authorAleksander Morgado <aleksander@aleksander.es>2017-08-12 00:50:27 +0200
committerRobert Foss <robert.foss@collabora.com>2017-08-16 16:05:36 +0200
commit58bdfd081e16baeabebdcfbcf72bad24b5d18a32 (patch)
tree844fab24ca572b9145fcee1b0d50c98c98fd45cf
parent731c3e822c0001ec243eecb6a660fed005429b9a (diff)
ethernet,rdu2: update SELinux policyandroid-etnaviv
Signed-off-by: Aleksander Morgado <aleksander@aleksander.es>
-rw-r--r--ethernet/sepolicy/file_contexts5
-rw-r--r--ethernet/sepolicy/init_net_rdu2.te17
2 files changed, 13 insertions, 9 deletions
diff --git a/ethernet/sepolicy/file_contexts b/ethernet/sepolicy/file_contexts
index 7798993..b4e1b56 100644
--- a/ethernet/sepolicy/file_contexts
+++ b/ethernet/sepolicy/file_contexts
@@ -1,4 +1 @@
-/system/bin/init-net-rdu2\.sh u:object_r:init_net_rdu2_exec:s0
-/system/bin/ip u:object_r:init_net_rdu2_exec:s0
-/system/bin/brctl u:object_r:init_net_rdu2_exec:s0
-/system/bin/sleep u:object_r:init_net_rdu2_exec:s0
+/system/bin/init-net-rdu2\.sh u:object_r:net_rdu2_exec:s0
diff --git a/ethernet/sepolicy/init_net_rdu2.te b/ethernet/sepolicy/init_net_rdu2.te
index bbf835f..e3931d2 100644
--- a/ethernet/sepolicy/init_net_rdu2.te
+++ b/ethernet/sepolicy/init_net_rdu2.te
@@ -1,8 +1,15 @@
-type init_net_rdu2, domain, domain_deprecated;
-type init_net_rdu2_exec, exec_type, file_type;
+type net_rdu2, domain, domain_deprecated;
+type net_rdu2_exec, exec_type, file_type;
-init_daemon_domain(init_net_rdu2)
+init_daemon_domain(net_rdu2)
-allow init_net_rdu2 shell_exec:file rx_file_perms;
-allow init_net_rdu2 init_net_rdu2_exec:file rx_file_perms;
+allow net_rdu2 shell_exec:file rx_file_perms;
+allow net_rdu2 net_rdu2_exec:file rx_file_perms;
+allow net_rdu2 dhcp_exec:file { execute execute_no_trans getattr open read };
+allow net_rdu2 system_file:file execute_no_trans;
+allow net_rdu2 toolbox_exec:file { execute execute_no_trans open read };
+# Only allow entry from init via the init-net-rdu2 script.
+neverallow { domain -init } net_rdu2:process transition;
+neverallow domain net_rdu2:process dyntransition;
+neverallow net_rdu2 { file_type fs_type -net_rdu2_exec}:file entrypoint;
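Review bot: `allow net_rdu2 system_file:file execute_no_trans;` lets the domain run any system_file-labelled binary inside net_rdu2, which is much broader than the ip/brctl/sleep helpers the script presumably needs now that file_contexts no longer labels them; consider a dedicated exec type for those helpers (e.g. a constructed `net_rdu2_tool_exec` labelled in file_contexts) and allowing only that, or at least a comment stating why the blanket grant is required. The `dhcp_exec` rule also uses execute_no_trans rather than a domain transition, so the DHCP client would run with net_rdu2's permissions instead of the platform dhcp domain — worth a comment if that is intended. Minor: `domain_deprecated` is kept on the renamed type, and the last neverallow lacks a space before the closing brace: `neverallow net_rdu2 { file_type fs_type -net_rdu2_exec }:file entrypoint;`.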