| author | Nick Kralevich <nnk@google.com> | 2016-03-26 07:43:38 -0700 |
|---|---|---|
| committer | Nick Kralevich <nnk@google.com> | 2016-03-28 09:21:00 -0700 |
| commit | 6937aa93ac0a36f19cb13b81a282dedcad324be5 (patch) | |
| tree | 94df2c83e574833dc12d14f27786f70e467f9b35 /hostapd.te | |
| parent | 4d19f98c728373860c5628d46fe5f4d664c601d2 (diff) | |
| download | sepolicy-6937aa93ac0a36f19cb13b81a282dedcad324be5.tar.gz | |
refine /data/misc/logd rules

Followup to 121f5bfd80298266d293fa5c0a30fed66f4facfa.

Move misc_logd_file neverallow rule from domain.te to logd.te,
since the goal of the neverallow rule is to protect logd / logpersist
files from other processes.

Switch the misc_logd_file neverallow rule from using "rw_file_perms"
to "no_rw_file_perms". The latter covers more cases of file
modifications.

Add more neverallow rules covering misc_logd_file directories.

Instead of using not_userdebug_nor_eng(), modify the rules to be
consistent with other highly constrained file types such as
keystore_data_file or vold_data_file. See, for example,
https://android-review.googlesource.com/144768

To see the net effect of this change, you can use the following
command line:

  sesearch --allow -t misc_logd_file -c file,dir,lnk_file \
    out/target/product/bullhead/root/sepolicy

Before this change:
# userdebug builds
allow init misc_logd_file:dir { search setattr read create getattr write relabelfrom ioctl rmdir remove_name relabelto open add_name };
allow init misc_logd_file:file { setattr read create write relabelfrom getattr relabelto unlink open };
allow init misc_logd_file:lnk_file { setattr relabelfrom create getattr relabelto unlink };
allow logd misc_logd_file:dir { search read lock getattr write ioctl remove_name open add_name };
allow logd misc_logd_file:file { rename setattr read lock create getattr write ioctl unlink open append };
allow shell misc_logd_file:dir { search read lock getattr ioctl open };
allow shell misc_logd_file:file { read lock ioctl open getattr };
# user builds
allow init misc_logd_file:dir { search setattr read create getattr write relabelfrom ioctl rmdir remove_name relabelto open add_name };
allow init misc_logd_file:file relabelto;
allow init misc_logd_file:lnk_file { setattr relabelfrom create getattr relabelto unlink };

After this change:
# userdebug builds
allow init misc_logd_file:dir { search setattr read create getattr ioctl relabelto open };
allow init misc_logd_file:file { relabelto getattr };
allow init misc_logd_file:lnk_file relabelto;
allow logd misc_logd_file:dir { search read lock getattr write ioctl remove_name open add_name };
allow logd misc_logd_file:file { rename setattr read lock create getattr write ioctl unlink open append };
allow shell misc_logd_file:dir { search read lock getattr ioctl open };
allow shell misc_logd_file:file { read lock ioctl open getattr };
# user builds
allow init misc_logd_file:dir { search setattr read create getattr ioctl relabelto open };
allow init misc_logd_file:file { relabelto getattr };
allow init misc_logd_file:lnk_file relabelto;

Change-Id: I0b00215049ad83182f458b4b9e258289c5144479
Diffstat (limited to 'hostapd.te')
0 files changed, 0 insertions, 0 deletions