tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Remove -kernel -recovery from keystore_data_file neverallow.

Browse source 
Aside from the keystore daemon itself, only init needs any access
to keystore_data_file (in order to create and potentially restorecon
/data/misc/keystore).  The exceptions for the kernel and recovery domains
are unnecessary; no allow rule permits this access in current policy.

Change-Id: I5cf6f29ec08174017ac8f5fb36fef166ce360ca0
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
This commit is contained in:
Stephen Smalley 2014-10-22 11:13:17 -04:00
parent 0d08d4721a
commit d4731ad8c7
1 changed files with 2 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
keystore.te
View file

@ -21,8 +21,8 @@ allow keystore tee:unix_stream_socket connectto;
neverallow { domain -keystore } keystore_data_file:dir ~{ open create read getattr setattr search relabelto };
neverallow { domain -keystore } keystore_data_file:notdevfile_class_set ~{ relabelto getattr };
neverallow { domain -keystore -init -kernel -recovery } keystore_data_file:dir *;
neverallow { domain -keystore -init -kernel -recovery } keystore_data_file:notdevfile_class_set *;
neverallow { domain -keystore -init } keystore_data_file:dir *;
neverallow { domain -keystore -init } keystore_data_file:notdevfile_class_set *;
neverallow domain keystore:process ptrace;