Sepolicy: update_engine and matlog context to 202504 api
Change-Id: Ie9050b515ba197794610a46e6fb14c3b43558191
Signed-off-by: micky387 <mickaelsaibi@free.fr>
diff --git a/prebuilts/api/202404/202404_general_sepolicy.conf b/prebuilts/api/202404/202404_general_sepolicy.conf
index 2c418a8..43ba6bb 100644
--- a/prebuilts/api/202404/202404_general_sepolicy.conf
+++ b/prebuilts/api/202404/202404_general_sepolicy.conf
@@ -9424,7 +9424,8 @@
proc:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } write;
# Access to syslog(2) or /proc/kmsg.
-neverallow appdomain kernel:system { syslog_read syslog_mod syslog_console };
+neverallow { appdomain -system_app -shell -platform_app -priv_app }Add commentMore actions
+ kernel:system { syslog_read syslog_mod syslog_console };
# SELinux is not an API for apps to use
neverallow { appdomain -shell } *:security { compute_av check_context };
diff --git a/prebuilts/api/202504/202504_general_sepolicy.conf b/prebuilts/api/202504/202504_general_sepolicy.conf
index 3274553..6b4098f 100644
--- a/prebuilts/api/202504/202504_general_sepolicy.conf
+++ b/prebuilts/api/202504/202504_general_sepolicy.conf
@@ -20249,7 +20249,8 @@
proc:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } write;
# Access to syslog(2) or /proc/kmsg.
-neverallow appdomain kernel:system { syslog_read syslog_mod syslog_console };
+neverallow { appdomain -system_app -shell -platform_app -priv_app }Add commentMore actions
+ kernel:system { syslog_read syslog_mod syslog_console };
# SELinux is not an API for apps to use
neverallow { appdomain -shell } *:security { compute_av check_context };
diff --git a/prebuilts/api/202504/private/app.te b/prebuilts/api/202504/private/app.te
index b359663..d85adfe 100644
--- a/prebuilts/api/202504/private/app.te
+++ b/prebuilts/api/202504/private/app.te
@@ -656,7 +656,8 @@
proc:dir_file_class_set write;
# Access to syslog(2) or /proc/kmsg.
-neverallow appdomain kernel:system { syslog_read syslog_mod syslog_console };
+neverallow { appdomain -system_app -shell -platform_app -priv_app }Add commentMore actions
+ kernel:system { syslog_read syslog_mod syslog_console };
# SELinux is not an API for apps to use
neverallow { appdomain -shell } *:security { compute_av check_context };
diff --git a/prebuilts/api/202504/private/domain.te b/prebuilts/api/202504/private/domain.te
index 8db40a5..78c5695 100644
--- a/prebuilts/api/202504/private/domain.te
+++ b/prebuilts/api/202504/private/domain.te
@@ -621,6 +621,7 @@
-init
-ueventd
-vold
+ -recovery
} self:global_capability_class_set mknod;
# No process can map low memory (< CONFIG_LSM_MMAP_MIN_ADDR).
@@ -741,13 +742,14 @@
recovery_only(`userdebug_or_eng(`-fastbootd')')
userdebug_or_eng(`-kernel')
userdebug_or_eng(`-overlay_remounter')
+ -update_engine
} {
system_file_type
vendor_file_type
exec_type
}:dir_file_class_set { create write setattr relabelfrom append unlink link rename };
-neverallow { domain -kernel with_asan(`-asan_extract') userdebug_or_eng(`-overlay_remounter') } { system_file_type vendor_file_type exec_type }:dir_file_class_set relabelto;
+neverallow { domain -update_engine -coredomain -kernel with_asan(`-asan_extract') userdebug_or_eng(`-overlay_remounter') } { system_file_type vendor_file_type exec_type }:dir_file_class_set relabelto;
# Don't allow mounting on top of /system files or directories
neverallow {
@@ -756,7 +758,7 @@
} exec_type:dir_file_class_set mounton;
# Nothing should be writing to files in the rootfs.
-neverallow * rootfs:file { create write setattr relabelto append unlink link rename };
+neverallow { domain -recovery -update_engine } rootfs:file { create write setattr relabelto append unlink link rename };
# Restrict context mounts to specific types marked with
# the contextmount_type attribute.
@@ -1372,6 +1374,7 @@
-toolbox # TODO(b/141108496) We want to remove toolbox
-installd # for relabelfrom and unlink, check for this in explicit neverallow
-vold_prepare_subdirs # For unlink
+ -update_engine
with_asan(`-asan_extract')
} system_data_file:file no_w_file_perms;
# do not grant anything greater than r_file_perms and relabelfrom unlink
@@ -1964,6 +1967,7 @@
vold
vold_prepare_subdirs
zygote
+ update_engine
userdebug_or_eng(`overlay_remounter')
}')
neverallow ~dac_override_allowed self:global_capability_class_set dac_override;
diff --git a/prebuilts/api/202504/private/gsid.te b/prebuilts/api/202504/private/gsid.te
index 9391016..7477bbe 100644
--- a/prebuilts/api/202504/private/gsid.te
+++ b/prebuilts/api/202504/private/gsid.te
@@ -173,6 +173,7 @@
-init
-gsid
-fastbootd
+ -update_engine
} gsi_metadata_file_type:dir no_w_dir_perms;
neverallow {
diff --git a/prebuilts/api/29.0/public/app.te b/prebuilts/api/29.0/public/app.te
index 5b3459f..f456e7e 100644
--- a/prebuilts/api/29.0/public/app.te
+++ b/prebuilts/api/29.0/public/app.te
@@ -516,7 +516,8 @@
proc:dir_file_class_set write;
# Access to syslog(2) or /proc/kmsg.
-neverallow appdomain kernel:system { syslog_read syslog_mod syslog_console };
+neverallow { appdomain -system_app -shell -platform_app -priv_app }Add commentMore actions
+ kernel:system { syslog_read syslog_mod syslog_console };
# SELinux is not an API for apps to use
neverallow { appdomain -shell } *:security { compute_av check_context };