MiPad4/android_device_xiaomi_sdm660-common
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

sdm660-common: sepolicy: don't do anything on untrusted_app

Browse source 
* allowing any extra permission for "untrustred_app" domain is DANGER
* the "untrustred_app" domain rule should ONLY be defined by aosp
* kill all don't audit except getopt for untrusted_app. it's a tool to show which app are evil, let it show in audit logs

Signed-off-by: pix106 <sbordenave@gmail.com>
This commit is contained in:
Alcatraz323 2023-10-25 13:32:58 +08:00 committed by pix106
parent bfa61a3f25
commit 14aa292b1a
3 changed files with 6 additions and 38 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
sepolicy/private/untrusted_app.te
View file

@ -1 +0,0 @@
allow untrusted_app zygote:unix_stream_socket { getopt };

10
sepolicy/vendor/dontaudit.te vendored
View file

@ -1,7 +1,3 @@
# Apps are no longer allowed open access to /dev/ashmem, unless they
# target API level < Q.
dontaudit untrusted_app ashmem_device:chr_file open;
dontaudit adbd self:capability sys_admin; dontaudit adbd self:capability sys_admin;
dontaudit blkid self:capability sys_admin; dontaudit blkid self:capability sys_admin;
dontaudit blkid_untrusted self:capability sys_admin; dontaudit blkid_untrusted self:capability sys_admin;
@ -30,6 +26,12 @@ dontaudit vendor_pd_mapper self:capability sys_admin;
dontaudit vendor_toolbox self:capability sys_admin; dontaudit vendor_toolbox self:capability sys_admin;
dontaudit vold_prepare_subdirs self:capability sys_admin; dontaudit vold_prepare_subdirs self:capability sys_admin;
dontaudit untrusted_app zygote:unix_stream_socket getopt;
dontaudit untrusted_app_25 zygote:unix_stream_socket getopt;
dontaudit untrusted_app_27 zygote:unix_stream_socket getopt;
dontaudit untrusted_app_29 zygote:unix_stream_socket getopt;
dontaudit untrusted_app_30 zygote:unix_stream_socket getopt;
# Neverallow: no domain should be allowed to ptrace init # Neverallow: no domain should be allowed to ptrace init
# at system/sepolicy/public/init.te # at system/sepolicy/public/init.te
dontaudit crash_dump init:process ptrace; dontaudit crash_dump init:process ptrace;

33
sepolicy/vendor/untrusted_app.te vendored
View file

@ -1,33 +0,0 @@
allow untrusted_app zygote:unix_stream_socket { getopt };
allow untrusted_app_25 zygote:unix_stream_socket getopt;
allow untrusted_app_27 zygote:unix_stream_socket getopt;
allow untrusted_app_29 zygote:unix_stream_socket getopt;
allow untrusted_app_30 zygote:unix_stream_socket getopt;
# dontaudit
dontaudit untrusted_app proc_zoneinfo: file { read };
dontaudit untrusted_app system_lib_file:file { execmod };
dontaudit untrusted_app proc_version:file { read };
dontaudit untrusted_app proc_net_tcp_udp:file { read };
dontaudit untrusted_app selinuxfs:file { read };
dontaudit untrusted_app serialno_prop:file { read };
dontaudit untrusted_app app_data_file:file { execute execute_no_trans };
dontaudit untrusted_app mnt_vendor_file:dir { search };
dontaudit untrusted_app proc:file { read };
dontaudit untrusted_app proc:file { open };
dontaudit untrusted_app proc_net_tcp_udp:file { open };
dontaudit untrusted_app_30 system_linker_exec:file { execmod };
allow untrusted_app rootfs:dir { read };
allow untrusted_app proc_kmsg:file { getattr };
allow untrusted_app proc_keys:file { getattr };
allow untrusted_app proc_swaps:file { getattr };
allow untrusted_app proc_modules:file { read };
get_prop(untrusted_app, wifi_hal_prop)
allow untrusted_app rootfs:dir { open };
allow untrusted_app sysfs:dir { read };
allow untrusted_app block_device:dir { search };