bff9801521
Remove the ioctl permission for most socket types. For others, such as tcp/udp/rawip/unix_dgram/unix_stream set a default unprivileged whitelist that individual domains may extend (except where neverallowed like untrusted_app). Enforce via a neverallowxperm rule. Change-Id: I15548d830f8eff1fd4d64005c5769ca2be8d4ffe
19 lines
702 B
Text
19 lines
702 B
Text
##
|
|
# trusted execution environment (tee) daemon
|
|
#
|
|
type tee, domain, domain_deprecated;
|
|
type tee_exec, exec_type, file_type;
|
|
type tee_device, dev_type;
|
|
type tee_data_file, file_type, data_file_type;
|
|
|
|
init_daemon_domain(tee)
|
|
allow tee self:capability { dac_override };
|
|
allow tee tee_device:chr_file rw_file_perms;
|
|
allow tee tee_data_file:dir rw_dir_perms;
|
|
allow tee tee_data_file:file create_file_perms;
|
|
allow tee self:netlink_socket create_socket_perms_no_ioctl;
|
|
allow tee self:netlink_generic_socket create_socket_perms_no_ioctl;
|
|
allow tee ion_device:chr_file r_file_perms;
|
|
r_dir_file(tee, sysfs_type)
|
|
allow tee system_data_file:file { getattr read };
|
|
allow tee system_data_file:lnk_file r_file_perms;
|