diff options
| author | Shanshan Guo <Shanshan.Guo@mediatek.com> | 2020-01-18 10:22:38 +0800 |
|---|---|---|
| committer | Shanshan Guo <Shanshan.Guo@mediatek.com> | 2020-01-18 10:22:38 +0800 |
| commit | 98b03044b9fc6e1e980fb15e62f4db94462d3779 (patch) | |
| tree | 43fbc44754e3a995956c11c66e4ff129e3dbf614 /r_non_plat/mtkrild.te | |
| parent | fca46a01f2174c0ae29f1919baddc80fa8dd13c5 (diff) | |
| download | wembley-sepolicy-98b03044b9fc6e1e980fb15e62f4db94462d3779.tar.gz | |
[ALPS04967689] SEPolicy: Add neverallow rule for proc
[Detail]
Do not allow access to the generic proc label. This is too broad.
Instead, if access to part of proc is desired, it should have a
more specific label.
TODO: Remove mtk_hal_audio/audioserver and so on once there are no violations.
EX.
r_dir_file(hal_audio, proc)
hal_server_domain(mtk_hal_audio, hal_audio)
hal_client_domain(audioserver, hal_audio)
[Solution]
1.Add neverallow rule for proc.
2.Remove the conflicting SEPolicies.
MTK-Commit-Id: 4efc2b137c71b2b200e58bfa45c842290929caa4
Change-Id: Ie932149f8c642d4a05152117f1166daeaf9b2cff
CR-Id: ALPS04967689
Feature: [Android Default] SELinux, SEAndroid, and SE-MTK
Diffstat (limited to 'r_non_plat/mtkrild.te')
| -rw-r--r-- | r_non_plat/mtkrild.te | 3 |
1 files changed, 0 insertions, 3 deletions
diff --git a/r_non_plat/mtkrild.te b/r_non_plat/mtkrild.te index 4dd1490..b064169 100644 --- a/r_non_plat/mtkrild.te +++ b/r_non_plat/mtkrild.te @@ -52,9 +52,6 @@ allow mtkrild bluetooth_efs_file:dir r_dir_perms; # (radio data/system data/proc/etc) # Violate Android P rule allow mtkrild sdcardfs:dir r_dir_perms; -# Violate Android P rule -#allow mtkrild system_file:file x_file_perms; -#allow mtkrild proc:file rw_file_perms; allow mtkrild proc_net:file w_file_perms; # Set and get routes directly via netlink. |