Move net.dns* to it's own label.
Move net.dns* from net_radio_prop to the newly created label
net_dns_prop. This allows finer grain control over this specific
property.
Prior to this change, this property was readable to all SELinux domains,
and writable by the following SELinux domains:
* system_server
* system_app (apps which run as UID=system)
* netmgrd
* radio
This change:
1) Removes read access to this property to everyone EXCEPT untrusted_app
and system_server.
2) Limit write access to system_server.
In particular, this change removes read access to priv_apps. Any
priv_app which ships with the system should not be reading this
property.
Bug: 34115651
Test: Device boots, wifi turns on, no problems browsing the internet
Change-Id: I8a32e98c4f573d634485c4feac91baa35d021d38
diff --git a/private/untrusted_app.te b/private/untrusted_app.te
index c0d2b93..b6a80da 100644
--- a/private/untrusted_app.te
+++ b/private/untrusted_app.te
@@ -21,6 +21,10 @@
net_domain(untrusted_app)
bluetooth_domain(untrusted_app)
+# b/34115651 - net.dns* properties read
+# This will go away in a future Android release
+get_prop(untrusted_app, net_dns_prop)
+
# Allow the allocation and use of ptys
# Used by: https://play.google.com/store/apps/details?id=jackpal.androidterm
create_pty(untrusted_app)