diff options
| author | Nick Kralevich <nnk@google.com> | 2015-08-25 23:27:40 +0000 |
|---|---|---|
| committer | Gerrit Code Review <noreply-gerritcodereview@google.com> | 2015-08-25 23:27:40 +0000 |
| commit | 74c97c70caa4140ce22b9b9c44e6948164bdcdc1 (patch) | |
| tree | 84c564427ca68d16c42f4468337a3ae32a1e57b8 | |
| parent | db892f22d2c992eca9193f4a4b1706a9e9c9f321 (diff) | |
| parent | 078640e52120e9f86e83104de1e90f7b6608bc82 (diff) | |
| download | flo-74c97c70caa4140ce22b9b9c44e6948164bdcdc1.tar.gz | |
Merge "Only allow toolbox exec where /system exec was already allowed."
| -rw-r--r-- | sepolicy/bluetooth_loader.te | 1 | ||||
| -rw-r--r-- | sepolicy/conn_init.te | 1 | ||||
| -rw-r--r-- | sepolicy/kickstart.te | 1 | ||||
| -rw-r--r-- | sepolicy/netmgrd.te | 4 |
4 files changed, 7 insertions, 0 deletions
diff --git a/sepolicy/bluetooth_loader.te b/sepolicy/bluetooth_loader.te index 928b26a..5c06225 100644 --- a/sepolicy/bluetooth_loader.te +++ b/sepolicy/bluetooth_loader.te @@ -26,3 +26,4 @@ set_prop(bluetooth_loader, bluetooth_prop) # Allow getprop/setprop for init.flo.bt.sh allow bluetooth_loader system_file:file execute_no_trans; +allow bluetooth_loader toolbox_exec:file rx_file_perms; diff --git a/sepolicy/conn_init.te b/sepolicy/conn_init.te index da693f2..76fd70d 100644 --- a/sepolicy/conn_init.te +++ b/sepolicy/conn_init.te @@ -20,3 +20,4 @@ allow conn_init wlan_device:chr_file rw_file_perms; # init.flo.wifi.sh runs toolbox allow conn_init system_file:file execute_no_trans; +allow conn_init toolbox_exec:file rx_file_perms; diff --git a/sepolicy/kickstart.te b/sepolicy/kickstart.te index 6ddc78a..e194211 100644 --- a/sepolicy/kickstart.te +++ b/sepolicy/kickstart.te @@ -33,6 +33,7 @@ allow kickstart radio_efs_file:file r_file_perms; # Run dd from toolbox on firmware files allow kickstart shell_exec:file rx_file_perms; allow kickstart system_file:file execute_no_trans; +allow kickstart toolbox_exec:file rx_file_perms; # Wake lock access wakelock_use(kickstart) diff --git a/sepolicy/netmgrd.te b/sepolicy/netmgrd.te index c10e509..1434f6b 100644 --- a/sepolicy/netmgrd.te +++ b/sepolicy/netmgrd.te @@ -27,6 +27,10 @@ allow netmgrd shell_exec:file rx_file_perms; # Runs /system/bin/ip addr flush dev <device> commands. allow netmgrd system_file:file rx_file_perms; +# XXX Run toolbox. Might not be needed. +allow netmgrd toolbox_exec:file rx_file_perms; +auditallow netmgrd toolbox_exec:file rx_file_perms; + allow netmgrd proc_net:file r_file_perms; allow netmgrd proc_net:dir r_dir_perms; |