am 6f7de297: Merge "Do not allow apps to access network address file"

* commit '6f7de297': Do not allow apps to access network address file

am 6f7de297: Merge "Do not allow apps to access network address file"
278658c2 · Jeffrey Vander Stoep · Android Git Automerger · 4fe55e1e · 6f7de297 · 278658c2
Commit 278658c2 authored 9 years ago by Jeffrey Vander Stoep Committed by Android Git Automerger 9 years ago
--- a/file.te
+++ b/file.te
@@ -25,6 +25,7 @@ type sysfs_writable, fs_type, sysfs_type, mlstrustedobject;
 type sysfs_bluetooth_writable, fs_type, sysfs_type, mlstrustedobject;
 type sysfs_nfc_power_writable, fs_type, sysfs_type, mlstrustedobject;
 type sysfs_wake_lock, fs_type, sysfs_type;
+type sysfs_mac_address, fs_type, sysfs_type;
 # /sys/devices/system/cpu
 type sysfs_devices_system_cpu, fs_type, sysfs_type;
 # /sys/module/lowmemorykiller

--- a/system_server.te
+++ b/system_server.te
@@ -153,6 +153,7 @@ selinux_check_access(system_server)
 allow system_server sysfs:file rw_file_perms;
 allow system_server sysfs_nfc_power_writable:file rw_file_perms;
 allow system_server sysfs_devices_system_cpu:file w_file_perms;
+allow system_server sysfs_mac_address:file r_file_perms;
 # Access devices.
 allow system_server device:dir r_dir_perms;

--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -154,3 +154,6 @@ neverallow untrusted_app mlstrustedsubject:process fork;
 # bugs, so we want to ensure untrusted_app never has this
 # capability.
 neverallow untrusted_app file_type:file link;
+# Do not allow untrusted_app to access network MAC address file
+neverallow untrusted_app sysfs_mac_address:file no_rw_file_perms;