Merge "Refactor Android.bp build modules for readability"
diff --git a/microdroid/TEST_MAPPING b/microdroid/TEST_MAPPING
new file mode 100644
index 0000000..f6e1c4f
--- /dev/null
+++ b/microdroid/TEST_MAPPING
@@ -0,0 +1,7 @@
+{
+  "imports": [
+    {
+      "path": "packages/modules/Virtualization"
+    }
+  ]
+}
diff --git a/microdroid/system/private/apkdmverity.te b/microdroid/system/private/apkdmverity.te
index c3f718b..84e1575 100644
--- a/microdroid/system/private/apkdmverity.te
+++ b/microdroid/system/private/apkdmverity.te
@@ -36,7 +36,6 @@
 allow apkdmverity kmsg_device:chr_file w_file_perms;
 
 # apkdmverity is forked from microdroid_manager
-# TODO(inseob): remove this
 allow apkdmverity microdroid_manager:fd use;
 
 # Only microdroid_manager can run apkdmverity
diff --git a/microdroid/system/private/domain.te b/microdroid/system/private/domain.te
index c852268..2329a1d 100644
--- a/microdroid/system/private/domain.te
+++ b/microdroid/system/private/domain.te
@@ -271,6 +271,14 @@
 # Properties that microdroid doesn't have but some still want to read.
 dontaudit domain { heapprofd_prop timezone_prop }:file r_file_perms;
 
+###
+### neverallow rules
+###
+
 # Don't allow raw read/write/open access to generic devices.
 # Rather force a relabel to a more specific type.
 neverallow domain device:chr_file { open read write };
+
+# No executable memory unless backed by an unmodified file
+neverallow * self:process { execmem execheap execstack };
+neverallow * *:file execmod;
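Review bot: The two new neverallows take `*` as the source while the existing rule three lines above uses `domain`; as far as I can tell the effect is the same here (only process types are subjects of `self:process` or of a file mapping), but the mixed spelling reads as if the difference were deliberate. Either align them with the neighbouring rule, `neverallow domain self:process { execmem execheap execstack };` and `neverallow domain *:file execmod;`, or add a short comment saying why `*` was chosen. The comment on the execmod line would also help if it said what that permission covers, e.g. `# execmod: re-executing a file mapping the process has modified (text relocations)`, since that is the case "unmodified file" alludes to. With no exemptions, any microdroid domain that later needs text relocations or JIT memory will trip these at policy build time, which is presumably the intent but worth stating.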
diff --git a/microdroid/system/private/odrefresh.te b/microdroid/system/private/odrefresh.te
index 3dd2d2c..c281896 100644
--- a/microdroid/system/private/odrefresh.te
+++ b/microdroid/system/private/odrefresh.te
@@ -19,5 +19,11 @@
 # the current APEXes.
 allow odrefresh apex_info_file:file r_file_perms;
 
+# Minijail uses pipe for the parent process to signal the child (as a fallback
+# mechanism, since Android does not support minijail's preload).
+# TODO(196109647): We can probably remove this once the minijail preload is
+# supported on Android.
+allow odrefresh compos:fifo_file read;
+
 # Do not audit unused resources from parent processes.
 dontaudit odrefresh compos:fd use;
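Review bot: The new `allow odrefresh compos:fifo_file read;` only covers the read itself; using a pipe descriptor inherited from compos also needs `compos:fd use`, and the only rule for that visible in this hunk is the `dontaudit` two lines below, which suppresses the denial rather than granting it. On a domain transition the kernel closes (or redirects to /dev/null) inherited descriptors the new domain may not use, so if no `allow odrefresh compos:fd use;` exists elsewhere in this file, the read rule alone would not keep the minijail pipe alive; please confirm against the denial that motivated the change. If the fd rule does exist outside the hunk, a pointer in the new comment, e.g. `# (fd use on compos is granted above)`, would save the next reader the same check. The rest of odrefresh.te is outside this hunk.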
diff --git a/microdroid/system/private/zipfuse.te b/microdroid/system/private/zipfuse.te
index b88c014..da0cd0f 100644
--- a/microdroid/system/private/zipfuse.te
+++ b/microdroid/system/private/zipfuse.te
@@ -42,7 +42,6 @@
 allow zipfuse extra_apk_file:dir mounton;
 
 # zipfuse is forked from microdroid_manager
-# TODO(inseob): remove this
 allow zipfuse microdroid_manager:fd use;
 
 # Only microdroid_manager can run zipfuse
diff --git a/public/hal_nlinterceptor.te b/public/hal_nlinterceptor.te
index 2076de8..1a738a5 100644
--- a/public/hal_nlinterceptor.te
+++ b/public/hal_nlinterceptor.te
@@ -5,4 +5,4 @@
 
 allow hal_nlinterceptor self:global_capability_class_set net_admin;
 allow hal_nlinterceptor self:netlink_generic_socket create_socket_perms_no_ioctl;
-allow hal_nlinterceptor self:netlink_route_socket { nlmsg_readpriv nlmsg_write };
+allow hal_nlinterceptor self:netlink_route_socket { create_socket_perms_no_ioctl nlmsg_readpriv nlmsg_write };
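Review bot: The route-socket line now grants socket creation together with `nlmsg_write`, but nothing in the file explains why this HAL needs to create its own rtnetlink socket or send route-modifying messages, while the generic-netlink line above it already uses the same macro without comment. A one-line comment ahead of the rule, e.g. `# hal_nlinterceptor opens its own rtnetlink socket; nlmsg_write is needed to send RTM_* requests, not just read them`, would let a reviewer check the grant against the HAL's actual traffic. Keeping the macro first and the raw permissions after it, as written, matches the generic-socket line, so no change there.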