| -rw-r--r-- | app.te | 2 | ||||
| -rw-r--r-- | domain.te | 5 | ||||
| -rw-r--r-- | init.te | 10 | ||||
| -rw-r--r-- | logd.te | 2 | ||||
| -rw-r--r-- | mediaserver.te | 3 | ||||
| -rw-r--r-- | su.te | 4 |
6 files changed, 22 insertions, 4 deletions
@@ -364,7 +364,7 @@ neverallow { appdomain -system_app -shell }
 # Ability to perform any filesystem operation other than statfs(2).
 # i.e. no mount(2), unmount(2), etc.
-neverallow appdomain fs_type:filesystem ~getattr;
+neverallow appdomain -sudaemon fs_type:filesystem ~getattr;
 # Ability to set system properties.
 neverallow { appdomain -system_app -radio -shell -bluetooth -nfc }
@@ -283,7 +283,7 @@ neverallow { domain -init -ueventd } device:chr_file { open read write };
 # Limit what domains can mount filesystems or change their mount flags.
 # sdcard_type / vfat is exempt as a larger set of domains need
 # this capability, including device-specific domains.
-neverallow { domain -kernel -init -recovery -vold -zygote } { fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto };
+neverallow { domain -kernel -init -recovery -zygote -vold -sudaemon } { fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto };
 #
 # Assert that, to the extent possible, we're not loading executable content from
@@ -293,6 +293,7 @@ neverallow {
 domain
 -appdomain
 -dumpstate
+ -mediaserver
 -shell
 userdebug_or_eng(`-su')
 -system_server
@@ -401,7 +402,7 @@ neverallow domain { file_type fs_type dev_type }:{ lnk_file fifo_file sock_file
 # Nobody should be able to execute su on user builds.
 # On userdebug/eng builds, only dumpstate, shell, and
 # su itself execute su.
-neverallow { domain userdebug_or_eng(`-dumpstate -shell -su -init -untrusted_app -sudaemon') } su_exec:file no_x_file_perms;
+neverallow { domain userdebug_or_eng(`-dumpstate -shell -su -init -untrusted_app -system_app -system_server -platform_app -sudaemon') } su_exec:file no_x_file_perms;
 # Do not allow the introduction of new execmod rules. Text relocations
 # and modification of executable pages are unsafe.
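Review bot: The `-sudaemon` exemption on the replaced line drops the filesystem assertion for sudaemon entirely, although the only matching grant anywhere in this change is `allow sudaemon labeledfs:filesystem remount;` in the su.te hunk. Splitting the rule keeps the check for every other permission: `neverallow { appdomain -sudaemon } fs_type:filesystem ~getattr;` followed by `neverallow sudaemon fs_type:filesystem ~{ getattr remount };`. The same blanket exemption is added to the mount/remount assertion in the domain.te hunk at -283, which also reorders `-vold -zygote` to `-zygote -vold`; keeping the original order there makes the diff show only the intended addition. If sudaemon is not a member of appdomain the app.te change is a no-op and can be dropped, which only the policy files outside this diff can confirm.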
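Review bot: Exempting mediaserver from this assertion pairs with `allow mediaserver mediaserver_tmpfs:file { read write execute };` in the mediaserver.te hunk, so a file mediaserver can write it can also execute, which is the case the comment in the preceding hunk ("we're not loading executable content from" outside the trusted partitions) exists to rule out. Mediaserver handles untrusted media input, so the combination turns a write primitive in that process into code execution with no further step; if the module only needs to map a file it does not modify, dropping `write` from the allow keeps the write-xor-execute property. The exemption line should at least carry a comment naming the reason, e.g. `-mediaserver  # ViPER4Android loads from mediaserver_tmpfs`. The enclosing neverallow block starts and ends outside the hunk.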
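Review bot: The comment two lines above the replaced rule still says that on userdebug/eng builds only dumpstate, shell and su itself execute su, but the exemption list now also names system_app, system_server and platform_app (init, untrusted_app and sudaemon were already there). Update it, e.g. `# On userdebug/eng builds, only dumpstate, shell, su itself, init, sudaemon and the app domains listed below execute su.` Because the list sits inside userdebug_or_eng the user-build assertion is unchanged, but nothing in this diff adds a matching allow for system_server, so either that exemption is unused or the grant lives outside these files; a one-line justification next to it would help a later reader.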
@@ -75,6 +75,10 @@ allow init self:capability sys_time;
 allow init self:capability { sys_rawio mknod };
+# fix some selinux denials related to supersu
+allow init system_file:file execute_no_trans;
+allow zygote init:unix_stream_socket { read write };
+
 # Mounting filesystems from block devices.
 allow init dev_type:blk_file r_file_perms;
@@ -131,6 +135,10 @@ allow init security_file:dir { create setattr };
 # which can be configured on a device-by-device basis if needed.
 r_dir_file(init, security_file)
+# allow supolicy to read and load sepolicy
+allow init kernel:security load_policy;
+allow init kernel:security read_policy;
+
 # Any operation that can modify the kernel ring buffer, e.g. clear
 # or a read that consumes the messages that were read.
 allow init kernel:system syslog_mod;
@@ -291,4 +299,4 @@ neverallow init shell_data_file:lnk_file read;
 neverallow init app_data_file:lnk_file read;
 # init should never execute a program without changing to another domain.
-neverallow init { file_type fs_type }:file execute_no_trans;
+# neverallow init { file_type fs_type }:file execute_no_trans;
@@ -17,7 +17,9 @@ allow logd pstorefs:file r_file_perms;
 r_dir_file(logd, domain)
+allow logd init:fifo_file { read write };
 allow logd kernel:system syslog_mod;
+allow logd fuse:file { write };
 control_logd(logd)
diff --git a/mediaserver.te b/mediaserver.te
index bc942f3..60f3efa 100644
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -107,3 +107,6 @@ allow mediaserver drmserver:drmservice {
 finalizeDecryptUnit
 pread
 };
+
+# Allow ViPER4Android in enforcing mode.
+allow mediaserver mediaserver_tmpfs:file { read write execute };
@@ -51,4 +51,8 @@ userdebug_or_eng(`
 dontaudit su domain:debuggerd *;
 dontaudit su domain:drmservice *;
 dontaudit su unlabeled:filesystem *;
+
+ # Remount the F.. system and run with it
+ allow sudaemon labeledfs:filesystem remount;
+
 ')
|
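Review bot: The third init.te hunk (at -291) comments out `neverallow init { file_type fs_type }:file execute_no_trans;` altogether, while the allow added here only needs `system_file`; narrowing the assertion keeps it for every other type: `neverallow init { file_type fs_type -system_file }:file execute_no_trans;`, and the comment above it (`# init should never execute a program without changing to another domain.`) should then say what the system_file exception is for. `# fix some selinux denials related to supersu` names the symptom rather than the rule's purpose; naming the binary init runs without a transition would let a later reader revisit the rule. `allow zygote init:unix_stream_socket { read write };` has zygote as its source domain and conventionally belongs in zygote.te next to the other zygote rules.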
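Review bot: `allow init kernel:security load_policy;` lets the init domain replace the running policy, and combined with the execute_no_trans grant in the first init.te hunk (-75) every system_file binary that init runs without a domain transition inherits that ability. If only supolicy needs it, running supolicy in its own domain through a domain transition and granting `load_policy` there limits the scope to that one binary. The comment should also make clear that this is a runtime reload rather than a read, e.g. `# supolicy (SuperSU) reads and reloads the running sepolicy from the init domain`.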
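Review bot: The two new rules in the logd.te hunk (at -17) have no comment, unlike the rules around them; `allow logd fuse:file { write };` in particular deserves one, since it lets logd write to files on fuse-mounted storage and nothing nearby says which file that is. Single permissions are written without braces elsewhere in these files, e.g. `allow logd fuse:file write;`.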
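Review bot: `# Remount the F.. system and run with it` in the su.te hunk should describe the rule rather than vent, e.g. `# sudaemon remounts labeledfs filesystems such as /system; userdebug/eng only.` The rule's source domain is sudaemon rather than su, and it sits inside su.te's userdebug_or_eng block while the sudaemon exemptions added to app.te and domain.te are unconditional, so on user builds the assertions are relaxed without any grant; if that is intended, say so in the comment. The enclosing userdebug_or_eng block starts outside the hunk.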
