, rootfs, vold)
 # Allow vold to manage ASEC
-allow vold sdcard_external:file create_file_perms;
+allow vold sdcard_type:file create_file_perms;
 allow vold vold_tmpfs:file create_file_perms;
 # Allow vold to access fuse for fuse-based fs
-allow vold fuse_device:chr_file rw_file_perms;
+allow vold fuseblk:chr_file rw_file_perms;
 # NTFS-3g wants to drop permission
 allow vold self:capability { setgid setuid };
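Review bot: The new `neverallow` in su.te is the one line in this change that hardens anything, and it has no comment explaining what it is meant to guarantee: placed outside the `userdebug_or_eng` block, on user builds it expands to `neverallow domain su_exec:file no_x_file_perms;`, so the policy build fails if any domain anywhere is granted execute on su, while on userdebug/eng only the six listed domains may execute it. That list includes `untrusted_app`, so third-party apps can run su on debug builds; that looks deliberate for a root-management setup, but it should be written down rather than inferred. A comment such as `# su must never be executable on user builds (the build fails if an allow rule slips in); on userdebug/eng only the domains excluded below may execute it, untrusted_app included by design` would capture both facts. The `userdebug_or_eng` block that the hunk closes with `')` begins above the hunk.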
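Review bot: In the vold.te hunk the replacement `allow vold fuseblk:chr_file rw_file_perms;` does not grant what its comment "Allow vold to access fuse for fuse-based fs" describes: `fuseblk` is declared in file.te as a filesystem type (`sdcard_type, fs_type`) and bound by genfs_contexts to fuseblk mounts, so a `chr_file` of that type is a character-device node sitting inside such a mount, not the /dev/fuse device the removed `fuse_device` rule covered. As written the rule is at best dead and at worst gives vold read/write on device nodes on attached external media, which is not something a storage daemon should have. If core policy already grants vold access to `fuse_device` (plausible for N, but confirm), drop both the rule and its comment; otherwise restore `allow vold fuse_device:chr_file rw_file_perms;`. The widening of the ASEC rule from `sdcard_external` to `sdcard_type` on the previous line is consistent with the rest of the change and needs no action.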