From 5e6d60a2a5b2a12a677824fd8f41af5885fa565b Mon Sep 17 00:00:00 2001 From: Jeff Vander Stoep Date: Wed, 9 Dec 2020 09:16:51 +0100 Subject: [PATCH] drmserver: audit permissions for /data/app We would like to assert that only PackageManager can make modifications to /data/app. However, I first need to remove some existing permissions that seem like they are no longer used (as per jtinker@). Add audit statements to confirm. Test: build Change-Id: Ie5ec5199f7e2f862c4d16d8c86b9b0db6fbe481c --- public/drmserver.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/public/drmserver.te b/public/drmserver.te index e2c66383d..a24ad41ba 100644 --- a/public/drmserver.te +++ b/public/drmserver.te @@ -30,7 +30,9 @@ type drmserver_socket, file_type; # /data/app/tlcd_sock socket file. # Clearly, /data/app is the most logical place to create a socket. Not. allow drmserver apk_data_file:dir rw_dir_perms; +auditallow drmserver apk_data_file:dir { add_name write }; allow drmserver drmserver_socket:sock_file create_file_perms; +auditallow drmserver drmserver_socket:sock_file create; # Delete old socket file if present. allow drmserver apk_data_file:sock_file unlink;