Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / 642b80427ec2e95eb13cf03a74d814f240813e71
commit642b80427ec2e95eb13cf03a74d814f240813e71[log] [tgz]
authorNick Kralevich <nnk@google.com>Sun Sep 21 23:35:24 2014 -0700
committerNick Kralevich <nnk@google.com>Sun Sep 21 23:49:37 2014 -0700
tree7a5569f19674d23ccdce93fd864ac7869cdf8f76
parentdd053a9b891195439b1c0848cb0e8a6e17b4b9bc [diff]
relax neverallow rules on NETLINK_KOBJECT_UEVENT sockets

Netlink uevent sockets are used by the kernel to inform userspace
when certain events occur, for example, when new hardware is added
or removed. This allows userspace to take some action based on those
messages.

Relax the neverallow rule for NETLINK_KOBJECT_UEVENT sockets.
Certain device specific app domains, such as system_app, may have a
need to receive messages from this socket type.

Continue to neverallow NETLINK_KOBJECT_UEVENT sockets for untrusted_app.
These sockets have been the source of rooting attacks in Android
in the past, and it doesn't make sense to expose this to untrusted_apps.

No new SELinux rules are introduced by this change. This is an
adjustment of compile time assertions only.

Bug: 17525863
Change-Id: I3e538dc8096dc23b9678bcd20e3c1e742c21c967
2 files changed
tree: 7a5569f19674d23ccdce93fd864ac7869cdf8f76
  1. tools/
  2. access_vectors
  3. adbd.te
  4. Android.mk
  5. app.te
  6. attributes
  7. binderservicedomain.te
  8. bluetooth.te
  9. bootanim.te
  10. clatd.te
  11. debuggerd.te
  12. device.te
  13. dex2oat.te
  14. dhcp.te
  15. dnsmasq.te
  16. domain.te
  17. drmserver.te
  18. dumpstate.te
  19. file.te
  20. file_contexts
  21. fs_use
  22. genfs_contexts
  23. global_macros
  24. gpsd.te
  25. hci_attach.te
  26. healthd.te
  27. hostapd.te
  28. init.te
  29. init_shell.te
  30. initial_sid_contexts
  31. initial_sids
  32. inputflinger.te
  33. install_recovery.te
  34. installd.te
  35. isolated_app.te
  36. kernel.te
  37. keys.conf
  38. keystore.te
  39. lmkd.te
  40. logd.te
  41. mac_permissions.xml
  42. mdnsd.te
  43. mediaserver.te
  44. mls
  45. mls_macros
  46. mtp.te
  47. net.te
  48. netd.te
  49. nfc.te
  50. NOTICE
  51. platform_app.te
  52. policy_capabilities
  53. port_contexts
  54. ppp.te
  55. property.te
  56. property_contexts
  57. racoon.te
  58. radio.te
  59. README
  60. recovery.te
  61. rild.te
  62. roles
  63. runas.te
  64. sdcardd.te
  65. seapp_contexts
  66. security_classes
  67. selinux-network.sh
  68. service.te
  69. service_contexts
  70. servicemanager.te
  71. shared_relro.te
  72. shell.te
  73. su.te
  74. surfaceflinger.te
  75. system_app.te
  76. system_server.te
  77. te_macros
  78. tee.te
  79. ueventd.te
  80. unconfined.te
  81. uncrypt.te
  82. untrusted_app.te
  83. users
  84. vdc.te
  85. vold.te
  86. watchdogd.te
  87. wpa.te
  88. zygote.te