Commit 47a09d6b authored by dcashman's avatar dcashman

resolve merge conflicts of 9221e737 to nyc-dev-plus-aosp

Change-Id: I4afb6e977955af3d8a74ada7df6705746f83bc6d
parents 7180307c 9221e737
......@@ -212,15 +212,27 @@ neverallow * kernel:security setbool;
# that could be set from init.rc.
neverallow { domain -init } kernel:security setsecparam;
# Only init, ueventd and system_server should be able to access HW RNG
neverallow { domain -init -system_server -ueventd } hw_random_device:chr_file *;
# Only init, ueventd, shell and system_server should be able to access HW RNG
neverallow {
domain
-init
-shell # For CTS and is restricted to getattr in shell.te
-system_server
-ueventd
} hw_random_device:chr_file *;
# Ensure that all entrypoint executables are in exec_type or postinstall_file.
neverallow * { file_type -exec_type -postinstall_file }:file entrypoint;
# Ensure that nothing in userspace can access /dev/mem or /dev/kmem
neverallow { domain -kernel -ueventd -init } kmem_device:chr_file *;
neverallow * kmem_device:chr_file ~{ create relabelto unlink setattr };
neverallow {
domain
-init
-kernel
-shell # For CTS and is restricted to getattr in shell.te
-ueventd
} kmem_device:chr_file *;
neverallow * kmem_device:chr_file ~{ create relabelto unlink setattr getattr };
# Only init should be able to configure kernel usermodehelpers or
# security-sensitive proc settings.
......@@ -575,6 +587,7 @@ neverallow {
-priv_app
-recovery
-sdcardd
-shell # Restricted by shell.te to only getattr
-system_server
-ueventd
-vold
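Review bot: The comment above the kmem_device rules in the first hunk, `# Ensure that nothing in userspace can access /dev/mem or /dev/kmem`, no longer matches the rules beneath it: the block form exempts `shell` from the `*` rule and the second rule adds `getattr` to the permitted set. Because the exemption covers every permission, this file on its own no longer bounds what shell may do to kmem_device or hw_random_device; the limit is the `~getattr` neverallow in shell.te. I would reword the comment to something like `# Nothing in userspace may open /dev/mem or /dev/kmem; shell is exempted here only for getattr, enforced by a neverallow in shell.te`, and word the hw_random_device comment the same way. The rule that the second hunk's `-shell` line belongs to starts and ends outside the hunk, so its target type cannot be checked from here against the shell.te list.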
......
......@@ -131,6 +131,17 @@ allow shell ion_device:chr_file rw_file_perms;
allow shell media_rw_data_file:dir create_dir_perms;
allow shell media_rw_data_file:file create_file_perms;
#
# filesystem test for insecure chr_file's is done
# via a host side test
#
allow shell dev_type:dir r_dir_perms;
allow shell dev_type:chr_file getattr;
# /dev/fd is a symlink
allow shell proc:lnk_file getattr;
###
### Neverallow rules
###
......@@ -145,3 +156,11 @@ neverallow shell file_type:file link;
# Do not allow privileged socket ioctl commands
neverallowxperm shell domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
# limit shell access to sensitive char drivers to
# only getattr required for host side test.
neverallow shell {
fuse_device
hw_random_device
kmem_device
}:chr_file ~getattr;
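Review bot: The type list in the final `neverallow shell { ... }:chr_file ~getattr;` is what keeps the `-shell` exemptions in the domain-wide neverallow rules safe, but nothing in the rule says so. A comment such as `# Keep this list in sync with every "-shell" exemption in the domain-wide chr_file neverallow rules` would help, since a type exempted there and missing here is left without a compile-time guard for shell. Separately, `allow shell proc:lnk_file getattr;` is commented as `# /dev/fd is a symlink`, yet the rule covers every symlink labelled `proc`; the comment should state that scope.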