Revert "Revert "netd: restrict netd binder access to system_server""
This reverts commit b5594c2781.
Bug: 27239233
Change-Id: I407a2f3a313f3de801080f9bae46f6bac1a803c2
parent
f723f5f986
commit
9119f12ee3
@ -38,7 +38,8 @@ userdebug_or_eng(`
|
|||||||
allow domain su:fd use;
|
allow domain su:fd use;
|
||||||
allow domain su:unix_stream_socket { getattr getopt read write shutdown };
|
allow domain su:unix_stream_socket { getattr getopt read write shutdown };
|
||||||
|
|
||||||
binder_call({ domain -init }, su)
|
allow { domain -init } su:binder { call transfer };
|
||||||
|
allow { domain -init } su:fd use;
|
||||||
|
|
||||||
# Running something like "pm dump com.android.bluetooth" requires
|
# Running something like "pm dump com.android.bluetooth" requires
|
||||||
# fifo writes
|
# fifo writes
|
||||||
|
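Review bot: The two hand-written rules that replace `binder_call({ domain -init }, su)` are not equivalent to the macro if `binder_call` also grants the reply-direction rule (`allow su { domain -init }:binder transfer;`, as the macro in te_macros normally does). Nothing in the hunk says whether dropping that rule is intended. A one-line comment above the two `allow` lines would record the reason, for example `# binder_call() expanded by hand: the su -> domain transfer rule is intentionally not granted here`, if that is the intent. The enclosing `userdebug_or_eng(` block starts and ends outside the hunk, so whether su gets that permission elsewhere cannot be checked from here.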
@ -113,7 +113,7 @@ allow dumpstate tombstone_data_file:file r_file_perms;
|
|||||||
allow dumpstate cache_recovery_file:dir r_dir_perms;
|
allow dumpstate cache_recovery_file:dir r_dir_perms;
|
||||||
allow dumpstate cache_recovery_file:file r_file_perms;
|
allow dumpstate cache_recovery_file:file r_file_perms;
|
||||||
|
|
||||||
allow dumpstate { service_manager_type -gatekeeper_service }:service_manager find;
|
allow dumpstate { service_manager_type -gatekeeper_service -netd_service }:service_manager find;
|
||||||
allow dumpstate servicemanager:service_manager list;
|
allow dumpstate servicemanager:service_manager list;
|
||||||
|
|
||||||
allow dumpstate devpts:chr_file rw_file_perms;
|
allow dumpstate devpts:chr_file rw_file_perms;
|
||||||
|
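Review bot: The `-netd_service` exclusion added to the dumpstate `find` rule has no comment, and the same unexplained exclusion is added to the `system_app` rule in the last hunk on the page. Both appear to exist to satisfy the new `neverallow { domain -system_server } netd_service:service_manager find;` in netd.te, but a reader of this file cannot tell why netd is singled out next to gatekeeper. I would add `# netd_service may only be found by system_server (see neverallow in netd.te)` above each rule. It is also worth confirming that bug reports do not depend on dumpstate reaching netd through servicemanager, since that lookup is no longer allowed.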
6
netd.te
6
netd.te
@ -57,7 +57,6 @@ set_prop(netd, ctl_mdnsd_prop)
|
|||||||
|
|
||||||
# Allow netd to publish a binder service and make binder calls.
|
# Allow netd to publish a binder service and make binder calls.
|
||||||
binder_use(netd)
|
binder_use(netd)
|
||||||
binder_service(netd)
|
|
||||||
allow netd netd_service:service_manager add;
|
allow netd netd_service:service_manager add;
|
||||||
|
|
||||||
# Allow netd to call into the system server so it can check permissions.
|
# Allow netd to call into the system server so it can check permissions.
|
||||||
@ -84,3 +83,8 @@ neverallow netd system_file:dir_file_class_set write;
|
|||||||
|
|
||||||
# Write to files in /data/data or system files on /data
|
# Write to files in /data/data or system files on /data
|
||||||
neverallow netd { app_data_file system_data_file }:dir_file_class_set write;
|
neverallow netd { app_data_file system_data_file }:dir_file_class_set write;
|
||||||
|
|
||||||
|
# only system_server may interact with netd over binder
|
||||||
|
neverallow { domain -system_server } netd_service:service_manager find;
|
||||||
|
neverallow { domain -system_server } netd:binder call;
|
||||||
|
neverallow netd { domain -system_server -servicemanager userdebug_or_eng(`-su') }:binder call;
|
||||||
|
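Review bot: The comment `# only system_server may interact with netd over binder` fits the first two neverallow rules but not the third, which constrains calls made by netd and exempts `servicemanager` and, on userdebug/eng builds, `su`. I would give the third rule its own comment, for example `# netd may only make binder calls to system_server and servicemanager (and su on userdebug/eng)`, so the build-type exemption is visible when the rule is audited. In the first hunk, `# Allow netd to publish a binder service and make binder calls.` now sits above a block from which `binder_service(netd)` was removed. The rule that lets system_server call into netd is presumably in system_server.te, which is not on this page, and a pointer to it in that comment would help.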
2
shell.te
2
shell.te
@ -83,7 +83,7 @@ allow shell kernel:system syslog_read;
|
|||||||
# allow shell access to services
|
# allow shell access to services
|
||||||
allow shell servicemanager:service_manager list;
|
allow shell servicemanager:service_manager list;
|
||||||
# don't allow shell to access GateKeeper service
|
# don't allow shell to access GateKeeper service
|
||||||
allow shell { service_manager_type -gatekeeper_service }:service_manager find;
|
allow shell { service_manager_type -gatekeeper_service -netd_service }:service_manager find;
|
||||||
|
|
||||||
# allow shell to look through /proc/ for ps, top, netstat
|
# allow shell to look through /proc/ for ps, top, netstat
|
||||||
r_dir_file(shell, proc)
|
r_dir_file(shell, proc)
|
||||||
|
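Review bot: The comment `# don't allow shell to access GateKeeper service` is now incomplete, because the rule below it also excludes `netd_service`. Update it to cover both, for example `# don't allow shell to access the GateKeeper or netd services`. The exclusion set on this rule is the only place in the file that records which services are deliberately kept out of the shell domain's reach, so the comment should stay in step with it.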
@ -43,7 +43,7 @@ allow system_app anr_data_file:file create_file_perms;
|
|||||||
allow system_app asec_apk_file:file r_file_perms;
|
allow system_app asec_apk_file:file r_file_perms;
|
||||||
|
|
||||||
allow system_app servicemanager:service_manager list;
|
allow system_app servicemanager:service_manager list;
|
||||||
allow system_app service_manager_type:service_manager find;
|
allow system_app { service_manager_type -netd_service }:service_manager find;
|
||||||
|
|
||||||
allow system_app keystore:keystore_key {
|
allow system_app keystore:keystore_key {
|
||||||
get_state
|
get_state
|
||||||
|