PWN-Hunter/android_system_sepolicy
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Restrict netd fwk policy.

Browse Source 
Remove netd access to sysfs_type attribute.

These were moved from vendor to fwk policy:
1. sysfs_net type declaration
2. labeling of /sys/devices/virtual/net with sysfs_net
3. netd access to sysfs_net

Bug: 65643247
Test: can browse internet without netd denials
Test: netd_unit_test, netd_integration_test without netd denials
Merged-In: Ic1b95a098f438c4c6bc969bee801bf7dd1a13f6e
Change-Id: Ic1b95a098f438c4c6bc969bee801bf7dd1a13f6e
(cherry picked from commit e62a56b717)
This commit is contained in:
Tri Vo 2017-10-01 15:53:01 -07:00
parent 4bd0c6fcc3
commit 8dabc2ce74
4 changed files with 7 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
private/compat/26.0/26.0.cil
View File

@ -569,6 +569,7 @@
sysfs_android_usb
sysfs_dm
sysfs_ipv4
sysfs_net
sysfs_power
sysfs_rtc
sysfs_switch

1
private/genfs_contexts
View File

@ -71,6 +71,7 @@ genfscon sysfs /devices/virtual/block/zram1 u:object_r:sysfs_zram:s0
genfscon sysfs /devices/virtual/block/zram0/uevent u:object_r:sysfs_zram_uevent:s0
genfscon sysfs /devices/virtual/block/zram1/uevent u:object_r:sysfs_zram_uevent:s0
genfscon sysfs /devices/virtual/misc/hw_random u:object_r:sysfs_hwrandom:s0
genfscon sysfs /devices/virtual/net u:object_r:sysfs_net:s0
genfscon sysfs /devices/virtual/switch u:object_r:sysfs_switch:s0
genfscon sysfs /fs/ext4/features u:object_r:sysfs_fs_ext4_features:s0
genfscon sysfs /power/state u:object_r:sysfs_power:s0

1
public/file.te
View File

@ -55,6 +55,7 @@ type sysfs_hwrandom, fs_type, sysfs_type;
type sysfs_nfc_power_writable, fs_type, sysfs_type, mlstrustedobject;
type sysfs_wake_lock, fs_type, sysfs_type;
type sysfs_mac_address, fs_type, sysfs_type;
type sysfs_net, fs_type, sysfs_type;
type sysfs_power, fs_type, sysfs_type;
type sysfs_rtc, fs_type, sysfs_type;
type sysfs_switch, fs_type, sysfs_type;

6
public/netd.te
View File

@ -38,9 +38,11 @@ r_dir_file(netd, proc_net)
allow netd proc_net:file rw_file_perms;
# Enables PppController and interface enumeration (among others)
r_dir_file(netd, sysfs_type)
allow netd sysfs:dir r_dir_perms;
r_dir_file(netd, sysfs_net)
# Allows setting interface MTU
allow netd sysfs:file write;
allow netd sysfs_net:file w_file_perms;
# TODO: added to match above sysfs rule. Remove me?
allow netd sysfs_usb:file write;