1601132086
Replace * or any permission set containing create with create_socket_perms or create_stream_socket_perms. Add net_domain() to all domains using network sockets and delete rules already covered by domain.te or net.te. For netlink_route_socket, only nlmsg_write needs to be separately granted to specific domains that are permitted to modify the routing table. Clarification: read/write permissions are just ability to perform read/recv() or write/send() on the socket, whereas nlmsg_read/ nlmsg_write permissions control ability to observe or modify the underlying kernel state accessed via the socket. See security/selinux/nlmsgtab.c in the kernel for the mapping of netlink message types to nlmsg_read or nlmsg_write. Delete legacy rule for b/12061011. This change does not touch any rules where only read/write were allowed to a socket created by another domain (inherited across exec or received across socket or binder IPC). We may wish to rewrite some or all of those rules with the rw_socket_perms macro but that is a separate change. Change-Id: Ib0637ab86f6d388043eff928e5d96beb02e5450e Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
48 lines
1.7 KiB
Text
48 lines
1.7 KiB
Text
# rild - radio interface layer daemon
|
|
type rild, domain;
|
|
permissive_or_unconfined(rild)
|
|
type rild_exec, exec_type, file_type;
|
|
|
|
init_daemon_domain(rild)
|
|
net_domain(rild)
|
|
allow rild self:netlink_route_socket nlmsg_write;
|
|
allow rild kernel:system module_request;
|
|
unix_socket_connect(rild, property, init)
|
|
unix_socket_connect(rild, qemud, qemud)
|
|
allow rild self:capability { setuid net_admin net_raw };
|
|
allow rild alarm_device:chr_file rw_file_perms;
|
|
allow rild cgroup:dir create_dir_perms;
|
|
allow rild radio_device:chr_file rw_file_perms;
|
|
allow rild radio_device:blk_file r_file_perms;
|
|
allow rild qemu_device:chr_file rw_file_perms;
|
|
allow rild mtd_device:dir search;
|
|
allow rild efs_file:dir create_dir_perms;
|
|
allow rild efs_file:file create_file_perms;
|
|
allow rild shell_exec:file rx_file_perms;
|
|
allow rild bluetooth_efs_file:file r_file_perms;
|
|
allow rild bluetooth_efs_file:dir r_dir_perms;
|
|
allow rild radio_data_file:dir rw_dir_perms;
|
|
allow rild radio_data_file:file create_file_perms;
|
|
allow rild sdcard_type:dir r_dir_perms;
|
|
allow rild system_data_file:dir create_dir_perms;
|
|
allow rild system_data_file:file create_file_perms;
|
|
allow rild system_file:file x_file_perms;
|
|
dontaudit rild self:capability sys_admin;
|
|
|
|
# property service
|
|
allow rild rild_prop:property_service set;
|
|
allow rild radio_prop:property_service set;
|
|
|
|
# Read/Write to uart driver (for GPS)
|
|
allow rild gps_device:chr_file rw_file_perms;
|
|
|
|
allow rild tty_device:chr_file rw_file_perms;
|
|
|
|
# Allow rild to create and use netlink sockets.
|
|
allow rild self:netlink_socket create_socket_perms;
|
|
allow rild self:netlink_kobject_uevent_socket create_socket_perms;
|
|
|
|
# Access to wake locks
|
|
allow rild sysfs_wake_lock:file rw_file_perms;
|
|
|
|
allow rild self:socket create_socket_perms;
|