diff options
| author | Stephen Smalley <sds@tycho.nsa.gov> | 2014-02-24 10:48:03 -0500 |
|---|---|---|
| committer | Stephen Smalley <sds@tycho.nsa.gov> | 2014-02-25 17:26:06 +0000 |
| commit | 85708ec4f91fd70b215dc69e00b80e0e7a7d4686 (patch) | |
| tree | 7436b76c3443f03a17f5d0efd1b2c3eac69d90f3 /mtp.te | |
| parent | 96ff4c053a238e04373fcc1f11d769418e8ce238 (diff) | |
| download | android_external_sepolicy-85708ec4f91fd70b215dc69e00b80e0e7a7d4686.tar.gz android_external_sepolicy-85708ec4f91fd70b215dc69e00b80e0e7a7d4686.tar.bz2 android_external_sepolicy-85708ec4f91fd70b215dc69e00b80e0e7a7d4686.zip | |
Resolve overlapping rules between app.te and net.te.
There is some overlap between socket rules in app.te and the net.te rules,
but they aren't quite identical since not all app domains presently include
the net_domain() macro and because the rules in app.te allow more permissions
for netlink_route_socket and allow rawip_socket permissions for ping.
The current app.te rules prevent one from ever creating a non-networked app
domain. Resolve this overlap by:
1) Adding the missing permissions allowed by app.te to net.te for
netlink_route_socket and rawip_socket.
2) Adding net_domain() calls to all existing app domains that do not already
have it.
3) Deleting the redundant socket rules from app.te.
Then we'll have no effective change in what is allowed for apps but
allow one to define app domains in the future that are not allowed
network access.
Also cleanup net.te to use the create_socket_perms macro rather than *
and add macros for stream socket permissions.
Change-Id: I6e80d65b0ccbd48bd2b7272c083a4473e2b588a9
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Diffstat (limited to 'mtp.te')
0 files changed, 0 insertions, 0 deletions