authorTreehugger Robot2018-04-11 16:51:37 -0500
committerGerrit Code Review2018-04-11 16:51:37 -0500
commit45b4704e01ec91f9103a044afeb60f37c678c3cd (patch)
tree72b11637d8d7a8c9c819fedc807cf1c280c216a8
parentbe79c7b223da36d1cfbb033682fdbdaf6278b7bc (diff)
parent7e5ec2bc3d1d1b45471898f446f1ba1d66b7d046 (diff)
downloadsystem-sepolicy-45b4704e01ec91f9103a044afeb60f37c678c3cd.tar.gz
system-sepolicy-45b4704e01ec91f9103a044afeb60f37c678c3cd.tar.xz
system-sepolicy-45b4704e01ec91f9103a044afeb60f37c678c3cd.zip
Merge changes If2413c30,Ic5d7c961
* changes: Suppress spurious denial Suppress spurious denial
-rw-r--r--private/netutils_wrapper.te6
-rw-r--r--private/zygote.te3
2 files changed, 9 insertions, 0 deletions
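diff --git a/private/netutils_wrapper.te b/private/netutils_wrapper.te
index f56e8d86..ea58814e 100644
--- a/private/netutils_wrapper.te
+++ b/private/netutils_wrapper.te
@@ -33,3 +33,9 @@ domain_auto_trans({
  -coredomain
  -appdomain
 }, netutils_wrapper_exec, netutils_wrapper)
+
+# suppress spurious denials
+dontaudit netutils_wrapper self:global_capability_class_set sys_resource;
+
+# netutils wrapper may only use the following capabilities.
+neverallow netutils_wrapper self:global_capability_class_set ~{ net_admin net_raw };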
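Review bot: The comment on the added `dontaudit netutils_wrapper self:global_capability_class_set sys_resource;` does not say which operation triggers the sys_resource check or why the denial is safe to ignore, and the same applies to the `dontaudit zygote ...` rule added in private/zygote.te. A dontaudit rule drops the denial from the audit log for good, so any later, genuine attempt by the domain to use CAP_SYS_RESOURCE would go unrecorded as well. The neverallow added just below keeps the capability from being granted, but it does nothing for visibility. I would record the trigger and a tracking reference in the comment, for example `# sys_resource is checked when <operation - fill in>; not needed by this domain, see <bug reference>`.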
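diff --git a/private/zygote.te b/private/zygote.te
index 4ea401dc..0a1a7c6b 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -114,6 +114,9 @@ allow zygote tmpfs:dir r_dir_perms;
 get_prop(zygote, overlay_prop)
 get_prop(zygote, exported_overlay_prop)
 
+# ingore spurious denials
+dontaudit zygote self:capability sys_resource;
+
 ###
 ### neverallow rules
 ###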
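Review bot: The added zygote rule names only `self:capability`, while the netutils_wrapper rule in the same change uses `self:global_capability_class_set`. If zygote's sys_resource check can also be raised in the user-namespace capability class, that denial would still be logged and the suppression would be incomplete. Unless the narrower class is deliberate, `dontaudit zygote self:global_capability_class_set sys_resource;` would keep the two rules consistent. The comment above the rule also has a typo: `# ingore spurious denials` should read `# ignore spurious denials`. The rest of zygote.te lies outside the hunk, so which class its existing capability rules use could not be checked here.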