author | Nick Kralevich <nnk@google.com> | 2015-01-14 14:12:14 -0800 |
---|---|---|
committer | Nick Kralevich <nnk@google.com> | 2015-01-14 22:18:24 +0000 |
commit | 99940d1af5719f1622fa2a17f8daf6cb21de3ad1 (patch) | |
tree | 2a9c86455c64d0e8452cb3379ddb4f43aca4ee12 | |
parent | 4a89cdfa89448c8660308a31bfcb517fffaa239e (diff) | |
remove /proc/net read access from domain.te
SELinux domains wanting read access to /proc/net need to
explicitly declare it.
TODO: fixup the ListeningPortsTest cts test so that it's not
broken.
Bug: 9496886
Change-Id: Ia9f1214348ac4051542daa661d35950eb271b2e4
-rw-r--r-- | app.te | 1 | ||||
-rw-r--r-- | clatd.te | 1 | ||||
-rw-r--r-- | dhcp.te | 3 | ||||
-rw-r--r-- | domain.te | 1 | ||||
-rw-r--r-- | dumpstate.te | 1 | ||||
-rw-r--r-- | init.te | 3 | ||||
-rw-r--r-- | mediaserver.te | 1 | ||||
-rw-r--r-- | netd.te | 3 | ||||
-rw-r--r-- | radio.te | 1 | ||||
-rw-r--r-- | system_server.te | 1 |
10 files changed, 12 insertions, 4 deletions
@@ -83,6 +83,7 @@ allow appdomain dumpstate:unix_stream_socket { read write getopt getattr shutdow
 allow appdomain shell_data_file:file { write getattr };
 # Write to /proc/net/xt_qtaguid/ctrl file.
+allow appdomain proc_net:dir search;
 allow appdomain qtaguid_proc:file rw_file_perms;
 # Everybody can read the xt_qtaguid resource tracking misc dev.
 # So allow all apps to read from /dev/xt_qtaguid.
@@ -15,6 +15,7 @@ allow clatd netd:udp_socket { read write };
 allow clatd netd:unix_stream_socket { read write };
 allow clatd netd:unix_dgram_socket { read write };
+r_dir_file(clatd, proc_net)
 allow clatd self:capability { net_admin net_raw setuid setgid };
 allow clatd self:netlink_route_socket nlmsg_write;
@@ -12,7 +12,8 @@ allow dhcp self:netlink_route_socket nlmsg_write;
 allow dhcp shell_exec:file rx_file_perms;
 allow dhcp system_file:file rx_file_perms;
 # For /proc/sys/net/ipv4/conf/*/promote_secondaries
-allow dhcp proc_net:file write;
+allow dhcp proc_net:file rw_file_perms;
+allow dhcp proc_net:dir r_dir_perms;
 allow dhcp dhcp_prop:property_service set;
 allow dhcp pan_result_prop:property_service set;
 unix_socket_connect(dhcp, property, init)
@@ -145,7 +145,6 @@ r_dir_file(domain, sysfs)
 r_dir_file(domain, sysfs_devices_system_cpu)
 r_dir_file(domain, inotify)
 r_dir_file(domain, cgroup)
-r_dir_file(domain, proc_net)
 allow domain proc_cpuinfo:file r_file_perms;
 # debugfs access
diff --git a/dumpstate.te b/dumpstate.te
index 5f65eb0..2324c25 100644
--- a/dumpstate.te
+++ b/dumpstate.te
@@ -60,6 +60,7 @@ domain_auto_trans(dumpstate, vdc_exec, vdc)
 allow dumpstate sysfs:file w_file_perms;
 # Other random bits of data we want to collect
+allow dumpstate proc_net:dir search;
 allow dumpstate qtaguid_proc:file r_file_perms;
 allow dumpstate debugfs:file r_file_perms;
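Review bot: The new `allow appdomain proc_net:dir search;` in the app.te hunk sits under the comment about writing /proc/net/xt_qtaguid/ctrl, with nothing saying why it is there or that it is deliberately limited to `search`. A comment such as `# Traverse /proc/net to reach xt_qtaguid/ctrl; reading other proc_net files is intentionally not granted.` would keep a later editor from widening it back to `r_dir_file`. The dumpstate.te and mediaserver.te hunks add the same search-only rule and deserve the same comment. If any of these domains still opens other proc_net-labelled files directly, that access is now denied, so it is worth checking the audit log for new avc denials on proc_net for these three domains.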
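Review bot: `r_dir_file(clatd, proc_net)` in the clatd.te hunk re-grants read access to everything labelled proc_net, but no comment records which /proc/net entries clatd actually reads. Without that rationale the grant cannot later be narrowed to a more specific type or dropped. I would add a line above it such as `# Read /proc/net/<entry> for <purpose>.`, with the real file and reason filled in. The radio.te and system_server.te hunks add the same macro without a reason, and in system_server.te it lands directly under the qtaguid comment, which describes a different type.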
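Review bot: In the dhcp.te hunk the rule under `# For /proc/sys/net/ipv4/conf/*/promote_secondaries` goes from `write` to `rw_file_perms`, which is broader than the write-only use the comment describes. Read access used to be inherited from the domain-wide rule this commit removes, so keeping it is reasonable. However, if `rw_file_perms` expands the way the usual global_macros define it, it also brings in `append`, which dhcp did not hold before. Keeping `allow dhcp proc_net:file write;` and adding `r_dir_file(dhcp, proc_net)` would preserve the earlier access exactly and match the clatd.te and radio.te hunks; otherwise extend the comment to say that the read half replaces what domain.te used to grant. The netd.te hunk makes the same `write` to `rw_file_perms` change, and the init.te hunk needs the same comment update for its `w_file_perms` to `rw_file_perms` change.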
@@ -123,7 +123,8 @@ allow init proc_security:file rw_file_perms;
 allow init proc:file w_file_perms;
 # Write to /proc/sys/net/ping_group_range and other /proc/sys/net files.
-allow init proc_net:file w_file_perms;
+allow init proc_net:file rw_file_perms;
+allow init proc_net:dir r_dir_perms;
 allow init self:capability net_admin;
 # Write to /proc/sysrq-trigger.
diff --git a/mediaserver.te b/mediaserver.te
index ec69aed..6e6c87d 100644
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -61,6 +61,7 @@ allow mediaserver audio_data_file:dir ra_dir_perms;
 allow mediaserver audio_data_file:file create_file_perms;
 # Read/[write] to /proc/net/xt_qtaguid/ctrl and /dev/xt_qtaguid
+allow mediaserver proc_net:dir search;
 allow mediaserver qtaguid_proc:file rw_file_perms;
 allow mediaserver qtaguid_device:chr_file r_file_perms;
@@ -23,7 +23,8 @@ allow netd system_file:file x_file_perms;
 allow netd devpts:chr_file rw_file_perms;
 # For /proc/sys/net/ipv[46]/route/flush.
-allow netd proc_net:file write;
+allow netd proc_net:file rw_file_perms;
+allow netd proc_net:dir r_dir_perms;
 # For /sys/modules/bcmdhd/parameters/firmware_path
 # XXX Split into its own type.
@@ -17,6 +17,7 @@ allow radio radio_data_file:notdevfile_class_set create_file_perms;
 allow radio alarm_device:chr_file rw_file_perms;
+r_dir_file(radio, proc_net)
 allow radio net_data_file:dir search;
 allow radio net_data_file:file r_file_perms;
diff --git a/system_server.te b/system_server.te
index 6199eb7..45c4936 100644
--- a/system_server.te
+++ b/system_server.te
@@ -91,6 +91,7 @@ allow system_server appdomain:file write;
 # Read/Write to /proc/net/xt_qtaguid/ctrl and and /dev/xt_qtaguid.
 allow system_server qtaguid_proc:file rw_file_perms;
 allow system_server qtaguid_device:chr_file rw_file_perms;
+r_dir_file(system_server, proc_net)
 # Write to /proc/sysrq-trigger.
 allow system_server proc_sysrq:file rw_file_perms; |