author | Jeff Vander Stoep <jeffv@google.com> | 2015-09-29 09:46:03 -0700 |
---|---|---|
committer | The Android Automerger <android-build@google.com> | 2015-09-29 16:02:47 -0700 |
commit | a5b68cb7a2c1f74a38077e53e6f87d48914d1247 (patch) | |
tree | b69955a8ad28c72db36735a41222a108a6a70a2d | |
parent | fc16233e96f926bbb13d896bb36b1df3777c3328 (diff) | |
selinux: grant rx perms to toolbox_exec where needed
AOSP commit a3c97a7660ba ("Only allow toolbox exec where /system
exec was already allowed.") removed domain's rx perms to
toolbox_exec. This breaks a number of domains on bullhead. Restore
rx perms for toolbox_exec where needed.
Bug: 24341811
Change-Id: I991c66a9746a4b29f454cb7a1b5e7ba1180ed94f
-rw-r--r-- | sepolicy/bullhead-sh.te | 3 | ||||
-rw-r--r-- | sepolicy/init-power-sh.te | 3 | ||||
-rw-r--r-- | sepolicy/netmgrd.te | 2 |
3 files changed, 8 insertions, 0 deletions
diff --git a/sepolicy/bullhead-sh.te b/sepolicy/bullhead-sh.te
index 41a10db..5f21eb9 100644
--- a/sepolicy/bullhead-sh.te
+++ b/sepolicy/bullhead-sh.te
@@ -16,3 +16,6 @@ allow bullhead-sh firmware_file:file r_file_perms;
 allow bullhead-sh firmware_file:dir r_dir_perms;
 allow bullhead-sh shell_exec:file r_file_perms;
+
+# execute toybox/toolbox
+allow bullhead-sh toolbox_exec:file rx_file_perms;
diff --git a/sepolicy/init-power-sh.te b/sepolicy/init-power-sh.te
index 2c8aa63..03308f4 100644
--- a/sepolicy/init-power-sh.te
+++ b/sepolicy/init-power-sh.te
@@ -18,3 +18,6 @@ allow init-power-sh sysfs_power_management:file w_file_perms;
 # and symlinks to sysfs_devices_system_cpu
 allow init-power-sh sysfs:{ dir file lnk_file } relabelfrom;
 allow init-power-sh sysfs_devices_system_cpu:{ dir file lnk_file } relabelto;
+
+# execute toybox/toolbox
+allow init-power-sh toolbox_exec:file rx_file_perms;
diff --git a/sepolicy/netmgrd.te b/sepolicy/netmgrd.te
index 5349e89..3da9fba 100644
--- a/sepolicy/netmgrd.te
+++ b/sepolicy/netmgrd.te
@@ -57,3 +57,5 @@ allow netmgrd kernel:system module_request;
 # talk to cnd
 unix_socket_connect(netmgrd, cnd, cnd)
+# execute toybox/toolbox
+allow netmgrd toolbox_exec:file rx_file_perms; |
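Review bot: The new `allow bullhead-sh toolbox_exec:file rx_file_perms;` at the end of the bullhead-sh.te hunk records neither the toybox applet the script needs nor the denial behind it, and in Android's global_macros rx_file_perms expands to include execute_no_trans, so toybox runs inside the bullhead-sh domain with all of its permissions rather than transitioning — exactly the widening AOSP a3c97a7660ba was narrowing. If bullhead-sh already held execute on system_file (that commit's criterion) this is a plain restore; if not, the commit message should say so rather than "where needed". I would replace the one-line comment with `# init.bullhead.sh runs toybox applets in-domain (execute_no_trans); denials in b/24341811`. Pasting the avc denial line into the commit message would let the next policy audit confirm the rule is still needed.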
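Review bot: The comment `# execute toybox/toolbox` in the init-power-sh.te hunk says less than the surrounding file, whose rules each explain why the access exists (see the visible `# and symlinks to sysfs_devices_system_cpu`), and this is the one domain of the three that also holds relabelfrom/relabelto on sysfs, so in-domain exec of an arbitrary toybox applet combined with relabel rights deserves a stated reason. I would write `# init.power.sh invokes toybox applets (presumably chown/chmod on sysfs nodes — confirm); they run in this domain via execute_no_trans`. If the script's toybox use is limited to actions init's rc language already provides (chown, chmod, write), moving those into the rc file would remove the need for this rule altogether.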
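Review bot: Unlike the two shell-script domains in this commit, netmgrd is a long-running vendor daemon acting on modem-supplied network state, and the new rule in the netmgrd.te hunk lets it execute every toybox applet inside its own domain; neither the rule nor the commit message names the applet it actually needs, which is the minimum required to check this against the AOSP criterion of toolbox exec only where /system exec was already allowed. Please cite the denial and the applet, e.g. `# netmgrd execs a toybox applet in-domain (applet per b/24341811 denials — confirm)`. As a style point, the other two hunks separate the new block with a blank line while here it is appended directly after `unix_socket_connect(netmgrd, cnd, cnd)`; add the blank line for consistency.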