Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / 9a8980aed5f8b8b53d75e8cf6af6eb6b54fdc4ea^2..9a8980aed5f8b8b53d75e8cf6af6eb6b54fdc4ea / .
commit9a8980aed5f8b8b53d75e8cf6af6eb6b54fdc4ea[log] [tgz]
authorSandro Montanari <sandrom@google.com>Wed Oct 12 09:27:01 2022 +0000
committerGerrit Code Review <noreply-gerritcodereview@google.com>Wed Oct 12 09:27:01 2022 +0000
tree98f80b2966bc91a7ead0803ec88dd7d8db8098fb
parentdda67f95f05138345ab6fb91d7c1e53a7ee4bf30 [diff]
parentd0553529bb090a781fbea8aa9109a5b037e2ecad [diff]
Merge "Add auditallow for system properties access from the sdk sandbox"
diff --git a/prebuilts/api/33.0/private/kernel.te b/prebuilts/api/33.0/private/kernel.te
index 6775b3b..03ba79f 100644
--- a/prebuilts/api/33.0/private/kernel.te
+++ b/prebuilts/api/33.0/private/kernel.te

@@ -32,6 +32,19 @@
 allow kernel kmsg_device:chr_file write;
 allow kernel gsid:fd use;
 
+dontaudit kernel metadata_file:dir search;
+dontaudit kernel ota_metadata_file:dir rw_dir_perms;
+dontaudit kernel sysfs:dir r_dir_perms;
+dontaudit kernel sysfs:file { open read write };
+dontaudit kernel sysfs:chr_file { open read write };
+dontaudit kernel dm_device:chr_file ioctl;
+dontaudit kernel self:capability { sys_admin setgid mknod };
+
+dontaudit kernel dm_user_device:dir { write add_name };
+dontaudit kernel dm_user_device:chr_file { create setattr };
+dontaudit kernel tmpfs:lnk_file read;
+dontaudit kernel tmpfs:blk_file { open read };
+
 # Some contexts are changed before the device is flipped into enforcing mode
 # during the setup of Apex sepolicy. These denials can be suppressed since
 # the permissions should not be allowed after the device is flipped into

diff --git a/private/crosvm.te b/private/crosvm.te
index 034107f..c750b50 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te

@@ -42,7 +42,7 @@
 #   read, write, getattr: listener socket polling
 #   accept: listener socket accepting new connection
 # Note that the open permission is not given as the socket is passed by FD.
-allow crosvm virtualizationservice:unix_stream_socket { accept read write getattr };
+allow crosvm virtualizationservice:unix_stream_socket { accept read write getattr getopt };
 
 # Don't allow crosvm to open files that it doesn't own.
 # This is important because a malicious application could try to start a VM with a composite disk

diff --git a/private/kernel.te b/private/kernel.te
index 6775b3b..03ba79f 100644
--- a/private/kernel.te
+++ b/private/kernel.te

@@ -32,6 +32,19 @@
 allow kernel kmsg_device:chr_file write;
 allow kernel gsid:fd use;
 
+dontaudit kernel metadata_file:dir search;
+dontaudit kernel ota_metadata_file:dir rw_dir_perms;
+dontaudit kernel sysfs:dir r_dir_perms;
+dontaudit kernel sysfs:file { open read write };
+dontaudit kernel sysfs:chr_file { open read write };
+dontaudit kernel dm_device:chr_file ioctl;
+dontaudit kernel self:capability { sys_admin setgid mknod };
+
+dontaudit kernel dm_user_device:dir { write add_name };
+dontaudit kernel dm_user_device:chr_file { create setattr };
+dontaudit kernel tmpfs:lnk_file read;
+dontaudit kernel tmpfs:blk_file { open read };
+
 # Some contexts are changed before the device is flipped into enforcing mode
 # during the setup of Apex sepolicy. These denials can be suppressed since
 # the permissions should not be allowed after the device is flipped into