domain_deprecated.te: remove /proc/net access
Remove /proc/net access to domain_deprecated. Add it to domains where it was missing before. Other than these domains, SELinux denial monitoring hasn't picked up any denials related to /proc/net Bug: 28760354 Test: Device boots Test: No unexpected denials in denial collection logs. Change-Id: Ie5bfa4bc0070793c1e8bf3b00676fd31c08d426a
This commit is contained in:
parent
839c7ded30
commit
dd649da84b
@ -80,7 +80,6 @@ r_dir_file(domain_deprecated, proc)
|
||||
r_dir_file(domain_deprecated, sysfs)
|
||||
r_dir_file(domain_deprecated, cgroup)
|
||||
allow domain_deprecated proc_meminfo:file r_file_perms;
|
||||
r_dir_file(domain_deprecated, proc_net)
|
||||
#auditallow domain_deprecated proc:dir r_dir_perms; # r_dir_perms granted in domain
|
||||
auditallow { domain_deprecated -fsck -fsck_untrusted -init -priv_app -rild -system_server -vold } proc:file r_file_perms;
|
||||
auditallow { domain_deprecated -fsck -fsck_untrusted -init -priv_app -rild -system_server -vold } proc:lnk_file { open ioctl lock }; # getattr read granted in domain
|
||||
@ -120,19 +119,6 @@ auditallow {
|
||||
-zygote
|
||||
} cgroup:{ file lnk_file } r_file_perms;
|
||||
auditallow { domain_deprecated -appdomain -init -priv_app -surfaceflinger -system_server -vold } proc_meminfo:file r_file_perms;
|
||||
auditallow { domain_deprecated -appdomain -clatd -init -netd -system_server -vold -wpa -zygote } proc_net:dir { open getattr read ioctl lock }; # search granted in domain
|
||||
auditallow {
|
||||
domain_deprecated
|
||||
-appdomain
|
||||
-clatd
|
||||
-dumpstate
|
||||
-init
|
||||
-netd
|
||||
-system_server
|
||||
-vold
|
||||
-wpa
|
||||
-zygote
|
||||
} proc_net:{ file lnk_file } r_file_perms;
|
||||
|
||||
# Get SELinux enforcing status.
|
||||
allow domain_deprecated selinuxfs:dir r_dir_perms;
|
||||
|
@ -29,6 +29,7 @@ allow netd shell_exec:file rx_file_perms;
|
||||
allow netd system_file:file x_file_perms;
|
||||
allow netd devpts:chr_file rw_file_perms;
|
||||
|
||||
r_dir_file(netd, proc_net)
|
||||
# For /proc/sys/net/ipv[46]/route/flush.
|
||||
allow netd proc_net:file rw_file_perms;
|
||||
|
||||
|
@ -5,6 +5,8 @@ type ppp_exec, exec_type, file_type;
|
||||
|
||||
net_domain(ppp)
|
||||
|
||||
r_dir_file(ppp, proc_net)
|
||||
|
||||
allow ppp mtp:socket rw_socket_perms_no_ioctl;
|
||||
allow ppp mtp:unix_dgram_socket rw_socket_perms;
|
||||
allow ppp ppp_device:chr_file rw_file_perms;
|
||||
|
@ -44,6 +44,7 @@ allow rild self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
|
||||
wakelock_use(rild)
|
||||
|
||||
r_dir_file(rild, proc)
|
||||
r_dir_file(rild, proc_net)
|
||||
r_dir_file(rild, sysfs_type)
|
||||
r_dir_file(rild, system_file)
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user