Merge "Label /data/asan/* libs as system_lib_file."
diff --git a/public/domain.te b/public/domain.te
index db0c8cb..e9bdb6d 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -292,8 +292,9 @@
 allowxperm domain devpts:chr_file ioctl unpriv_tty_ioctls;
 
 # All domains must clearly enumerate what ioctls they use
-# on plain files and directories
-allowxperm domain { file_type fs_type }:{ dir file } ioctl { 0 };
+# on filesystem objects (plain files, directories, symbolic links,
+# named pipes, and named sockets)
+allowxperm domain { file_type fs_type }:{ dir notdevfile_class_set } ioctl { 0 };
 
 # Support sqlite F2FS specific optimizations
 # ioctl permission on the specific file type is still required
diff --git a/public/init.te b/public/init.te
index 215246b..02a0dfe 100644
--- a/public/init.te
+++ b/public/init.te
@@ -20,7 +20,7 @@
 # /dev/__properties__
 allow init properties_device:dir relabelto;
 allow init properties_serial:file { write relabelto };
-allow init property_type:file { create_file_perms relabelto };
+allow init property_type:file { append create getattr map open read relabelto rename setattr unlink write };
 # /dev/__properties__/property_info
 allow init properties_device:file create_file_perms;
 allow init property_info:file relabelto;
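Review bot: The new `allow init property_type:file { append create getattr map open read relabelto rename setattr unlink write };` line is a hand-expanded permission list with no comment saying why the `create_file_perms` macro was dropped, so a later reader has no way to know the list is meant to track that macro. It appears to be create_file_perms plus relabelto with ioctl and lock removed, presumably so that init does not trip the new `neverallow domain property_type:file { ioctl lock }` in property.te. Suggest a comment above it: `# create_file_perms (plus relabelto) minus { ioctl lock }: property files are never ioctl'd or locked; see the neverallow in property.te`. The same gap exists in the te_macros hunk, where get_prop's `{ getattr open read map }` replaces r_file_perms without a note explaining the difference.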
diff --git a/public/property.te b/public/property.te
index eb1fef8..0457300 100644
--- a/public/property.te
+++ b/public/property.te
@@ -101,6 +101,12 @@
 ### Neverallow rules
 ###
 
+# There is no need to perform ioctl or advisory locking operations on
+# property files. If this neverallow is being triggered, it is
+# likely that the policy is using r_file_perms directly instead of
+# the get_prop() macro.
+neverallow domain property_type:file { ioctl lock };
+
 # core_property_type should not be used for new properties or
 # device specific properties. Properties with this attribute
 # are readable to everyone, which is overly broad and should
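Review bot: The comment above the new neverallow names only r_file_perms as the likely cause of a violation, but any domain granted rw_file_perms or create_file_perms on property_type will trip it just as well, since those sets also carry ioctl and lock (the init.te hunk in this same change had to expand create_file_perms by hand for exactly that reason). Suggest widening the hint to `# likely that the policy is using r_file_perms, rw_file_perms or create_file_perms directly instead of the get_prop() macro.` so the diagnosis in the comment matches what the rule actually catches.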
diff --git a/public/te_macros b/public/te_macros
index def7b46..e756f36 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -323,7 +323,7 @@
 # targetproperty.
 #
 define(`get_prop', `
-allow $1 $2:file r_file_perms;
+allow $1 $2:file { getattr open read map };
 ')
 
 #####################################