Skip to content
Snippets Groups Projects
Select Git revision
  • test default
1 result
Blame History Permalink
  • Dan Cashman's avatar
    Remove vndservice_manager object classes. · 2f1c7ba7
    Dan Cashman authored 
    vndservicemanager is a copy of servicemanager, and so has the exact
same properties.  This should be reflected in the sharing of an object
manager in SELinux policy, rather than creating a second one, which is
effectively an attempt at namespacing based on object rather than type
labels.  hwservicemanager, however, provides different and additional
functionality that may be reflected in changed permissions, though they
currently map to the existing servicemanager permissions.  Keep the new
hwservice_manager object manager but remove the vndservice_manager one.

Bug: 34454312
Bug: 36052864
Test: policy builds and device boots.
Change-Id: I9e0c2757be4026101e32ba780f1fa67130cfa14e
    2f1c7ba7
su.te 1.81 KiB 
# File types must be defined for file_contexts.
type su_exec, exec_type, file_type;

userdebug_or_eng(`
  # Domain used for su processes, as well as for adbd and adb shell
  # after performing an adb root command.  The domain definition is
  # wrapped to ensure that it does not exist at all on -user builds.
  type su, domain, mlstrustedsubject;

  # Add su to various domains
  net_domain(su)

  # grant su access to vndbinder
  vndbinder_use(su)

  dontaudit su self:capability_class_set *;
  dontaudit su kernel:security *;
  dontaudit su kernel:system *;
  dontaudit su self:memprotect *;
  dontaudit su domain:process *;
  dontaudit su domain:fd *;
  dontaudit su domain:dir *;
  dontaudit su domain:lnk_file *;
  dontaudit su domain:{ fifo_file file } *;
  dontaudit su domain:socket_class_set *;
  dontaudit su domain:ipc_class_set *;
  dontaudit su domain:key *;
  dontaudit su fs_type:filesystem *;
  dontaudit su {fs_type dev_type file_type}:dir_file_class_set *;
  dontaudit su node_type:node *;
  dontaudit su node_type:{ tcp_socket udp_socket rawip_socket } *;
  dontaudit su netif_type:netif *;
  dontaudit su port_type:socket_class_set *;
  dontaudit su port_type:{ tcp_socket dccp_socket } *;
  dontaudit su domain:peer *;
  dontaudit su domain:binder *;
  dontaudit su property_type:property_service *;
  dontaudit su property_type:file *;
  dontaudit su service_manager_type:service_manager *;
  dontaudit su hwservice_manager_type:hwservice_manager *;
  dontaudit su vndservice_manager_type:service_manager *;
  dontaudit su servicemanager:service_manager list;
  dontaudit su hwservicemanager:hwservice_manager list;
  dontaudit su vndservicemanager:service_manager list;
  dontaudit su keystore:keystore_key *;
  dontaudit su domain:drmservice *;
  dontaudit su unlabeled:filesystem *;
  dontaudit su postinstall_file:filesystem *;
')