Skip to content
Snippets Groups Projects
Select Git revision
  • android-7.1.2_r28_klist
  • master default protected
  • pie-cts-release
  • pie-vts-release
  • pie-cts-dev
  • oreo-mr1-iot-release
  • sdk-release
  • oreo-m6-s4-release
  • oreo-m4-s12-release
  • pie-release
  • pie-r2-release
  • pie-r2-s1-release
  • oreo-vts-release
  • oreo-cts-release
  • oreo-dev
  • oreo-mr1-dev
  • pie-gsi
  • pie-platform-release
  • pie-dev
  • oreo-cts-dev
  • android-o-mr1-iot-release-1.0.4
  • android-9.0.0_r8
  • android-9.0.0_r7
  • android-9.0.0_r6
  • android-9.0.0_r5
  • android-8.1.0_r46
  • android-8.1.0_r45
  • android-n-iot-release-smart-display-r2
  • android-vts-8.1_r5
  • android-cts-8.1_r8
  • android-cts-8.0_r12
  • android-cts-7.1_r20
  • android-cts-7.0_r24
  • android-o-mr1-iot-release-1.0.3
  • android-cts-9.0_r1
  • android-8.1.0_r43
  • android-8.1.0_r42
  • android-n-iot-release-smart-display
  • android-p-preview-5
  • android-9.0.0_r3
40 results
Blame Permalink
  • Stephen Smalley's avatar
    39fd7818
    Remove domain init:unix_stream_socket connectto permission. · 39fd7818
    Stephen Smalley authored 
    
We do not want to permit connecting to arbitrary unconfined services
left running in the init domain.  I do not know how this was originally
triggered and thus cannot test that it is fixed.  Possible causes:
- another service was left running in init domain, e.g. dumpstate,
- there was a socket entry for the service in the init.rc file
and the service was launched via logwrapper and therefore init did
not know how to label the socket.

The former should be fixed.  The latter can be solved either by
removing use of logwrapper or by specifying the socket context
explicitly in the init.rc file now.

Change-Id: I09ececaaaea2ccafb7637ca08707566c1155a298
Signed-off-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
    39fd7818
    History
    Remove domain init:unix_stream_socket connectto permission.
    Stephen Smalley authored 
    
We do not want to permit connecting to arbitrary unconfined services
left running in the init domain.  I do not know how this was originally
triggered and thus cannot test that it is fixed.  Possible causes:
- another service was left running in init domain, e.g. dumpstate,
- there was a socket entry for the service in the init.rc file
and the service was launched via logwrapper and therefore init did
not know how to label the socket.

The former should be fixed.  The latter can be solved either by
removing use of logwrapper or by specifying the socket context
explicitly in the init.rc file now.

Change-Id: I09ececaaaea2ccafb7637ca08707566c1155a298
Signed-off-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
domain.te 5.93 KiB