author | Steve Kondik <steve@cyngn.com> | 2016-03-10 18:16:06 -0800 |
---|---|---|
committer | Steve Kondik <steve@cyngn.com> | 2016-03-10 18:16:06 -0800 |
commit | 014562f13339d69f3b4c0cec4f555a8a5e962d55 (patch) | |
tree | cd0607e937896875c1ebca2b51c24f85084ed5de | |
parent | 62438c86c8912ef97236d645b2e8f67bf89c286e (diff) | |
parent | d76ccadb97b94277c65a9f1660ae763bce250132 (diff) | |
Merge tag 'android-6.0.1_r22' of https://android.googlesource.com/platform/external/sepolicy into cm-13.0staging/cm-13.0+r22
Android 6.0.1 release 22
-rw-r--r-- | bluetooth.te | 2 | ||||
-rw-r--r-- | ioctl_macros | 14 | ||||
-rw-r--r-- | shell.te | 3 | ||||
-rw-r--r-- | system_server.te | 4 |
4 files changed, 17 insertions, 6 deletions
diff --git a/bluetooth.te b/bluetooth.te index f77bd0d..338f2b2 100644 --- a/bluetooth.te +++ b/bluetooth.te @@ -3,6 +3,8 @@ type bluetooth, domain; app_domain(bluetooth) net_domain(bluetooth) +wakelock_use(bluetooth); + # Data file accesses. allow bluetooth bluetooth_data_file:dir create_dir_perms; allow bluetooth bluetooth_data_file:notdevfile_class_set create_file_perms; diff --git a/ioctl_macros b/ioctl_macros index e71e0ce..6012568 100644 --- a/ioctl_macros +++ b/ioctl_macros @@ -1,11 +1,15 @@ # socket ioctls allowed to unprivileged apps define(`unpriv_sock_ioctls', ` { -# all socket ioctls except the Mac address SIOCGIFHWADDR 0x8927 -0x8900-0x8926 0x8928-0x89ff -# all wireless extensions ioctls except get/set essid -# IOCSIWESSID 0x8B1A SIOCGIWESSID 0x8B1B -0x8B00-0x8B09 0x8B1C-0x8BFF +# all socket ioctls except: +# 1) the Mac address SIOCGIFHWADDR 0x8927 +# 2) device private SIOCDEVPRIVATE-SIOCDEVPRIVLAST 0x89F0-0x89FF +# 3) protocol private SIOCPROTOPRIVATE-SIOCPROTOPRIVLAST 0x89E0-0x89EF +0x8900-0x8926 0x8928-0x89DF +# all wireless extensions ioctls except: +# 1) get/set essid IOCSIWESSID 0x8B1A SIOCGIWESSID 0x8B1B +# 2) device private ioctls SIOCIWFIRSTPRIV-SIOCIWLASTPRIV 0x8BE0-0x8BFF +0x8B00-0x8B09 0x8B1C-0x8BDF # commonly used TTY ioctls 0x5411 0x5451 }') @@ -77,6 +77,9 @@ allow shell domain:process getattr; allow shell bootchart_data_file:dir rw_dir_perms; allow shell bootchart_data_file:file create_file_perms; +# only allow unprivileged socket ioctl commands +allow shell self:{ rawip_socket tcp_socket udp_socket } unpriv_sock_ioctls; + # Do not allow shell to hard link to any files. # In particular, if shell hard links to app data # files, installd will not be able to guarantee the deletion diff --git a/system_server.te b/system_server.te index 36c36e9..a25ab21 100644 --- a/system_server.te +++ b/system_server.te 
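Review bot: In the bluetooth.te hunk, `wakelock_use(bluetooth);` ends with a semicolon while the `app_domain(bluetooth)` and `net_domain(bluetooth)` calls directly above it do not; writing it as `wakelock_use(bluetooth)` would match them. The line is also the only new grant here without a comment, so a one-line `# <why the bluetooth domain must hold wakelocks>` above it would record why this domain gets the permission. The macro's expansion is not visible on this page, so what exactly it grants should be checked against its definition.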
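Review bot: In the ioctl_macros hunk, the comment above the wireless-extension ranges in `unpriv_sock_ioctls` still understates what is withheld: `0x8B00-0x8B09 0x8B1C-0x8BDF` also leaves out 0x8B0A-0x8B19, but the list names only get/set essid and the device-private range. Because the macro is an allowlist, every gap is a deliberate denial and should be accounted for, for example with a third item `# 3) 0x8B0A-0x8B19 <reason these are not granted>`. The first item also carries over the misspelling `IOCSIWESSID` for `SIOCSIWESSID`. The `allow shell self:{ rawip_socket tcp_socket udp_socket } unpriv_sock_ioctls;` rule added later on this line relies on the same macro, so its "only allow unprivileged socket ioctl commands" comment is only as accurate as this list.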
@@ -438,7 +438,9 @@ allow system_server sdcard_type:dir { getattr search }; allow system_server mnt_expand_file:dir r_dir_perms; # Allow system process to relabel the fingerprint directory after mkdir -allow system_server fingerprintd_data_file:dir {r_dir_perms relabelto}; +# and delete the directory and files when no longer needed +allow system_server fingerprintd_data_file:dir { r_dir_perms remove_name rmdir relabelto write }; +allow system_server fingerprintd_data_file:file { getattr unlink }; ### ### Neverallow rules |
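Review bot: The widened fingerprint rules have no matching assertion that system_server stays limited to deleting this data. As written the grant is narrow: `fingerprintd_data_file:file { getattr unlink }` gives no read or open, and the dir rule adds `write remove_name rmdir` without `add_name`, so entries can be removed but not created. If no rule outside this hunk needs more, that intent could be pinned in the neverallow section that starts just below, e.g. `neverallow system_server fingerprintd_data_file:file { read write open create };`. The comment should also say what triggers the deletion, since "when no longer needed" does not, and unlinking these files presumably discards enrolled fingerprint data.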