diff options
author | Jeff Vander Stoep <jeffv@google.com> | 2016-04-26 11:29:14 -0700 |
---|---|---|
committer | Jessica Wagantall <jwagantall@cyngn.com> | 2016-07-07 11:08:13 -0700 |
commit | 972f86ffcb929592f28947ea207bb70d0f390b37 (patch) | |
tree | 894bbceeed736980cf3ca48528e354502fe8184c /untrusted_app.te | |
parent | 7ef1cb3e6a10cbba717ad388901ea75eecb7dc80 (diff) | |
download | android_external_sepolicy-972f86ffcb929592f28947ea207bb70d0f390b37.tar.gz android_external_sepolicy-972f86ffcb929592f28947ea207bb70d0f390b37.tar.bz2 android_external_sepolicy-972f86ffcb929592f28947ea207bb70d0f390b37.zip |
Further restrict socket ioctls available to apps
Restrict unix_dgram_socket and unix_stream_socket to a whitelist
for all domains. Remove ioctl permission for netlink_selinux_socket and
netlink_route_socket for netdomain.
Bug: 28171804
Bug: 27424603
Ticket: CYNGNOS-3020
Change-Id: I650639115b8179964ae690a39e4766ead0032d2e
(cherry picked from commit ce6d5e008aae91a793aaa471c20cd8d347f68faf)
Diffstat (limited to 'untrusted_app.te')
-rw-r--r-- | untrusted_app.te | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/untrusted_app.te b/untrusted_app.te index fb76317..a17943f 100644 --- a/untrusted_app.te +++ b/untrusted_app.te @@ -102,7 +102,7 @@ allow untrusted_app { apk_tmp_file apk_private_tmp_file }:dir r_dir_perms; allow untrusted_app { apk_tmp_file apk_private_tmp_file }:file r_file_perms; # only allow unprivileged socket ioctl commands -allow untrusted_app self:{ rawip_socket tcp_socket udp_socket } unpriv_sock_ioctls; +allow untrusted_app domain:{ rawip_socket tcp_socket udp_socket } unpriv_sock_ioctls; # Allow GMS core to access perfprofd output, which is stored # in /data/misc/perfprofd/. GMS core will need to list all |