Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / 0474b119ca75e92b20e74faea302037934a6a447^2..0474b119ca75e92b20e74faea302037934a6a447 / .
commit0474b119ca75e92b20e74faea302037934a6a447[log] [tgz]
authorTreehugger Robot <treehugger-gerrit@google.com>Fri Jun 22 20:24:26 2018 +0000
committerGerrit Code Review <noreply-gerritcodereview@google.com>Fri Jun 22 20:24:26 2018 +0000
tree72a4d0621fe717f4d06259b60ff006625ec76531
parent4b9a3128fd6ae648ec2d33ac9e7a1b455b1c0790 [diff]
parent02be5975d6e2ec91ea02f4b4af37ff51418aa806 [diff]
Merge "Allow SurfaceFlinger to use Power HAL."
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index cf58278..5c4aa40 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te

@@ -70,7 +70,7 @@
 
 # Restrict socket ioctls. Either 1. disallow privileged ioctls, 2. disallow the
 # ioctl permission, or 3. disallow the socket class.
-neverallowxperm all_untrusted_apps domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
+neverallowxperm all_untrusted_apps domain:{ icmp_socket rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
 neverallow all_untrusted_apps *:{ netlink_route_socket netlink_selinux_socket } ioctl;
 neverallow all_untrusted_apps *:{
   socket netlink_socket packet_socket key_socket appletalk_socket
@@ -79,7 +79,11 @@
   netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket
   netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket
   netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket
-  netlink_rdma_socket netlink_crypto_socket
+  netlink_rdma_socket netlink_crypto_socket sctp_socket
+  ax25_socket ipx_socket netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket
+  atmsvc_socket rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket
+  bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket
+  alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket
 } *;
 
 # Do not allow untrusted apps access to /cache

diff --git a/private/net.te b/private/net.te
index f16daf9..2e6ced3 100644
--- a/private/net.te
+++ b/private/net.te

@@ -4,7 +4,8 @@
 
 # Use network sockets.
 allow netdomain self:tcp_socket create_stream_socket_perms;
-allow netdomain self:{ udp_socket rawip_socket } create_socket_perms;
+allow netdomain self:{ icmp_socket udp_socket rawip_socket } create_socket_perms;
+
 # Connect to ports.
 allow netdomain port_type:tcp_socket name_connect;
 # Bind to ports.

diff --git a/public/domain.te b/public/domain.te
index 9dc3c18..3d35fab 100644
--- a/public/domain.te
+++ b/public/domain.te

@@ -262,7 +262,7 @@
 # defaults for all processes. Note that granting this whitelist to domain does
 # not grant the ioctl permission on these socket types. That must be granted
 # separately.
-allowxperm domain domain:{ rawip_socket tcp_socket udp_socket }
+allowxperm domain domain:{ icmp_socket rawip_socket tcp_socket udp_socket }
   ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
 # default whitelist for unix sockets.
 allowxperm domain domain:{ unix_dgram_socket unix_stream_socket }