Página inicial Explorar Ajuda
Registrar Entrar
drachfly
/
android10
1
0
Fork 0
Arquivos Issues 0 Pull Requests 0 Wiki
Branch: master
Branches Tags
android10
/
system
/
sepolicy
/
public
/
hal_configstore.te

hal_configstore.te 2.3 KB
Link permanente Histórico Raw

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768 
  1. # HwBinder IPC from client to server
    2. 

  2. binder_call(hal_configstore_client, hal_configstore_server)
    3. 

  3. 

  4. hal_attribute_hwservice(hal_configstore, hal_configstore_ISurfaceFlingerConfigs)
    5. 

  5. 

  6. # hal_configstore runs with a strict seccomp filter. Use crash_dump's
    7. 

  7. # fallback path to collect crash data.
    8. 

  8. crash_dump_fallback(hal_configstore_server)
    9. 

  9. 

  10. ###
    11. 

  11. ### neverallow rules
    12. 

  12. ###
    13. 

  13. 

  14. # Should never execute an executable without a domain transition
    15. 

  15. neverallow hal_configstore_server { file_type fs_type }:file execute_no_trans;
    16. 

  16. 

  17. # Should never need network access. Disallow sockets except for
    18. 

  18. # for unix stream/dgram sockets used for logging/debugging.
    19. 

  19. neverallow hal_configstore_server domain:{
    20. 

  20.   rawip_socket tcp_socket udp_socket
    21. 

  21.   netlink_route_socket netlink_selinux_socket
    22. 

  22.   socket netlink_socket packet_socket key_socket appletalk_socket
    23. 

  23.   netlink_tcpdiag_socket netlink_nflog_socket
    24. 

  24.   netlink_xfrm_socket netlink_audit_socket
    25. 

  25.   netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket
    26. 

  26.   netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket
    27. 

  27.   netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket
    28. 

  28.   netlink_rdma_socket netlink_crypto_socket
    29. 

  29. } *;
    30. 

  30. neverallow hal_configstore_server {
    31. 

  31.   domain
    32. 

  32.   -hal_configstore_server
    33. 

  33.   -logd
    34. 

  34.   userdebug_or_eng(`-su')
    35. 

  35.   -tombstoned
    36. 

  36.   userdebug_or_eng(`-heapprofd')
    37. 

  37. }:{ unix_dgram_socket unix_stream_socket } *;
    38. 

  38. 

  39. # Should never need access to anything on /data
    40. 

  40. neverallow hal_configstore_server {
    41. 

  41.   data_file_type
    42. 

  42.   -anr_data_file # for crash dump collection
    43. 

  43.   -tombstone_data_file # for crash dump collection
    44. 

  44.   -zoneinfo_data_file # granted to domain
    45. 

  45.   with_native_coverage(`-method_trace_data_file')
    46. 

  46. }:{ file fifo_file sock_file } *;
    47. 

  47. 

  48. # Should never need sdcard access
    49. 

  49. neverallow hal_configstore_server {
    50. 

  50.     sdcard_type
    51. 

  51.     fuse sdcardfs vfat exfat        # manual expansion for completeness
    52. 

  52. }:dir ~getattr;
    53. 

  53. neverallow hal_configstore_server {
    54. 

  54.     sdcard_type
    55. 

  55.     fuse sdcardfs vfat exfat        # manual expansion for completeness
    56. 

  56. }:file *;
    57. 

  57. 

  58. # Do not permit access to service_manager and vndservice_manager
    59. 

  59. neverallow hal_configstore_server *:service_manager *;
    60. 

  60. 

  61. # No privileged capabilities
    62. 

  62. neverallow hal_configstore_server self:capability_class_set *;
    63. 

  63. 

  64. # No ptracing other processes
    65. 

  65. neverallow hal_configstore_server *:process ptrace;
    66. 

  66. 

  67. # no relabeling
    68. 

  68. neverallow hal_configstore_server *:dir_file_class_set { relabelfrom relabelto };
    69.