author | Jeff Vander Stoep <jeffv@google.com> | 2016-01-08 15:01:40 -0800 |
---|---|---|
committer | Jeff Vander Stoep <jeffv@google.com> | 2016-01-08 15:02:33 -0800 |
commit | 2b935cd78dae5db5035808f79b00c71be0e32b43 (patch) | |
tree | b7b7abe9d2e92cd9c9e1f19a82b8c671d7fae341 | |
parent | 0d8e9adf49a1db942ad3c556d87d25bde94e0df5 (diff) | |
download | sepolicy-brillo-m9-release.tar.gz | |
branches | brillo-m9-release, brillo-m9-dev | |

grant appdomain rw perms to tun_device
Previously granted only to untrusted_app; allow all apps except
isolated_app read/write permissions to tun_device.
avc: denied { read write } for path="/dev/tun" dev="tmpfs" ino=8906 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:tun_device:s0 tclass=chr_file
Bug: 26462997
Change-Id: Id6f5b09cda26dc6c8651eb76f6791fb95640e4c7
-rw-r--r-- | app.te | 4 |
-rw-r--r-- | untrusted_app.te | 4 |
2 files changed, 4 insertions, 4 deletions
@@ -222,6 +222,10 @@ selinux_check_context(appdomain) auditallow { appdomain userdebug_or_eng(`-su') } sysfs:dir { open getattr read ioctl }; auditallow { appdomain userdebug_or_eng(`-su') } sysfs:file r_file_perms; +# Apps receive an open tun fd from the framework for +# device traffic. Do not allow untrusted app to directly open tun_device +allow { appdomain -isolated_app } tun_device:chr_file { read write getattr ioctl append }; + ### ### Neverallow rules ### diff --git a/untrusted_app.te b/untrusted_app.te index 0558443..463745e 100644 --- a/untrusted_app.te +++ b/untrusted_app.te @@ -29,10 +29,6 @@ bluetooth_domain(untrusted_app) # to their sandbox directory and then execute. allow untrusted_app app_data_file:file { rx_file_perms execmod }; -# Third party vpn apps receive an open tun fd from the framework for -# device traffic. Do not allow untrusted app to directly open tun_device -allow untrusted_app tun_device:chr_file { read write getattr ioctl append }; - # ASEC allow untrusted_app asec_apk_file:file r_file_perms; # Execute libs in asec containers. |
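Review bot: In the app.te hunk the new comment still says "Do not allow untrusted app to directly open tun_device", but the rule it documents is now `allow { appdomain -isolated_app } tun_device:chr_file { read write getattr ioctl append };`, which covers every app domain except isolated_app, not just untrusted_app; reword it to "apps" so the comment matches the subject of the rule. The property the comment is really describing is that `open` is deliberately absent from the permission set, so an app can only use a tun fd handed to it by the framework; since the new allow sits directly above the "### Neverallow rules ###" block, consider pinning that invariant with an explicit `neverallow appdomain tun_device:chr_file open;` so a later edit cannot quietly add `open` to the set.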
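Review bot: In the untrusted_app.te hunk the removed comment "Third party vpn apps receive an open tun fd from the framework for device traffic" carried context that the replacement comment in app.te ("Apps receive an open tun fd from the framework") drops: only VPN apps are handed a tun fd, and that is the justification for granting the permission to appdomain at all. Restore the VPN wording in the new comment so the next reader knows why a non-VPN app domain needs any access to tun_device. Also note that the commit message describes the change as "read write permissions" while both the removed and the added rule grant `{ read write getattr ioctl append }`; the message should list the full set, since `ioctl` on a tun chr_file is a broader grant than plain read/write.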