grant appdomain rw perms to tun_device am: 2b935cd78d
am: 43412f6514
* commit '43412f6514a97572622e009e13f76a61c9d5f987':
grant appdomain rw perms to tun_device
commit
02863a7ca7
4
app.te
4
app.te
@ -225,6 +225,10 @@ selinux_check_context(appdomain)
|
||||
auditallow { appdomain userdebug_or_eng(`-su') } sysfs:dir { open getattr read ioctl };
|
||||
auditallow { appdomain userdebug_or_eng(`-su') } sysfs:file r_file_perms;
|
||||
|
||||
# Apps receive an open tun fd from the framework for
|
||||
# device traffic. Do not allow untrusted app to directly open tun_device
|
||||
allow { appdomain -isolated_app } tun_device:chr_file { read write getattr ioctl append };
|
||||
|
||||
###
|
||||
### Neverallow rules
|
||||
###
|
||||
|
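Review bot: The comment above the new `allow { appdomain -isolated_app } tun_device:chr_file ...` rule still says `Do not allow untrusted app to directly open tun_device`, but the rule now covers every app domain except isolated_app, so the comment is stale and nothing in this hunk enforces it. Reword it along the lines of `# Apps receive an already-open tun fd from the framework; app domains must not open tun_device themselves.` If the policy has no equivalent assertion elsewhere, back the comment with a rule in the neverallow section that follows, e.g. `neverallow { appdomain -<domains_that_must_open_tun> } tun_device:chr_file open;`, where the exclusion list is a placeholder to fill in from the tree. The grant also widens read/write/ioctl on an inherited tun fd from untrusted_app to all the more privileged app domains, so it is worth confirming that each of them needs it, rather than naming only the domains that do.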
@ -29,10 +29,6 @@ bluetooth_domain(untrusted_app)
|
||||
# to their sandbox directory and then execute.
|
||||
allow untrusted_app app_data_file:file { rx_file_perms execmod };
|
||||
|
||||
# Third party vpn apps receive an open tun fd from the framework for
|
||||
# device traffic. Do not allow untrusted app to directly open tun_device
|
||||
allow untrusted_app tun_device:chr_file { read write getattr ioctl append };
|
||||
|
||||
# ASEC
|
||||
allow untrusted_app asec_apk_file:file r_file_perms;
|
||||
# Execute libs in asec containers.
|
||||
|