Merge "Revert "ueventd.te: auditallow device:chr_file""
This commit is contained in:
Nick Kralevich
Gerrit Code Review
commit
8ee06cc44f
2 changed files with 2 additions and 8 deletions
|
|
@ -299,9 +299,8 @@ neverallow { domain -kernel -init -recovery } block_device:blk_file { open read
|
|||
# Don't allow raw read/write/open access to generic devices.
|
||||
# Rather force a relabel to a more specific type.
|
||||
# init is exempt from this as there are character devices that only it uses.
|
||||
# uevent historically was granted access, but this does not appear used.
|
||||
# Tightening candidate?
|
||||
neverallow { domain -init -ueventd } device:chr_file no_rw_file_perms;
|
||||
# ueventd is exempt from this, as it is managing these devices.
|
||||
neverallow { domain -init -ueventd } device:chr_file { open read write };
|
||||
|
||||
# Limit what domains can mount filesystems or change their mount flags.
|
||||
# sdcard_type / vfat is exempt as a larger set of domains need
|
||||
|
|
|
|||
|
|
@ -7,12 +7,7 @@ allow ueventd kmsg_device:chr_file rw_file_perms;
|
|||
|
||||
allow ueventd self:capability { chown mknod net_admin setgid fsetid sys_rawio dac_override fowner };
|
||||
allow ueventd device:file create_file_perms;
|
||||
|
||||
# Read/write generically labeled /dev character device files.
|
||||
# TODO: this rule appears unnecessary. Delete?
|
||||
allow ueventd device:chr_file rw_file_perms;
|
||||
auditallow ueventd device:chr_file { read lock write ioctl open append };
|
||||
|
||||
r_dir_file(ueventd, sysfs_type)
|
||||
r_dir_file(ueventd, rootfs)
|
||||
allow ueventd sysfs:file w_file_perms;
|
||||
|
|
|
|||
Loading…
Reference in a new issue