Merge "Grants clatd privs since forked by system server"
commit
1ebfb867a8
3 changed files with 10 additions and 13 deletions
|
@ -4,10 +4,10 @@ type clatd_exec, system_file_type, exec_type, file_type;
|
|||
|
||||
net_domain(clatd)
|
||||
|
||||
# Access objects inherited from netd.
|
||||
allow clatd netd:fd use;
|
||||
allow clatd netd:packet_socket { read write };
|
||||
allow clatd netd:rawip_socket { read write };
|
||||
# Access objects inherited from system_server.
|
||||
allow clatd system_server:fd use;
|
||||
allow clatd system_server:packet_socket { read write };
|
||||
allow clatd system_server:rawip_socket { read write };
|
||||
|
||||
allow clatd self:netlink_route_socket nlmsg_write;
|
||||
allow clatd tun_device:chr_file rw_file_perms;
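Review bot: The new `allow clatd system_server:fd use;` exposes a larger set of descriptors than the netd rule it replaces, because it applies to every descriptor system_server leaves open across the exec of clatd, not only the packet and raw IP sockets named on the next two lines. Access to each underlying object is still checked against clatd's own rules, so this is not a grant on those objects, but the intent should be recorded next to the rule. I would extend the comment to something like `# Only the packet and raw IP sockets created for clatd are meant to be inherited; other system_server fds are expected to be close-on-exec.` Whether the spawning code closes everything else is not visible from this policy file and should be confirmed there.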
|
||||
|
|
|
@ -6,13 +6,6 @@ init_daemon_domain(netd)
|
|||
# Allow netd to spawn dnsmasq in it's own domain
|
||||
domain_auto_trans(netd, dnsmasq_exec, dnsmasq)
|
||||
|
||||
# Allow netd to start clatd in its own domain and kill it
|
||||
domain_auto_trans(netd, clatd_exec, clatd)
|
||||
allow netd clatd:process signal;
|
||||
|
||||
# Allow netd to setup packet socket and pass to clatd
|
||||
allow netd self:packet_socket { bind create setopt };
|
||||
|
||||
# give netd permission to setup iptables rule with xt_bpf, attach program to cgroup, and read/write
|
||||
# the map created by bpfloader
|
||||
allow netd bpfloader:bpf { prog_run map_read map_write };
|
||||
|
|
|
@ -1150,6 +1150,10 @@ allow system_server bpfloader:bpf { map_read map_write prog_run };
|
|||
# in order to invoke side effect of close() on such a socket calling synchronize_rcu()
|
||||
allow system_server self:key_socket create;
|
||||
|
||||
# Allow system_server to start clatd in its own domain and kill it.
|
||||
domain_auto_trans(system_server, clatd_exec, clatd)
|
||||
allow system_server clatd:process signal;
|
||||
|
||||
# ART Profiles.
|
||||
# Allow system_server to open profile snapshots for read.
|
||||
# System server never reads the actual content. It passes the descriptor to
|
||||
|
@ -1237,8 +1241,8 @@ neverallow system_server {
|
|||
}:file execute_no_trans;
|
||||
|
||||
# Ensure that system_server doesn't perform any domain transitions other than
|
||||
# transitioning to the crash_dump domain when a crash occurs.
|
||||
neverallow system_server { domain -crash_dump }:process transition;
|
||||
# transitioning to the crash_dump domain when a crash occurs or fork clatd.
|
||||
neverallow system_server { domain -clatd -crash_dump }:process transition;
|
||||
neverallow system_server *:process dyntransition;
|
||||
|
||||
# Only allow crash_dump to connect to system_ndebug_socket.
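Review bot: The reworded comment above the relaxed `neverallow system_server { domain -clatd -crash_dump }:process transition;` says "or fork clatd", but fork does not change domain. The exception covers the exec-time transition into clatd that `domain_auto_trans(system_server, clatd_exec, clatd)` sets up in the earlier hunk of this file. Since this neverallow is the guard that keeps system_server from entering other domains, the comment should say exactly what is exempted and why, for example `# transitioning to the crash_dump domain when a crash occurs, or to the clatd domain when starting clatd via clatd_exec.` The neverallow block continues outside the hunk, so any further wording there was not reviewed.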
|
||||
|
|