Commit 525c2af7 authored by Nick Kralevich's avatar Nick Kralevich Committed by Android Git Automerger

am cf8dc85f: am 0db95cce: unconfined: remove internet access

* commit 'cf8dc85f':
  unconfined: remove internet access
parents 85d454a2 cf8dc85f
...@@ -86,6 +86,9 @@ allow init self:process { setexec setfscreate setsockcreate }; ...@@ -86,6 +86,9 @@ allow init self:process { setexec setfscreate setsockcreate };
allow init property_data_file:dir create_dir_perms; allow init property_data_file:dir create_dir_perms;
allow init property_data_file:file create_file_perms; allow init property_data_file:file create_file_perms;
# Run "ifup lo" to bring up the localhost interface
allow init self:udp_socket { create ioctl };
### ###
### neverallow rules ### neverallow rules
### ###
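Review bot: The comment above the new `allow init self:udp_socket { create ioctl };` rule names the action but not why the grant is limited to these two permissions. The rule appears to stand in for access init previously got through the unconfined domain's blanket socket rule, which the other file section narrows; that link is inferred, not stated on the page. I would extend the comment along the lines of `# init only creates a UDP socket and issues interface ioctls on it to bring up lo; bind, connect and send are deliberately not granted.` so a later edit does not widen the rule by habit.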
......
...@@ -45,7 +45,24 @@ allow unconfineddomain domain:fd *; ...@@ -45,7 +45,24 @@ allow unconfineddomain domain:fd *;
allow unconfineddomain domain:dir r_dir_perms; allow unconfineddomain domain:dir r_dir_perms;
allow unconfineddomain domain:lnk_file r_file_perms; allow unconfineddomain domain:lnk_file r_file_perms;
allow unconfineddomain domain:{ fifo_file file } rw_file_perms; allow unconfineddomain domain:{ fifo_file file } rw_file_perms;
allow unconfineddomain domain:socket_class_set *; allow unconfineddomain domain:{
socket
netlink_socket
key_socket
unix_stream_socket
unix_dgram_socket
netlink_route_socket
netlink_firewall_socket
netlink_tcpdiag_socket
netlink_nflog_socket
netlink_xfrm_socket
netlink_selinux_socket
netlink_audit_socket
netlink_ip6fw_socket
netlink_dnrt_socket
netlink_kobject_uevent_socket
tun_socket
} *;
allow unconfineddomain domain:ipc_class_set *; allow unconfineddomain domain:ipc_class_set *;
allow unconfineddomain domain:key *; allow unconfineddomain domain:key *;
allow unconfineddomain {fs_type -contextmount_type -sdcard_type}:{ dir lnk_file sock_file fifo_file } ~relabelto; allow unconfineddomain {fs_type -contextmount_type -sdcard_type}:{ dir lnk_file sock_file fifo_file } ~relabelto;
...@@ -89,10 +106,7 @@ allow unconfineddomain rootfs:file execute; ...@@ -89,10 +106,7 @@ allow unconfineddomain rootfs:file execute;
allow unconfineddomain contextmount_type:dir r_dir_perms; allow unconfineddomain contextmount_type:dir r_dir_perms;
allow unconfineddomain contextmount_type:notdevfile_class_set r_file_perms; allow unconfineddomain contextmount_type:notdevfile_class_set r_file_perms;
allow unconfineddomain node_type:node *; allow unconfineddomain node_type:node *;
allow unconfineddomain node_type:{ tcp_socket udp_socket rawip_socket } node_bind;
allow unconfineddomain netif_type:netif *; allow unconfineddomain netif_type:netif *;
allow unconfineddomain port_type:socket_class_set name_bind;
allow unconfineddomain port_type:{ tcp_socket dccp_socket } name_connect;
allow unconfineddomain domain:peer recv; allow unconfineddomain domain:peer recv;
allow unconfineddomain { domain -init }:binder { call transfer set_context_mgr }; allow unconfineddomain { domain -init }:binder { call transfer set_context_mgr };
allow unconfineddomain { property_type -security_prop }:property_service set; allow unconfineddomain { property_type -security_prop }:property_service set;
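Review bot: The hand-written class list that replaces `socket_class_set` in the first hunk of this section has no comment saying which classes were left out on purpose. A reader cannot tell a deliberate omission from an oversight, and the list will silently diverge if socket_class_set later gains a class. A comment above the list should name the omitted classes; judging from the removed rules these look like tcp_socket, udp_socket and rawip_socket, e.g. `# socket_class_set minus the internet socket classes; domains that need them must be granted them individually.` The generic `socket` class keeps `*`, and the last hunk leaves `node_type:node *` and `netif_type:netif *` in place. Whether those are still needed once node_bind, name_bind and name_connect are gone is worth confirming, though it cannot be judged from the lines shown.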