Google Git
Sign in
android / platform / external / sepolicy / bf626ce94452813e44433c40fb3d80f8b4b00ff5
commitbf626ce94452813e44433c40fb3d80f8b4b00ff5[log] [tgz]
authorNick Kralevich <nnk@google.com>Wed Jan 28 17:46:30 2015 -0800
committerNick Kralevich <nnk@google.com>Thu Jan 29 15:02:54 2015 -0800
tree2506f6c2f35004be4f5f0bf039e580caa2ef9dfe
parent7ef348b1bac77418862f7c22ecefb51ec3517808 [diff]
appdomain: relax netlink_socket neverallow rule

Relax the neverallow netlink restrictions for app domains.
In particular, some non-AOSP app domains may use netlink sockets
to communicate with a kernel driver.

Continue to neverallow generic netlink sockets for untrusted_app.
The intention here is that only app domains which explicitly need
this functionality should be able to request it.

This change does not add or remove any SELinux rules. Rather, it
just changes SELinux compile time assertions, as well as allowing
this behavior in CTS.

Modify other neverallow rules to use "domain" instead of "self".
Apps shouldn't be able to handle netlink sockets, even those
created in other SELinux domains.

(cherry picked from commit d31936f89c49bc5c54b84bd5095f3c417da14935)

Bug: 19198997
Change-Id: Icfed1ee66f082df1117b090341f62981f01bc849
2 files changed
tree: 2506f6c2f35004be4f5f0bf039e580caa2ef9dfe
  1. tools/
  2. access_vectors
  3. adbd.te
  4. Android.mk
  5. app.te
  6. attributes
  7. binderservicedomain.te
  8. bluetooth.te
  9. bootanim.te
  10. clatd.te
  11. debuggerd.te
  12. device.te
  13. dex2oat.te
  14. dhcp.te
  15. dnsmasq.te
  16. domain.te
  17. drmserver.te
  18. dumpstate.te
  19. file.te
  20. file_contexts
  21. fs_use
  22. genfs_contexts
  23. global_macros
  24. gpsd.te
  25. hci_attach.te
  26. healthd.te
  27. hostapd.te
  28. init.te
  29. init_shell.te
  30. initial_sid_contexts
  31. initial_sids
  32. inputflinger.te
  33. install_recovery.te
  34. installd.te
  35. isolated_app.te
  36. kernel.te
  37. keys.conf
  38. keystore.te
  39. lmkd.te
  40. logd.te
  41. mac_permissions.xml
  42. mdnsd.te
  43. mediaserver.te
  44. mls
  45. mls_macros
  46. mtp.te
  47. net.te
  48. netd.te
  49. nfc.te
  50. NOTICE
  51. platform_app.te
  52. policy_capabilities
  53. port_contexts
  54. ppp.te
  55. property.te
  56. property_contexts
  57. racoon.te
  58. radio.te
  59. README
  60. recovery.te
  61. rild.te
  62. roles
  63. runas.te
  64. sdcardd.te
  65. seapp_contexts
  66. security_classes
  67. selinux-network.sh
  68. service.te
  69. service_contexts
  70. servicemanager.te
  71. shared_relro.te
  72. shell.te
  73. su.te
  74. surfaceflinger.te
  75. system_app.te
  76. system_server.te
  77. te_macros
  78. tee.te
  79. ueventd.te
  80. unconfined.te
  81. uncrypt.te
  82. untrusted_app.te
  83. users
  84. vdc.te
  85. vold.te
  86. watchdogd.te
  87. wpa.te
  88. zygote.te