authorLiang Ji <liang.ji@amlogic.com>2020-06-22 11:36:04 (GMT)
committer Liang Ji <liang.ji@amlogic.com>2020-06-23 08:21:29 (GMT)
commitc65188525b0845c2a632aaa020e3de198515c0a6 (patch)
tree614103b95bdc68d6e761a3dbfa20b271ccc4867e
parent6fb3cc7d5660859ba0946c668fe4ccc4456fd02e (diff)
selinux: selinux policy regarding /mnt/vendor/factory [1/1]
PD#GH-495 BUG=159573308 Problem: security review of sepolicy for /mnt/vendor accesses Solution: Separate the /mnt/vendor/factory from the /mnt/vendor/* Verify: Sabrina Signed-off-by: Liang Ji <liang.ji@amlogic.com> Merged-In: I73d96f9457f4e80f96918330dd745821d8004d0e Change-Id: I73d96f9457f4e80f96918330dd745821d8004d0e
Diffstat
-rwxr-xr-xsepolicy/file.te3
-rw-r--r--sepolicy/file_contexts2
-rw-r--r--sepolicy/init.te1
-rwxr-xr-xsepolicy/tee.te3
4 files changed, 7 insertions, 2 deletions
diff --git a/sepolicy/file.te b/sepolicy/file.te
index b4bbaec..1540b69 100755
--- a/sepolicy/file.te
+++ b/sepolicy/file.te
@@ -30,7 +30,6 @@ type fastboot_aml_file, file_type;
#boot
type boot_data_file, file_type;
-type factory_data_file, file_type;
type misc_data_file, file_type;
#power
@@ -92,3 +91,5 @@ type sysfs_stb, fs_type, sysfs_type;
type aml_debugfs, fs_type, debugfs_type;
type sysfs_dmc, fs_type, sysfs_type;
type sysfs_reboot, fs_type, sysfs_type;
+
+type factory_vendor_file, file_type;
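Review bot: The new `factory_vendor_file` type is appended after the sysfs/debugfs types with no section comment, while the rest of file.te groups declarations under headers such as `#boot` and `#power`; a one-line comment stating what the type labels would make the declaration self-explaining, e.g. `# /mnt/vendor/factory (vendor factory data mount, see file_contexts)` above the new line. Since the same commit removes `factory_data_file` in the first hunk and its `/factory(/.*)?` entry in file_contexts, any rule elsewhere that still references `factory_data_file` would fail to resolve at policy build time; the diffstat shows only these four files changed, so presumably no such rule exists, but it is worth confirming with a full policy build. The first hunk of this file appears truncated in this view (its header counts seven old lines but fewer are shown).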
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index 8fb8405..84ac38b 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -129,7 +129,6 @@
# boot files
#
/boot(/.*)? u:object_r:boot_data_file:s0
-/factory(/.*)? u:object_r:factory_data_file:s0
/misc(/.*)? u:object_r:misc_data_file:s0
/sys/devices/platform/bt-dev/rfkill/rfkill0/state u:object_r:sysfs_bluetooth_writable:s0
@@ -283,6 +282,7 @@
/param(/.*)? u:object_r:param_tv_file:s0
/mnt/vendor/tee(/.*)? u:object_r:tee_vendor_file:s0
/mnt/vendor/param(/.*)? u:object_r:param_tv_file:s0
+/mnt/vendor/factory(/.*)? u:object_r:factory_vendor_file:s0
/dev/usb-ffs/fastboot(/.*)? u:object_r:fastboot_aml_file:s0
diff --git a/sepolicy/init.te b/sepolicy/init.te
index 6167999..0402a46 100644
--- a/sepolicy/init.te
+++ b/sepolicy/init.te
@@ -35,6 +35,7 @@ allow init debugfs:dir { mounton };
allow init mnt_vendor_file:dir mounton;
allow init tee_vendor_file:dir mounton;
+allow init factory_vendor_file:dir mounton;
allow init socket_device:sock_file { create setattr unlink };
diff --git a/sepolicy/tee.te b/sepolicy/tee.te
index 4560c4c..681d3a2 100755
--- a/sepolicy/tee.te
+++ b/sepolicy/tee.te
@@ -27,3 +27,6 @@ allow tee tee:tcp_socket { create bind listen accept };
allow tee tee:capability { net_raw };
allow tee port:tcp_socket { name_bind };
allow tee node:tcp_socket { node_bind };
+
+allow tee factory_vendor_file:dir create_dir_perms;
+allow tee factory_vendor_file:file r_file_perms;
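Review bot: The two new rules are asymmetric: `tee` gets `create_dir_perms` on `factory_vendor_file` directories but only `r_file_perms` on files, so it can create and remove directories under /mnt/vendor/factory yet cannot create or write any file there. If that is the intended least-privilege contract (factory data is provisioned elsewhere and only read by tee), a comment saying so would stop a later maintainer from "fixing" it by widening to `rw_file_perms`; if tee is expected to write factory data, the file rule is too narrow and will surface as an avc denial at runtime. Suggested comment above the two rules: `# tee reads factory data under /mnt/vendor/factory; directory management only, no file writes`. The tee domain's other rules start outside this hunk.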