Loading Android.mk +1 −3 Original line number Diff line number Diff line Loading @@ -6,7 +6,7 @@ include $(CLEAR_VARS) # SELinux policy version. # Must be <= /sys/fs/selinux/policyvers reported by the Android kernel. # Must be within the compatibility range reported by checkpolicy -V. POLICYVERS ?= 30 POLICYVERS ?= 28 MLS_SENS=1 MLS_CATS=1024 Loading Loading @@ -143,8 +143,6 @@ sepolicy_build_files := security_classes \ policy_capabilities \ te_macros \ attributes \ ioctl_defines \ ioctl_macros \ *.te \ roles_decl \ roles \ Loading private/app_neverallows.te +0 −2 Original line number Diff line number Diff line Loading @@ -70,8 +70,6 @@ neverallow all_untrusted_apps sysfs:file no_rw_file_perms; # Restrict socket ioctls. Either 1. disallow privileged ioctls, 2. disallow the # ioctl permission, or 3. disallow the socket class. neverallowxperm all_untrusted_apps domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls; neverallow all_untrusted_apps *:{ netlink_route_socket netlink_selinux_socket } ioctl; neverallow all_untrusted_apps *:{ socket netlink_socket packet_socket key_socket appletalk_socket netlink_tcpdiag_socket netlink_nflog_socket Loading private/bluetooth.te +0 −3 Original line number Diff line number Diff line Loading 
@@ -8,9 +8,6 @@ net_domain(bluetooth) # Socket creation under /data/misc/bluedroid. type_transition bluetooth bluetooth_data_file:sock_file bluetooth_socket; # Allow access to net_admin ioctls allowxperm bluetooth self:udp_socket ioctl priv_sock_ioctls; wakelock_use(bluetooth); # Data file accesses. Loading private/bluetoothdomain.te +1 −1 Original line number Diff line number Diff line # Allow clients to use a socket provided by the bluetooth app. allow bluetoothdomain bluetooth:unix_stream_socket { getopt setopt getattr read write ioctl shutdown }; # allow bluetoothdomain bluetooth:unix_stream_socket { getopt setopt getattr read write ioctl shutdown }; private/netutils_wrapper.te +0 −3 Original line number Diff line number Diff line Loading @@ -10,9 +10,6 @@ allow netutils_wrapper proc_net:file { open read getattr }; allow netutils_wrapper self:rawip_socket create_socket_perms; allow netutils_wrapper self:udp_socket create_socket_perms; allow netutils_wrapper self:global_capability_class_set net_admin; # ip utils need everything but ioctl allow netutils_wrapper self:netlink_route_socket ~ioctl; allow netutils_wrapper self:netlink_xfrm_socket ~ioctl; # For netutils (ndc) to be able to talk to netd allow netutils_wrapper netd_socket:sock_file { open getattr read write append }; Loading Loading
Android.mk +1 −3 Original line number Diff line number Diff line Loading @@ -6,7 +6,7 @@ include $(CLEAR_VARS) # SELinux policy version. # Must be <= /sys/fs/selinux/policyvers reported by the Android kernel. # Must be within the compatibility range reported by checkpolicy -V. POLICYVERS ?= 30 POLICYVERS ?= 28 MLS_SENS=1 MLS_CATS=1024 Loading Loading @@ -143,8 +143,6 @@ sepolicy_build_files := security_classes \ policy_capabilities \ te_macros \ attributes \ ioctl_defines \ ioctl_macros \ *.te \ roles_decl \ roles \ Loading
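Review bot: The header comment above POLICYVERS still only states the upper bounds (kernel policyvers, checkpolicy range) and does not record why the value drops from 30 to 28 or what that costs; extended-permission (xperm) rules require policy version 30, so this change together with removing ioctl_defines and ioctl_macros from sepolicy_build_files is what forces the allowxperm/neverallowxperm deletions in private/app_neverallows.te and private/bluetooth.te. A comment such as `# 28: target kernel reports policyvers < 30, so extended-permission (ioctl allowlist) rules cannot be used.` would make the downgrade auditable; the actual reason is not visible on this page and should be confirmed before wording it. Dropping ioctl_defines/ioctl_macros also leaves priv_sock_ioctls undefined for every file picked up by `*.te`, so any allowxperm/neverallowxperm reference outside the files this commit touches will fail at policy build time. The sepolicy_build_files list continues past the end of the second hunk.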
private/app_neverallows.te +0 −2 Original line number Diff line number Diff line Loading @@ -70,8 +70,6 @@ neverallow all_untrusted_apps sysfs:file no_rw_file_perms; # Restrict socket ioctls. Either 1. disallow privileged ioctls, 2. disallow the # ioctl permission, or 3. disallow the socket class. neverallowxperm all_untrusted_apps domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls; neverallow all_untrusted_apps *:{ netlink_route_socket netlink_selinux_socket } ioctl; neverallow all_untrusted_apps *:{ socket netlink_socket packet_socket key_socket appletalk_socket netlink_tcpdiag_socket netlink_nflog_socket Loading
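Review bot: The second removed line, `neverallow all_untrusted_apps *:{ netlink_route_socket netlink_selinux_socket } ioctl;`, is a plain neverallow rather than an xperm rule, so it does not depend on the policy-version downgrade and should be kept; dropping it removes the only visible guard against untrusted apps issuing ioctls on those two netlink socket classes. With the neverallowxperm line gone, option 1 in the surviving comment ("disallow privileged ioctls") is no longer something this policy can express, so the comment should be reworded to list only options 2 and 3, and it should say explicitly that the privileged-ioctl restriction on rawip/tcp/udp sockets is now enforced by nothing in this file. The neverallow on the remaining socket classes continues past the end of the hunk.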
private/bluetooth.te +0 −3 Original line number Diff line number Diff line Loading @@ -8,9 +8,6 @@ net_domain(bluetooth) # Socket creation under /data/misc/bluedroid. type_transition bluetooth bluetooth_data_file:sock_file bluetooth_socket; # Allow access to net_admin ioctls allowxperm bluetooth self:udp_socket ioctl priv_sock_ioctls; wakelock_use(bluetooth); # Data file accesses. Loading
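Review bot: Removing `allowxperm bluetooth self:udp_socket ioctl priv_sock_ioctls;` without touching the base ioctl grant widens rather than narrows bluetooth's access: an allowxperm line only narrows which ioctl commands an existing `ioctl` permission covers, so once it is gone every ioctl the base rule permits is allowed. Whether bluetooth still holds `ioctl` on udp_socket comes from net_domain(bluetooth) and rules outside this hunk, which should be checked. A comment in place of the removed one, e.g. `# udp_socket ioctl scope is no longer narrowed: xperm rules are unavailable at POLICYVERS 28`, would keep the reason visible to the next reader.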
private/bluetoothdomain.te +1 −1 Original line number Diff line number Diff line # Allow clients to use a socket provided by the bluetooth app. allow bluetoothdomain bluetooth:unix_stream_socket { getopt setopt getattr read write ioctl shutdown }; # allow bluetoothdomain bluetooth:unix_stream_socket { getopt setopt getattr read write ioctl shutdown };
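Review bot: The new side keeps the rule as a commented-out `# allow bluetoothdomain bluetooth:unix_stream_socket { ... };` rather than deleting it, which leaves dead policy text with no explanation; unlike the other files in this commit, nothing here involves xperm or the policy version, so the reason for revoking this socket access is not recoverable from the diff. Either delete the line outright or replace it with a one-line why-comment such as `# bluetoothdomain clients no longer use the bluetooth app's unix_stream_socket: <reason>`. No context lines of the file are shown, so whether another rule still grants this access cannot be checked here.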
private/netutils_wrapper.te +0 −3 Original line number Diff line number Diff line Loading @@ -10,9 +10,6 @@ allow netutils_wrapper proc_net:file { open read getattr }; allow netutils_wrapper self:rawip_socket create_socket_perms; allow netutils_wrapper self:udp_socket create_socket_perms; allow netutils_wrapper self:global_capability_class_set net_admin; # ip utils need everything but ioctl allow netutils_wrapper self:netlink_route_socket ~ioctl; allow netutils_wrapper self:netlink_xfrm_socket ~ioctl; # For netutils (ndc) to be able to talk to netd allow netutils_wrapper netd_socket:sock_file { open getattr read write append }; Loading
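Review bot: The two removed rules, `allow netutils_wrapper self:netlink_route_socket ~ioctl;` and `allow netutils_wrapper self:netlink_xfrm_socket ~ioctl;`, are ordinary allow rules with a permission complement, not xperm rules, so the policy-version downgrade does not force their removal; as far as this hunk shows, the domain now has no netlink_route_socket or netlink_xfrm_socket access while it keeps net_admin on the line above, which per the removed comment is exactly what the ip utilities need. If the access is meant to be granted elsewhere, that rule is outside this hunk and should be named in a comment; otherwise the two lines should stay. If the intent was to tighten the domain, a comment stating what replaced them would help, since a silent drop will surface only as avc denials at runtime.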