-rw-r--r--ethernet/sepolicy/file_contexts5
-rw-r--r--ethernet/sepolicy/init_net_rdu2.te17
2 files changed, 13 insertions, 9 deletions
diff --git a/ethernet/sepolicy/file_contexts b/ethernet/sepolicy/file_contexts
index 7798993..b4e1b56 100644
--- a/ethernet/sepolicy/file_contexts
+++ b/ethernet/sepolicy/file_contexts
@@ -1,4 +1 @@
-/system/bin/init-net-rdu2\.sh u:object_r:init_net_rdu2_exec:s0
-/system/bin/ip u:object_r:init_net_rdu2_exec:s0
-/system/bin/brctl u:object_r:init_net_rdu2_exec:s0
-/system/bin/sleep u:object_r:init_net_rdu2_exec:s0
+/system/bin/init-net-rdu2\.sh u:object_r:net_rdu2_exec:s0
diff --git a/ethernet/sepolicy/init_net_rdu2.te b/ethernet/sepolicy/init_net_rdu2.te
index bbf835f..e3931d2 100644
--- a/ethernet/sepolicy/init_net_rdu2.te
+++ b/ethernet/sepolicy/init_net_rdu2.te
@@ -1,8 +1,15 @@
-type init_net_rdu2, domain, domain_deprecated;
-type init_net_rdu2_exec, exec_type, file_type;
+type net_rdu2, domain, domain_deprecated;
+type net_rdu2_exec, exec_type, file_type;
-init_daemon_domain(init_net_rdu2)
+init_daemon_domain(net_rdu2)
-allow init_net_rdu2 shell_exec:file rx_file_perms;
-allow init_net_rdu2 init_net_rdu2_exec:file rx_file_perms;
+allow net_rdu2 shell_exec:file rx_file_perms;
+allow net_rdu2 net_rdu2_exec:file rx_file_perms;
+allow net_rdu2 dhcp_exec:file { execute execute_no_trans getattr open read };
+allow net_rdu2 system_file:file execute_no_trans;
+allow net_rdu2 toolbox_exec:file { execute execute_no_trans open read };
+# Only allow entry from init via the init-net-rdu2 script.
+neverallow { domain -init } net_rdu2:process transition;
+neverallow domain net_rdu2:process dyntransition;
+neverallow net_rdu2 { file_type fs_type -net_rdu2_exec}:file entrypoint;
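Review bot: `allow net_rdu2 system_file:file execute_no_trans;` lets the domain execute every system_file binary in-domain, which is far broader than the per-type rules next to it and presumably exists only so the script can still run the ip/brctl/sleep binaries that the file_contexts hunk stops labeling with the domain's exec type. If those are the only callers, keep the grant but document it, e.g. `# ip/brctl/sleep have no dedicated exec type; they are plain system_file binaries run by the script`, and drop it later if dedicated types become available. The dhcp_exec rule uses execute_no_trans, so the DHCP client runs inside net_rdu2 rather than in its own domain; if this policy defines a dhcp domain, `domain_auto_trans(net_rdu2, dhcp_exec, dhcp)` would keep it confined while the script still launches it. The `domain_deprecated` attribute is carried over from the old type; it is a transitional catch-all in AOSP and is worth removing once the explicit rules above cover what the script actually does.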