Merge "Allow perfetto traced_probes to access tracefs on user"
diff --git a/private/bug_map b/private/bug_map
index e9f7b25..712b5c9 100644
--- a/private/bug_map
+++ b/private/bug_map
@@ -12,6 +12,7 @@
surfaceflinger unlabeled dir 68864350
system_server crash_dump process 73128755
system_server vendor_framework_file dir 68826235
+untrusted_app_25 system_data_file dir 72550646
untrusted_app_27 system_data_file dir 72550646
usbd usbd capability 72472544
vold system_data_file file 62140539
diff --git a/public/domain.te b/public/domain.te
index 6f50552..13e4ba9 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -389,6 +389,7 @@
# Init can't do anything with binder calls. If this neverallow rule is being
# triggered, it's probably due to a service with no SELinux domain.
neverallow * init:binder *;
+neverallow * vendor_init:binder *;
# Don't allow raw read/write/open access to block_device
# Rather force a relabel to a more specific type
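Review bot: The comment two lines above the new rule still talks only about init, so `neverallow * vendor_init:binder *;` sits under an explanation that reads as if it covers a single domain, and the "if this neverallow rule is being triggered" sentence no longer identifies which of the two rules it means. Suggest widening it to `# Init and vendor_init can't do anything with binder calls. If either neverallow rule is being triggered, it's probably due to a service with no SELinux domain.` The hunk header counts one more old line than is shown, so a blank context line appears to have been lost in rendering; the comment block itself is intact.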
diff --git a/public/servicemanager.te b/public/servicemanager.te
index c7cd738..87e3a22 100644
--- a/public/servicemanager.te
+++ b/public/servicemanager.te
@@ -12,6 +12,7 @@
allow servicemanager {
domain
-init
+ -vendor_init
-hwservicemanager
-vndservicemanager
}:binder transfer;
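Review bot: The `-vendor_init` exclusion added here, and the matching one in the vendor/vndservicemanager.te hunk, are required only because of the `neverallow * vendor_init:binder *` rule this same change adds to public/domain.te, but nothing at either allow site records that dependency; whoever next edits the transfer set will discover it through a neverallow failure at policy compile time rather than from the policy text. A one-line comment above the allow, `# -init/-vendor_init are required by the init/vendor_init binder neverallows in domain.te`, would tie the three sites together and belongs in vndservicemanager.te as well. The existing TODO in the vndservicemanager hunk about limiting transfer to vendor-only is unaffected by this change.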
diff --git a/public/vendor_init.te b/public/vendor_init.te
index dbb20fd..dd7479f 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -4,6 +4,9 @@
# Communication to the main init process
allow vendor_init init:unix_stream_socket { read write };
+# Vendor init shouldn't communicate with any vendor process, nor most system processes.
+neverallow_establish_socket_comms(vendor_init, { domain -init -logd -su -vendor_init });
+
# Logging to kmsg
allow vendor_init kmsg_device:chr_file { open write };
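Review bot: The new comment states the intent of the `neverallow_establish_socket_comms` rule but not why init, logd and su are carved out of the target set, which is the part a later reader will question when tightening or loosening it. The init exception is explained by the `unix_stream_socket { read write }` allow two lines above; logd is presumably the log socket and su the debug-build-only domain, but neither is visible in this hunk, so that rationale is inferred. Suggest extending the comment to `# Exceptions: init (control socket above), logd (log socket), su (userdebug/eng builds only).`, adjusting the logd/su wording if the actual reason differs. The hunk header counts two more old lines than are shown, so blank context lines appear to have been dropped in rendering and the exact end of the hunk is uncertain.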
diff --git a/vendor/vndservicemanager.te b/vendor/vndservicemanager.te
index f956af8..dbc88fa 100644
--- a/vendor/vndservicemanager.te
+++ b/vendor/vndservicemanager.te
@@ -6,7 +6,7 @@
allow vndservicemanager self:binder set_context_mgr;
# transfer binder objects to other processes (TODO b/35870313 limit this to vendor-only)
-allow vndservicemanager { domain -coredomain -init }:binder transfer;
+allow vndservicemanager { domain -coredomain -init -vendor_init }:binder transfer;
allow vndservicemanager vndbinder_device:chr_file rw_file_perms;