d8843d1c2e
Denial log:
1. 10-30 11:02:50.279 wifi 1119 1119 W HwBinder:1119_1:
type=1400 audit(0.0:113): avc: denied { transfer } for
scontext=u:r:wificond:s0 tcontext=u:r:keystore:s0
tclass=binder permissive=0
2. 01-15 16:24:04.214 W/keystore( 1007): type=1400
audit(0.0:109): avc: denied { call } for
scontext=u:r:keystore:s0 tcontext=u:r:wificond:s0
tclass=binder permissive=0
3. 01-16 12:11:19.704 W/keystore( 1021): type=1400
audit(0.0:163): avc: denied { transfer } for
scontext=u:r:keystore:s0 tcontext=u:r:wificond:s0
tclass=binder permissive=0
Bug: 143638513
Bug: 145310496
Test: Installed CA and wifi certificates and connects
to enterprise network.
No selinux denial seen from wificond and keystore.
Change-Id: I9727add13844b1ff1875e493b777e3a294e00ffa
37 lines
1.1 KiB
Plaintext
37 lines
1.1 KiB
Plaintext
type keystore, domain;
|
|
type keystore_exec, system_file_type, exec_type, file_type;
|
|
|
|
# keystore daemon
|
|
typeattribute keystore mlstrustedsubject;
|
|
binder_use(keystore)
|
|
binder_service(keystore)
|
|
binder_call(keystore, system_server)
|
|
binder_call(keystore, wificond)
|
|
|
|
allow keystore keystore_data_file:dir create_dir_perms;
|
|
allow keystore keystore_data_file:notdevfile_class_set create_file_perms;
|
|
allow keystore keystore_exec:file { getattr };
|
|
|
|
add_service(keystore, keystore_service)
|
|
allow keystore sec_key_att_app_id_provider_service:service_manager find;
|
|
allow keystore dropbox_service:service_manager find;
|
|
|
|
# Check SELinux permissions.
|
|
selinux_check_access(keystore)
|
|
|
|
r_dir_file(keystore, cgroup)
|
|
|
|
###
|
|
### Neverallow rules
|
|
###
|
|
### Protect ourself from others
|
|
###
|
|
|
|
neverallow { domain -keystore } keystore_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
|
|
neverallow { domain -keystore } keystore_data_file:notdevfile_class_set ~{ relabelto getattr };
|
|
|
|
neverallow { domain -keystore -init } keystore_data_file:dir *;
|
|
neverallow { domain -keystore -init } keystore_data_file:notdevfile_class_set *;
|
|
|
|
neverallow * keystore:process ptrace;
|