From 9e012cde7bbb6aa66e6e8f1254a43567a328205b Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Tue, 18 Mar 2014 14:01:27 -0400
Subject: [PATCH] Remove write access to system_data_file from rild.

Anything writable by rild should be in radio_data_file or efs_file.
System data should be read-only.

Change-Id: I442a253c22f567a147d0591d623e97a6ee8b76e3
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 rild.te | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/rild.te b/rild.te
index 5bc267a77..424a61d7f 100644
--- a/rild.te
+++ b/rild.te
@@ -21,10 +21,8 @@ allow rild bluetooth_efs_file:dir r_dir_perms;
 allow rild radio_data_file:dir rw_dir_perms;
 allow rild radio_data_file:file create_file_perms;
 allow rild sdcard_type:dir r_dir_perms;
-allow rild system_data_file:dir create_dir_perms;
-allow rild system_data_file:file create_file_perms;
-auditallow rild system_data_file:dir { create reparent rmdir setattr write add_name remove_name };
-auditallow rild system_data_file:file { create setattr write append link unlink rename };
+allow rild system_data_file:dir r_dir_perms;
+allow rild system_data_file:file r_file_perms;
 allow rild system_file:file x_file_perms;
 dontaudit rild self:capability sys_admin;
 
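Review bot: The two added rules, `allow rild system_data_file:dir r_dir_perms;` and `allow rild system_data_file:file r_file_perms;`, still let rild read every file labelled system_data_file, and nothing in the policy says what it reads there. If rild only has to traverse the data directory to reach its own radio_data_file tree (an inference, the hunk does not show this), the file rule could be dropped and the dir rule narrowed. Otherwise add a comment above them such as `# Read-only: anything rild writes belongs in radio_data_file or efs_file.` so the intent survives outside the commit message. The removed auditallow lines were the only signal that the write access was in use, so confirm those audit logs were quiet on the supported devices. Any rild that still writes there will now fail with an avc denial.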
-- 
GitLab