Skip to content

Commit

Permalink
Update language to comply with Android's inclusive language guidance …
Browse files Browse the repository at this point in the history
…am: a0e7a6d

Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1382607

Change-Id: I334e3430d48521b0124f76e87c781e752fc84fac
  • Loading branch information
Jeff Sharkey authored and android-build-merge-worker-robot committed Jul 31, 2020
2 parents ce416b0 + a0e7a6d commit bf4ffe3
Show file tree
Hide file tree
Showing 67 changed files with 150 additions and 150 deletions.
4 changes: 2 additions & 2 deletions prebuilts/api/26.0/private/app.te
Original file line number Diff line number Diff line change
Expand Up @@ -494,7 +494,7 @@ neverallow appdomain {
tmpfs
}:lnk_file no_w_file_perms;

# Blacklist app domains not allowed to execute from /data
# Denylist app domains not allowed to execute from /data
neverallow {
bluetooth
isolated_app
Expand All @@ -515,7 +515,7 @@ neverallow {
-shell # bugreport
} input_device:chr_file ~getattr;

# Do not allow access to Bluetooth-related system properties except for a few whitelisted domains.
# Do not allow access to Bluetooth-related system properties except for a few allowlisted domains.
# neverallow rules for access to Bluetooth-related data files are above.
neverallow {
appdomain
Expand Down
2 changes: 1 addition & 1 deletion prebuilts/api/26.0/private/domain.te
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ domain_auto_trans(domain, crash_dump_exec, crash_dump);
allow domain crash_dump:process sigchld;

# Limit ability to ptrace or read sensitive /proc/pid files of processes
# with other UIDs to these whitelisted domains.
# with other UIDs to these allowlisted domains.
neverallow {
domain
-vold
Expand Down
2 changes: 1 addition & 1 deletion prebuilts/api/26.0/private/incidentd.te
Original file line number Diff line number Diff line change
Expand Up @@ -66,7 +66,7 @@ allow incidentd shell_exec:file rx_file_perms;
# TODO control_logd(incidentd)

# Allow incidentd to find these standard groups of services.
# Others can be whitelisted individually.
# Others can be allowlisted individually.
allow incidentd {
system_server_service
app_api_service
Expand Down
4 changes: 2 additions & 2 deletions prebuilts/api/26.0/private/system_server.te
Original file line number Diff line number Diff line change
Expand Up @@ -50,7 +50,7 @@ allow system_server zygote:unix_stream_socket { getopt getattr };

# system server gets network and bluetooth permissions.
net_domain(system_server)
# in addition to ioctls whitelisted for all domains, also allow system_server
# in addition to ioctls allowlisted for all domains, also allow system_server
# to use privileged ioctls commands. Needed to set up VPNs.
allowxperm system_server self:udp_socket ioctl priv_sock_ioctls;
bluetooth_domain(system_server)
Expand Down Expand Up @@ -92,7 +92,7 @@ allow system_server config_gz:file { read open };
# Use generic "sockets" where the address family is not known
# to the kernel. The ioctl permission is specifically omitted here, but may
# be added to device specific policy along with the ioctl commands to be
# whitelisted.
# allowlisted.
allow system_server self:socket create_socket_perms_no_ioctl;

# Set and get routes directly via netlink.
Expand Down
26 changes: 13 additions & 13 deletions prebuilts/api/26.0/public/domain.te
Original file line number Diff line number Diff line change
Expand Up @@ -195,19 +195,19 @@ allow domain debugfs_trace_marker:file w_file_perms;
allow domain fs_type:filesystem getattr;
allow domain fs_type:dir getattr;

# Restrict all domains to a whitelist for common socket types. Additional
# Restrict all domains to a allowlist for common socket types. Additional
# ioctl commands may be added to individual domains, but this sets safe
# defaults for all processes. Note that granting this whitelist to domain does
# defaults for all processes. Note that granting this allowlist to domain does
# not grant the ioctl permission on these socket types. That must be granted
# separately.
allowxperm domain domain:{ rawip_socket tcp_socket udp_socket }
ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
# default whitelist for unix sockets.
# default allowlist for unix sockets.
allowxperm domain domain:{ unix_dgram_socket unix_stream_socket }
ioctl unpriv_unix_sock_ioctls;

# Restrict PTYs to only whitelisted ioctls.
# Note that granting this whitelist to domain does
# Restrict PTYs to only allowlisted ioctls.
# Note that granting this allowlist to domain does
# not grant the wider ioctl permission. That must be granted
# separately.
allowxperm domain devpts:chr_file ioctl unpriv_tty_ioctls;
Expand All @@ -223,7 +223,7 @@ allow { domain -domain } vndservice_manager_type:service_manager { add find };
### neverallow rules
###

# All socket ioctls must be restricted to a whitelist.
# All socket ioctls must be restricted to a allowlist.
neverallowxperm domain domain:socket_class_set ioctl { 0 };

# TIOCSTI is only ever used for exploits. Block it.
Expand All @@ -234,7 +234,7 @@ neverallowxperm * devpts:chr_file ioctl TIOCSTI;
# Do not allow any domain other than init or recovery to create unlabeled files.
neverallow { domain -init -recovery } unlabeled:dir_file_class_set create;

# Limit device node creation to these whitelisted domains.
# Limit device node creation to these allowlisted domains.
neverallow {
domain
-kernel
Expand All @@ -243,7 +243,7 @@ neverallow {
-vold
} self:capability mknod;

# Limit raw I/O to these whitelisted domains. Do not apply to debug builds.
# Limit raw I/O to these allowlisted domains. Do not apply to debug builds.
neverallow {
domain
userdebug_or_eng(`-domain')
Expand Down Expand Up @@ -343,7 +343,7 @@ neverallow { domain -kernel -init -recovery -vold -zygote -update_engine -otapre

#
# Assert that, to the extent possible, we're not loading executable content from
# outside the rootfs or /system partition except for a few whitelisted domains.
# outside the rootfs or /system partition except for a few allowlisted domains.
#
neverallow {
domain
Expand Down Expand Up @@ -445,7 +445,7 @@ neverallow { domain -init } default_prop:property_service set;
neverallow { domain -init } mmc_prop:property_service set;

# Do not allow reading device's serial number from system properties except form
# a few whitelisted domains.
# a few allowlisted domains.
neverallow {
domain
-adbd
Expand Down Expand Up @@ -668,7 +668,7 @@ full_treble_only(`
')

# On TREBLE devices, a limited set of files in /vendor are accessible to
# only a few whitelisted coredomains to keep system/vendor separation.
# only a few allowlisted coredomains to keep system/vendor separation.
full_treble_only(`
# Limit access to /vendor/app
neverallow {
Expand Down Expand Up @@ -722,7 +722,7 @@ full_treble_only(`
} vendor_shell_exec:file { execute execute_no_trans };

# Do not allow vendor components to execute files from system
# except for the ones whitelist here.
# except for the ones allowlist here.
neverallow {
domain
-coredomain
Expand Down Expand Up @@ -923,7 +923,7 @@ neverallow {

# In addition to the symlink reading restrictions above, restrict
# write access to shell owned directories. The /data/local/tmp
# directory is untrustworthy, and non-whitelisted domains should
# directory is untrustworthy, and non-allowlisted domains should
# not be trusting any content in those directories.
neverallow {
domain
Expand Down
2 changes: 1 addition & 1 deletion prebuilts/api/26.0/public/hal_wifi_supplicant.te
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@ binder_call(hal_wifi_supplicant_server, hal_wifi_supplicant_client)
add_hwservice(hal_wifi_supplicant_server, hal_wifi_supplicant_hwservice)
allow hal_wifi_supplicant_client hal_wifi_supplicant_hwservice:hwservice_manager find;

# in addition to ioctls whitelisted for all domains, grant hal_wifi_supplicant priv_sock_ioctls.
# in addition to ioctls allowlisted for all domains, grant hal_wifi_supplicant priv_sock_ioctls.
allowxperm hal_wifi_supplicant self:udp_socket ioctl priv_sock_ioctls;

r_dir_file(hal_wifi_supplicant, sysfs_type)
Expand Down
2 changes: 1 addition & 1 deletion prebuilts/api/26.0/public/netd.te
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@ type netd, domain, mlstrustedsubject;
type netd_exec, exec_type, file_type;

net_domain(netd)
# in addition to ioctls whitelisted for all domains, grant netd priv_sock_ioctls.
# in addition to ioctls allowlisted for all domains, grant netd priv_sock_ioctls.
allowxperm netd self:udp_socket ioctl priv_sock_ioctls;

r_dir_file(netd, cgroup)
Expand Down
2 changes: 1 addition & 1 deletion prebuilts/api/26.0/public/vendor_toolbox.te
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@ type vendor_toolbox_exec, exec_type, vendor_file_type, file_type;
# or read, execute the vendor_toolbox file.
full_treble_only(`
# Do not allow non-vendor domains to transition
# to vendor toolbox except for the whitelisted domains.
# to vendor toolbox except for the allowlisted domains.
neverallow {
coredomain
-init
Expand Down
4 changes: 2 additions & 2 deletions prebuilts/api/27.0/private/app.te
Original file line number Diff line number Diff line change
Expand Up @@ -512,7 +512,7 @@ neverallow appdomain {
tmpfs
}:lnk_file no_w_file_perms;

# Blacklist app domains not allowed to execute from /data
# Denylist app domains not allowed to execute from /data
neverallow {
bluetooth
isolated_app
Expand All @@ -533,7 +533,7 @@ neverallow {
-shell # bugreport
} input_device:chr_file ~getattr;

# Do not allow access to Bluetooth-related system properties except for a few whitelisted domains.
# Do not allow access to Bluetooth-related system properties except for a few allowlisted domains.
# neverallow rules for access to Bluetooth-related data files are above.
neverallow {
appdomain
Expand Down
2 changes: 1 addition & 1 deletion prebuilts/api/27.0/private/domain.te
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ domain_auto_trans(domain, crash_dump_exec, crash_dump);
allow domain crash_dump:process sigchld;

# Limit ability to ptrace or read sensitive /proc/pid files of processes
# with other UIDs to these whitelisted domains.
# with other UIDs to these allowlisted domains.
neverallow {
domain
-vold
Expand Down
2 changes: 1 addition & 1 deletion prebuilts/api/27.0/private/incidentd.te
Original file line number Diff line number Diff line change
Expand Up @@ -66,7 +66,7 @@ allow incidentd shell_exec:file rx_file_perms;
# TODO control_logd(incidentd)

# Allow incidentd to find these standard groups of services.
# Others can be whitelisted individually.
# Others can be allowlisted individually.
allow incidentd {
system_server_service
app_api_service
Expand Down
2 changes: 1 addition & 1 deletion prebuilts/api/27.0/private/isolated_app.te
Original file line number Diff line number Diff line change
Expand Up @@ -74,7 +74,7 @@ neverallow isolated_app *:hwservice_manager *;
neverallow isolated_app vndbinder_device:chr_file *;

# Isolated apps must not be permitted to perform actions on Binder and VndBinder service_manager
# except the find actions for services whitelisted below.
# except the find actions for services allowlisted below.
neverallow isolated_app *:service_manager ~find;

# b/17487348
Expand Down
4 changes: 2 additions & 2 deletions prebuilts/api/27.0/private/system_server.te
Original file line number Diff line number Diff line change
Expand Up @@ -50,7 +50,7 @@ allow system_server zygote:unix_stream_socket { getopt getattr };

# system server gets network and bluetooth permissions.
net_domain(system_server)
# in addition to ioctls whitelisted for all domains, also allow system_server
# in addition to ioctls allowlisted for all domains, also allow system_server
# to use privileged ioctls commands. Needed to set up VPNs.
allowxperm system_server self:udp_socket ioctl priv_sock_ioctls;
bluetooth_domain(system_server)
Expand Down Expand Up @@ -95,7 +95,7 @@ allow system_server config_gz:file { read open };
# Use generic "sockets" where the address family is not known
# to the kernel. The ioctl permission is specifically omitted here, but may
# be added to device specific policy along with the ioctl commands to be
# whitelisted.
# allowlisted.
allow system_server self:socket create_socket_perms_no_ioctl;

# Set and get routes directly via netlink.
Expand Down
26 changes: 13 additions & 13 deletions prebuilts/api/27.0/public/domain.te
Original file line number Diff line number Diff line change
Expand Up @@ -195,19 +195,19 @@ allow domain debugfs_trace_marker:file w_file_perms;
allow domain fs_type:filesystem getattr;
allow domain fs_type:dir getattr;

# Restrict all domains to a whitelist for common socket types. Additional
# Restrict all domains to a allowlist for common socket types. Additional
# ioctl commands may be added to individual domains, but this sets safe
# defaults for all processes. Note that granting this whitelist to domain does
# defaults for all processes. Note that granting this allowlist to domain does
# not grant the ioctl permission on these socket types. That must be granted
# separately.
allowxperm domain domain:{ rawip_socket tcp_socket udp_socket }
ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
# default whitelist for unix sockets.
# default allowlist for unix sockets.
allowxperm domain domain:{ unix_dgram_socket unix_stream_socket }
ioctl unpriv_unix_sock_ioctls;

# Restrict PTYs to only whitelisted ioctls.
# Note that granting this whitelist to domain does
# Restrict PTYs to only allowlisted ioctls.
# Note that granting this allowlist to domain does
# not grant the wider ioctl permission. That must be granted
# separately.
allowxperm domain devpts:chr_file ioctl unpriv_tty_ioctls;
Expand All @@ -226,7 +226,7 @@ with_asan(`allow domain system_data_file:dir getattr;')
### neverallow rules
###

# All socket ioctls must be restricted to a whitelist.
# All socket ioctls must be restricted to a allowlist.
neverallowxperm domain domain:socket_class_set ioctl { 0 };

# TIOCSTI is only ever used for exploits. Block it.
Expand All @@ -237,7 +237,7 @@ neverallowxperm * devpts:chr_file ioctl TIOCSTI;
# Do not allow any domain other than init or recovery to create unlabeled files.
neverallow { domain -init -recovery } unlabeled:dir_file_class_set create;

# Limit device node creation to these whitelisted domains.
# Limit device node creation to these allowlisted domains.
neverallow {
domain
-kernel
Expand All @@ -246,7 +246,7 @@ neverallow {
-vold
} self:capability mknod;

# Limit raw I/O to these whitelisted domains. Do not apply to debug builds.
# Limit raw I/O to these allowlisted domains. Do not apply to debug builds.
neverallow {
domain
userdebug_or_eng(`-domain')
Expand Down Expand Up @@ -347,7 +347,7 @@ neverallow { domain -kernel -init -recovery -vold -zygote -update_engine -otapre

#
# Assert that, to the extent possible, we're not loading executable content from
# outside the rootfs or /system partition except for a few whitelisted domains.
# outside the rootfs or /system partition except for a few allowlisted domains.
#
neverallow {
domain
Expand Down Expand Up @@ -448,7 +448,7 @@ neverallow { domain -init } default_prop:property_service set;
neverallow { domain -init } mmc_prop:property_service set;

# Do not allow reading device's serial number from system properties except form
# a few whitelisted domains.
# a few allowlisted domains.
neverallow {
domain
-adbd
Expand Down Expand Up @@ -664,7 +664,7 @@ full_treble_only(`
')

# On TREBLE devices, a limited set of files in /vendor are accessible to
# only a few whitelisted coredomains to keep system/vendor separation.
# only a few allowlisted coredomains to keep system/vendor separation.
full_treble_only(`
# Limit access to /vendor/app
neverallow {
Expand Down Expand Up @@ -718,7 +718,7 @@ full_treble_only(`
} vendor_shell_exec:file { execute execute_no_trans };

# Do not allow vendor components to execute files from system
# except for the ones whitelist here.
# except for the ones allowlist here.
neverallow {
domain
-coredomain
Expand Down Expand Up @@ -916,7 +916,7 @@ neverallow {

# In addition to the symlink reading restrictions above, restrict
# write access to shell owned directories. The /data/local/tmp
# directory is untrustworthy, and non-whitelisted domains should
# directory is untrustworthy, and non-allowlisted domains should
# not be trusting any content in those directories.
neverallow {
domain
Expand Down
2 changes: 1 addition & 1 deletion prebuilts/api/27.0/public/hal_wifi_supplicant.te
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@ binder_call(hal_wifi_supplicant_server, hal_wifi_supplicant_client)
add_hwservice(hal_wifi_supplicant_server, hal_wifi_supplicant_hwservice)
allow hal_wifi_supplicant_client hal_wifi_supplicant_hwservice:hwservice_manager find;

# in addition to ioctls whitelisted for all domains, grant hal_wifi_supplicant priv_sock_ioctls.
# in addition to ioctls allowlisted for all domains, grant hal_wifi_supplicant priv_sock_ioctls.
allowxperm hal_wifi_supplicant self:udp_socket ioctl priv_sock_ioctls;

r_dir_file(hal_wifi_supplicant, sysfs_type)
Expand Down
2 changes: 1 addition & 1 deletion prebuilts/api/27.0/public/netd.te
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@ type netd, domain, mlstrustedsubject;
type netd_exec, exec_type, file_type;

net_domain(netd)
# in addition to ioctls whitelisted for all domains, grant netd priv_sock_ioctls.
# in addition to ioctls allowlisted for all domains, grant netd priv_sock_ioctls.
allowxperm netd self:udp_socket ioctl priv_sock_ioctls;

r_dir_file(netd, cgroup)
Expand Down
2 changes: 1 addition & 1 deletion prebuilts/api/27.0/public/vendor_toolbox.te
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@ type vendor_toolbox_exec, exec_type, vendor_file_type, file_type;
# or read, execute the vendor_toolbox file.
full_treble_only(`
# Do not allow non-vendor domains to transition
# to vendor toolbox except for the whitelisted domains.
# to vendor toolbox except for the allowlisted domains.
neverallow {
coredomain
-init
Expand Down
2 changes: 1 addition & 1 deletion prebuilts/api/28.0/private/domain.te
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ domain_auto_trans(domain, crash_dump_exec, crash_dump);
allow domain crash_dump:process sigchld;

# Limit ability to ptrace or read sensitive /proc/pid files of processes
# with other UIDs to these whitelisted domains.
# with other UIDs to these allowlisted domains.
neverallow {
domain
-vold
Expand Down
2 changes: 1 addition & 1 deletion prebuilts/api/28.0/private/incidentd.te
Original file line number Diff line number Diff line change
Expand Up @@ -115,7 +115,7 @@ userdebug_or_eng(`read_logd(incidentd)')
# TODO control_logd(incidentd)

# Allow incidentd to find these standard groups of services.
# Others can be whitelisted individually.
# Others can be allowlisted individually.
allow incidentd {
system_server_service
app_api_service
Expand Down
2 changes: 1 addition & 1 deletion prebuilts/api/28.0/private/isolated_app.te
Original file line number Diff line number Diff line change
Expand Up @@ -77,7 +77,7 @@ neverallow isolated_app *:hwservice_manager *;
neverallow isolated_app vndbinder_device:chr_file *;

# Isolated apps must not be permitted to perform actions on Binder and VndBinder service_manager
# except the find actions for services whitelisted below.
# except the find actions for services allowlisted below.
neverallow isolated_app *:service_manager ~find;

# b/17487348
Expand Down
2 changes: 1 addition & 1 deletion prebuilts/api/28.0/private/perfetto.te
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
# Perfetto command-line client. Can be used only from the domains that are
# explicitly whitelisted with a domain_auto_trans(X, perfetto_exec, perfetto).
# explicitly allowlisted with a domain_auto_trans(X, perfetto_exec, perfetto).
# This command line client accesses the privileged socket of the traced
# daemon.

Expand Down
Loading

0 comments on commit bf4ffe3

Please sign in to comment.