Update sepolicy to use inclusive language
See https://source.android.com/setup/contribute/respectful-code for reference
#inclusivefixit
Bug: 161896447
Test: Build
Change-Id: If612f2270c8ba1d7fc2cbda3b2e8ca3818c0a1be
diff --git a/private/property_contexts b/private/property_contexts
index 357a56c..3a04f09 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -129,7 +129,7 @@
ctl.console u:object_r:ctl_console_prop:s0
ctl. u:object_r:ctl_default_prop:s0
-# Don't allow blind access to all services
+# Don't allow uncontrolled access to all services
ctl.sigstop_on$ u:object_r:ctl_sigstop_prop:s0
ctl.sigstop_off$ u:object_r:ctl_sigstop_prop:s0
ctl.start$ u:object_r:ctl_start_prop:s0
diff --git a/public/app.te b/public/app.te
index 77f85bd..95c4b0a 100644
--- a/public/app.te
+++ b/public/app.te
@@ -542,7 +542,9 @@
tmpfs
}:lnk_file no_w_file_perms;
-# Blacklist app domains not allowed to execute from /data
+# Sensitive app domains are not allowed to execute from /data
+# to prevent persistence attacks and ensure all code is executed
+# from read-only locations.
neverallow {
bluetooth
isolated_app
@@ -563,7 +565,7 @@
-shell # bugreport
} input_device:chr_file ~getattr;
-# Do not allow access to Bluetooth-related system properties except for a few whitelisted domains.
+# Do not allow access to Bluetooth-related system properties except for a few allowed domains.
# neverallow rules for access to Bluetooth-related data files are above.
neverallow {
appdomain
diff --git a/public/domain.te b/public/domain.te
index 4d81d76..f23e832 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -273,19 +273,19 @@
allow domain fs_type:filesystem getattr;
allow domain fs_type:dir getattr;
-# Restrict all domains to a whitelist for common socket types. Additional
+# Restrict all domains to an allowlist for common socket types. Additional
# ioctl commands may be added to individual domains, but this sets safe
-# defaults for all processes. Note that granting this whitelist to domain does
+# defaults for all processes. Note that granting this allowlist to domain does
# not grant the ioctl permission on these socket types. That must be granted
# separately.
allowxperm domain domain:{ icmp_socket rawip_socket tcp_socket udp_socket }
ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
-# default whitelist for unix sockets.
+# default allowlist for unix sockets.
allowxperm domain { domain pdx_channel_socket_type }:{ unix_dgram_socket unix_stream_socket }
ioctl unpriv_unix_sock_ioctls;
-# Restrict PTYs to only whitelisted ioctls.
-# Note that granting this whitelist to domain does
+# Restrict PTYs to only allowed ioctls.
+# Note that granting this allowlist to domain does
# not grant the wider ioctl permission. That must be granted
# separately.
allowxperm domain devpts:chr_file ioctl unpriv_tty_ioctls;
@@ -301,7 +301,7 @@
# Allow a process to make a determination whether a file descriptor
# for a plain file or pipe (fifo_file) is a tty. Note that granting
-# this whitelist to domain does not grant the ioctl permission to
+# this allowlist to domain does not grant the ioctl permission to
# these files. That must be granted separately.
allowxperm domain { file_type fs_type }:file ioctl { TCGETS };
allowxperm domain domain:fifo_file ioctl { TCGETS };
@@ -344,7 +344,7 @@
###
# All ioctls on file-like objects (except chr_file and blk_file) and
-# sockets must be restricted to a whitelist.
+# sockets must be restricted to an allowlist.
neverallowxperm * *:{ dir notdevfile_class_set socket_class_set blk_file } ioctl { 0 };
# b/68014825 and https://android-review.googlesource.com/516535
@@ -359,7 +359,7 @@
# Do not allow any domain other than init to create unlabeled files.
neverallow { domain -init -recovery } unlabeled:dir_file_class_set create;
-# Limit device node creation to these whitelisted domains.
+# Limit device node creation to these allowed domains.
neverallow {
domain
-kernel
@@ -554,7 +554,7 @@
neverallow { domain -init } build_prop:property_service set;
# Do not allow reading device's serial number from system properties except form
-# a few whitelisted domains.
+# a few allowed domains.
neverallow {
domain
-adbd
@@ -941,7 +941,7 @@
full_treble_only(`
# Do not allow vendor components to execute files from system
- # except for the ones whitelist here.
+ # except for the ones allowed here.
neverallow {
domain
-coredomain
@@ -979,7 +979,7 @@
full_treble_only(`
# Do not allow system components to execute files from vendor
- # except for the ones whitelisted here.
+ # except for the ones allowed here.
neverallow {
coredomain
-init
@@ -1008,7 +1008,7 @@
full_treble_only(`
# Do not allow system components access to /vendor files except for the
- # ones whitelisted here.
+ # ones allowed here.
neverallow {
coredomain
# TODO(b/37168747): clean up fwk access to /vendor
@@ -1043,7 +1043,7 @@
full_treble_only(`
# Do not allow vendor components access to /system files except for the
- # ones whitelisted here.
+ # ones allowed here.
neverallow {
domain
-appdomain
@@ -1236,7 +1236,7 @@
# In addition to the symlink reading restrictions above, restrict
# write access to shell owned directories. The /data/local/tmp
-# directory is untrustworthy, and non-whitelisted domains should
+# directory is untrustworthy, and non-allowed domains should
# not be trusting any content in those directories.
neverallow {
domain
diff --git a/tests/treble_sepolicy_tests.py b/tests/treble_sepolicy_tests.py
index 2b25ed7..1046fa8 100644
--- a/tests/treble_sepolicy_tests.py
+++ b/tests/treble_sepolicy_tests.py
@@ -13,11 +13,11 @@
Use file_contexts and policy to verify Treble requirements
are not violated.
'''
-coredomainWhitelist = {
+coredomainAllowlist = {
# TODO: how do we make sure vendor_init doesn't have bad coupling with
# /vendor? It is the only system process which is not coredomain.
'vendor_init',
- # TODO(b/152813275): need to avoid whitelist for rootdir
+ # TODO(b/152813275): need to avoid allowlist for rootdir
"modprobe",
"slideshow",
"healthd",
@@ -92,7 +92,7 @@
domain.coredomain = True
coredomains.add(d)
# check whether domains are executed off of /system or /vendor
- if d in coredomainWhitelist:
+ if d in coredomainAllowlist:
continue
# TODO(b/153112003): add checks to prevent app domains from being
# incorrectly labeled as coredomain. Apps don't have entrypoints as
diff --git a/tools/check_seapp.c b/tools/check_seapp.c
index 6d60a12..1d695c0 100644
--- a/tools/check_seapp.c
+++ b/tools/check_seapp.c
@@ -459,7 +459,7 @@
log_info("Validating %s=%s\n", key, value);
/*
- * Neverallows are completely skipped from sanity checking so you can match
+ * Neverallows are completely skipped from validity checking so you can match
* un-unspecified inputs.
*/
if (is_neverallow) {
diff --git a/tools/insertkeys.py b/tools/insertkeys.py
index ca1e432..51b4ab6 100755
--- a/tools/insertkeys.py
+++ b/tools/insertkeys.py
@@ -56,7 +56,7 @@
# If we ended the certificate trip the flag
inCert = False
- # Sanity check the input
+ # Check the input
if len(base64Key) == 0:
sys.exit("Empty certficate , certificate "+ str(certNo) + " found in file: "
+ path)