Add new "procrank" SELinux domain.
/system/xbin/procrank is a setuid program run by adb shell on userdebug / eng devices. Allow it to work without running adb root. Bug: 18342188 Change-Id: I18d9f743e5588c26661eaa26e1b7e6980b15caf7
This commit is contained in:
parent
79e873c0f6
commit
a191398812
3 changed files with 22 additions and 1 deletions
|
@ -177,7 +177,14 @@ neverallow { domain -init -recovery } unlabeled:dir_file_class_set create;
|
||||||
|
|
||||||
# Limit ability to ptrace or read sensitive /proc/pid files of processes
|
# Limit ability to ptrace or read sensitive /proc/pid files of processes
|
||||||
# with other UIDs to these whitelisted domains.
|
# with other UIDs to these whitelisted domains.
|
||||||
neverallow { domain -debuggerd -vold -dumpstate -system_server } self:capability sys_ptrace;
|
neverallow {
|
||||||
|
domain
|
||||||
|
-debuggerd
|
||||||
|
-vold
|
||||||
|
-dumpstate
|
||||||
|
-system_server
|
||||||
|
userdebug_or_eng(`-procrank')
|
||||||
|
} self:capability sys_ptrace;
|
||||||
|
|
||||||
# Limit device node creation to these whitelisted domains.
|
# Limit device node creation to these whitelisted domains.
|
||||||
neverallow { domain -kernel -init -recovery -ueventd -watchdogd -healthd -vold -uncrypt -slideshow } self:capability mknod;
|
neverallow { domain -kernel -init -recovery -ueventd -watchdogd -healthd -vold -uncrypt -slideshow } self:capability mknod;
|
||||||
|
|
|
@ -156,6 +156,7 @@
|
||||||
/system/bin/tf_daemon u:object_r:tee_exec:s0
|
/system/bin/tf_daemon u:object_r:tee_exec:s0
|
||||||
/system/bin/racoon u:object_r:racoon_exec:s0
|
/system/bin/racoon u:object_r:racoon_exec:s0
|
||||||
/system/xbin/su u:object_r:su_exec:s0
|
/system/xbin/su u:object_r:su_exec:s0
|
||||||
|
/system/xbin/procrank u:object_r:procrank_exec:s0
|
||||||
/system/vendor/bin/gpsd u:object_r:gpsd_exec:s0
|
/system/vendor/bin/gpsd u:object_r:gpsd_exec:s0
|
||||||
/system/bin/dnsmasq u:object_r:dnsmasq_exec:s0
|
/system/bin/dnsmasq u:object_r:dnsmasq_exec:s0
|
||||||
/system/bin/hostapd u:object_r:hostapd_exec:s0
|
/system/bin/hostapd u:object_r:hostapd_exec:s0
|
||||||
|
|
13
procrank.te
Normal file
13
procrank.te
Normal file
|
@ -0,0 +1,13 @@
|
||||||
|
# File types must be defined for file_contexts.
|
||||||
|
type procrank_exec, exec_type, file_type;
|
||||||
|
|
||||||
|
userdebug_or_eng(`
|
||||||
|
type procrank, domain, mlstrustedsubject;
|
||||||
|
|
||||||
|
domain_auto_trans(shell, procrank_exec, procrank)
|
||||||
|
allow procrank self:capability sys_ptrace;
|
||||||
|
allow procrank devpts:chr_file { read write getattr ioctl };
|
||||||
|
r_dir_file(procrank, domain)
|
||||||
|
allow procrank shell:fd use;
|
||||||
|
allow procrank adbd:process sigchld;
|
||||||
|
')
|
Loading…
Reference in a new issue