Gitiles
Code Review Sign In
LeafOS / LeafOS-Project / android_system_sepolicy / cbaa2b7d37c0810009cc0ffa4026334b4bf3096e
commitcbaa2b7d37c0810009cc0ffa4026334b4bf3096e[log] [tgz]
authorJeff Vander Stoep <jeffv@google.com>Tue Dec 22 10:39:34 2015 -0800
committerJeff Vander Stoep <jeffv@google.com>Mon Jan 04 12:15:19 2016 -0800
treeb80e3517f274cd80d81c1474454e28f5e1d57aa0
parente02e6c03a59d1f60f07affa8540b74aca077a6c8 [diff]
Reduce socket ioctl perms

Reduce the socket ioctl commands available to untrusted/isolated apps.
Neverallow accessing sensitive information or setting of network parameters.
Neverallow access to device private ioctls i.e. device specific
customizations as these are a common source of driver bugs.

Define common ioctl commands in ioctl_defines.

Bug: 26267358
Change-Id: Ic5c0af066e26d4cb2867568f53a3e65c5e3b5a5d
3 files changed
tree: b80e3517f274cd80d81c1474454e28f5e1d57aa0
  1. tools/
  2. access_vectors
  3. adbd.te
  4. Android.mk
  5. app.te
  6. atrace.te
  7. attributes
  8. audioserver.te
  9. autoplay_app.te
  10. binderservicedomain.te
  11. blkid.te
  12. blkid_untrusted.te
  13. bluetooth.te
  14. bluetoothdomain.te
  15. bootanim.te
  16. clatd.te
  17. CleanSpec.mk
  18. debuggerd.te
  19. device.te
  20. dex2oat.te
  21. dhcp.te
  22. dnsmasq.te
  23. domain.te
  24. domain_deprecated.te
  25. drmserver.te
  26. dumpstate.te
  27. file.te
  28. file_contexts
  29. file_contexts_asan
  30. fingerprintd.te
  31. fs_use
  32. fsck.te
  33. fsck_untrusted.te
  34. gatekeeperd.te
  35. genfs_contexts
  36. global_macros
  37. gpsd.te
  38. hci_attach.te
  39. healthd.te
  40. hostapd.te
  41. idmap.te
  42. init.te
  43. initial_sid_contexts
  44. initial_sids
  45. inputflinger.te
  46. install_recovery.te
  47. installd.te
  48. ioctl_defines
  49. ioctl_macros
  50. isolated_app.te
  51. kernel.te
  52. keys.conf
  53. keystore.te
  54. lmkd.te
  55. logd.te
  56. mac_permissions.xml
  57. mdnsd.te
  58. mediaextractor.te
  59. mediaserver.te
  60. mls
  61. mls_macros
  62. MODULE_LICENSE_PUBLIC_DOMAIN
  63. mtp.te
  64. net.te
  65. netd.te
  66. neverallow_macros
  67. nfc.te
  68. NOTICE
  69. perfprofd.te
  70. platform_app.te
  71. policy_capabilities
  72. port_contexts
  73. ppp.te
  74. priv_app.te
  75. property.te
  76. property_contexts
  77. racoon.te
  78. radio.te
  79. README
  80. recovery.te
  81. rild.te
  82. roles
  83. runas.te
  84. sdcardd.te
  85. seapp_contexts
  86. security_classes
  87. service.te
  88. service_contexts
  89. servicemanager.te
  90. sgdisk.te
  91. shared_relro.te
  92. shell.te
  93. slideshow.te
  94. su.te
  95. surfaceflinger.te
  96. system_app.te
  97. system_server.te
  98. te_macros
  99. tee.te
  100. toolbox.te
  101. tzdatacheck.te
  102. ueventd.te
  103. uncrypt.te
  104. untrusted_app.te
  105. update_engine.te
  106. update_verifier.te
  107. users
  108. vdc.te
  109. vold.te
  110. watchdogd.te
  111. wpa.te
  112. zygote.te