4e404290e4
Move net.dns* from net_radio_prop to the newly created label net_dns_prop. This allows finer grain control over this specific property. Prior to this change, this property was readable to all SELinux domains, and writable by the following SELinux domains: * system_server * system_app (apps which run as UID=system) * netmgrd * radio This change: 1) Removes read access to this property to everyone EXCEPT untrusted_app and system_server. 2) Limit write access to system_server. In particular, this change removes read access to priv_apps. Any priv_app which ships with the system should not be reading this property. Bug: 34115651 Test: Device boots, wifi turns on, no problems browsing the internet Change-Id: I8a32e98c4f573d634485c4feac91baa35d021d38
88 lines
3 KiB
Text
88 lines
3 KiB
Text
type audio_prop, property_type, core_property_type;
|
|
type boottime_prop, property_type;
|
|
type bluetooth_prop, property_type;
|
|
type config_prop, property_type, core_property_type;
|
|
type cppreopt_prop, property_type, core_property_type;
|
|
type ctl_bootanim_prop, property_type;
|
|
type ctl_bugreport_prop, property_type;
|
|
type ctl_console_prop, property_type;
|
|
type ctl_default_prop, property_type;
|
|
type ctl_dumpstate_prop, property_type;
|
|
type ctl_fuse_prop, property_type;
|
|
type ctl_mdnsd_prop, property_type;
|
|
type ctl_rildaemon_prop, property_type;
|
|
type dalvik_prop, property_type, core_property_type;
|
|
type debuggerd_prop, property_type, core_property_type;
|
|
type debug_prop, property_type, core_property_type;
|
|
type default_prop, property_type, core_property_type;
|
|
type device_logging_prop, property_type;
|
|
type dhcp_prop, property_type, core_property_type;
|
|
type dumpstate_options_prop, property_type;
|
|
type dumpstate_prop, property_type, core_property_type;
|
|
type ffs_prop, property_type, core_property_type;
|
|
type fingerprint_prop, property_type, core_property_type;
|
|
type firstboot_prop, property_type;
|
|
type hwservicemanager_prop, property_type;
|
|
type logd_prop, property_type, core_property_type;
|
|
type logpersistd_logging_prop, property_type;
|
|
type log_prop, property_type, log_property_type;
|
|
type log_tag_prop, property_type, log_property_type;
|
|
type mmc_prop, property_type;
|
|
type net_dns_prop, property_type;
|
|
type net_radio_prop, property_type, core_property_type;
|
|
type nfc_prop, property_type, core_property_type;
|
|
type overlay_prop, property_type;
|
|
type pan_result_prop, property_type, core_property_type;
|
|
type persist_debug_prop, property_type, core_property_type;
|
|
type powerctl_prop, property_type, core_property_type;
|
|
type radio_prop, property_type, core_property_type;
|
|
type restorecon_prop, property_type, core_property_type;
|
|
type safemode_prop, property_type;
|
|
type serialno_prop, property_type;
|
|
type shell_prop, property_type, core_property_type;
|
|
type system_prop, property_type, core_property_type;
|
|
type system_radio_prop, property_type, core_property_type;
|
|
type hal_binderization_prop, property_type;
|
|
type vold_prop, property_type, core_property_type;
|
|
type wifi_log_prop, property_type, log_property_type;
|
|
type wifi_prop, property_type;
|
|
|
|
allow property_type tmpfs:filesystem associate;
|
|
|
|
###
|
|
### Neverallow rules
|
|
###
|
|
|
|
# core_property_type should not be used for new properties or
|
|
# device specific properties. Properties with this attribute
|
|
# are readable to everyone, which is overly broad and should
|
|
# be avoided.
|
|
# New properties should have appropriate read / write access
|
|
# control rules written.
|
|
|
|
neverallow * {
|
|
core_property_type
|
|
-audio_prop
|
|
-config_prop
|
|
-cppreopt_prop
|
|
-dalvik_prop
|
|
-debuggerd_prop
|
|
-debug_prop
|
|
-default_prop
|
|
-dhcp_prop
|
|
-dumpstate_prop
|
|
-ffs_prop
|
|
-fingerprint_prop
|
|
-logd_prop
|
|
-net_radio_prop
|
|
-nfc_prop
|
|
-pan_result_prop
|
|
-persist_debug_prop
|
|
-powerctl_prop
|
|
-radio_prop
|
|
-restorecon_prop
|
|
-shell_prop
|
|
-system_prop
|
|
-system_radio_prop
|
|
-vold_prop
|
|
}:file no_rw_file_perms;
|