89e379e9a94ddcfc5f47a299c89f9a931d73e41c - platform/external/sepolicy

commit	89e379e9a94ddcfc5f47a299c89f9a931d73e41c	[log] [tgz]
author	Jeff Vander Stoep <jeffv@google.com>	Tue Jan 05 07:42:16 2016 -0800
committer	Jeffrey Vander Stoep <jeffv@google.com>	Tue Jan 05 16:15:54 2016 +0000
tree	bb342f18ffeb20e24ba526ae0d3e557e3826e0a4
parent	e97bd887ca353ae02dd1641687431786d7d60cd6 [diff]

shell: Reduce socket ioctl perms

Only allow shell to access the same subset of ioctl commands as
untrusted_app. This reduces the attack surface of the kernel
available to a local attacker.

Bug: 26324307
Bug: 26267358
Change-Id: Ib8ecb9546af5fb480d2622149d4e00ec50cd4cde

shell.te[diff]

1 file changed

tree: bb342f18ffeb20e24ba526ae0d3e557e3826e0a4

tools/
access_vectors
adbd.te
Android.mk
app.te
atrace.te
attributes
audioserver.te
autoplay_app.te
binderservicedomain.te
blkid.te
blkid_untrusted.te
bluetooth.te
bluetoothdomain.te
bootanim.te
clatd.te
CleanSpec.mk
debuggerd.te
device.te
dex2oat.te
dhcp.te
dnsmasq.te
domain.te
domain_deprecated.te
drmserver.te
dumpstate.te
file.te
file_contexts
file_contexts_asan
fingerprintd.te
fs_use
fsck.te
fsck_untrusted.te
gatekeeperd.te
genfs_contexts
global_macros
gpsd.te
hci_attach.te
healthd.te
hostapd.te
idmap.te
init.te
initial_sid_contexts
initial_sids
inputflinger.te
install_recovery.te
installd.te
ioctl_defines
ioctl_macros
isolated_app.te
kernel.te
keys.conf
keystore.te
lmkd.te
logd.te
mac_permissions.xml
mdnsd.te
mediaextractor.te
mediaserver.te
mls
mls_macros
MODULE_LICENSE_PUBLIC_DOMAIN
mtp.te
net.te
netd.te
neverallow_macros
nfc.te
NOTICE
perfprofd.te
platform_app.te
policy_capabilities
port_contexts
ppp.te
priv_app.te
property.te
property_contexts
racoon.te
radio.te
README
recovery.te
rild.te
roles
runas.te
sdcardd.te
seapp_contexts
security_classes
service.te
service_contexts
servicemanager.te
sgdisk.te
shared_relro.te
shell.te
slideshow.te
su.te
surfaceflinger.te
system_app.te
system_server.te
te_macros
tee.te
toolbox.te
tzdatacheck.te
ueventd.te
uncrypt.te
untrusted_app.te
update_engine.te
update_verifier.te
users
vdc.te
vold.te
watchdogd.te
wpa.te
zygote.te