author | hqjiang <hqjiang1988@gmail.com> | 2012-07-19 11:07:04 -0700 |
---|---|---|
committer | Stephen Smalley <sds@tycho.nsa.gov> | 2012-07-19 16:11:24 -0400 |
commit | 4c06d273bc3d278e7061bf93cfa97fdf2a4e8ee3 (patch) | |
tree | af422127e590840b7dd3f4c0adb2f4346758c15d | |
parent | 20d6963ac27b3d401922450ce8dcb89749c20404 (diff) | |
download | sepolicy-4c06d273bc3d278e7061bf93cfa97fdf2a4e8ee3.tar.gz |
Target the denials/policies over qtaguid file and device: 1. Relabel /proc/net/xt_qtaguid/ctrl from "qtaguid" to "qtaguid_proc"; 2. Label /dev/xt_qtaguid with "qtaguid_device"; 3. Allow mediaserver read/[write] to qtaguid_proc and qtaguid_device; 4. Allow media apps read/[write] to qtaguid_proc and qtaguid_device; 5. Allow system read/[write] to qtaguid_proc and qtaguid_device.
Actually, some of the policies related to qtaguid were already there, but
we refine the existing ones and add new ones.
-rw-r--r-- | app.te | 6 | ||||
-rw-r--r-- | device.te | 1 | ||||
-rw-r--r-- | file.te | 2 | ||||
-rw-r--r-- | file_contexts | 1 | ||||
-rw-r--r-- | genfs_contexts | 2 | ||||
-rw-r--r-- | mediaserver.te | 4 | ||||
-rw-r--r-- | system.te | 3 |
7 files changed, 14 insertions, 5 deletions
@@ -42,7 +42,9 @@ allow media_app cache_file:file create_file_perms;
 # Access sdcard.
 allow media_app sdcard:dir create_dir_perms;
 allow media_app sdcard:file create_file_perms;
-
+# Read/[write] to /proc/net/xt_qtaguid/ctrl and /dev/xt_qtaguid
+allow media_app qtaguid_proc:file rw_file_perms;
+allow media_app qtaguid_device:chr_file r_file_perms;
 # Apps signed with the shared key.
 type shared_app, domain;
 app_domain(shared_app)
@@ -141,7 +143,7 @@ allow appdomain anr_data_file:dir search;
 allow appdomain anr_data_file:file { open append };
 # Write to /proc/net/xt_qtaguid/ctrl file.
-allow appdomain qtaguid:file write;
+allow appdomain qtaguid_proc:file write;
 # Use the Binder.
 binder_use(appdomain)
@@ -40,6 +40,7 @@ type zero_device, dev_type;
 type fuse_device, dev_type;
 type ion_device, dev_type;
 type gps_device, dev_type;
+type qtaguid_device, dev_type;
 # All devices have a uart for the hci
 # attach service. The uart dev node
@@ -4,7 +4,7 @@ type pipefs, fs_type;
 type sockfs, fs_type;
 type rootfs, fs_type;
 type proc, fs_type;
-type qtaguid, fs_type, mlstrustedobject;
+type qtaguid_proc, fs_type, mlstrustedobject;
 type selinuxfs, fs_type;
 type cgroup, fs_type, mlstrustedobject;
 type sysfs, fs_type, mlstrustedobject;
diff --git a/file_contexts b/file_contexts
index 39c4363..f7abbb7 100644
--- a/file_contexts
+++ b/file_contexts
@@ -77,6 +77,7 @@
 /dev/urandom u:object_r:urandom_device:s0
 /dev/vcs[0-9a-z]* u:object_r:vcs_device:s0
 /dev/video[0-9]* u:object_r:video_device:s0
+/dev/xt_qtaguid u:object_r:qtaguid_device:s0
 /dev/zero u:object_r:zero_device:s0
 #############################
 # System files
diff --git a/genfs_contexts b/genfs_contexts
index 103136c..ff633a7 100644
--- a/genfs_contexts
+++ b/genfs_contexts
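Review bot: The added comment `# Read/[write] to /proc/net/xt_qtaguid/ctrl and /dev/xt_qtaguid` in the first app.te hunk does not say which object gets which access, although the two rules under it differ: `qtaguid_proc:file` gets `rw_file_perms` and `qtaguid_device:chr_file` only `r_file_perms`. I would write it as `# Read/write /proc/net/xt_qtaguid/ctrl; read-only /dev/xt_qtaguid.` so that an audit of the media_app domain does not have to expand the macros to see the asymmetry. The hunk also removes the blank line that separated the media_app rules from the `# Apps signed with the shared key.` section; keeping one blank line after the new rules preserves the per-domain grouping. The same comment is added in the mediaserver.te hunk.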
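Review bot: The renamed rule `allow appdomain qtaguid_proc:file write;` in the second app.te hunk still grants bare `write` without `open`, which this policy lists separately (see `{ open append }` two lines above it), while media_app, mediaserver and system get `rw_file_perms` on the same type in this commit. If other app domains open the ctrl file themselves (not visible from this hunk), they would still be denied in enforcing mode, and there is no appdomain rule for `qtaguid_device` at all. Either state the intent in the comment, e.g. `# Write only through an already-open descriptor; open is deliberately not granted.`, or grant the minimum explicitly with `allow appdomain qtaguid_proc:file { open write };`. The appdomain rule set continues outside the hunk.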
@@ -2,7 +2,7 @@
 genfscon rootfs / u:object_r:rootfs:s0
 # proc labeling can be further refined (longest matching prefix).
 genfscon proc / u:object_r:proc:s0
-genfscon proc /net/xt_qtaguid/ctrl u:object_r:qtaguid:s0
+genfscon proc /net/xt_qtaguid/ctrl u:object_r:qtaguid_proc:s0
 # selinuxfs booleans can be individually labeled.
 genfscon selinuxfs / u:object_r:selinuxfs:s0
 genfscon cgroup / u:object_r:cgroup:s0
diff --git a/mediaserver.te b/mediaserver.te
index 8d37fb7..057e39d 100644
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -35,3 +35,7 @@ allow mediaserver system:fifo_file r_file_perms;
 # Camera calibration
 allow mediaserver camera_calibration_file:dir r_dir_perms;
 allow mediaserver camera_calibration_file:file r_file_perms;
+
+# Read/[write] to /proc/net/xt_qtaguid/ctrl and /dev/xt_qtaguid
+allow mediaserver qtaguid_proc:file rw_file_perms;
+allow mediaserver qtaguid_device:chr_file r_file_perms;
@@ -89,7 +89,8 @@ allow system appdomain:dir r_dir_perms;
 allow system appdomain:{ file lnk_file } rw_file_perms;
 # Write to /proc/net/xt_qtaguid/ctrl.
-allow system qtaguid:file rw_file_perms;
+allow system qtaguid_proc:file rw_file_perms;
+allow system qtaguid_device:chr_file rw_file_perms;
 # Notify init of death.
 allow system init:process sigchld; |
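Review bot: The new system.te rule gives system `rw_file_perms` on `qtaguid_device:chr_file`, while media_app and mediaserver get only `r_file_perms` on the same device in this commit. If system only opens /dev/xt_qtaguid for reading (not visible from this hunk), `allow system qtaguid_device:chr_file r_file_perms;` would be the narrower grant. The comment above the rules still reads `# Write to /proc/net/xt_qtaguid/ctrl.` and does not cover the second rule; `# Read/write /proc/net/xt_qtaguid/ctrl and /dev/xt_qtaguid.` would match what is actually granted. The system domain's rules continue outside the hunk.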