a3c97a7660
When the toolbox domain was introduced, we allowed all domains to exec it to avoid breakage. However, only domains that were previously allowed the ability to exec /system files would have been able to do this prior to the introduction of the toolbox domain. Remove the rule from domain.te and add rules to all domains that are already allowed execute_no_trans to system_file. Requires coordination with device-specific policy changes with the same Change-Id. Change-Id: Ie46209f0412f9914857dc3d7c6b0917b7031aae5 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
19 lines
625 B
Text
19 lines
625 B
Text
# Point to Point Protocol daemon
|
|
type ppp, domain;
|
|
type ppp_device, dev_type;
|
|
type ppp_exec, exec_type, file_type;
|
|
domain_auto_trans(mtp, ppp_exec, ppp)
|
|
|
|
net_domain(ppp)
|
|
|
|
allow ppp mtp:socket rw_socket_perms;
|
|
allow ppp mtp:unix_dgram_socket rw_socket_perms;
|
|
allow ppp ppp_device:chr_file rw_file_perms;
|
|
allow ppp self:capability net_admin;
|
|
allow ppp system_file:file rx_file_perms;
|
|
# XXX Run toolbox. Might not be needed.
|
|
allow ppp toolbox_exec:file rx_file_perms;
|
|
auditallow ppp toolbox_exec:file rx_file_perms;
|
|
allow ppp vpn_data_file:dir w_dir_perms;
|
|
allow ppp vpn_data_file:file create_file_perms;
|
|
allow ppp mtp:fd use;
|