authorBaocheng Sun <baocheng.sun@amlogic.com>2017-10-20 07:03:00 (GMT)
committer Tellen Yu <tellen.yu@amlogic.com>2017-11-01 03:23:02 (GMT)
commit94373a40843e72fcef53a5130626c1249e855d23 (patch)
tree1949aa45bada9ee95cab44f9dbcbd3d8b33cb4d3
parent77d95ce6ccb6046f9a55187c7d1fb873493f0673 (diff)
sepolicy: update droidvold related sepolicy [4/4]
PD# 151674 update droidvold related sepolicy Change-Id: Ib4d35841f82199d9f14885db05a85bdb5ac722cd
Diffstat
-rw-r--r--common/core_amlogic.mk6
-rw-r--r--common/sepolicy/droidvold.te61
-rw-r--r--common/sepolicy/file_contexts1
-rw-r--r--common/sepolicy/hwservice.te1
-rw-r--r--common/sepolicy/hwservice_contexts1
-rw-r--r--common/sepolicy/hwservicemanager.te7
-rw-r--r--common/sepolicy/mediaextractor.te2
-rw-r--r--common/sepolicy/ntfs-3g.te24
-rw-r--r--common/sepolicy/platform_app.te4
-rw-r--r--common/sepolicy/service.te1
-rw-r--r--common/sepolicy/service_contexts2
-rw-r--r--common/sepolicy/system_app.te5
-rw-r--r--common/sepolicy/vold.te2
-rw-r--r--p212/manifest.xml9
-rw-r--r--p230/manifest.xml9
15 files changed, 127 insertions, 8 deletions
diff --git a/common/core_amlogic.mk b/common/core_amlogic.mk
index 5858b2f..a87cbd0 100644
--- a/common/core_amlogic.mk
+++ b/common/core_amlogic.mk
@@ -423,6 +423,12 @@ PRODUCT_PACKAGES += \
android.hardware.health@1.0-impl \
android.hardware.health@1.0-service
+# DroidVold
+PRODUCT_PACKAGES += \
+ vendor.amlogic.hardware.droidvold@10 \
+ vendor.amlogic.hardware.droidvold@10_vendor \
+ vendor.amlogic.hardware.droidvold-V1.0-java
+
ifeq ($(TARGET_BUILD_GOOGLE_ATV), true)
PRODUCT_IS_ATV := true
endif
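Review bot: The two native module names are written `droidvold@10` and `droidvold@10_vendor`, but the manifests in this commit declare version `1.0` and the Java library on the next line is `-V1.0-java`. If the missing dot is in the commit itself rather than an artifact of how this page was rendered, the names should read `vendor.amlogic.hardware.droidvold@1.0` and `vendor.amlogic.hardware.droidvold@1.0_vendor`. A name in PRODUCT_PACKAGES that matches no module is normally skipped without an error, so the HAL libraries would be left out of the image and the failure would only show up at runtime.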
diff --git a/common/sepolicy/droidvold.te b/common/sepolicy/droidvold.te
index cb8ae6b..5c62af5 100644
--- a/common/sepolicy/droidvold.te
+++ b/common/sepolicy/droidvold.te
@@ -3,6 +3,12 @@ type droidvold_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(droidvold)
+# Read access to pseudo filesystems.
+r_dir_file(droidvold, proc)
+r_dir_file(droidvold, sysfs_type)
+
+
+allow droidvold proc_meminfo:file r_file_perms;
allow droidvold self:capability { setgid setuid };
allow droidvold cpuctl_device:dir search;
@@ -13,9 +19,9 @@ allow droidvold system_data_file:fifo_file { open read write };
allow droidvold block_device:dir { create read write search add_name };
-allow droidvold fuseblk:filesystem mount;
+allow droidvold fuseblk:filesystem { mount unmount };
-#allow droidvold self:capability { dac_override sys_admin };
+allow droidvold self:capability { net_admin dac_override sys_admin sys_rawio chown fowner fsetid };
allow droidvold tmpfs:dir create_dir_perms;
allow droidvold tmpfs:dir mounton;
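Review bot: The re-enabled capability rule gives droidvold `dac_override`, `sys_admin` and `sys_rawio` in one line, with nothing recording which operation needs each of them. Elsewhere in this file the daemon mounts vfat/exfat/ntfs volumes and reads `sda_block_device`, so it appears to handle externally supplied media, which makes each extra capability worth justifying. I would split the set by purpose and add a comment to each part, for example `# mount/umount of external volumes` above `allow droidvold self:capability sys_admin;`. `sys_rawio` should stay only if a denial in the audit log shows it is needed, since the read-only block-device rules added later in this file do not obviously require it.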
@@ -25,7 +31,6 @@ allow droidvold mnt_media_rw_file:dir { r_dir_perms };
allow droidvold mnt_media_rw_stub_file:dir { r_dir_perms mounton };
allow droidvold droidvold:netlink_kobject_uevent_socket { create setopt bind read getopt };
-allow droidvold self:capability { net_admin };
allow droidvold rootfs:dir mounton;
allow droidvold rootfs:file { read open getattr };
@@ -36,3 +41,53 @@ allow droidvold { sysfs sysfs_zram sysfs_zram_uevent }:file { write open read };
allow droidvold file_contexts_file:file r_file_perms;
allow proc_net proc:filesystem { associate };
+
+allow droidvold self:process { setexec setfscreate };
+allow droidvold sysfs:file { getattr };
+# For sgdisk launched through popen()
+# allow droidvold shell_exec:file rx_file_perms;
+
+allow droidvold hwservicemanager_prop:file { open read getattr };
+
+allow droidvold hwservicemanager:binder { call transfer };
+allow droidvold { droidvold_hwservice hidl_base_hwservice }:hwservice_manager { add };
+
+allow droidvold system_app:binder { call transfer };
+
+allow droidvold mnt_media_rw_file:dir { create_dir_perms mounton };
+allow droidvold mnt_media_rw_file:file create_file_perms;
+
+allow droidvold ntfs:filesystem { mount unmount};
+allow droidvold exfat:filesystem { mount unmount};
+allow droidvold vfat:filesystem { mount unmount};
+allow droidvold { vfat exfat ntfs }:dir rw_dir_perms;
+
+allow droidvold iso9660:filesystem { mount unmount};
+allow droidvold hfsplus:filesystem { mount unmount};
+
+# For vold Process::killProcessesWithOpenFiles function.
+allow droidvold domain:dir r_dir_perms;
+allow droidvold domain:{ file lnk_file } r_file_perms;
+allow droidvold domain:process { signal sigkill };
+allow droidvold self:capability { kill };
+
+allow droidvold platform_app:file r_file_perms;
+allow droidvold platform_app:dir { open read getattr search };
+allow droidvold init:file r_file_perms;
+allow droidvold init:dir { r_dir_perms search };
+
+allow droidvold platform_app:lnk_file { open getattr read };
+allow droidvold init:lnk_file { open getattr read };
+allow droidvold untrusted_app:lnk_file { open getattr read };
+
+
+# Allowed read-only access to droidvold block devices to extract UUID/label
+allow droidvold vold_device:blk_file r_file_perms;
+allow droidvold sda_block_device:dir search;
+allow droidvold sda_block_device:blk_file r_file_perms;
+
+allow droidvold fuse_device:chr_file r_file_perms;
+
+allow droidvold devpts:chr_file rw_file_perms;
+
+domain_auto_trans(droidvold, ntfs_3g_exec, ntfs_3g);
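Review bot: The killProcessesWithOpenFiles block lets droidvold read `/proc/<pid>` entries of, and send `signal`/`sigkill` to, every type in `domain`. The seven per-domain rules after it for `platform_app`, `init` and `untrusted_app` grant nothing that `domain:dir r_dir_perms` and `domain:{ file lnk_file } r_file_perms` do not already cover. I would delete those seven rules so the file shows the real scope in one place, and extend the comment to `# Needed to find and kill holders of open files before unmount; applies to all domains`. system_app.te in this commit lets `system_app` call droidvold over binder, so it is worth confirming that the interface methods reaching this kill path only accept mount points droidvold itself manages. The same applies to `setexec`, which has no comment and looks unnecessary given the `domain_auto_trans` to `ntfs_3g` on the last line.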
diff --git a/common/sepolicy/file_contexts b/common/sepolicy/file_contexts
index 4a5806b..0e22eec 100644
--- a/common/sepolicy/file_contexts
+++ b/common/sepolicy/file_contexts
@@ -122,6 +122,7 @@
/vendor/bin/systemcontrol u:object_r:system_control_exec:s0
/vendor/bin/hdmicecd u:object_r:hdmicecd_exec:s0
/vendor/bin/droidvold u:object_r:droidvold_exec:s0
+/vendor/bin/ntfs-3g u:object_r:ntfs_3g_exec:s0
/vendor/bin/tee-supplicant u:object_r:tee_exec:s0
/vendor/bin/tee_preload_fw u:object_r:firmload_exec:s0
diff --git a/common/sepolicy/hwservice.te b/common/sepolicy/hwservice.te
index 9668e00..7f6168c 100644
--- a/common/sepolicy/hwservice.te
+++ b/common/sepolicy/hwservice.te
@@ -1,2 +1,3 @@
type systemcontrol_hwservice, hwservice_manager_type;
type hdmicecd_hwservice, hwservice_manager_type;
+type droidvold_hwservice, hwservice_manager_type;
diff --git a/common/sepolicy/hwservice_contexts b/common/sepolicy/hwservice_contexts
index e6787ae..fb676c2 100644
--- a/common/sepolicy/hwservice_contexts
+++ b/common/sepolicy/hwservice_contexts
@@ -1,2 +1,3 @@
vendor.amlogic.hardware.systemcontrol::ISystemControl u:object_r:systemcontrol_hwservice:s0
vendor.amlogic.hardware.hdmicec::IDroidHdmiCEC u:object_r:hdmicecd_hwservice:s0
+vendor.amlogic.hardware.droidvold::IDroidVold u:object_r:droidvold_hwservice:s0
diff --git a/common/sepolicy/hwservicemanager.te b/common/sepolicy/hwservicemanager.te
index b74d62b..7e9542b 100644
--- a/common/sepolicy/hwservicemanager.te
+++ b/common/sepolicy/hwservicemanager.te
@@ -6,4 +6,9 @@ allow hwservicemanager system_control:process { getattr };
allow hwservicemanager hdmicecd:binder { call transfer };
allow hwservicemanager hdmicecd:dir { search };
allow hwservicemanager hdmicecd:file { read open };
-allow hwservicemanager hdmicecd:process { getattr }; \ No newline at end of file
+allow hwservicemanager hdmicecd:process { getattr };
+
+allow hwservicemanager droidvold:binder { call transfer };
+allow hwservicemanager droidvold:dir { search };
+allow hwservicemanager droidvold:file { read open };
+allow hwservicemanager droidvold:process { getattr };
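Review bot: These four rules, together with `allow droidvold hwservicemanager:binder { call transfer }` in droidvold.te, hand-expand what I believe AOSP's te_macros already provides as `hwbinder_use(droidvold)`. More importantly, the registration rule in droidvold.te is a bare `hwservice_manager { add }`, so nothing stops another domain from later being allowed to register `droidvold_hwservice`. Using `hwbinder_use(droidvold)` and `add_hwservice(droidvold, droidvold_hwservice)` in droidvold.te would replace the manual rules and, as far as I recall the macro definition, also emit a neverallow that restricts registration to droidvold. The existing hdmicecd rules above follow the same hand-written pattern and could be converted in a follow-up.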
diff --git a/common/sepolicy/mediaextractor.te b/common/sepolicy/mediaextractor.te
index 79ed75b..2223556 100644
--- a/common/sepolicy/mediaextractor.te
+++ b/common/sepolicy/mediaextractor.te
@@ -2,3 +2,5 @@ get_prop(mediaextractor, media_prop)
allow mediaextractor exfat:file { read getattr };
allow mediaextractor ntfs:file { read getattr };
+allow mediaextractor vfat:file { read getattr };
+allow mediaextractor fuseblk:file { read getattr };
diff --git a/common/sepolicy/ntfs-3g.te b/common/sepolicy/ntfs-3g.te
new file mode 100644
index 0000000..d92f033
--- a/dev/null
+++ b/common/sepolicy/ntfs-3g.te
@@ -0,0 +1,24 @@
+type ntfs_3g, domain;
+type ntfs_3g_exec, exec_type, vendor_file_type, file_type;
+
+allow ntfs_3g droidvold:fd use;
+allow ntfs_3g fuseblk:filesystem { mount unmount };
+
+allow ntfs_3g devpts:chr_file rw_file_perms;
+allow ntfs_3g droidvold:fifo_file rw_file_perms;
+allow ntfs_3g self:capability { setgid setuid sys_admin };
+
+allow ntfs_3g block_device:dir { open read search getattr };
+allow ntfs_3g sda_block_device:dir search;
+allow ntfs_3g sda_block_device:blk_file rw_file_perms;
+
+allow ntfs_3g fuse_device:chr_file rw_file_perms;
+allow ntfs_3g tmpfs:dir {open read search getattr };
+
+allow ntfs_3g mnt_media_rw_file:dir { create_dir_perms mounton };
+allow ntfs_3g mnt_media_rw_file:file create_file_perms;
+
+allow ntfs_3g proc:file { open read getattr };
+
+#init_daemon_domain(ntfs-3g)
+
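Review bot: The new `ntfs_3g` domain holds `sys_admin`, `setuid` and `setgid` and has read-write access to `sda_block_device`, and the file has no header comment explaining what the domain is for or why it needs each capability. This process parses on-disk structures from whatever volume is plugged in, so it should be the most tightly confined piece of this change. I would add a header such as `# FUSE helper started by droidvold to mount NTFS volumes; parses untrusted media` and confirm from audit logs whether `setuid`/`setgid` and `mnt_media_rw_file:file create_file_perms` are really used. The trailing `#init_daemon_domain(ntfs-3g)` should be removed: the domain is entered through `domain_auto_trans` from droidvold, and the hyphenated name does not match the `ntfs_3g` type anyway.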
diff --git a/common/sepolicy/platform_app.te b/common/sepolicy/platform_app.te
index 37d09a7..3a00268 100644
--- a/common/sepolicy/platform_app.te
+++ b/common/sepolicy/platform_app.te
@@ -14,8 +14,8 @@
#allow platform_app udf:dir { search open read getattr };
#allow platform_app udf:file { open read getattr };
#
-#allow platform_app fuseblk:dir create_dir_perms;
-#allow platform_app fuseblk:file create_file_perms;
+allow platform_app fuseblk:dir create_dir_perms;
+allow platform_app fuseblk:file create_file_perms;
#
#allow platform_app tvserver_service:service_manager find;
#allow system_app unlabeled:dir { search read write getattr };
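Review bot: Un-commenting these two rules gives every `platform_app` create, write, rename and unlink on any file or directory labelled `fuseblk`, and nothing records why, while the neighbouring rules for other filesystems stay commented out. The mediaextractor change in this commit gets by with `{ read getattr }` on the same type. If platform apps only need to browse NTFS volumes, `r_dir_perms` and `r_file_perms` would be enough. If write access is intended, add a comment naming the app that requires it, for example `# <app name> writes to NTFS volumes mounted by droidvold`.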
diff --git a/common/sepolicy/service.te b/common/sepolicy/service.te
index 52f1a75..234033f 100644
--- a/common/sepolicy/service.te
+++ b/common/sepolicy/service.te
@@ -7,3 +7,4 @@ type pppoe_service, service_manager_type;
type screenmediasource_service, service_manager_type;
type tee_service, service_manager_type;
type tv_remote_service,system_server_service, service_manager_type;
+type droidmount_service, service_manager_type;
diff --git a/common/sepolicy/service_contexts b/common/sepolicy/service_contexts
index 9617d41..7050e2b 100644
--- a/common/sepolicy/service_contexts
+++ b/common/sepolicy/service_contexts
@@ -7,4 +7,4 @@ tvservice u:object_r:tvserver_service:s0
media.screenmediasource u:object_r:screenmediasource_service:s0
tee_supplicant u:object_r:tee_service:s0
tv_remote u:object_r:tv_remote_service:s0
-droidmount u:object_r:mount_service:s0
+droidmount u:object_r:droidmount_service:s0
diff --git a/common/sepolicy/system_app.te b/common/sepolicy/system_app.te
index f9dd27b..1ffe0b0 100644
--- a/common/sepolicy/system_app.te
+++ b/common/sepolicy/system_app.te
@@ -73,3 +73,8 @@ allow system_app mnt_media_rw_file:dir r_dir_perms;
allow system_app { systemcontrol_hwservice hdmicecd_hwservice }:hwservice_manager { find };
allow system_app { system_control hdmicecd }:binder { call transfer };
+
+allow system_app droidvold_hwservice:hwservice_manager { find };
+allow system_app droidvold:binder { call transfer };
+
+allow system_app droidmount_service:service_manager { add };
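Review bot: The `droidmount_service` registration is granted with a bare `service_manager { add }`, which leaves out the neverallow that AOSP's `add_service` macro attaches to keep other domains from registering the same name. I would write `add_service(system_app, droidmount_service)` instead. service_contexts in this commit also moves `droidmount` off `mount_service`, and no `find` rule for the new type appears anywhere in the visible hunks, so clients that used to look the service up through their `mount_service` permission may now be denied. It is worth checking whether a matching `find` rule exists elsewhere in the tree.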
diff --git a/common/sepolicy/vold.te b/common/sepolicy/vold.te
index cccd57c..5b6d691 100644
--- a/common/sepolicy/vold.te
+++ b/common/sepolicy/vold.te
@@ -29,7 +29,7 @@
allow vold tee_data_file:dir { open read ioctl };
-#allow vold vold_block_device:blk_file { create read open ioctl unlink };
+allow vold vold_block_device:blk_file { create read open ioctl unlink };
#for hw keymaster
allow vold drm_device:chr_file {open read write ioctl};
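Review bot: This re-enables `create` and `unlink` on `vold_block_device:blk_file` for vold in a commit that is otherwise about droidvold, and it removes the only hint (the comment marker) that the rule was once considered unnecessary. droidvold.te in the same commit refers to `vold_device`, not `vold_block_device`, so please confirm the type used here is declared in this tree and is the label the device nodes actually carry. A one-line comment such as `# vold creates and removes block nodes for managed volumes` would record why the rule is back.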
diff --git a/p212/manifest.xml b/p212/manifest.xml
index 153af53..47ff9b8 100644
--- a/p212/manifest.xml
+++ b/p212/manifest.xml
@@ -169,6 +169,15 @@
<instance>default</instance>
</interface>
</hal>
+ <hal format="hidl">
+ <name>vendor.amlogic.hardware.droidvold</name>
+ <transport>hwbinder</transport>
+ <version>1.0</version>
+ <interface>
+ <name>IDroidVold</name>
+ <instance>default</instance>
+ </interface>
+ </hal>
<hal>
<name>vendor.amlogic.hardware.hdmicec</name>
<transport>hwbinder</transport>
diff --git a/p230/manifest.xml b/p230/manifest.xml
index 1bf74e9..c53f6e0 100644
--- a/p230/manifest.xml
+++ b/p230/manifest.xml
@@ -169,6 +169,15 @@
<instance>default</instance>
</interface>
</hal>
+ <hal format="hidl">
+ <name>vendor.amlogic.hardware.droidvold</name>
+ <transport>hwbinder</transport>
+ <version>1.0</version>
+ <interface>
+ <name>IDroidVold</name>
+ <instance>default</instance>
+ </interface>
+ </hal>
<hal>
<name>vendor.amlogic.hardware.hdmicec</name>
<transport>hwbinder</transport>