author | Jeff Vander Stoep | 2018-04-04 14:59:11 -0500 |
---|---|---|
committer | Jeffrey Vander Stoep | 2018-04-04 15:26:18 -0500 |
commit | 9d28625fc4230b2bf466b0f8e3cde8c6b61eb416 (patch) | |
tree | 341f76a126a09a63b977a3571e7580ace6794914 /public | |
parent | 985db6d8dd2a2168a1e9ee741d89e03a0e3a76b9 (diff) | |
shell: move shell qtaguid perms to shell.te
Remove unnecessary access to /proc/net/xt_qtaguid/ctrl and
/dev/xt_qtaguid.
Bug: 68774956
Test: atest CtsNativeNetTestCases
Test: adb root; atest tagSocket
Change-Id: If3a1e823be0e342faefff28ecd878189c68a8e92
Diffstat (limited to 'public')
-rw-r--r-- | public/app.te | 5 | ||||
-rw-r--r-- | public/shell.te | 1 |
2 files changed, 2 insertions, 4 deletions
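--- a/public/app.te
+++ b/public/app.te
@@ -174,6 +174,7 @@ userdebug_or_eng(`
 allow appdomain heapdump_data_file:file append;
 ')
 
+r_dir_file({ appdomain -ephemeral_app -isolated_app }, proc_net)
 # Write to /proc/net/xt_qtaguid/ctrl file.
 allow {
 untrusted_app_25
@@ -182,9 +183,7 @@ allow {
 priv_app
 system_app
 platform_app
-shell
 } proc_qtaguid_ctrl:file rw_file_perms;
-r_dir_file({ appdomain -ephemeral_app -isolated_app }, proc_net)
 # read /proc/net/xt_qtguid/*stat* to per-app network data usage.
 # Exclude isolated app which may not use network sockets.
 r_dir_file({
@@ -194,7 +193,6 @@ r_dir_file({
 priv_app
 system_app
 platform_app
-shell
 }, proc_qtaguid_stat)
 # Everybody can read the xt_qtaguid resource tracking misc dev.
 # So allow all apps to read from /dev/xt_qtaguid.
@@ -205,7 +203,6 @@ allow {
 priv_app
 system_app
 platform_app
-shell
 } qtaguid_device:chr_file r_file_perms;
 
 # Grant GPU access to all processes started by Zygote.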
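Review bot: The relocated `r_dir_file({ appdomain -ephemeral_app -isolated_app }, proc_net)` line in the first hunk is now the only rule in this stretch without a leading comment, and sitting directly above `# Write to /proc/net/xt_qtaguid/ctrl file.` it can be misread as the rule that comment describes. A one-line comment above it, `# Read /proc/net; ephemeral and isolated apps are excluded.`, would keep the file's comment-per-rule style and visually separate the proc_net grant from the qtaguid_ctrl write grant. While in this area, the context comment `# read /proc/net/xt_qtguid/*stat*` in the second hunk misspells xt_qtaguid and could be corrected.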
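--- a/public/shell.te
+++ b/public/shell.te
@@ -121,6 +121,7 @@ allow shell {
 proc_meminfo
 proc_modules
 proc_pid_max
+proc_qtaguid_stat
 proc_stat
 proc_timer
 proc_uptime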
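Review bot: The `allow shell { ... }` statement that `proc_qtaguid_stat` is added to opens before this hunk and its object class and permission list close after it, so the exact access shell now gets to these files cannot be confirmed from the hunk. In app.te the same type was granted through `r_dir_file(...)`, which covers directory read/search as well as file read; if the tail of this statement is a file-only grant, shell may lose the directory access it previously had under /proc/net/xt_qtaguid. Worth checking that the permissions at the close of this block match what `r_dir_file` provided, since the `atest tagSocket` run recorded in the description was done after `adb root` and may not exercise the confined shell domain.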