Commit b5aeaf6d authored by TreeHugger Robot's avatar TreeHugger Robot Committed by Android (Google) Code Review

Merge "Add extraneous neverallow rule to enforce attribute inclusion." into oc-dev

parents 3692b318 939b50ff
...@@ -497,6 +497,7 @@ neverallow { ...@@ -497,6 +497,7 @@ neverallow {
-recovery -recovery
-ueventd -ueventd
} misc_block_device:blk_file { append link relabelfrom rename write open read ioctl lock }; } misc_block_device:blk_file { append link relabelfrom rename write open read ioctl lock };
neverallow hal_bootctl unlabeled:service_manager list; #TODO: b/62658302
# Only (hw|vnd|)servicemanager should be able to register with binder as the context manager # Only (hw|vnd|)servicemanager should be able to register with binder as the context manager
neverallow { domain -servicemanager -hwservicemanager -vndservicemanager } *:binder set_context_mgr; neverallow { domain -servicemanager -hwservicemanager -vndservicemanager } *:binder set_context_mgr;
...@@ -555,6 +556,7 @@ full_treble_only(` ...@@ -555,6 +556,7 @@ full_treble_only(`
-appdomain -appdomain
-binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
} servicemanager:binder { call transfer }; } servicemanager:binder { call transfer };
neverallow binder_in_vendor_violators unlabeled:service_manager list ; #TODO: b/62658302
') ')
# On full TREBLE devices, only vendor components, shell, and su can use VendorBinder. # On full TREBLE devices, only vendor components, shell, and su can use VendorBinder.
...@@ -613,6 +615,7 @@ full_treble_only(` ...@@ -613,6 +615,7 @@ full_treble_only(`
-incidentd # TODO(b/35870313): Remove incidentd from this list once vendor domains no longer declare Binder services -incidentd # TODO(b/35870313): Remove incidentd from this list once vendor domains no longer declare Binder services
-tombstoned # TODO(b/36604251): Remove tombstoned from this list once mediacodec (OMX HAL) no longer declares Binder services -tombstoned # TODO(b/36604251): Remove tombstoned from this list once mediacodec (OMX HAL) no longer declares Binder services
}); });
neverallow socket_between_core_and_vendor_violators unlabeled:service_manager list ; #TODO: b/62658302
# Vendor domains (except netdomain) are not permitted to initiate communications to netd sockets # Vendor domains (except netdomain) are not permitted to initiate communications to netd sockets
neverallow_establish_socket_comms({ neverallow_establish_socket_comms({
...@@ -644,6 +647,10 @@ full_treble_only(` ...@@ -644,6 +647,10 @@ full_treble_only(`
-pdx_endpoint_socket_type # used by VR layer -pdx_endpoint_socket_type # used by VR layer
-pdx_channel_socket_type # used by VR layer -pdx_channel_socket_type # used by VR layer
}:sock_file ~{ append getattr ioctl read write }; }:sock_file ~{ append getattr ioctl read write };
neverallow {
pdx_endpoint_socket_type
pdx_channel_socket_type
} unlabeled:service_manager list; #TODO: b/62658302
# Core domains are not permitted to create/open sockets owned by vendor domains # Core domains are not permitted to create/open sockets owned by vendor domains
neverallow { neverallow {
...@@ -728,6 +735,7 @@ full_treble_only(` ...@@ -728,6 +735,7 @@ full_treble_only(`
-crash_dump_exec -crash_dump_exec
-netutils_wrapper_exec -netutils_wrapper_exec
}:file { entrypoint execute execute_no_trans }; }:file { entrypoint execute execute_no_trans };
neverallow vendor_executes_system_violators unlabeled:service_manager list; #TODO: b/62658302
') ')
# Only authorized processes should be writing to files in /data/dalvik-cache # Only authorized processes should be writing to files in /data/dalvik-cache
......
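Review bot: The five added `neverallow … unlabeled:service_manager list;` rules carry only `#TODO: b/62658302`, so nothing in the policy says they are placeholders that, per the commit title, exist to keep the named attribute in the compiled policy rather than to restrict anything. The clearest case is the block after the `:sock_file` rule, where `pdx_endpoint_socket_type` and `pdx_channel_socket_type`, listed as socket types in the rule just above, appear in the source position, which reads as a mistake without an explanation. I would put a comment such as `# Placeholder: references the attribute so it is kept in the compiled policy; not a real restriction. Remove with b/62658302.` above each rule, so that an audit does not count them as enforcement and a later cleanup does not drop them unnoticed. Four of the five sit in `full_treble_only(` blocks that open outside the hunks shown, so presumably they are only emitted on full-Treble builds; it is worth confirming that this is the intended scope.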
...@@ -550,6 +550,7 @@ define(`use_drmservice', ` ...@@ -550,6 +550,7 @@ define(`use_drmservice', `
define(`add_service', ` define(`add_service', `
allow $1 $2:service_manager { add find }; allow $1 $2:service_manager { add find };
neverallow { domain -$1 } $2:service_manager add; neverallow { domain -$1 } $2:service_manager add;
neverallow $1 unlabeled:service_manager add; #TODO: b/62658302
') ')
########################################### ###########################################
...@@ -561,6 +562,7 @@ define(`add_hwservice', ` ...@@ -561,6 +562,7 @@ define(`add_hwservice', `
allow $1 $2:hwservice_manager { add find }; allow $1 $2:hwservice_manager { add find };
allow $1 hidl_base_hwservice:hwservice_manager add; allow $1 hidl_base_hwservice:hwservice_manager add;
neverallow { domain -$1 } $2:hwservice_manager add; neverallow { domain -$1 } $2:hwservice_manager add;
neverallow $1 unlabeled:hwservice_manager add; #TODO: b/62658302
') ')
########################################## ##########################################
......
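Review bot: Both `add_service` and `add_hwservice` now assert a neverallow on `unlabeled` for every domain that calls them, and the only explanation is `#TODO: b/62658302`. Since the macros are expanded once per invocation, a policy author who hits a neverallow failure naming `unlabeled:service_manager add` or `unlabeled:hwservice_manager add` gets no hint why the macro asserts it. I would add a line inside each macro body such as `# Placeholder so that $1 is referenced by a rule and kept in the compiled policy (b/62658302).`, keeping the comment free of quote characters because it sits inside the m4-quoted body. Unlike the `list` placeholders elsewhere in this commit, denying `add` on an unlabeled service type looks like a reasonable constraint in its own right, so the bug could also record whether the rule should stay as a real assertion.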