authormyfluxi <linflux@arcor.de>2015-11-05 22:50:08 +0100
committermyfluxi <linflux@arcor.de>2015-11-05 23:53:50 +0100
commit85017716079d2646cb29b8a3c5538ac1ccaf5cb3 (patch)
tree1dd23d9859b2fb3896f99fd834168ab2de01e01b /sepolicy/su.te
parent48f0b94fff0fa09a203107844973e7972f720147 (diff)
sepolicy: Make superuser_device and sudaemon mlstrustedobjects
Address: avc: denied { write } for pid=8782 comm="su" name="su-daemon" dev="tmpfs" ino=9462 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:superuser_device:s0 tclass=sock_file permissive=0 avc: denied { connectto } for pid=6666 comm="su" path="/dev/socket/su-daemon/su-daemon" scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:r:sudaemon:s0 tclass=unix_stream_socket permissive=0 And thus fix su. Change-Id: I666277067c5ff9f2a985c243075c63fd87090b27
Diffstat (limited to 'sepolicy/su.te')
-rw-r--r--sepolicy/su.te4
1 files changed, 3 insertions, 1 deletions
diff --git a/sepolicy/su.te b/sepolicy/su.te
index 9b7d098..4e34dc9 100644
--- a/sepolicy/su.te
+++ b/sepolicy/su.te
@@ -1,10 +1,12 @@
-type superuser_device, file_type;
+type superuser_device, file_type, mlstrustedobject;
## Perms for the daemon
userdebug_or_eng(`
domain_trans(init, su_exec, sudaemon)
+ typeattribute sudaemon domain, mlstrustedsubject;
+
type_transition sudaemon socket_device:sock_file superuser_device;
# The userspace app uses /dev sockets to control per-app access
allow sudaemon superuser_device:dir { create rw_dir_perms setattr unlink };
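Review bot: The `mlstrustedobject` attribute on the `type superuser_device` line sits outside `userdebug_or_eng(...)`, so the socket type is exempt from MLS checks on every build variant, while the matching `mlstrustedsubject` on `sudaemon` is gated to userdebug/eng builds. If the type is only meant to be reachable where the daemon exists, the attribute could move inside the macro as `typeattribute superuser_device mlstrustedobject;`. `mlstrustedsubject` is also broader than the quoted `connectto` denial needs: wherever the platform's MLS constraints honour it, it exempts everything `sudaemon` itself accesses, which leaves the type-enforcement allow rules in this file as the only limit on the daemon. A comment above the new line would record that intent, for example `# MLS exemption so apps in any category can reach the su-daemon socket; the allow rules below are the only boundary`. The `userdebug_or_eng` block continues past the end of the hunk, so the rest of the daemon's rules are not visible here.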