01d95c23ab
Define new netlink socket security classes introduced by upstream kernel commit 6c6d2e9bde1c1c87a7ead806f8f5e2181d41a652 ("selinux: update netlink socket classes"). This was merged in Linux 4.2 and is therefore only required for Android kernels based on 4.2 or newer (e.g. the android-4.4 branch of the kernel/common tree). Add the new socket classes to socket_class_set. Add an initial set of allow rules although further refinement will likely be necessary. Any allow rule previously written on :netlink_socket may need to be rewritten or duplicated for one or more of the more specific classes. For now, we retain the existing :netlink_socket rules for compatibility on older kernels. Change-Id: I5040b30edd2d374538490a080feda96dd4bae5bf Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
16 lines
512 B
Plaintext
16 lines
512 B
Plaintext
##
|
|
# trusted execution environment (tee) daemon
|
|
#
|
|
type tee, domain, domain_deprecated;
|
|
type tee_exec, exec_type, file_type;
|
|
type tee_device, dev_type;
|
|
type tee_data_file, file_type, data_file_type;
|
|
|
|
init_daemon_domain(tee)
|
|
allow tee self:capability { dac_override };
|
|
allow tee tee_device:chr_file rw_file_perms;
|
|
allow tee tee_data_file:dir rw_dir_perms;
|
|
allow tee tee_data_file:file create_file_perms;
|
|
allow tee self:netlink_socket create_socket_perms;
|
|
allow tee self:netlink_generic_socket create_socket_perms;
|