am 7d1b6c87: sepolicy: allow cross-user unnamed pipe access

* commit '7d1b6c87924a74e2163763a659fcca870a672e3c':
  sepolicy:  allow cross-user unnamed pipe access
Stephen Smalley 2015-02-20 19:24:47 +00:00 committed by Android Git Automerger
commit 60c624b26c

7
mls

@ -78,12 +78,13 @@ mlsconstrain { file lnk_file sock_file chr_file blk_file } { write setattr appen
# Special case for FIFOs. # Special case for FIFOs.
# These can be unnamed pipes, in which case they will be labeled with the # These can be unnamed pipes, in which case they will be labeled with the
# creating process' label. Thus we also have an exemption when the "object" # creating process' label. Thus we also have an exemption when the "object"
# is a MLS trusted subject and can receive data at any level. # is a domain type, so that processes can communicate via unnamed pipes
# passed by binder or local socket IPC.
mlsconstrain fifo_file { read getattr } mlsconstrain fifo_file { read getattr }
(l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == mlstrustedsubject); (l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == domain);
mlsconstrain fifo_file { write setattr append unlink link rename } mlsconstrain fifo_file { write setattr append unlink link rename }
(l1 domby l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == mlstrustedsubject); (l1 domby l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == domain);
# #
# IPC constraints # IPC constraints
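Review bot: The new `t2 == domain` term in both `fifo_file` constraints exempts every pipe labeled with a process type, not only pipes that were actually passed over binder or a local socket, so MLS level separation no longer restricts unnamed pipes at all and the type-enforcement allow rules on `fifo_file` become the only remaining control. The comment above the constraints should say so explicitly, e.g. `# NOTE: with t2 == domain, MLS does not restrict unnamed pipes; access is governed solely by TE allow rules on fifo_file.` The write-side constraint also places `setattr unlink link rename` under the same exemption; these are presumably not needed for pipes received over IPC, so it is worth checking whether the exemption can be limited to `write append`. Which domains hold `fifo_file` permissions on other domains' types is not visible in this hunk and should be reviewed together with this change.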