| field | value | date |
|---|---|---|
| author | Nick Kralevich <nnk@google.com> | 2013-07-12 21:28:41 -0700 |
| committer | Nick Kralevich <nnk@google.com> | 2013-07-12 21:28:41 -0700 |
| commit | 9a19885c4cbb2ded4dd0833d38636e6bd2c2c802 (patch) | |
| tree | 93db7dfe7f85566afd0e2b060e0ce4a2e0c78179 /netd.te | |
| parent | 748fdef626d1dda2a0a727ea35d85d04363f5307 (diff) | |
| download | android_external_sepolicy-9a19885c4cbb2ded4dd0833d38636e6bd2c2c802.tar.gz, android_external_sepolicy-9a19885c4cbb2ded4dd0833d38636e6bd2c2c802.tar.bz2, android_external_sepolicy-9a19885c4cbb2ded4dd0833d38636e6bd2c2c802.zip | |
remove "self:process ptrace" from domain, netd neverallow rules
Remove "self:process ptrace" from all SELinux enforced domains.
In general, a process should never need to ptrace itself.
We can add this back to more narrowly scoped domains as needed.
Add a bunch of neverallow assertions to netd.te, to verify that netd
never gets unexpected capabilities.
Change-Id: Ie862dc95bec84068536bb64705667e36210c5f4e
Diffstat (limited to 'netd.te')
| mode | file | lines |
|---|---|---|
| -rw-r--r-- | netd.te | 28 |
1 files changed, 27 insertions, 1 deletions
@@ -3,7 +3,6 @@ type netd, domain; type netd_exec, exec_type, file_type; init_daemon_domain(netd) -typeattribute netd mlstrustedsubject; allow netd self:capability { net_admin net_raw kill }; allow netd self:netlink_kobject_uevent_socket *; allow netd self:netlink_route_socket *; @@ -52,3 +51,30 @@ allow netd dnsmasq:process signal; # TODO: prune this back further allow netd ctl_default_prop:property_service set; allow netd device:sock_file write; + +### +### Neverallow rules +### +### netd should NEVER do any of this + +# Block device access. +neverallow netd dev_type:blk_file { read write }; + +# Kernel memory access. +neverallow netd kmem_device:chr_file { read write }; + +# Setting SELinux enforcing status or booleans. +# Conditionally allowed to system_app for SEAndroidManager. +neverallow netd kernel:security { setenforce setbool }; + +# Load security policy. +neverallow netd kernel:security load_policy; + +# ptrace any other app +neverallow netd { domain }:process ptrace; + +# Write to /system. +neverallow netd system_file:dir_file_class_set write; + +# Write to files in /data/data or system files on /data +neverallow netd { app_data_file system_data_file }:dir_file_class_set write; |
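Review bot: the first hunk drops `typeattribute netd mlstrustedsubject;`, but the commit message only describes removing `self:process ptrace` and adding neverallow rules; either state in the message why netd no longer needs to be an MLS trusted subject (what it loses, and what was checked to confirm nothing depends on it), or split that removal into its own change so the policy history stays traceable.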
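Review bot: the second hunk adds no assertion on `self:capability`, even though the message says the neverallow rules verify that netd "never gets unexpected capabilities"; since the context line above grants exactly `{ net_admin net_raw kill }`, a `neverallow netd self:capability ~{ net_admin net_raw kill };` would pin that set and catch any later broadening. Two smaller points in the same hunk: the "Write to /system" and "/data" assertions deny only the `write` permission on `dir_file_class_set`, so `append`, `create`, `unlink`, `rename` and `setattr` on those trees are still permitted in principle and the comments overstate what is asserted, so either widen the permission set or narrow the comments; and in `neverallow netd { domain }:process ptrace;` the braces around a single attribute are unnecessary, while the comment "ptrace any other app" understates the rule, which covers every domain including netd itself (consistent with the message, so the comment rather than the rule should change).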