Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / 50563c03671902c76f03554b317f3fa068509611
commit50563c03671902c76f03554b317f3fa068509611[log] [tgz]
authorJeff Vander Stoep <jeffv@google.com>Wed Mar 29 15:50:32 2017 -0700
committerJeff Vander Stoep <jeffv@google.com>Sat Apr 01 07:16:40 2017 -0700
tree7ea1656c71f7a762731b7f1ba10de4736c73c284
parentf4739f40291c4c06697ca1c79f380191b6f0550c [diff]
Ban core components from accessing vendor data types

Vendor and system components are only allowed to share files by
passing open FDs over HIDL. Ban all directory access and all file
accesses other than what can be applied to an open FD such as
ioctl/stat/read/write/append.

This commit asserts that core components marked with attribute
coredomain may only access core data types marked with attribute
core_data_file_type.

A temporary exemption is granted to domains that currently rely on
access.

(cherry picked from commit cd97e71084b026b201f8d5a0bc08c283f8d673cd)

Bug: 34980020
Test: build Marlin policy
Change-Id: I2f0442f2628fbac1f2f7aa5ddf2a13e16b2546cc
4 files changed
tree: 7ea1656c71f7a762731b7f1ba10de4736c73c284
  1. private/
  2. public/
  3. reqd_mask/
  4. tools/
  5. vendor/
  6. Android.mk
  7. CleanSpec.mk
  8. MODULE_LICENSE_PUBLIC_DOMAIN
  9. NOTICE
  10. PREUPLOAD.cfg
  11. README