Merge "Further restrict access to tun_device"
This commit is contained in:
Jeffrey Vander Stoep
Gerrit Code Review
commit
98c3f9971f
3 changed files with 4 additions and 9 deletions
3
app.te
3
app.te
|
|
@ -396,3 +396,6 @@ neverallow appdomain {
|
|||
security_file
|
||||
tmpfs
|
||||
}:lnk_file no_w_file_perms;
|
||||
|
||||
# Do not allow Apps to directly open tun_device
|
||||
neverallow appdomain tun_device:chr_file open;
|
||||
|
|
|
|||
|
|
@ -16,12 +16,7 @@ allow bluetooth bluetooth_socket:sock_file create_file_perms;
|
|||
# bluetooth factory file accesses.
|
||||
r_dir_file(bluetooth, bluetooth_efs_file)
|
||||
|
||||
# TODO why does bluetooth require access to tun_device? If not,
|
||||
# remove access and tighten down neverallow rule so that appdomain is
|
||||
# not allowed to open (as opposed to just untrusted_app)
|
||||
# Device accesses. b/24744295
|
||||
allow bluetooth { tun_device uhid_device hci_attach_dev }:chr_file rw_file_perms;
|
||||
auditallow bluetooth tun_device:chr_file rw_file_perms;
|
||||
allow bluetooth { uhid_device hci_attach_dev }:chr_file rw_file_perms;
|
||||
|
||||
# sysfs access.
|
||||
allow bluetooth sysfs_bluetooth_writable:file rw_file_perms;
|
||||
|
|
|
|||
|
|
@ -145,9 +145,6 @@ neverallow untrusted_app file_type:file link;
|
|||
# Do not allow untrusted_app to access network MAC address file
|
||||
neverallow untrusted_app sysfs_mac_address:file no_rw_file_perms;
|
||||
|
||||
# Do not allow untrusted app to directly open tun_device
|
||||
neverallow untrusted_app tun_device:chr_file open;
|
||||
|
||||
# Do not allow untrusted_app access to /cache
|
||||
neverallow untrusted_app cache_file:dir ~{ r_dir_perms };
|
||||
neverallow untrusted_app cache_file:file ~{ read getattr };
|
||||
|
|
|
|||
Loading…
Reference in a new issue