From 39fd7818b34c5e1c7e6e27aaa064d83b24733307 Mon Sep 17 00:00:00 2001 From: Stephen Smalley Date: Thu, 9 Jan 2014 15:45:44 -0500 Subject: [PATCH] Remove domain init:unix_stream_socket connectto permission. We do not want to permit connecting to arbitrary unconfined services left running in the init domain. I do not know how this was originally triggered and thus cannot test that it is fixed. Possible causes: - another service was left running in init domain, e.g. dumpstate, - there was a socket entry for the service in the init.rc file and the service was launched via logwrapper and therefore init did not know how to label the socket. The former should be fixed. The latter can be solved either by removing use of logwrapper or by specifying the socket context explicitly in the init.rc file now. Change-Id: I09ececaaaea2ccafb7637ca08707566c1155a298 Signed-off-by: Stephen Smalley --- domain.te | 3 --- 1 file changed, 3 deletions(-) diff --git a/domain.te b/domain.te index 103d690b0..75dbe7c3b 100644 --- a/domain.te +++ b/domain.te @@ -33,9 +33,6 @@ allow domain adbd:unix_stream_socket { getattr getopt read write shutdown }; ### allow domain debuggerd:process sigchld; allow domain debuggerd:unix_stream_socket connectto; -# b/9858255 - debuggerd sockets are not getting properly labeled. -# TODO: Remove this temporary workaround. -allow domain init:unix_stream_socket connectto; # Root fs. allow domain rootfs:dir r_dir_perms;