tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Merge "selinux - netd - tighten down bpf policy" am: b3b12729f4

Browse source 
am: 59c7ccf0ca

Change-Id: Iacb4e97a4e7d6740ee6296a58976826bc9d3cc3b
This commit is contained in:
Maciej Żenczykowski 2019-05-03 17:24:36 -07:00 committed by android-build-merger
commit 0db05b8cd4
2 changed files with 4 additions and 7 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
private/bpfloader.te
View file

@ -17,8 +17,8 @@ allow bpfloader self:global_capability_class_set sys_admin;
###
### Neverallow rules
###
neverallow { domain -bpfloader } *:bpf prog_load;
neverallow { domain -bpfloader -netd -netutils_wrapper} *:bpf prog_run;
neverallow { domain -bpfloader } *:bpf { map_create prog_load };
neverallow { domain -bpfloader -netd -netutils_wrapper } *:bpf prog_run;
neverallow { domain -bpfloader -init } bpfloader_exec:file { execute execute_no_trans };
neverallow bpfloader domain:{ tcp_socket udp_socket rawip_socket } *;
# only system_server, netd and bpfloader can read/write the bpf maps

7
public/netd.te
View file

@ -57,8 +57,8 @@ allow netd sysfs_usb:file write;
r_dir_file(netd, cgroup_bpf)
allow netd fs_bpf:dir create_dir_perms;
allow netd fs_bpf:file create_file_perms;
allow netd fs_bpf:dir search;
allow netd fs_bpf:file { read write setattr };
# TODO: netd previously thought it needed these permissions to do WiFi related
# work. However, after all the WiFi stuff is gone, we still need them.
@ -151,9 +151,6 @@ neverallow {
-netutils_wrapper
} dnsresolver_service:service_manager find;
# only netd can create the bpf maps
neverallow { domain -netd } netd:bpf { map_create };
# apps may not interact with netd over binder.
neverallow { appdomain -network_stack } netd:binder call;
neverallow netd { appdomain -network_stack userdebug_or_eng(`-su') }:binder call;