Merge "add selinux rules for mini-keyctl"
commit
3581f45667
5 changed files with 21 additions and 0 deletions
|
@ -1377,6 +1377,7 @@
|
|||
(typeattributeset priv_app_28_0 (priv_app))
|
||||
(typeattributeset proc_28_0
|
||||
( proc
|
||||
proc_keys
|
||||
proc_slabinfo))
|
||||
(typeattributeset proc_abi_28_0 (proc_abi))
|
||||
(typeattributeset proc_asound_28_0 (proc_asound))
|
||||
|
|
|
@ -192,6 +192,7 @@
|
|||
/system/bin/e2fsck -- u:object_r:fsck_exec:s0
|
||||
/system/bin/fsck\.exfat -- u:object_r:fsck_exec:s0
|
||||
/system/bin/fsck\.f2fs -- u:object_r:fsck_exec:s0
|
||||
/system/bin/mini-keyctl -- u:object_r:mini-keyctl_exec:s0
|
||||
/system/bin/sload_f2fs -- u:object_r:e2fs_exec:s0
|
||||
/system/bin/make_f2fs -- u:object_r:e2fs_exec:s0
|
||||
/system/bin/fsck_msdos -- u:object_r:fsck_exec:s0
|
||||
|
|
|
@ -10,6 +10,7 @@ genfscon proc /diskstats u:object_r:proc_diskstats:s0
|
|||
genfscon proc /filesystems u:object_r:proc_filesystems:s0
|
||||
genfscon proc /interrupts u:object_r:proc_interrupts:s0
|
||||
genfscon proc /iomem u:object_r:proc_iomem:s0
|
||||
genfscon proc /keys u:object_r:proc_keys:s0
|
||||
genfscon proc /kmsg u:object_r:proc_kmsg:s0
|
||||
genfscon proc /loadavg u:object_r:proc_loadavg:s0
|
||||
genfscon proc /meminfo u:object_r:proc_meminfo:s0
|
||||
|
|
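--- /dev/null
+++ b/private/mini_keyctl.te
@@ -0,0 +1,17 @@
+type mini-keyctl, domain, coredomain;
+type mini-keyctl_exec, exec_type, file_type, system_file_type;
+
+init_daemon_domain(mini-keyctl)
+
+allow mini-keyctl proc_keys:file r_file_perms;
+
+# Kernel only prints the keys that can be accessed and only kernel keyring is needed here.
+dontaudit mini-keyctl init:key view;
+dontaudit mini-keyctl vold:key view;
+allow mini-keyctl kernel:key { view search write };
+allow mini-keyctl mini-keyctl:key { view search write };
+
+# When kernel requests an algorithm, the crypto API first looks for an
+# already registered algorithm with that name. If it fails, the kernel creates
+# an implementation of the algorithm from templates.
+dontaudit mini-keyctl kernel:system module_request;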
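Review bot: The two `allow ... :key { view search write }` rules have no rationale of their own, and `write` on `kernel:key` is the sensitive grant in this file: it lets the domain modify kernel-owned keyrings, which is presumably how keys are loaded at boot. A comment directly above them would help later reviewers keep the grant from widening, for example `# write is required to add keys to a kernel-owned keyring; keep kernel:key write limited to this domain`. The `dontaudit mini-keyctl kernel:system module_request` rule also hides denials that may be useful when diagnosing a missing algorithm, so it is worth confirming it is needed on every target rather than only on the one where the denial was seen. Separately, the type is spelled `mini-keyctl` while the file is `mini_keyctl.te`; an underscore in the type name would match the file name and the other types on this page (`proc_keys`, `fsck_exec`).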
@ -28,6 +28,7 @@ type proc_hostname, fs_type, proc_type;
|
|||
type proc_hung_task, fs_type, proc_type;
|
||||
type proc_interrupts, fs_type, proc_type;
|
||||
type proc_iomem, fs_type, proc_type;
|
||||
type proc_keys, fs_type, proc_type;
|
||||
type proc_kmsg, fs_type, proc_type;
|
||||
type proc_loadavg, fs_type, proc_type;
|
||||
type proc_max_map_count, fs_type, proc_type;
|
||||
|
|