Commit 040b21d9 authored by Stephen Smalley's avatar Stephen Smalley Committed by Android Git Automerger

am ad0d0fc7: Protect /data/property.

* commit 'ad0d0fc7':
  Protect /data/property.
parents 8c49978f ad0d0fc7
......@@ -246,3 +246,7 @@ neverallow {
-system_server
-zygote
} { file_type -system_file -exec_type }:file execute;
# Only the init property service should write to /data/property.
neverallow { domain -init } property_data_file:dir { create setattr relabelfrom rename write add_name remove_name rmdir };
neverallow { domain -init } property_data_file:file { create setattr relabelfrom write append unlink link rename };
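Review bot: The comment above the two added neverallow rules says only the init property service may write, but `{ domain -init }` exempts the whole init domain, so any process that stays in that domain without a transition keeps write access to /data/property. The rules also list only modifying permissions on the `dir` and `file` classes, so reads by other domains are not asserted against here. I would make the comment match what is enforced, for example `# Only the init domain (which hosts the property service) may modify /data/property; reads are not restricted by this assertion.` The enclosing policy file continues outside this hunk.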
......@@ -64,6 +64,8 @@ type dalvikcache_profiles_data_file, file_type, data_file_type;
type shell_data_file, file_type, data_file_type;
# /data/gps
type gps_data_file, file_type, data_file_type;
# /data/property
type property_data_file, file_type, data_file_type;
# /data/misc subdirectories
type adb_keys_file, file_type, data_file_type;
......@@ -184,6 +184,7 @@
/data/local/tmp(/.*)? u:object_r:shell_data_file:s0
/data/media(/.*)? u:object_r:media_rw_data_file:s0
/data/mediadrm(/.*)? u:object_r:media_data_file:s0
/data/property(/.*)? u:object_r:property_data_file:s0
# Misc data
/data/misc/adb(/.*)? u:object_r:adb_keys_file:s0
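Review bot: The added `/data/property(/.*)?` entry only labels files that are created or relabeled after this policy is in place. A /data/property directory that already exists on an upgraded device keeps its previous label until something runs restorecon on it. No relabel step is visible in this commit, so please confirm that the directory is relabeled recursively at boot before persistent properties are loaded. Until then the new neverallow rules and the unconfineddomain exclusion would not apply to the existing files, and init would still be reaching them under the old type.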
......@@ -34,3 +34,7 @@ allow init keystore_data_file:file { getattr };
# setfscreate is for labeling directories and socket files.
# setsockcreate is for labeling local/unix domain sockets.
allow init self:process { setexec setfscreate setsockcreate };
# Create /data/property and files within it.
allow init property_data_file:dir create_dir_perms;
allow init property_data_file:file create_file_perms;
......@@ -28,10 +28,10 @@ allow unconfineddomain domain:{ fifo_file file } rw_file_perms;
allow unconfineddomain domain:socket_class_set *;
allow unconfineddomain domain:ipc_class_set *;
allow unconfineddomain domain:key *;
allow unconfineddomain {fs_type dev_type file_type -keystore_data_file}:{ dir lnk_file sock_file fifo_file } ~relabelto;
allow unconfineddomain {fs_type dev_type file_type -keystore_data_file -property_data_file}:{ dir lnk_file sock_file fifo_file } ~relabelto;
allow unconfineddomain {fs_type -usermodehelper -proc_security}:{ chr_file file } ~{entrypoint execmod execute relabelto};
allow unconfineddomain {dev_type -kmem_device}:{ chr_file file } ~{entrypoint execmod execute relabelto};
allow unconfineddomain {file_type -keystore_data_file}:{ chr_file file } ~{entrypoint execmod execute relabelto};
allow unconfineddomain {file_type -keystore_data_file -property_data_file}:{ chr_file file } ~{entrypoint execmod execute relabelto};
allow unconfineddomain { rootfs system_file exec_type }:file execute;
allow unconfineddomain node_type:node *;
allow unconfineddomain node_type:{ tcp_socket udp_socket rawip_socket } node_bind;
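Review bot: The two rewritten allow rules subtract `-property_data_file` from the whole permission set, so unconfined domains lose read and search access to /data/property as well as write, which is stricter than the write-only neverallow added elsewhere in this commit. The first rule also removes `lnk_file`, `sock_file` and `fifo_file` access, while the init hunk of this commit grants back only `dir` and `file`. That looks intentional and mirrors the `keystore_data_file` handling, but it is worth checking that no other unconfined domain needs to read these files. A comment above the two rules would record the intent, for example `# keystore_data_file and property_data_file are excluded entirely; domains that need them get explicit allow rules.`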