Commit 2c8bf56f authored by Stephen Smalley's avatar Stephen Smalley

Only auditallow unlabeled accesses not allowed elsewhere.

https://android-review.googlesource.com/#/c/95900/ added further
unlabeled rules for installd and added explicit unlabeled rules for
vold and system_server.  Exclude these permissions from the auditallow
rules on unlabeled so that we only see the ones that would be denied if
we were to remove the allow domain rules here.

Change-Id: I2b9349ad6606bcb6a74a7e67343a8a9e5d70174c
Signed-off-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
parent f85c1fc2
...@@ -150,11 +150,18 @@ allow domain { asec_public_file asec_apk_file }:dir r_dir_perms; ...@@ -150,11 +150,18 @@ allow domain { asec_public_file asec_apk_file }:dir r_dir_perms;
# #
allow domain unlabeled:notdevfile_class_set { create_file_perms relabelfrom }; allow domain unlabeled:notdevfile_class_set { create_file_perms relabelfrom };
allow domain unlabeled:dir { create_dir_perms relabelfrom }; allow domain unlabeled:dir { create_dir_perms relabelfrom };
auditallow { domain -init -installd } unlabeled:notdevfile_class_set { create_file_perms relabelfrom }; auditallow { domain -init -installd -vold -system_server } unlabeled:notdevfile_class_set { create_file_perms relabelfrom };
auditallow { domain -init -kernel -installd } unlabeled:dir { create_dir_perms relabelfrom }; auditallow { domain -init -kernel -installd -vold -system_server } unlabeled:dir { create_dir_perms relabelfrom };
auditallow kernel unlabeled:dir ~search; auditallow kernel unlabeled:dir ~search;
auditallow installd unlabeled:dir ~{ getattr search relabelfrom }; auditallow installd unlabeled:dir ~{ getattr search relabelfrom rw_dir_perms rmdir };
auditallow installd unlabeled:notdevfile_class_set ~{ getattr relabelfrom }; auditallow installd unlabeled:file ~{ r_file_perms getattr relabelfrom rename unlink setattr };
auditallow installd unlabeled:{ lnk_file sock_file fifo_file } ~{ getattr relabelfrom rename unlink setattr };
auditallow vold unlabeled:dir ~{ r_dir_perms setattr relabelfrom };
auditallow vold unlabeled:file ~{ r_file_perms setattr relabelfrom };
auditallow vold unlabeled:{ lnk_file sock_file fifo_file } { create_file_perms relabelfrom };
auditallow system_server unlabeled:dir ~r_dir_perms;
auditallow system_server unlabeled:file ~r_file_perms;
auditallow system_server unlabeled:{ lnk_file sock_file fifo_file } { create_file_perms relabelfrom };
### ###
### neverallow rules ### neverallow rules
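Review bot: The per-domain `~{ … }` exclusion sets added for installd, vold and system_server restate by hand the permissions each domain is explicitly allowed elsewhere, and nothing in the policy text records that coupling; when a domain's own unlabeled allow rules change later, these complements drift silently, and an exclusion set that grows wider than the real grant hides exactly the accesses the audit is meant to surface. I would add above the first `auditallow` line: `# Per-domain exclusions below must mirror each domain's explicit unlabeled allow rules; update both together.` The vold and system_server rules for `{ lnk_file sock_file fifo_file }` audit the full `{ create_file_perms relabelfrom }` grant rather than a complement, which looks intentional (no explicit rule for those classes, per the commit message) but deserves a word in that same comment so it is not "fixed" into a complement later. Note that the installd split into `file` plus `{ lnk_file sock_file fifo_file }` only preserves the old `notdevfile_class_set` coverage if that set contains exactly those four classes, which should be confirmed against the macro definition. The `auditallow` lines only log; the blanket `allow domain unlabeled` context rules above remain in force until the collected audit data justifies narrowing them.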