diff options
author | Stephen Smalley <sds@tycho.nsa.gov> | 2014-02-24 15:06:11 -0500 |
---|---|---|
committer | Stephen Smalley <sds@tycho.nsa.gov> | 2014-02-25 12:41:23 -0500 |
commit | 1601132086b054adc70e7f8f38ed24574c90bc37 (patch) | |
tree | f56a30d82df78952b6cb537a5535e54baa9d40d2 /racoon.te | |
parent | 85708ec4f91fd70b215dc69e00b80e0e7a7d4686 (diff) | |
download | android_external_sepolicy-1601132086b054adc70e7f8f38ed24574c90bc37.tar.gz android_external_sepolicy-1601132086b054adc70e7f8f38ed24574c90bc37.tar.bz2 android_external_sepolicy-1601132086b054adc70e7f8f38ed24574c90bc37.zip |
Clean up socket rules.
Replace * or any permission set containing create with
create_socket_perms or create_stream_socket_perms.
Add net_domain() to all domains using network sockets and
delete rules already covered by domain.te or net.te.
For netlink_route_socket, only nlmsg_write needs to be separately
granted to specific domains that are permitted to modify the routing
table. Clarification: read/write permissions are just ability to
perform read/recv() or write/send() on the socket, whereas nlmsg_read/
nlmsg_write permissions control ability to observe or modify the
underlying kernel state accessed via the socket.
See security/selinux/nlmsgtab.c in the kernel for the mapping of
netlink message types to nlmsg_read or nlmsg_write.
Delete legacy rule for b/12061011.
This change does not touch any rules where only read/write were allowed
to a socket created by another domain (inherited across exec or
received across socket or binder IPC). We may wish to rewrite some or all
of those rules with the rw_socket_perms macro but that is a separate
change.
Change-Id: Ib0637ab86f6d388043eff928e5d96beb02e5450e
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Diffstat (limited to 'racoon.te')
-rw-r--r-- | racoon.te | 8 |
1 files changed, 4 insertions, 4 deletions
@@ -6,17 +6,17 @@ type racoon_exec, exec_type, file_type; init_daemon_domain(racoon) typeattribute racoon mlstrustedsubject; +net_domain(racoon) + binder_call(racoon, servicemanager) binder_call(racoon, keystore) allow racoon tun_device:chr_file r_file_perms; allow racoon cgroup:dir { add_name create }; allow racoon kernel:system module_request; -allow racoon port:udp_socket name_bind; -allow racoon node:udp_socket node_bind; -allow racoon self:{ key_socket udp_socket } create_socket_perms; -allow racoon self:tun_socket create; +allow racoon self:key_socket create_socket_perms; +allow racoon self:tun_socket create_socket_perms; allow racoon self:capability { net_admin net_bind_service net_raw setuid }; # XXX: should we give ip-up-vpn its own label (currently racoon domain) |