Remove ping domain.
ping in Android no longer requires any additional privileges beyond the caller. Drop the ping domain and executable file type entirely. Also add net_domain() to shell domain so that it can create and use network sockets. Change-Id: If51734abe572aecf8f510f1a55782159222e5a67 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
This commit is contained in:
Stephen Smalley
parent
5f29026459
commit
396015c395
3
app.te
3
app.te
@ -67,7 +67,6 @@ allow appdomain system_data_file:file { execute execute_no_trans open };
|
||||
# Execute the shell or other system executables.
|
||||
allow appdomain shell_exec:file rx_file_perms;
|
||||
allow appdomain system_file:file rx_file_perms;
|
||||
allow appdomain ping_exec:file rx_file_perms;
|
||||
|
||||
# Read/write wallpaper file (opened by system).
|
||||
allow appdomain wallpaper_file:file { read write };
|
||||
@ -268,7 +267,7 @@ neverallow { appdomain -unconfineddomain } { domain -appdomain }:process
|
||||
{ sigkill sigstop signal };
|
||||
|
||||
# Transition to a non-app domain.
|
||||
# Exception for the shell domain, can transition to runas, ping, etc.
|
||||
# Exception for the shell domain, can transition to runas, etc.
|
||||
neverallow { appdomain -shell -unconfineddomain } ~appdomain:process
|
||||
{ transition dyntransition };
|
||||
|
||||
|
||||
@ -142,7 +142,6 @@
|
||||
/system/etc/dhcpcd(/.*)? u:object_r:dhcp_system_file:s0
|
||||
/system/xbin/su u:object_r:su_exec:s0
|
||||
/system/vendor/bin/gpsd u:object_r:gpsd_exec:s0
|
||||
/system/bin/ping u:object_r:ping_exec:s0
|
||||
/system/bin/dnsmasq u:object_r:dnsmasq_exec:s0
|
||||
/system/bin/hostapd u:object_r:hostapd_exec:s0
|
||||
/system/bin/clatd u:object_r:clatd_exec:s0
|
||||
|
||||
17
ping.te
17
ping.te
@ -1,17 +0,0 @@
|
||||
type ping, domain;
|
||||
permissive ping;
|
||||
type ping_exec, exec_type, file_type;
|
||||
domain_auto_trans(shell, ping_exec, ping)
|
||||
domain_auto_trans(dumpstate, ping_exec, ping)
|
||||
|
||||
allow ping self:capability net_raw;
|
||||
allow ping self:rawip_socket create_socket_perms;
|
||||
allow ping self:udp_socket create_socket_perms;
|
||||
allow ping node:rawip_socket node_bind;
|
||||
allow ping dnsproxyd_socket:sock_file write;
|
||||
allow ping netd:unix_stream_socket connectto;
|
||||
allow ping devpts:chr_file rw_file_perms;
|
||||
allow ping shell:fd use;
|
||||
|
||||
allow ping dumpstate:fd use;
|
||||
allow ping dumpstate:unix_stream_socket { read write };
|
||||
3
shell.te
3
shell.te
@ -2,6 +2,9 @@
|
||||
type shell, domain, shelldomain, mlstrustedsubject;
|
||||
type shell_exec, exec_type, file_type;
|
||||
|
||||
# Create and use network sockets.
|
||||
net_domain(shell)
|
||||
|
||||
# Run app_process.
|
||||
# XXX Transition into its own domain?
|
||||
app_domain(shell)
|
||||
|
||||
@ -2,6 +2,9 @@
|
||||
type shell, domain, shelldomain, mlstrustedsubject;
|
||||
type shell_exec, exec_type, file_type;
|
||||
|
||||
# Create and use network sockets.
|
||||
net_domain(shell)
|
||||
|
||||
# Run app_process.
|
||||
# XXX Transition into its own domain?
|
||||
app_domain(shell)
|
||||
|
||||
Loading…
Reference in New Issue
Block a user