From 3f951ce093d88eb384e031cd06e284241c8f2683 Mon Sep 17 00:00:00 2001
From: Vachounet
Date: Mon, 2 Apr 2018 10:41:10 +0200
Subject: [PATCH] sanders: address some denials
Change-Id: I90239f922aea3b7684b492ea34f137ef31577221
---
 sepolicy/netd.te | 2 ++
 sepolicy/untrusted_app.te | 9 +++++++++
 sepolicy/untrusted_app_25.te | 4 ++++
 3 files changed, 15 insertions(+)
 create mode 100644 sepolicy/netd.te
diff --git a/sepolicy/netd.te b/sepolicy/netd.te
new file mode 100644
index 0000000..465ec2f
--- /dev/null
+++ b/sepolicy/netd.te
@@ -0,0 +1,2 @@
+allow netd untrusted_app_25:unix_stream_socket { read write };
+
diff --git a/sepolicy/untrusted_app.te b/sepolicy/untrusted_app.te
index 50e45cf..a3c4026 100644
--- a/sepolicy/untrusted_app.te
+++ b/sepolicy/untrusted_app.te
@@ -2,3 +2,12 @@ get_prop(untrusted_app, camera_prop);
 get_prop(untrusted_app_25, camera_prop);
 allow untrusted_app sysfs_zram:dir { search read };
 allow untrusted_app sysfs_zram:file { open read getattr };
+
+get_prop(untrusted_app, net_dns_prop);
+
+allow untrusted_app firmware_file:dir read;
+allow untrusted_app fsg_file:dir read;
+allow untrusted_app net_dns_prop:file read;
+allow untrusted_app persist_file:dir getattr;
+allow untrusted_app persist_file:filesystem getattr;
+allow untrusted_app rootfs:dir read;
diff --git a/sepolicy/untrusted_app_25.te b/sepolicy/untrusted_app_25.te
index 091bdfc..24dbfc7 100644
--- a/sepolicy/untrusted_app_25.te
+++ b/sepolicy/untrusted_app_25.te
@@ -4,3 +4,7 @@ allow untrusted_app_25 init:unix_stream_socket { read write };
+allow untrusted_app_25 proc_stat:file read;
+allow untrusted_app_25 qemu_hw_mainkeys_prop:file read;
+allow untrusted_app_25 self:udp_socket ioctl;
+allow untrusted_app_25 vold_exec:file read;
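Review bot: The single rule in the new sepolicy/netd.te, `allow netd untrusted_app_25:unix_stream_socket { read write };`, carries no comment recording the denial it answers, and it lets netd read and write stream sockets created by legacy third-party apps. A denial of this shape often comes from a descriptor the app passed or leaked rather than from access netd needs, so I would first confirm that netd actually misbehaves without the rule and otherwise prefer `dontaudit netd untrusted_app_25:unix_stream_socket { read write };`. If the allow stays, put a line such as `# <feature> hands netd a socket from legacy apps; avc log in <bug-id>` above it so the grant can be re-evaluated later. The rule also covers only `untrusted_app_25`, not `untrusted_app`, which is worth a word in the commit message if intentional.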
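Review bot: The `allow untrusted_app ...` lines added to sepolicy/untrusted_app.te give every third-party app directory reads on `rootfs`, `firmware_file` and `fsg_file` plus getattr on `persist_file`, which looks like apps probing paths rather than access a device feature depends on. Where the apps work without it, `dontaudit untrusted_app { firmware_file fsg_file rootfs }:dir read;` and `dontaudit untrusted_app persist_file:{ dir filesystem } getattr;` quiet the log without widening the app sandbox. `get_prop(untrusted_app, net_dns_prop);` exposes the device's resolver properties to all apps; I would check it against the platform's neverallow rules for untrusted apps before merging, since I cannot confirm from this patch that it passes them. The separate `allow untrusted_app net_dns_prop:file read;` appears to duplicate what the macro already grants and can likely be dropped.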
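Review bot: Of the four rules added to sepolicy/untrusted_app_25.te, `allow untrusted_app_25 vold_exec:file read;` stands out: a third-party app has no evident reason to read the vold binary, and nothing in the patch says which app or denial prompted it, so `dontaudit untrusted_app_25 vold_exec:file read;` looks like the safer answer. `allow untrusted_app_25 self:udp_socket ioctl;` may not clear the denial it targets if the logged avc carried an `ioctlcmd=` value, because that case is governed by the extended-permission (`allowxperm`) whitelist rather than the plain `ioctl` permission; please check the log line. `proc_stat` and `qemu_hw_mainkeys_prop` reads are lower risk but still deserve a one-line comment naming the denial. The hunk's leading context could not be fully recovered from this page, so the surrounding rules were not reviewed.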