authorStephen Smalley <sds@tycho.nsa.gov>2014-04-09 08:18:48 -0400
committerStephen Smalley <sds@tycho.nsa.gov>2014-04-09 08:18:48 -0400
commita0433acb4c8f07838f038b696752bea7753ba3a0 (patch)
tree571a59ad290faf9dacabb40fdebca4dc1e7b6dc5 /sepolicy
parent2dd914ee943783e96f9e65af2e6e373013dde66c (diff)
downloadmako-a0433acb4c8f07838f038b696752bea7753ba3a0.tar.gz
Allow netmgrd to execute sh.
It invokes helper programs such as /system/bin/ip via sh -c. In the future, look at reworking netmgrd to directly invoke the helper programs and/or to transition to a different domain upon sh invocation to shed unnecessary permissions. Also rewrite the system_file rule for /system/bin/ip to use the rx_file_perms macro for consistency. Change-Id: I407d4503868e928dd876cce932fe6a96fcbd4e0d Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Diffstat (limited to 'sepolicy')
-rw-r--r--sepolicy/netmgrd.te6
1 files changed, 5 insertions, 1 deletions
diff --git a/sepolicy/netmgrd.te b/sepolicy/netmgrd.te
index 360ba2c..7a326d3 100644
--- a/sepolicy/netmgrd.te
+++ b/sepolicy/netmgrd.te
@@ -23,5 +23,9 @@ allow netmgrd { radio_prop system_prop }:property_service set;
# Talk to qmuxd (qmux_radio)
qmux_socket(netmgrd)
+# Runs commands via sh.
+# TODO: Convert to direct exec of /system/bin/ip and any other helpers.
+allow netmgrd shell_exec:file rx_file_perms;
+
# Runs /system/bin/ip addr flush dev <device> commands.
-allow netmgrd system_file:file execute_no_trans;
+allow netmgrd system_file:file rx_file_perms;
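Review bot: The comment above the rewritten rule still describes it as the `/system/bin/ip addr flush` grant, but `allow netmgrd system_file:file rx_file_perms;` applies to every executable labeled system_file, and with the new shell_exec rule above it neither rule sets up a domain transition, so sh and whatever it launches keep running with netmgrd's full permissions. The comment should say so, so a later reader does not take the grant as narrow: `# Runs /system/bin/ip addr flush dev <device> commands. Note: the rule covers any system_file executable, and sh and its children stay in the netmgrd domain (no transition).` The TODO on the shell_exec rule already records the intent to move to direct exec; tracking the transition-to-a-dedicated-domain option there as well would keep the two notes in one place.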