From a0433acb4c8f07838f038b696752bea7753ba3a0 Mon Sep 17 00:00:00 2001
From: Stephen Smalley
Date: Wed, 9 Apr 2014 08:18:48 -0400
Subject: Allow netmgrd to execute sh.
It invokes helper programs such as /system/bin/ip via sh -c. In the future, look at reworking netmgrd to directly invoke the helper programs and/or to transition to a different domain upon sh invocation to shed unnecessary permissions. Also rewrite the system_file rule for /system/bin/ip to use the rx_file_perms macro for consistency.
Change-Id: I407d4503868e928dd876cce932fe6a96fcbd4e0d
Signed-off-by: Stephen Smalley
---
 sepolicy/netmgrd.te | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
(limited to 'sepolicy')
diff --git a/sepolicy/netmgrd.te b/sepolicy/netmgrd.te
index 360ba2c..7a326d3 100644
--- a/sepolicy/netmgrd.te
+++ b/sepolicy/netmgrd.te
@@ -23,5 +23,9 @@ allow netmgrd { radio_prop system_prop }:property_service set;
 # Talk to qmuxd (qmux_radio)
 qmux_socket(netmgrd)
 
+# Runs commands via sh.
+# TODO: Convert to direct exec of /system/bin/ip and any other helpers.
+allow netmgrd shell_exec:file rx_file_perms;
+
 # Runs /system/bin/ip addr flush dev commands.
-allow netmgrd system_file:file execute_no_trans;
+allow netmgrd system_file:file rx_file_perms;
-- 
cgit v1.2.3
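Review bot: The comment above the last changed line, `# Runs /system/bin/ip addr flush dev commands.`, describes a far narrower grant than the rule it documents: `allow netmgrd system_file:file rx_file_perms;` applies to every file labelled system_file, i.e. all of /system, not only /system/bin/ip, and with rx_file_perms that now includes execute_no_trans for all of them. Since the new shell_exec rule also uses execute_no_trans, sh and whatever it spawns run inside the netmgrd domain, so any AVC denials from those helpers will be attributed to netmgrd and will be answered by widening this domain further; that is worth stating next to the rule so the next maintainer does not treat such denials as netmgrd's own. Suggested wording for the two comments: `# Runs commands via sh -c; sh and its children stay in the netmgrd domain (no transition).` and `# Runs /system/bin/ip addr flush dev commands. NOTE: system_file covers all of /system, not just ip.` If /system/bin/ip ever gets its own file type, this rule can then be narrowed to that type.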