Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
remove overly permissive rules from domain
Move to domain_deprecated Bug: 25433265 Change-Id: Ib21876e450d8146ef9363d6430f6c7f00ab0c7f3
- Loading branch information
1 parent
d22987b
commit 6e3506e
Showing
2 changed files
with
102 additions
and
80 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1 +1,90 @@ | ||
# rules removed from the domain attribute | ||
|
||
# Read access to properties mapping. | ||
allow domain_deprecated kernel:fd use; | ||
allow domain_deprecated tmpfs:file { read getattr }; | ||
allow domain_deprecated tmpfs:lnk_file { read getattr }; | ||
|
||
# Search /storage/emulated tmpfs mount. | ||
allow domain_deprecated tmpfs:dir r_dir_perms; | ||
|
||
# Inherit or receive open files from others. | ||
allow domain_deprecated system_server:fd use; | ||
|
||
# Connect to adbd and use a socket transferred from it. | ||
# This is used for e.g. adb backup/restore. | ||
allow domain_deprecated adbd:unix_stream_socket connectto; | ||
allow domain_deprecated adbd:fd use; | ||
allow domain_deprecated adbd:unix_stream_socket { getattr getopt ioctl read write shutdown }; | ||
|
||
# Root fs. | ||
allow domain_deprecated rootfs:dir r_dir_perms; | ||
allow domain_deprecated rootfs:file r_file_perms; | ||
allow domain_deprecated rootfs:lnk_file r_file_perms; | ||
|
||
# Device accesses. | ||
allow domain_deprecated device:file read; | ||
|
||
# Filesystem accesses. | ||
allow domain_deprecated fs_type:filesystem getattr; | ||
allow domain_deprecated fs_type:dir getattr; | ||
|
||
# System file accesses. | ||
allow domain_deprecated system_file:dir r_dir_perms; | ||
allow domain_deprecated system_file:file r_file_perms; | ||
allow domain_deprecated system_file:lnk_file r_file_perms; | ||
|
||
# Read files already opened under /data. | ||
allow domain_deprecated system_data_file:dir { search getattr }; | ||
allow domain_deprecated system_data_file:file { getattr read }; | ||
allow domain_deprecated system_data_file:lnk_file r_file_perms; | ||
|
||
# Read apk files under /data/app. | ||
allow domain_deprecated apk_data_file:dir { getattr search }; | ||
allow domain_deprecated apk_data_file:file r_file_perms; | ||
allow domain_deprecated apk_data_file:lnk_file r_file_perms; | ||
|
||
# Read /data/dalvik-cache. | ||
allow domain_deprecated dalvikcache_data_file:dir { search getattr }; | ||
allow domain_deprecated dalvikcache_data_file:file r_file_perms; | ||
|
||
# Read already opened /cache files. | ||
allow domain_deprecated cache_file:dir r_dir_perms; | ||
allow domain_deprecated cache_file:file { getattr read }; | ||
allow domain_deprecated cache_file:lnk_file r_file_perms; | ||
|
||
# Read timezone related information | ||
r_dir_file(domain_deprecated, zoneinfo_data_file) | ||
|
||
# For /acct/uid/*/tasks. | ||
allow domain_deprecated cgroup:dir { search write }; | ||
allow domain_deprecated cgroup:file w_file_perms; | ||
|
||
#Allow access to ion memory allocation device | ||
allow domain_deprecated ion_device:chr_file rw_file_perms; | ||
|
||
# Read access to pseudo filesystems. | ||
r_dir_file(domain_deprecated, proc) | ||
r_dir_file(domain_deprecated, sysfs) | ||
r_dir_file(domain_deprecated, sysfs_devices_system_cpu) | ||
r_dir_file(domain_deprecated, inotify) | ||
r_dir_file(domain_deprecated, cgroup) | ||
r_dir_file(domain_deprecated, proc_net) | ||
allow domain_deprecated proc_cpuinfo:file r_file_perms; | ||
|
||
# debugfs access | ||
allow domain_deprecated debugfs:dir r_dir_perms; | ||
allow domain_deprecated debugfs:file w_file_perms; | ||
|
||
# Get SELinux enforcing status. | ||
allow domain_deprecated selinuxfs:dir r_dir_perms; | ||
allow domain_deprecated selinuxfs:file r_file_perms; | ||
|
||
# /data/security files | ||
allow domain_deprecated security_file:dir { search getattr }; | ||
allow domain_deprecated security_file:file getattr; | ||
allow domain_deprecated security_file:lnk_file r_file_perms; | ||
|
||
# World readable asec image contents | ||
allow domain_deprecated asec_public_file:file r_file_perms; | ||
allow domain_deprecated { asec_public_file asec_apk_file }:dir r_dir_perms; |