Merge "Only allow toolbox exec where /system exec was already allowed."HEADmastermain

4 files changed, 7 insertions, 0 deletions

diff --git a/sepolicy/bluetooth_loader.te b/sepolicy/bluetooth_loader.te
index e831432..36243af 100644
--- a/sepolicy/bluetooth_loader.te
+++ b/sepolicy/bluetooth_loader.te
@@ -25,3 +25,4 @@ set_prop(bluetooth_loader, bluetooth_prop)
 
 # Allow getprop/setprop for init.mako.bt.sh
 allow bluetooth_loader system_file:file execute_no_trans;
+allow bluetooth_loader toolbox_exec:file rx_file_perms;
diff --git a/sepolicy/conn_init.te b/sepolicy/conn_init.te
index 6491888..d5ff650 100644
--- a/sepolicy/conn_init.te
+++ b/sepolicy/conn_init.te
@@ -20,3 +20,4 @@ allow conn_init wlan_device:chr_file rw_file_perms;
 
 # init.mako.wifi.sh runs toolbox
 allow conn_init system_file:file execute_no_trans;
+allow conn_init toolbox_exec:file rx_file_perms;
diff --git a/sepolicy/kickstart.te b/sepolicy/kickstart.te
index 93091cb..05be3d5 100644
--- a/sepolicy/kickstart.te
+++ b/sepolicy/kickstart.te
@@ -28,6 +28,7 @@ allow kickstart radio_efs_file:file r_file_perms;
 # Run dd from toolbox on firmware files
 allow kickstart shell_exec:file rx_file_perms;
 allow kickstart system_file:file execute_no_trans;
+allow kickstart toolbox_exec:file rx_file_perms;
 
 # Wake lock access
 wakelock_use(kickstart)
diff --git a/sepolicy/netmgrd.te b/sepolicy/netmgrd.te
index 37f85f6..c9b512e 100644
--- a/sepolicy/netmgrd.te
+++ b/sepolicy/netmgrd.te
@@ -31,5 +31,9 @@ allow netmgrd shell_exec:file rx_file_perms;
 # Runs /system/bin/ip addr flush dev <device> commands.
 allow netmgrd system_file:file rx_file_perms;
 
+# XXX Run toolbox.  Might not be needed.
+allow netmgrd toolbox_exec:file rx_file_perms;
+auditallow netmgrd toolbox_exec:file rx_file_perms;
+
 allow netmgrd proc_net:file r_file_perms;
 allow netmgrd proc_net:dir r_dir_perms;