Do not allow untrusted_app to open tun_device
Third party vpn apps must receive an open tun fd from the framework for device traffic. neverallow untrusted_app the open perm, and auditallow bluetooth access to see if the neverallow rule can be expanded to include all of appdomain. Bug: 24677682 Change-Id: I68685587228a1044fe1e0f96d4dc08c2adbebe78
parent
a10f789d28
commit
de53051a82
@ -14,8 +14,12 @@ allow bluetooth bluetooth_socket:sock_file create_file_perms;
|
||||
# bluetooth factory file accesses.
|
||||
r_dir_file(bluetooth, bluetooth_efs_file)
|
||||
|
||||
# Device accesses.
|
||||
# TODO why does bluetooth require access to tun_device? If not,
|
||||
# remove access and tighten down neverallow rule so that appdomain is
|
||||
# not allowed to open (as opposed to just untrusted_app)
|
||||
# Device accesses. b/24744295
|
||||
allow bluetooth { tun_device uhid_device hci_attach_dev }:chr_file rw_file_perms;
|
||||
auditallow bluetooth tun_device:chr_file rw_file_perms;
|
||||
|
||||
# Other domains that can create and use bluetooth sockets.
|
||||
# SELinux does not presently define a specific socket class for
|
||||
|
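Review bot: The new `auditallow bluetooth tun_device:chr_file rw_file_perms;` logs every read, write and ioctl bluetooth performs on the device, while the question the TODO above it raises is only whether bluetooth needs `open` — the single permission the neverallow would be extended to appdomain for. If `rw_file_perms` expands to include `open` as it does in global_macros, `auditallow bluetooth tun_device:chr_file open;` answers that question directly and keeps the audit log free of routine I/O on an fd that was opened legitimately. It would also help to state in the TODO what the audit data decides, e.g. `# If no open audits appear, drop tun_device here and extend the neverallow to appdomain.`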
@ -29,7 +29,9 @@ bluetooth_domain(untrusted_app)
|
||||
# to their sandbox directory and then execute.
|
||||
allow untrusted_app app_data_file:file { rx_file_perms execmod };
|
||||
|
||||
allow untrusted_app tun_device:chr_file rw_file_perms;
|
||||
# Third party vpn apps receive an open tun fd from the framework for
|
||||
# device traffic. Do not allow untrusted app to directly open tun_device
|
||||
allow untrusted_app tun_device:chr_file { read write getattr ioctl append };
|
||||
|
||||
# ASEC
|
||||
allow untrusted_app asec_apk_file:file r_file_perms;
|
||||
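Review bot: The explicit permission set on the new allow line appears to drop more than `open`: if `rw_file_perms` expands through `r_file_perms` to `{ getattr open read ioctl lock }` as in global_macros, untrusted_app also loses `lock` on tun_device, which neither the comment nor the commit message mentions. If that narrowing is intended, the comment should say so; otherwise restore it with `allow untrusted_app tun_device:chr_file { read write getattr ioctl append lock };`. A one-line pointer in the comment to the neverallow added later in this change, e.g. `# Enforced at build time by the neverallow below.`, would also make the allow/neverallow pairing obvious to the next reader.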
@ -157,3 +159,6 @@ neverallow untrusted_app file_type:file link;
|
||||
|
||||
# Do not allow untrusted_app to access network MAC address file
|
||||
neverallow untrusted_app sysfs_mac_address:file no_rw_file_perms;
|
||||
|
||||
# Do not allow untrusted app to directly open tun_device
|
||||
neverallow untrusted_app tun_device:chr_file open;
|
||||
|