authorTreehugger Robot2018-04-03 21:26:56 -0500
committerGerrit Code Review2018-04-03 21:26:56 -0500
commit38a84cf8da9099180fcad56389a87ae2a3ac7261 (patch)
treee40f35613c4a0881ffdac5a6c7d6e64f82d41892
parentc69cbe5590ac6aa46ce74222ff2f86e95d9982e5 (diff)
parentbdf2a9c4174ec84c7241af444299de82f7bedead (diff)
Merge "Rename qtaguid_proc to conform to name conventions"
-rw-r--r--private/compat/26.0/26.0.cil5
-rw-r--r--private/compat/27.0/27.0.cil7
-rw-r--r--private/genfs_contexts2
-rw-r--r--public/app.te2
-rw-r--r--public/dumpstate.te2
-rw-r--r--public/file.te2
-rw-r--r--public/netd.te8
7 files changed, 17 insertions, 11 deletions
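--- a/private/compat/26.0/26.0.cil
+++ b/private/compat/26.0/26.0.cil
@@ -7,6 +7,7 @@
 (type asan_reboot_prop)
 (type log_device)
 (type mediacasserver_service)
+(type qtaguid_proc)
 (type reboot_data_file)
 (type tracing_shell_writable)
 (type tracing_shell_writable_debug)
@@ -522,7 +523,9 @@
 (typeattributeset pstorefs_26_0 (pstorefs))
 (typeattributeset ptmx_device_26_0 (ptmx_device))
 (typeattributeset qtaguid_device_26_0 (qtaguid_device))
-(typeattributeset qtaguid_proc_26_0 (qtaguid_proc))
+(typeattributeset qtaguid_proc_26_0
+ ( qtaguid_proc
+ proc_qtaguid_ctrl))
 (typeattributeset racoon_26_0 (racoon))
 (typeattributeset racoon_exec_26_0 (racoon_exec))
 (typeattributeset racoon_socket_26_0 (racoon_socket))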
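--- a/private/compat/27.0/27.0.cil
+++ b/private/compat/27.0/27.0.cil
@@ -1,7 +1,8 @@
 ;; types removed from current policy
-(type webview_zygote_socket)
+(type qtaguid_proc)
 (type reboot_data_file)
 (type rild)
+(type webview_zygote_socket)
 
 (expandtypeattribute (accessibility_service_27_0) true)
 (expandtypeattribute (account_service_27_0) true)
@@ -1236,7 +1237,9 @@
 (typeattributeset property_socket_27_0 (property_socket))
 (typeattributeset pstorefs_27_0 (pstorefs))
 (typeattributeset ptmx_device_27_0 (ptmx_device))
-(typeattributeset qtaguid_device_27_0 (qtaguid_device))
+(typeattributeset qtaguid_device_27_0
+ ( qtaguid_proc
+ proc_qtaguid_ctrl))
 (typeattributeset qtaguid_proc_27_0 (qtaguid_proc))
 (typeattributeset racoon_27_0 (racoon))
 (typeattributeset racoon_exec_27_0 (racoon_exec))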
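Review bot: The second hunk of 27.0.cil appears to edit the wrong attribute set: new lines 1240-1242 make `qtaguid_device_27_0` contain `qtaguid_proc` and `proc_qtaguid_ctrl` and drop `qtaguid_device`, while `qtaguid_proc_27_0` on new line 1243 still maps only to `(qtaguid_proc)`. The matching hunk in 26.0.cil changes `qtaguid_proc_26_0`, which is what the rename calls for. As written, 27.0 vendor rules that name the old proc type would presumably not reach the renamed ctrl node, and rules written for the `/dev/qtaguid` device type would land on the proc file instead of the device. I would restore `(typeattributeset qtaguid_device_27_0 (qtaguid_device))` and put the two-type set on the next entry, `(typeattributeset qtaguid_proc_27_0 ( qtaguid_proc proc_qtaguid_ctrl))`.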
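--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -17,7 +17,7 @@ genfscon proc /misc u:object_r:proc_misc:s0
 genfscon proc /modules u:object_r:proc_modules:s0
 genfscon proc /mounts u:object_r:proc_mounts:s0
 genfscon proc /net u:object_r:proc_net:s0
-genfscon proc /net/xt_qtaguid/ctrl u:object_r:qtaguid_proc:s0
+genfscon proc /net/xt_qtaguid/ctrl u:object_r:proc_qtaguid_ctrl:s0
 genfscon proc /net/xt_qtaguid/ u:object_r:proc_qtaguid_stat:s0
 genfscon proc /cpuinfo u:object_r:proc_cpuinfo:s0
 genfscon proc /pagetypeinfo u:object_r:proc_pagetypeinfo:s0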
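--- a/public/app.te
+++ b/public/app.te
@@ -178,7 +178,7 @@ allow {
  system_app
  platform_app
  shell
-} qtaguid_proc:file rw_file_perms;
+} proc_qtaguid_ctrl:file rw_file_perms;
 r_dir_file({ appdomain -ephemeral_app -isolated_app }, proc_net)
 # read /proc/net/xt_qtguid/*stat* to per-app network data usage.
 # Exclude isolated app which may not use network sockets.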
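--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -92,7 +92,6 @@ allow dumpstate {
 }:file r_file_perms;
 
 # Other random bits of data we want to collect
-allow dumpstate qtaguid_proc:file r_file_perms;
 allow dumpstate debugfs:file r_file_perms;
 
 # df for
@@ -164,6 +163,7 @@ allow dumpstate {
  proc_net
  proc_pipe_conf
  proc_pagetypeinfo
+ proc_qtaguid_ctrl
  proc_qtaguid_stat
  proc_version
  proc_vmallocinfo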
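Review bot: The closing line of the `allow dumpstate { ... }` set that now lists `proc_qtaguid_ctrl` (new line 166) is outside the hunk, so the class and permission set dumpstate receives on the ctrl node cannot be checked from here. The deleted rule `allow dumpstate qtaguid_proc:file r_file_perms;` was read-only, and the ctrl file is one that other domains in this commit are allowed to write. Confirm the block ends in `:file r_file_perms;` so that folding the type into the list does not widen dumpstate's access.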
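--- a/public/file.te
+++ b/public/file.te
@@ -12,7 +12,7 @@ type proc_min_free_order_shift, fs_type, proc_type;
 # proc, sysfs, or other nodes that permit configuration of kernel usermodehelpers.
 type usermodehelper, fs_type, proc_type;
 type sysfs_usermodehelper, fs_type, sysfs_type;
-type qtaguid_proc, fs_type, mlstrustedobject, proc_type;
+type proc_qtaguid_ctrl, fs_type, mlstrustedobject, proc_type;
 type proc_qtaguid_stat, fs_type, mlstrustedobject, proc_type;
 type proc_bluetooth_writable, fs_type, proc_type;
 type proc_abi, fs_type, proc_type;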
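--- a/public/netd.te
+++ b/public/netd.te
@@ -34,10 +34,10 @@ allow netd devpts:chr_file rw_file_perms;
 # Acquire advisory lock on /system/etc/xtables.lock
 allow netd system_file:file lock;
 
-# Allow netd to write to qtaguid ctrl file. This is the same privilege level that normal apps have
-# TODO: Add proper rules to prevent other process to access qtaguid_proc file after migration
-# complete
-allow netd qtaguid_proc:file rw_file_perms;
+# Allow netd to write to qtaguid ctrl file.
+# TODO: Add proper rules to prevent other process to access qtaguid_proc file
+# after migration complete
+allow netd proc_qtaguid_ctrl:file rw_file_perms;
 # Allow netd to read /dev/qtaguid. This is the same privilege level that normal apps have.
 allow netd qtaguid_device:chr_file r_file_perms;
 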
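Review bot: The rewrapped TODO on new lines 38-39 still names `qtaguid_proc`, the type this commit renames, so the comment no longer matches the rule directly below it. I would update it to `# TODO: Add proper rules to prevent other processes from accessing the proc_qtaguid_ctrl file` / `# after the migration is complete`. The commit also drops the sentence saying this is the same privilege level normal apps have, although app.te in this commit still grants app domains `rw_file_perms` on the same type. If the TODO is meant to track removing that app access, saying so in the comment would make the intended end state clearer.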