diff options
author | Nick Kralevich <nnk@google.com> | 2016-02-10 09:33:08 -0800 |
---|---|---|
committer | Nick Kralevich <nnk@google.com> | 2016-02-10 09:41:40 -0800 |
commit | eb43e6548e1c23d9b47b98d6dd429f9887223dfa (patch) | |
tree | 79ed7f631002de7f2f37f7f65b5eae5dcf92c318 | |
parent | 3ec34ceb43b15c30e9c7bf1720ebea24f868d07a (diff) | |
download | sepolicy-eb43e6548e1c23d9b47b98d6dd429f9887223dfa.tar.gz |
uncrypt: drop generic block_device allow rules
Currently, uncrypt has write access to "block_device". This is
the generic label used for a file in /dev/block which doesn't
have a more specific label assigned to it.
This is an overly broad grant. Commit a10f789d286d0f28c85488629cc92f5ab6ca8e00
started the process of deprecating "block_device" access in favor
of "misc_block_device".
This change completes the deprecation and removes the overly
broad grant. Also update the neverallow rules so that
this overly broad rule cannot be reintroduced into uncrypt.
Bug: 25091603
Change-Id: Ifc5fa412db2f95726ae89c32c577a6659885ae55
-rw-r--r-- | domain.te | 2 | ||||
-rw-r--r-- | uncrypt.te | 2 |
2 files changed, 1 insertions, 3 deletions
@@ -238,7 +238,7 @@ neverallow * init:binder *; # Don't allow raw read/write/open access to block_device # Rather force a relabel to a more specific type -neverallow { domain -kernel -init -recovery -uncrypt } block_device:blk_file { open read write }; +neverallow { domain -kernel -init -recovery } block_device:blk_file { open read write }; # Don't allow raw read/write/open access to generic devices. # Rather force a relabel to a more specific type. @@ -26,8 +26,6 @@ set_prop(uncrypt, powerctl_prop) # Raw writes to block device allow uncrypt self:capability sys_rawio; -allow uncrypt block_device:blk_file w_file_perms; -auditallow uncrypt block_device:blk_file w_file_perms; allow uncrypt misc_block_device:blk_file w_file_perms; allow uncrypt block_device:dir r_dir_perms; |