authorJeff Vander Stoep2018-04-04 14:59:11 -0500
committerJeffrey Vander Stoep2018-04-04 15:26:18 -0500
commit9d28625fc4230b2bf466b0f8e3cde8c6b61eb416 (patch)
tree341f76a126a09a63b977a3571e7580ace6794914 /public
parent985db6d8dd2a2168a1e9ee741d89e03a0e3a76b9 (diff)
shell: move shell qtaguid perms to shell.te
Remove unnecessary access to /proc/net/xt_qtaguid/ctrl and /dev/xt_qtaguid. Bug: 68774956 Test: atest CtsNativeNetTestCases Test: adb root; atest tagSocket Change-Id: If3a1e823be0e342faefff28ecd878189c68a8e92
Diffstat (limited to 'public')
-rw-r--r--public/app.te5
-rw-r--r--public/shell.te1
2 files changed, 2 insertions, 4 deletions
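--- a/public/app.te
+++ b/public/app.te
@@ -174,6 +174,7 @@ userdebug_or_eng(`
  allow appdomain heapdump_data_file:file append;
 ')
 
+r_dir_file({ appdomain -ephemeral_app -isolated_app }, proc_net)
 # Write to /proc/net/xt_qtaguid/ctrl file.
 allow {
  untrusted_app_25
@@ -182,9 +183,7 @@ allow {
  priv_app
  system_app
  platform_app
- shell
 } proc_qtaguid_ctrl:file rw_file_perms;
-r_dir_file({ appdomain -ephemeral_app -isolated_app }, proc_net)
 # read /proc/net/xt_qtguid/*stat* to per-app network data usage.
 # Exclude isolated app which may not use network sockets.
 r_dir_file({
@@ -194,7 +193,6 @@ r_dir_file({
  priv_app
  system_app
  platform_app
- shell
 }, proc_qtaguid_stat)
 # Everybody can read the xt_qtaguid resource tracking misc dev.
 # So allow all apps to read from /dev/xt_qtaguid.
@@ -205,7 +203,6 @@ allow {
  priv_app
  system_app
  platform_app
- shell
 } qtaguid_device:chr_file r_file_perms;
 
 # Grant GPU access to all processes started by Zygote.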
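Review bot: The relocated `r_dir_file({ appdomain -ephemeral_app -isolated_app }, proc_net)` at new line 177 now sits directly above the `# Write to /proc/net/xt_qtaguid/ctrl file.` comment with no comment or blank line of its own, so a reader can take that comment, and the qtaguid ctrl rule it introduces, as also describing the proc_net read grant. A one-line comment on the moved rule, such as `# Read /proc/net entries for all apps except ephemeral and isolated apps.`, followed by a blank line, would keep the two grants visually separate. Dropping `shell` from the three qtaguid lists is a net reduction of the shell domain's access, consistent with the commit message; only the proc_qtaguid_stat read is re-granted in shell.te. The pre-existing `xt_qtguid` typo in the `# read /proc/net/xt_qtguid/*stat*` context line is outside this change and could be corrected in a follow-up.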
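--- a/public/shell.te
+++ b/public/shell.te
@@ -121,6 +121,7 @@ allow shell {
  proc_meminfo
  proc_modules
  proc_pid_max
+ proc_qtaguid_stat
  proc_stat
  proc_timer
  proc_uptime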
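Review bot: The object class and permission set that the enclosing `allow shell { … }` block applies to the new `proc_qtaguid_stat` entry are not visible, because that block begins and ends outside the hunk. The grant this replaces in app.te was `r_dir_file({ … shell }, proc_qtaguid_stat)`, which covers both directory and file read permissions, so it is worth confirming that this block's trailing `class:perms` gives the shell domain the same reads that `atest tagSocket` exercises. A short inline comment on the added line, such as `proc_qtaguid_stat # per-app network usage; moved here from app.te`, would record why this type is listed separately from the other app domains.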