authorStephen Smalley <sds@tycho.nsa.gov>2015-08-25 11:49:46 -0400
committerStephen Smalley <sds@tycho.nsa.gov>2015-08-25 11:49:46 -0400
commite4e8abd3d506957521d09d57021b59d9ae48f1a5 (patch)
tree906c7f4975475ac8ddf9c8c4c1f96db514ef8b12
parent543f02ae4a032a4c794617b93c796f4c7b2310d4 (diff)
downloadmako-e4e8abd3d506957521d09d57021b59d9ae48f1a5.tar.gz
Only allow toolbox exec where /system exec was already allowed.
When the toolbox domain was introduced, we allowed all domains to exec it to avoid breakage. However, only domains that were previously allowed the ability to exec /system files would have been able to do this prior to the introduction of the toolbox domain. Remove the rule from domain.te and add rules to all domains that are already allowed execute_no_trans to system_file. Requires coordination with device-specific policy changes with the same Change-Id. Change-Id: Ie46209f0412f9914857dc3d7c6b0917b7031aae5 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
-rw-r--r--sepolicy/bluetooth_loader.te1
-rw-r--r--sepolicy/conn_init.te1
-rw-r--r--sepolicy/kickstart.te1
-rw-r--r--sepolicy/netmgrd.te4
4 files changed, 7 insertions, 0 deletions
diff --git a/sepolicy/bluetooth_loader.te b/sepolicy/bluetooth_loader.te
index e831432..36243af 100644
--- a/sepolicy/bluetooth_loader.te
+++ b/sepolicy/bluetooth_loader.te
@@ -25,3 +25,4 @@ set_prop(bluetooth_loader, bluetooth_prop)
# Allow getprop/setprop for init.mako.bt.sh
allow bluetooth_loader system_file:file execute_no_trans;
+allow bluetooth_loader toolbox_exec:file rx_file_perms;
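Review bot: The new toolbox_exec rule at the end of this hunk carries no comment saying which caller needs it, whereas the conn_init and kickstart hunks in the same commit place their rule under a comment naming the script or command. The only nearby comment, above the existing execute_no_trans rule, talks about getprop/setprop, so it does not explain the toolbox dependency either; presumably init.mako.bt.sh invokes toolbox commands, but that is not stated. I would add `# init.mako.bt.sh runs toolbox` immediately above the added line so the rule can be traced to its user when the policy is audited later.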
diff --git a/sepolicy/conn_init.te b/sepolicy/conn_init.te
index 6491888..d5ff650 100644
--- a/sepolicy/conn_init.te
+++ b/sepolicy/conn_init.te
@@ -20,3 +20,4 @@ allow conn_init wlan_device:chr_file rw_file_perms;
# init.mako.wifi.sh runs toolbox
allow conn_init system_file:file execute_no_trans;
+allow conn_init toolbox_exec:file rx_file_perms;
diff --git a/sepolicy/kickstart.te b/sepolicy/kickstart.te
index 93091cb..05be3d5 100644
--- a/sepolicy/kickstart.te
+++ b/sepolicy/kickstart.te
@@ -28,6 +28,7 @@ allow kickstart radio_efs_file:file r_file_perms;
# Run dd from toolbox on firmware files
allow kickstart shell_exec:file rx_file_perms;
allow kickstart system_file:file execute_no_trans;
+allow kickstart toolbox_exec:file rx_file_perms;
# Wake lock access
wakelock_use(kickstart)
diff --git a/sepolicy/netmgrd.te b/sepolicy/netmgrd.te
index 37f85f6..c9b512e 100644
--- a/sepolicy/netmgrd.te
+++ b/sepolicy/netmgrd.te
@@ -31,5 +31,9 @@ allow netmgrd shell_exec:file rx_file_perms;
# Runs /system/bin/ip addr flush dev <device> commands.
allow netmgrd system_file:file rx_file_perms;
+# XXX Run toolbox. Might not be needed.
+allow netmgrd toolbox_exec:file rx_file_perms;
+auditallow netmgrd toolbox_exec:file rx_file_perms;
+
allow netmgrd proc_net:file r_file_perms;
allow netmgrd proc_net:dir r_dir_perms;
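Review bot: The XXX comment above the new netmgrd rules does not say what the auditallow is for or what should be done with its result, so a later reader cannot tell whether the allow is meant to stay. Pairing allow with auditallow is the right probe here, since rx_file_perms on system_file was already granted two lines above and the audit log will show whether netmgrd actually executes toolbox once it has its own label. I would replace the comment with `# XXX Run toolbox. Might not be needed: auditallow logs any use so this allow can be dropped if it never fires.` so the follow-up decision is recorded next to the rule.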