diff options
| author | Jessica Wagantall <jwagantall@cyngn.com> | 2016-07-07 11:51:08 -0700 |
|---|---|---|
| committer | Jessica Wagantall <jwagantall@cyngn.com> | 2016-07-07 14:15:15 -0700 |
| commit | 0d2bc4350ad290c0f5bdf69dbbc5baa716889b0b (patch) | |
| tree | 48623f02b3c030b2893f983da08852617c1a4537 | |
| parent | f00429df5685a46aa4f4694dab8f68d6d5645cd0 (diff) | |
| parent | abf0663ed884af7bc880a05e9529e6671eb58f39 (diff) | |
| download | android_external_sepolicy-0d2bc4350ad290c0f5bdf69dbbc5baa716889b0b.tar.gz android_external_sepolicy-0d2bc4350ad290c0f5bdf69dbbc5baa716889b0b.tar.bz2 android_external_sepolicy-0d2bc4350ad290c0f5bdf69dbbc5baa716889b0b.zip | |
Merge remote-tracking branch 'remotes/android-6.0.1_r52' into HEAD
Ticket: CYNGNOS-3020
Change-Id: Ia88a540cb0a5d2bf379d03053095a64cc4c73276
| -rw-r--r-- | bluetooth.te | 3 | ||||
| -rw-r--r-- | domain.te | 1 | ||||
| -rw-r--r-- | ioctl_macros | 10 | ||||
| -rw-r--r-- | isolated_app.te | 2 | ||||
| -rw-r--r-- | net.te | 2 | ||||
| -rw-r--r-- | te_macros | 2 | ||||
| -rw-r--r-- | untrusted_app.te | 2 |
7 files changed, 17 insertions, 5 deletions
diff --git a/bluetooth.te b/bluetooth.te index 338f2b2..816fcb3 100644 --- a/bluetooth.te +++ b/bluetooth.te @@ -25,7 +25,8 @@ allow bluetooth { tun_device uhid_device hci_attach_dev }:chr_file rw_file_perms # TODO: This should no longer be needed with bluedroid for bluetooth # but may be getting used for other non-bluetooth sockets that has no # specific class defined. Consider taking to specific domains. -allow bluetoothdomain self:socket create_socket_perms; +allow { bluetoothdomain -untrusted_app -isolated_app -shell } self:socket create_socket_perms; +neverallow { untrusted_app isolated_app shell } { untrusted_app isolated_app shell }:socket *; # sysfs access. allow bluetooth sysfs_bluetooth_writable:file rw_file_perms; @@ -35,6 +35,7 @@ allow domain self:lnk_file r_file_perms; allow domain self:{ fifo_file file } rw_file_perms; allow domain self:unix_dgram_socket { create_socket_perms sendto }; allow domain self:unix_stream_socket { create_stream_socket_perms connectto }; +allow domain domain:{ unix_dgram_socket unix_stream_socket } unpriv_unix_sock_ioctls; # Inherit or receive open files from others. allow domain init:fd use; diff --git a/ioctl_macros b/ioctl_macros index 6012568..e0ecbf0 100644 --- a/ioctl_macros +++ b/ioctl_macros @@ -13,3 +13,13 @@ define(`unpriv_sock_ioctls', ` # commonly used TTY ioctls 0x5411 0x5451 }') + +define(`TCGETS', `0x00005401') +define(`TIOCOUTQ', `0x00005411') +define(`TIOCGWINSZ', `0x00005413') +define(`TIOCSWINSZ', `0x00005414') +define(`FIONREAD', `0x0000541b') +define(`FIOCLEX', `0x00005451') + +# commonly used ioctls on unix sockets +define(`unpriv_unix_sock_ioctls', `{ TIOCOUTQ FIOCLEX TCGETS TIOCGWINSZ TIOCSWINSZ FIONREAD }') diff --git a/isolated_app.te b/isolated_app.te index 330f0af..535e5de 100644 --- a/isolated_app.te +++ b/isolated_app.te @@ -19,7 +19,7 @@ allow isolated_app activity_service:service_manager find; allow isolated_app display_service:service_manager find; # only allow unprivileged socket ioctl commands -allow isolated_app self:{ rawip_socket tcp_socket udp_socket } unpriv_sock_ioctls; +allow isolated_app domain:{ rawip_socket tcp_socket udp_socket } unpriv_sock_ioctls; ##### ##### Neverallow @@ -13,7 +13,7 @@ allow netdomain node_type:{ tcp_socket udp_socket } node_bind; allow netdomain port_type:udp_socket name_bind; allow netdomain port_type:tcp_socket name_bind; # See changes to the routing table. -allow netdomain self:netlink_route_socket { create_socket_perms nlmsg_read }; +allow netdomain self:netlink_route_socket { create read getattr write setattr lock append bind connect getopt setopt shutdown nlmsg_read }; # Talks to netd via dnsproxyd socket. unix_socket_connect(netdomain, dnsproxyd, netd) @@ -202,7 +202,7 @@ allow $1 self:capability2 block_suspend; define(`selinux_check_access', ` allow $1 selinuxfs:file rw_file_perms; allow $1 kernel:security compute_av; -allow $1 self:netlink_selinux_socket *; +allow $1 self:netlink_selinux_socket { read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto recv_msg send_msg name_bind }; ') ##################################### diff --git a/untrusted_app.te b/untrusted_app.te index fb76317..a17943f 100644 --- a/untrusted_app.te +++ b/untrusted_app.te @@ -102,7 +102,7 @@ allow untrusted_app { apk_tmp_file apk_private_tmp_file }:dir r_dir_perms; allow untrusted_app { apk_tmp_file apk_private_tmp_file }:file r_file_perms; # only allow unprivileged socket ioctl commands -allow untrusted_app self:{ rawip_socket tcp_socket udp_socket } unpriv_sock_ioctls; +allow untrusted_app domain:{ rawip_socket tcp_socket udp_socket } unpriv_sock_ioctls; # Allow GMS core to access perfprofd output, which is stored # in /data/misc/perfprofd/. GMS core will need to list all |