author | Treehugger Robot | 2018-04-03 21:26:56 -0500 |
---|---|---|
committer | Gerrit Code Review | 2018-04-03 21:26:56 -0500 |
commit | 38a84cf8da9099180fcad56389a87ae2a3ac7261 (patch) | |
tree | e40f35613c4a0881ffdac5a6c7d6e64f82d41892 | |
parent | c69cbe5590ac6aa46ce74222ff2f86e95d9982e5 (diff) | |
parent | bdf2a9c4174ec84c7241af444299de82f7bedead (diff) | |
Merge "Rename qtaguid_proc to conform to name conventions"
-rw-r--r-- | private/compat/26.0/26.0.cil | 5 | ||||
-rw-r--r-- | private/compat/27.0/27.0.cil | 7 | ||||
-rw-r--r-- | private/genfs_contexts | 2 | ||||
-rw-r--r-- | public/app.te | 2 | ||||
-rw-r--r-- | public/dumpstate.te | 2 | ||||
-rw-r--r-- | public/file.te | 2 | ||||
-rw-r--r-- | public/netd.te | 8 |
7 files changed, 17 insertions, 11 deletions
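--- a/private/compat/26.0/26.0.cil
+++ b/private/compat/26.0/26.0.cil
@@ -7,6 +7,7 @@
 (type asan_reboot_prop)
 (type log_device)
 (type mediacasserver_service)
+(type qtaguid_proc)
 (type reboot_data_file)
 (type tracing_shell_writable)
 (type tracing_shell_writable_debug)
@@ -522,7 +523,9 @@
 (typeattributeset pstorefs_26_0 (pstorefs))
 (typeattributeset ptmx_device_26_0 (ptmx_device))
 (typeattributeset qtaguid_device_26_0 (qtaguid_device))
-(typeattributeset qtaguid_proc_26_0 (qtaguid_proc))
+(typeattributeset qtaguid_proc_26_0
+( qtaguid_proc
+proc_qtaguid_ctrl))
 (typeattributeset racoon_26_0 (racoon))
 (typeattributeset racoon_exec_26_0 (racoon_exec))
 (typeattributeset racoon_socket_26_0 (racoon_socket))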
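--- a/private/compat/27.0/27.0.cil
+++ b/private/compat/27.0/27.0.cil
@@ -1,7 +1,8 @@
 ;; types removed from current policy
-(type webview_zygote_socket)
+(type qtaguid_proc)
 (type reboot_data_file)
 (type rild)
+(type webview_zygote_socket)
 
 (expandtypeattribute (accessibility_service_27_0) true)
 (expandtypeattribute (account_service_27_0) true)
@@ -1236,7 +1237,9 @@
 (typeattributeset property_socket_27_0 (property_socket))
 (typeattributeset pstorefs_27_0 (pstorefs))
 (typeattributeset ptmx_device_27_0 (ptmx_device))
-(typeattributeset qtaguid_device_27_0 (qtaguid_device))
+(typeattributeset qtaguid_device_27_0
+( qtaguid_proc
+proc_qtaguid_ctrl))
 (typeattributeset qtaguid_proc_27_0 (qtaguid_proc))
 (typeattributeset racoon_27_0 (racoon))
 (typeattributeset racoon_exec_27_0 (racoon_exec))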
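Review bot: The second hunk of 27.0.cil rewrites the mapping for `qtaguid_device_27_0` rather than `qtaguid_proc_27_0`: the new side sets `qtaguid_device_27_0` to `(qtaguid_proc proc_qtaguid_ctrl)`, which drops `qtaguid_device` from its own versioned attribute. Meanwhile `qtaguid_proc_27_0` on the next line still lists only `qtaguid_proc`, a type the first hunk moves under "types removed from current policy". The 26.0.cil section of this commit extends `qtaguid_proc_26_0` instead, so the edit here looks like it landed one line too high. If so, vendor rules written against the 27.0 `qtaguid_proc` type would presumably not carry over to `proc_qtaguid_ctrl`, and rules for the 27.0 `qtaguid_device` type would be pointed at the proc control file instead of the device node. Suggested mapping: `(typeattributeset qtaguid_device_27_0 (qtaguid_device))` and `(typeattributeset qtaguid_proc_27_0 (qtaguid_proc proc_qtaguid_ctrl))`.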
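--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -17,7 +17,7 @@ genfscon proc /misc u:object_r:proc_misc:s0
 genfscon proc /modules u:object_r:proc_modules:s0
 genfscon proc /mounts u:object_r:proc_mounts:s0
 genfscon proc /net u:object_r:proc_net:s0
-genfscon proc /net/xt_qtaguid/ctrl u:object_r:qtaguid_proc:s0
+genfscon proc /net/xt_qtaguid/ctrl u:object_r:proc_qtaguid_ctrl:s0
 genfscon proc /net/xt_qtaguid/ u:object_r:proc_qtaguid_stat:s0
 genfscon proc /cpuinfo u:object_r:proc_cpuinfo:s0
 genfscon proc /pagetypeinfo u:object_r:proc_pagetypeinfo:s0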
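--- a/public/app.te
+++ b/public/app.te
@@ -178,7 +178,7 @@ allow {
 system_app
 platform_app
 shell
-} qtaguid_proc:file rw_file_perms;
+} proc_qtaguid_ctrl:file rw_file_perms;
 r_dir_file({ appdomain -ephemeral_app -isolated_app }, proc_net)
 # read /proc/net/xt_qtguid/*stat* to per-app network data usage.
 # Exclude isolated app which may not use network sockets.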
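--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -92,7 +92,6 @@ allow dumpstate {
 }:file r_file_perms;
 
 # Other random bits of data we want to collect
-allow dumpstate qtaguid_proc:file r_file_perms;
 allow dumpstate debugfs:file r_file_perms;
 
 # df for
@@ -164,6 +163,7 @@ allow dumpstate {
 proc_net
 proc_pipe_conf
 proc_pagetypeinfo
+proc_qtaguid_ctrl
 proc_qtaguid_stat
 proc_version
 proc_vmallocinfo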
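--- a/public/file.te
+++ b/public/file.te
@@ -12,7 +12,7 @@ type proc_min_free_order_shift, fs_type, proc_type;
 # proc, sysfs, or other nodes that permit configuration of kernel usermodehelpers.
 type usermodehelper, fs_type, proc_type;
 type sysfs_usermodehelper, fs_type, sysfs_type;
-type qtaguid_proc, fs_type, mlstrustedobject, proc_type;
+type proc_qtaguid_ctrl, fs_type, mlstrustedobject, proc_type;
 type proc_qtaguid_stat, fs_type, mlstrustedobject, proc_type;
 type proc_bluetooth_writable, fs_type, proc_type;
 type proc_abi, fs_type, proc_type;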
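--- a/public/netd.te
+++ b/public/netd.te
@@ -34,10 +34,10 @@ allow netd devpts:chr_file rw_file_perms;
 # Acquire advisory lock on /system/etc/xtables.lock
 allow netd system_file:file lock;
 
-# Allow netd to write to qtaguid ctrl file. This is the same privilege level that normal apps have
-# TODO: Add proper rules to prevent other process to access qtaguid_proc file after migration
-# complete
-allow netd qtaguid_proc:file rw_file_perms;
+# Allow netd to write to qtaguid ctrl file.
+# TODO: Add proper rules to prevent other process to access qtaguid_proc file
+# after migration complete
+allow netd proc_qtaguid_ctrl:file rw_file_perms;
 # Allow netd to read /dev/qtaguid. This is the same privilege level that normal apps have.
 allow netd qtaguid_device:chr_file r_file_perms;
 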
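Review bot: The reworded TODO on new line 38 still names `qtaguid_proc`, the type this commit renames, so the comment no longer matches the `allow netd proc_qtaguid_ctrl:file rw_file_perms;` rule below it; suggest `# TODO: Add proper rules to prevent other process to access proc_qtaguid_ctrl file`. The rewrite also drops "This is the same privilege level that normal apps have" from the first comment line. The app.te section of this commit still grants `rw_file_perms` on `proc_qtaguid_ctrl` to a domain set that includes `system_app`, `platform_app` and `shell`. It would help to keep that sentence, or to state which domains the TODO is meant to lock out once the migration is complete.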