sepolicy: allow update angine and syslog read
Change-Id: Ib3db5b998bc62c8cda3a298e2d626bacfed37070
sepolicy: allow update angine and syslog read II
Change-Id: Ia656b4767f41e4cbfc21a485f312810b45fc2d58
sepolicy: allow update angine and syslog read III
Change-Id: Ic231ad9f99da96eee9083e4a500eda2c2c4dd655
sepolicy: allow update angine and syslog read IV
Change-Id: I42d55d4adc022b8cc31ff2fb2d486b49829ceaa2
sepolicy: allow update angine and syslog read V
For api 33
Change-Id: I2fe89e2955721e3d50b036c80db3b94d7627c887
sepolicy: policy for ota pt III
Change-Id: Ifad8dabaea731ad4a68e57e8ea29008e5e4fe9e3
sepolocy: sync prebuilts/34.0
Change-Id: Iba65d47940b1056b2a61eade70802e6877996db5
sepolicy: add syslog_read perms for matlog
[micky387] move to private/app.te for A15
Change-Id: Ie7d88e717fe233b3a241d580af85b01639123261
sepolicy: Sync to prebuilts/202404
Change-Id: I8ab8c413af887d2ddb9b0733dccff0ce17f5c2c4
sepolicy: Sync to prebuilts/202404 v2
Change-Id: I40b232478cf86ad45e41690af84d96b35dfb1d4b
diff --git a/prebuilts/api/202404/private/domain.te b/prebuilts/api/202404/private/domain.te
index 66bce05..e3d884a 100644
--- a/prebuilts/api/202404/private/domain.te
+++ b/prebuilts/api/202404/private/domain.te
@@ -495,6 +495,7 @@
vold
vold_prepare_subdirs
zygote
+ update_engine
}')
neverallow ~dac_override_allowed self:global_capability_class_set dac_override;
# Since the kernel checks dac_read_search before dac_override, domains that
diff --git a/prebuilts/api/202404/private/gsid.te b/prebuilts/api/202404/private/gsid.te
index 9391016..7477bbe 100644
--- a/prebuilts/api/202404/private/gsid.te
+++ b/prebuilts/api/202404/private/gsid.te
@@ -173,6 +173,7 @@
-init
-gsid
-fastbootd
+ -update_engine
} gsi_metadata_file_type:dir no_w_dir_perms;
neverallow {
diff --git a/prebuilts/api/202404/public/app.te b/prebuilts/api/202404/public/app.te
index b539913..1dbcfbb 100644
--- a/prebuilts/api/202404/public/app.te
+++ b/prebuilts/api/202404/public/app.te
@@ -157,7 +157,8 @@
proc:dir_file_class_set write;
# Access to syslog(2) or /proc/kmsg.
-neverallow appdomain kernel:system { syslog_read syslog_mod syslog_console };
+neverallow { appdomain -system_app -shell -platform_app -priv_app }
+ kernel:system { syslog_read syslog_mod syslog_console };
# SELinux is not an API for apps to use
neverallow { appdomain -shell } *:security { compute_av check_context };
diff --git a/prebuilts/api/202404/public/domain.te b/prebuilts/api/202404/public/domain.te
index 0a2a5e5..7c6623f 100644
--- a/prebuilts/api/202404/public/domain.te
+++ b/prebuilts/api/202404/public/domain.te
@@ -493,19 +493,20 @@
domain
with_asan(`-asan_extract')
recovery_only(`userdebug_or_eng(`-fastbootd')')
+ -update_engine
} {
system_file_type
vendor_file_type
exec_type
}:dir_file_class_set { create write setattr relabelfrom append unlink link rename };
-neverallow { domain -kernel with_asan(`-asan_extract') } { system_file_type vendor_file_type exec_type }:dir_file_class_set relabelto;
+neverallow { domain -update_engine -coredomain -kernel with_asan(`-asan_extract') } { system_file_type vendor_file_type exec_type }:dir_file_class_set relabelto;
# Don't allow mounting on top of /system files or directories
neverallow * exec_type:dir_file_class_set mounton;
# Nothing should be writing to files in the rootfs.
-neverallow * rootfs:file { create write setattr relabelto append unlink link rename };
+neverallow { domain -recovery -update_engine } rootfs:file { create write setattr relabelto append unlink link rename };
# Restrict context mounts to specific types marked with
# the contextmount_type attribute.
@@ -1102,6 +1103,7 @@
-toolbox # TODO(b/141108496) We want to remove toolbox
-installd # for relabelfrom and unlink, check for this in explicit neverallow
-vold_prepare_subdirs # For unlink
+ -update_engine
with_asan(`-asan_extract')
} system_data_file:file no_w_file_perms;
# do not grant anything greater than r_file_perms and relabelfrom unlink
diff --git a/prebuilts/api/30.0/private/gsid.te b/prebuilts/api/30.0/private/gsid.te
index 3ff9d67..aec3a52 100644
--- a/prebuilts/api/30.0/private/gsid.te
+++ b/prebuilts/api/30.0/private/gsid.te
@@ -144,6 +144,7 @@
-fastbootd
-recovery
-vold
+ -update_engine
} gsi_metadata_file:dir *;
neverallow {
diff --git a/prebuilts/api/30.0/public/app.te b/prebuilts/api/30.0/public/app.te
index c892d9e..04e7bdd 100644
--- a/prebuilts/api/30.0/public/app.te
+++ b/prebuilts/api/30.0/public/app.te
@@ -516,7 +516,7 @@
proc:dir_file_class_set write;
# Access to syslog(2) or /proc/kmsg.
-neverallow appdomain kernel:system { syslog_read syslog_mod syslog_console };
+neverallow { appdomain -platform_app -priv_app -shell } kernel:system { syslog_read syslog_mod syslog_console };
# SELinux is not an API for apps to use
neverallow { appdomain -shell } *:security { compute_av check_context };
diff --git a/prebuilts/api/30.0/public/domain.te b/prebuilts/api/30.0/public/domain.te
index c151b95..a69e358 100644
--- a/prebuilts/api/30.0/public/domain.te
+++ b/prebuilts/api/30.0/public/domain.te
@@ -473,20 +473,21 @@
domain
with_asan(`-asan_extract')
recovery_only(`userdebug_or_eng(`-fastbootd')')
+ -update_engine
} {
system_file_type
vendor_file_type
exec_type
}:dir_file_class_set { create write setattr relabelfrom append unlink link rename };
-neverallow { domain -kernel with_asan(`-asan_extract') } { system_file_type vendor_file_type exec_type }:dir_file_class_set relabelto;
+neverallow { domain -update_engine -kernel with_asan(`-asan_extract') } { system_file_type vendor_file_type exec_type }:dir_file_class_set relabelto;
# Don't allow mounting on top of /system files or directories
neverallow * exec_type:dir_file_class_set mounton;
-neverallow { domain -init } { system_file_type vendor_file_type }:dir_file_class_set mounton;
+neverallow { domain -init -coredomain } { system_file_type vendor_file_type }:dir_file_class_set mounton;
# Nothing should be writing to files in the rootfs.
-neverallow * rootfs:file { create write setattr relabelto append unlink link rename };
+neverallow { domain -recovery -update_engine } rootfs:file { create write setattr relabelto append unlink link rename };
# Restrict context mounts to specific types marked with
# the contextmount_type attribute.
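Review bot: The `-coredomain` added to the mounton neverallow in this 30.0 snapshot exempts every core domain from mounting on top of system and vendor files, which is far wider than the update_engine exemptions the rest of the change adds, and neither the other snapshots nor the live private/domain.te carry it, so it is presumably a leftover. Dropping it restores the original guard, `neverallow { domain -init } { system_file_type vendor_file_type }:dir_file_class_set mounton;`, and if update_engine itself needs to mount there, `-update_engine` is the narrower exemption. Unlike the other snapshots, the relabelto rule in this hunk does not carry `-coredomain`, which is the right shape.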
@@ -630,6 +631,7 @@
# system services cant add vendor services
neverallow {
coredomain
+ -update_engine
} vendor_service:service_manager add;
full_treble_only(`
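Review bot: Exempting update_engine from the neverallow that the comment above it describes as "system services cant add vendor services" lets a core domain register a vendor_service, which is exactly what that rule exists to stop; the exemption is added in the 30.0, 31.0, 32.0 and 33.0 snapshots but not in 34.0, 202404 or the live private/domain.te, so either the live policy is missing it or the older snapshots carry a stale carve-out. If update_engine must publish a binder service, labelling it with a system service type rather than vendor_service would presumably avoid touching this rule at all. A comment on the entry stating which service it registers would make the intent checkable.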
@@ -1151,6 +1153,7 @@
-toolbox # TODO(b/141108496) We want to remove toolbox
-installd # for relabelfrom and unlink, check for this in explicit neverallow
-vold_prepare_subdirs # For unlink
+ -update_engine
with_asan(`-asan_extract')
} system_data_file:file no_w_file_perms;
# do not grant anything greater than r_file_perms and relabelfrom unlink
diff --git a/prebuilts/api/31.0/private/domain.te b/prebuilts/api/31.0/private/domain.te
index b91d36d..d97cd2b 100644
--- a/prebuilts/api/31.0/private/domain.te
+++ b/prebuilts/api/31.0/private/domain.te
@@ -338,6 +338,7 @@
vold
vold_prepare_subdirs
zygote
+ update_engine
}')
neverallow ~dac_override_allowed self:global_capability_class_set dac_override;
# Since the kernel checks dac_read_search before dac_override, domains that
diff --git a/prebuilts/api/31.0/private/gsid.te b/prebuilts/api/31.0/private/gsid.te
index 8a13cb1..da200bd 100644
--- a/prebuilts/api/31.0/private/gsid.te
+++ b/prebuilts/api/31.0/private/gsid.te
@@ -166,6 +166,7 @@
-init
-gsid
-fastbootd
+ -update_engine
} gsi_metadata_file_type:dir no_w_dir_perms;
neverallow {
diff --git a/prebuilts/api/31.0/public/app.te b/prebuilts/api/31.0/public/app.te
index 5527f99..7b8a95a 100644
--- a/prebuilts/api/31.0/public/app.te
+++ b/prebuilts/api/31.0/public/app.te
@@ -534,7 +534,8 @@
proc:dir_file_class_set write;
# Access to syslog(2) or /proc/kmsg.
-neverallow appdomain kernel:system { syslog_read syslog_mod syslog_console };
+neverallow { appdomain -system_app -shell -platform_app -priv_app }
+ kernel:system { syslog_read syslog_mod syslog_console };
# SELinux is not an API for apps to use
neverallow { appdomain -shell } *:security { compute_av check_context };
diff --git a/prebuilts/api/31.0/public/domain.te b/prebuilts/api/31.0/public/domain.te
index 799a2f1..6dffaa1 100644
--- a/prebuilts/api/31.0/public/domain.te
+++ b/prebuilts/api/31.0/public/domain.te
@@ -493,19 +493,20 @@
domain
with_asan(`-asan_extract')
recovery_only(`userdebug_or_eng(`-fastbootd')')
+ -update_engine
} {
system_file_type
vendor_file_type
exec_type
}:dir_file_class_set { create write setattr relabelfrom append unlink link rename };
-neverallow { domain -kernel with_asan(`-asan_extract') } { system_file_type vendor_file_type exec_type }:dir_file_class_set relabelto;
+neverallow { domain -update_engine -coredomain -kernel with_asan(`-asan_extract') } { system_file_type vendor_file_type exec_type }:dir_file_class_set relabelto;
# Don't allow mounting on top of /system files or directories
neverallow * exec_type:dir_file_class_set mounton;
# Nothing should be writing to files in the rootfs.
-neverallow * rootfs:file { create write setattr relabelto append unlink link rename };
+neverallow { domain -recovery -update_engine } rootfs:file { create write setattr relabelto append unlink link rename };
# Restrict context mounts to specific types marked with
# the contextmount_type attribute.
@@ -642,6 +643,7 @@
# system services cant add vendor services
neverallow {
coredomain
+ -update_engine
} vendor_service:service_manager add;
full_treble_only(`
@@ -1141,6 +1143,7 @@
-toolbox # TODO(b/141108496) We want to remove toolbox
-installd # for relabelfrom and unlink, check for this in explicit neverallow
-vold_prepare_subdirs # For unlink
+ -update_engine
with_asan(`-asan_extract')
} system_data_file:file no_w_file_perms;
# do not grant anything greater than r_file_perms and relabelfrom unlink
diff --git a/prebuilts/api/32.0/private/domain.te b/prebuilts/api/32.0/private/domain.te
index b91d36d..d97cd2b 100644
--- a/prebuilts/api/32.0/private/domain.te
+++ b/prebuilts/api/32.0/private/domain.te
@@ -338,6 +338,7 @@
vold
vold_prepare_subdirs
zygote
+ update_engine
}')
neverallow ~dac_override_allowed self:global_capability_class_set dac_override;
# Since the kernel checks dac_read_search before dac_override, domains that
diff --git a/prebuilts/api/32.0/private/gsid.te b/prebuilts/api/32.0/private/gsid.te
index 8a13cb1..da200bd 100644
--- a/prebuilts/api/32.0/private/gsid.te
+++ b/prebuilts/api/32.0/private/gsid.te
@@ -166,6 +166,7 @@
-init
-gsid
-fastbootd
+ -update_engine
} gsi_metadata_file_type:dir no_w_dir_perms;
neverallow {
diff --git a/prebuilts/api/32.0/public/app.te b/prebuilts/api/32.0/public/app.te
index 5527f99..7b8a95a 100644
--- a/prebuilts/api/32.0/public/app.te
+++ b/prebuilts/api/32.0/public/app.te
@@ -534,7 +534,8 @@
proc:dir_file_class_set write;
# Access to syslog(2) or /proc/kmsg.
-neverallow appdomain kernel:system { syslog_read syslog_mod syslog_console };
+neverallow { appdomain -system_app -shell -platform_app -priv_app }
+ kernel:system { syslog_read syslog_mod syslog_console };
# SELinux is not an API for apps to use
neverallow { appdomain -shell } *:security { compute_av check_context };
diff --git a/prebuilts/api/32.0/public/domain.te b/prebuilts/api/32.0/public/domain.te
index 799a2f1..6dffaa1 100644
--- a/prebuilts/api/32.0/public/domain.te
+++ b/prebuilts/api/32.0/public/domain.te
@@ -493,19 +493,20 @@
domain
with_asan(`-asan_extract')
recovery_only(`userdebug_or_eng(`-fastbootd')')
+ -update_engine
} {
system_file_type
vendor_file_type
exec_type
}:dir_file_class_set { create write setattr relabelfrom append unlink link rename };
-neverallow { domain -kernel with_asan(`-asan_extract') } { system_file_type vendor_file_type exec_type }:dir_file_class_set relabelto;
+neverallow { domain -update_engine -coredomain -kernel with_asan(`-asan_extract') } { system_file_type vendor_file_type exec_type }:dir_file_class_set relabelto;
# Don't allow mounting on top of /system files or directories
neverallow * exec_type:dir_file_class_set mounton;
# Nothing should be writing to files in the rootfs.
-neverallow * rootfs:file { create write setattr relabelto append unlink link rename };
+neverallow { domain -recovery -update_engine } rootfs:file { create write setattr relabelto append unlink link rename };
# Restrict context mounts to specific types marked with
# the contextmount_type attribute.
@@ -642,6 +643,7 @@
# system services cant add vendor services
neverallow {
coredomain
+ -update_engine
} vendor_service:service_manager add;
full_treble_only(`
@@ -1141,6 +1143,7 @@
-toolbox # TODO(b/141108496) We want to remove toolbox
-installd # for relabelfrom and unlink, check for this in explicit neverallow
-vold_prepare_subdirs # For unlink
+ -update_engine
with_asan(`-asan_extract')
} system_data_file:file no_w_file_perms;
# do not grant anything greater than r_file_perms and relabelfrom unlink
diff --git a/prebuilts/api/33.0/private/domain.te b/prebuilts/api/33.0/private/domain.te
index bcb9d52..f99bb52 100644
--- a/prebuilts/api/33.0/private/domain.te
+++ b/prebuilts/api/33.0/private/domain.te
@@ -389,6 +389,7 @@
vold
vold_prepare_subdirs
zygote
+ update_engine
}')
neverallow ~dac_override_allowed self:global_capability_class_set dac_override;
# Since the kernel checks dac_read_search before dac_override, domains that
diff --git a/prebuilts/api/33.0/private/gsid.te b/prebuilts/api/33.0/private/gsid.te
index e795cea..e4117a2 100644
--- a/prebuilts/api/33.0/private/gsid.te
+++ b/prebuilts/api/33.0/private/gsid.te
@@ -173,6 +173,7 @@
-init
-gsid
-fastbootd
+ -update_engine
} gsi_metadata_file_type:dir no_w_dir_perms;
neverallow {
diff --git a/prebuilts/api/33.0/public/app.te b/prebuilts/api/33.0/public/app.te
index de3d0ca..6327f38 100644
--- a/prebuilts/api/33.0/public/app.te
+++ b/prebuilts/api/33.0/public/app.te
@@ -166,7 +166,8 @@
proc:dir_file_class_set write;
# Access to syslog(2) or /proc/kmsg.
-neverallow appdomain kernel:system { syslog_read syslog_mod syslog_console };
+neverallow { appdomain -system_app -shell -platform_app -priv_app }
+ kernel:system { syslog_read syslog_mod syslog_console };
# SELinux is not an API for apps to use
neverallow { appdomain -shell } *:security { compute_av check_context };
diff --git a/prebuilts/api/33.0/public/domain.te b/prebuilts/api/33.0/public/domain.te
index de529f5..29b0e33 100644
--- a/prebuilts/api/33.0/public/domain.te
+++ b/prebuilts/api/33.0/public/domain.te
@@ -500,19 +500,20 @@
domain
with_asan(`-asan_extract')
recovery_only(`userdebug_or_eng(`-fastbootd')')
+ -update_engine
} {
system_file_type
vendor_file_type
exec_type
}:dir_file_class_set { create write setattr relabelfrom append unlink link rename };
-neverallow { domain -kernel with_asan(`-asan_extract') } { system_file_type vendor_file_type exec_type }:dir_file_class_set relabelto;
+neverallow { domain -update_engine -coredomain -kernel with_asan(`-asan_extract') } { system_file_type vendor_file_type exec_type }:dir_file_class_set relabelto;
# Don't allow mounting on top of /system files or directories
neverallow * exec_type:dir_file_class_set mounton;
# Nothing should be writing to files in the rootfs.
-neverallow * rootfs:file { create write setattr relabelto append unlink link rename };
+neverallow { domain -recovery -update_engine } rootfs:file { create write setattr relabelto append unlink link rename };
# Restrict context mounts to specific types marked with
# the contextmount_type attribute.
@@ -630,6 +631,7 @@
# system services cant add vendor services
neverallow {
coredomain
+ -update_engine
} vendor_service:service_manager add;
full_treble_only(`
@@ -1116,6 +1118,7 @@
-toolbox # TODO(b/141108496) We want to remove toolbox
-installd # for relabelfrom and unlink, check for this in explicit neverallow
-vold_prepare_subdirs # For unlink
+ -update_engine
with_asan(`-asan_extract')
} system_data_file:file no_w_file_perms;
# do not grant anything greater than r_file_perms and relabelfrom unlink
diff --git a/prebuilts/api/34.0/private/domain.te b/prebuilts/api/34.0/private/domain.te
index f98a285..fb45a9d 100644
--- a/prebuilts/api/34.0/private/domain.te
+++ b/prebuilts/api/34.0/private/domain.te
@@ -466,6 +466,7 @@
vold
vold_prepare_subdirs
zygote
+ update_engine
}')
neverallow ~dac_override_allowed self:global_capability_class_set dac_override;
# Since the kernel checks dac_read_search before dac_override, domains that
diff --git a/prebuilts/api/34.0/private/gsid.te b/prebuilts/api/34.0/private/gsid.te
index 9391016..7477bbe 100644
--- a/prebuilts/api/34.0/private/gsid.te
+++ b/prebuilts/api/34.0/private/gsid.te
@@ -173,6 +173,7 @@
-init
-gsid
-fastbootd
+ -update_engine
} gsi_metadata_file_type:dir no_w_dir_perms;
neverallow {
diff --git a/prebuilts/api/34.0/public/app.te b/prebuilts/api/34.0/public/app.te
index da59f32..1c24cea 100644
--- a/prebuilts/api/34.0/public/app.te
+++ b/prebuilts/api/34.0/public/app.te
@@ -156,7 +156,8 @@
proc:dir_file_class_set write;
# Access to syslog(2) or /proc/kmsg.
-neverallow appdomain kernel:system { syslog_read syslog_mod syslog_console };
+neverallow { appdomain -system_app -shell -platform_app -priv_app }
+ kernel:system { syslog_read syslog_mod syslog_console };
# SELinux is not an API for apps to use
neverallow { appdomain -shell } *:security { compute_av check_context };
diff --git a/prebuilts/api/34.0/public/domain.te b/prebuilts/api/34.0/public/domain.te
index d4be205..03955e3 100644
--- a/prebuilts/api/34.0/public/domain.te
+++ b/prebuilts/api/34.0/public/domain.te
@@ -361,6 +361,7 @@
-init
-ueventd
-vold
+ -recovery
} self:global_capability_class_set mknod;
# No process can map low memory (< CONFIG_LSM_MMAP_MIN_ADDR).
@@ -475,19 +476,20 @@
domain
with_asan(`-asan_extract')
recovery_only(`userdebug_or_eng(`-fastbootd')')
+ -update_engine
} {
system_file_type
vendor_file_type
exec_type
}:dir_file_class_set { create write setattr relabelfrom append unlink link rename };
-neverallow { domain -kernel with_asan(`-asan_extract') } { system_file_type vendor_file_type exec_type }:dir_file_class_set relabelto;
+neverallow { domain -update_engine -coredomain -kernel with_asan(`-asan_extract') } { system_file_type vendor_file_type exec_type }:dir_file_class_set relabelto;
# Don't allow mounting on top of /system files or directories
neverallow * exec_type:dir_file_class_set mounton;
# Nothing should be writing to files in the rootfs.
-neverallow * rootfs:file { create write setattr relabelto append unlink link rename };
+neverallow { domain -recovery -update_engine } rootfs:file { create write setattr relabelto append unlink link rename };
# Restrict context mounts to specific types marked with
# the contextmount_type attribute.
@@ -1084,6 +1086,7 @@
-toolbox # TODO(b/141108496) We want to remove toolbox
-installd # for relabelfrom and unlink, check for this in explicit neverallow
-vold_prepare_subdirs # For unlink
+ -update_engine
with_asan(`-asan_extract')
} system_data_file:file no_w_file_perms;
# do not grant anything greater than r_file_perms and relabelfrom unlink
diff --git a/private/app.te b/private/app.te
index 30931e4..50a9d9a 100644
--- a/private/app.te
+++ b/private/app.te
@@ -656,7 +656,8 @@
proc:dir_file_class_set write;
# Access to syslog(2) or /proc/kmsg.
-neverallow appdomain kernel:system { syslog_read syslog_mod syslog_console };
+neverallow { appdomain -system_app -shell -platform_app -priv_app }
+ kernel:system { syslog_read syslog_mod syslog_console };
# SELinux is not an API for apps to use
neverallow { appdomain -shell } *:security { compute_av check_context };
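Review bot: The rewritten neverallow on the two added lines exempts system_app, platform_app and priv_app from all three of syslog_read, syslog_mod and syslog_console, although the change descriptions only ask for syslog_read for matlog; syslog_mod and syslog_console cover clearing the kernel log and changing console logging and should stay forbidden for every app domain. Splitting the rule keeps the carve-out to the one permission: `neverallow { appdomain -system_app -shell -platform_app -priv_app } kernel:system syslog_read;` followed by `neverallow appdomain kernel:system { syslog_mod syslog_console };`. Exempting the whole priv_app and platform_app attributes also means any privileged app, not just the log viewer, could later be granted kernel log reads, so a dedicated domain for that app would keep the guardrail narrower. The same rule shape is repeated in the prebuilts/api/202404, 31.0, 32.0, 33.0 and 34.0 public/app.te snapshots, while the 30.0 snapshot omits `-system_app`, so if the prebuilt neverallow checks are run that snapshot still forbids system_app — presumably unintended.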
diff --git a/private/domain.te b/private/domain.te
index 61e2ea6..e9f061b 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -609,6 +609,7 @@
-init
-ueventd
-vold
+ -recovery
} self:global_capability_class_set mknod;
# No process can map low memory (< CONFIG_LSM_MMAP_MIN_ADDR).
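Review bot: The `-recovery` exemption added to the mknod capability neverallow is unconditional, whereas the fastbootd exemption in the next hunk is wrapped in `recovery_only(` so that it drops out of the normal boot policy. If recovery only needs CAP_MKNOD when running as the recovery image, wrapping the new entry in the `recovery_only(` macro the same way as the fastbootd entry keeps the neverallow intact for the main policy; if it is needed in both, a comment on the entry saying why would help. The enclosing set starts outside the hunk, and the same entry is added in prebuilts/api/34.0/public/domain.te.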
@@ -727,19 +728,20 @@
domain
with_asan(`-asan_extract')
recovery_only(`userdebug_or_eng(`-fastbootd')')
+ -update_engine
} {
system_file_type
vendor_file_type
exec_type
}:dir_file_class_set { create write setattr relabelfrom append unlink link rename };
-neverallow { domain -kernel with_asan(`-asan_extract') } { system_file_type vendor_file_type exec_type }:dir_file_class_set relabelto;
+neverallow { domain -update_engine -coredomain -kernel with_asan(`-asan_extract') } { system_file_type vendor_file_type exec_type }:dir_file_class_set relabelto;
# Don't allow mounting on top of /system files or directories
neverallow * exec_type:dir_file_class_set mounton;
# Nothing should be writing to files in the rootfs.
-neverallow * rootfs:file { create write setattr relabelto append unlink link rename };
+neverallow { domain -recovery -update_engine } rootfs:file { create write setattr relabelto append unlink link rename };
# Restrict context mounts to specific types marked with
# the contextmount_type attribute.
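Review bot: The `-coredomain` added to the relabelto neverallow removes that guardrail for every core system domain, not just update_engine, which is already listed separately on the same line; dropping `-coredomain` and leaving `domain -update_engine -kernel` plus the existing with_asan entry as the subject set keeps the exemption to the one domain the change is about. The rootfs rule two lines below likewise changes from `*` to `{ domain -recovery -update_engine }`; update_engine is presumably writing partitions rather than files under rootfs, so it is worth stating in a comment which rootfs file write the OTA path needs, or dropping `-update_engine` there if none is. A neverallow exemption only lifts the compile-time check, so each of these carve-outs should be paired with the specific allow rule it is meant to permit. The same hunk is mirrored in the prebuilts/api/202404, 31.0, 32.0, 33.0 and 34.0 public/domain.te snapshots; the 30.0 snapshot instead puts `-coredomain` on the mounton rule.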
@@ -1333,6 +1335,7 @@
-toolbox # TODO(b/141108496) We want to remove toolbox
-installd # for relabelfrom and unlink, check for this in explicit neverallow
-vold_prepare_subdirs # For unlink
+ -update_engine
with_asan(`-asan_extract')
} system_data_file:file no_w_file_perms;
# do not grant anything greater than r_file_perms and relabelfrom unlink
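Review bot: The new `-update_engine` entry is the only one in this exemption list without a reason, while the neighbouring entries each say which write operation they need (`# For unlink`, `# for relabelfrom and unlink`). Exempting a domain from `system_data_file:file no_w_file_perms` lets any later allow rule grant it writes to system data files, so a comment naming the one operation and the allow rule it backs keeps the neverallow auditable: `-update_engine # TODO(review): state which write op on system_data_file the OTA path needs`. The same entry is added in each prebuilt public/domain.te snapshot; the enclosing set starts outside the hunk.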
@@ -1905,6 +1908,7 @@
vold
vold_prepare_subdirs
zygote
+ update_engine
}')
neverallow ~dac_override_allowed self:global_capability_class_set dac_override;
# Since the kernel checks dac_read_search before dac_override, domains that
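Review bot: Adding update_engine to the dac_override_allowed set gives it a standing exemption for CAP_DAC_OVERRIDE, and the comment directly below the hunk notes that the kernel checks dac_read_search before dac_override; if update_engine only needs to read files it does not own, dac_read_search is the narrower capability and the domain can stay out of this set. None of the change descriptions say why dac_override is needed, so a comment on the new entry such as `update_engine # TODO(review): state which file access needs CAP_DAC_OVERRIDE rather than dac_read_search` would record the justification. The same entry is added in the prebuilts/api/202404, 31.0, 32.0, 33.0 and 34.0 private/domain.te snapshots; the enclosing set starts outside the hunk.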
diff --git a/private/gsid.te b/private/gsid.te
index 9391016..7477bbe 100644
--- a/private/gsid.te
+++ b/private/gsid.te
@@ -173,6 +173,7 @@
-init
-gsid
-fastbootd
+ -update_engine
} gsi_metadata_file_type:dir no_w_dir_perms;
neverallow {
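Review bot: update_engine is exempted from the neverallow on writing gsi_metadata_file_type directories without a comment saying what it writes there, and this short exemption list is the only guard keeping other core domains out of that metadata. A comment on the new entry such as `-update_engine # TODO(review): state which gsi metadata dir write the OTA path needs` would record the reason for the next reader. The enclosing neverallow starts outside the hunk, and the same entry is added in each prebuilt private/gsid.te snapshot.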