From c0493c8dfe78284c683184a7f3aefba6982bce40 Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Wed, 8 Jan 2014 10:21:22 -0500
Subject: [PATCH] Drop extra _system_file types.

They serve no purpose; these directories/files are normally accessible in the same way as the rest of /system. Also one of them has the wrong attributes (data_file_type), thereby making it writable by some domains, and under current policy, shell and apps cannot do ls -l /etc/ppp /etc/dhcpcd.

Change-Id: I0c1baa434fe78373684f4eaab40a41fddf2bdd79
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 dhcp.te | 3 ---
 file_contexts | 2 --
 ppp.te | 1 -
 3 files changed, 6 deletions(-)

diff --git a/dhcp.te b/dhcp.te
index e7103608f..2baca81a9 100644
--- a/dhcp.te
+++ b/dhcp.te
@@ -2,7 +2,6 @@ type dhcp, domain;
 permissive dhcp;
 type dhcp_exec, exec_type, file_type;
 type dhcp_data_file, file_type, data_file_type;
-type dhcp_system_file, file_type, data_file_type;
 init_daemon_domain(dhcp)
 net_domain(dhcp)
@@ -16,8 +15,6 @@ allow dhcp system_file:file rx_file_perms;
 # For /proc/sys/net/ipv4/conf/*/promote_secondaries
 allow dhcp proc_net:file write;
 allow dhcp system_prop:property_service set ;
-allow dhcp dhcp_system_file:file rx_file_perms;
-allow dhcp dhcp_system_file:dir r_dir_perms;
 unix_socket_connect(dhcp, property, init)
 allow dhcp owntty_device:chr_file rw_file_perms;
diff --git a/file_contexts b/file_contexts
index 6c530a66e..f1c306b90 100644
--- a/file_contexts
+++ b/file_contexts
@@ -138,8 +138,6 @@
 /system/bin/pppd u:object_r:ppp_exec:s0
 /system/bin/tf_daemon u:object_r:tee_exec:s0
 /system/bin/racoon u:object_r:racoon_exec:s0
-/system/etc/ppp(/.*)? u:object_r:ppp_system_file:s0
-/system/etc/dhcpcd(/.*)? u:object_r:dhcp_system_file:s0
 /system/xbin/su u:object_r:su_exec:s0
 /system/vendor/bin/gpsd u:object_r:gpsd_exec:s0
 /system/bin/dnsmasq u:object_r:dnsmasq_exec:s0
diff --git a/ppp.te b/ppp.te
index bc1bafcb8..1f61fdd9a 100644
--- a/ppp.te
+++ b/ppp.te
@@ -2,6 +2,5 @@ type ppp, domain;
 type ppp_device, dev_type;
 type ppp_exec, exec_type, file_type;
-type ppp_system_file, file_type;
 unconfined_domain(ppp)
 domain_auto_trans(mtp, ppp_exec, ppp)
--
GitLab