3235f61aa8
Remove /data/security and setprop selinux.reload_policy access from unconfineddomain, and only add back what is needed to init (system_server already gets the required allow rules via the selinux_manage_policy macro). init (via init.rc post-fs-data) originally creates /data/security and may later restorecon it. init also sets the property (also from init.rc post-fs-data) to trigger a reload once /data is mounted. The system_server (SELinuxPolicyInstallReceiver in particular) creates subdirectories under /data/security for updates, writes files to these subdirectories, creates the /data/security/current symlink to the update directory, and sets the property to trigger a reload when an update bundle is received. Add neverallow rules to ensure that we do not allow undesired access to security_file or security_prop. This is only truly meaningful if the support for /data/security policies is restored, but is harmless otherwise. Also drop the persist.mmac property_contexts entry; it was never used in AOSP, only in our tree (for middleware MAC) and is obsolete. Change-Id: I5ad5e3b6fc7abaafd314d31723f37b708d8fcf89 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
59 lines
2.3 KiB
Text
59 lines
2.3 KiB
Text
##########################
|
|
# property service keys
|
|
#
|
|
#
|
|
net.rmnet u:object_r:radio_prop:s0
|
|
net.gprs u:object_r:radio_prop:s0
|
|
net.ppp u:object_r:radio_prop:s0
|
|
net.qmi u:object_r:radio_prop:s0
|
|
net.lte u:object_r:radio_prop:s0
|
|
net.cdma u:object_r:radio_prop:s0
|
|
gsm. u:object_r:radio_prop:s0
|
|
persist.radio u:object_r:radio_prop:s0
|
|
net.dns u:object_r:radio_prop:s0
|
|
sys.usb.config u:object_r:radio_prop:s0
|
|
|
|
ril. u:object_r:rild_prop:s0
|
|
ril.cdma u:object_r:radio_prop:s0
|
|
|
|
net. u:object_r:system_prop:s0
|
|
dev. u:object_r:system_prop:s0
|
|
runtime. u:object_r:system_prop:s0
|
|
hw. u:object_r:system_prop:s0
|
|
sys. u:object_r:system_prop:s0
|
|
sys.powerctl u:object_r:powerctl_prop:s0
|
|
service. u:object_r:system_prop:s0
|
|
wlan. u:object_r:system_prop:s0
|
|
dhcp. u:object_r:system_prop:s0
|
|
bluetooth. u:object_r:bluetooth_prop:s0
|
|
|
|
debug. u:object_r:debug_prop:s0
|
|
debug.db. u:object_r:debuggerd_prop:s0
|
|
log. u:object_r:shell_prop:s0
|
|
service.adb.root u:object_r:shell_prop:s0
|
|
service.adb.tcp.port u:object_r:shell_prop:s0
|
|
|
|
persist.audio. u:object_r:audio_prop:s0
|
|
persist.sys. u:object_r:system_prop:s0
|
|
persist.service. u:object_r:system_prop:s0
|
|
persist.service.bdroid. u:object_r:bluetooth_prop:s0
|
|
persist.security. u:object_r:system_prop:s0
|
|
|
|
# selinux non-persistent properties
|
|
selinux. u:object_r:security_prop:s0
|
|
|
|
# default property context
|
|
* u:object_r:default_prop:s0
|
|
|
|
# data partition encryption properties
|
|
vold. u:object_r:vold_prop:s0
|
|
crypto. u:object_r:vold_prop:s0
|
|
|
|
# ctl properties
|
|
ctl.bootanim u:object_r:ctl_bootanim_prop:s0
|
|
ctl.dumpstate u:object_r:ctl_dumpstate_prop:s0
|
|
ctl.fuse_ u:object_r:ctl_fuse_prop:s0
|
|
ctl.mdnsd u:object_r:ctl_mdnsd_prop:s0
|
|
ctl.ril-daemon u:object_r:ctl_rildaemon_prop:s0
|
|
ctl.bugreport u:object_r:ctl_bugreport_prop:s0
|
|
ctl. u:object_r:ctl_default_prop:s0
|