Remove fsetid from netd.
fsetid checks are triggered by chmod on a directory or file owned by
a group other than one of the groups assigned to the current process
to see if the setgid bit should be cleared, regardless of whether the
setgid bit was even set. We do not appear to truly need this
capability for netd to operate, so remove it. Potential dontaudit
candidate.
Change-Id: I5ab4fbaaa056dcd1c7e60ec28632e7bc06f826bf
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
diff --git a/netd.te b/netd.te
index f8c9ffb..fb54bde 100644
--- a/netd.te
+++ b/netd.te
@@ -5,7 +5,16 @@
init_daemon_domain(netd)
net_domain(netd)
-allow netd self:capability { net_admin net_raw kill fsetid };
+allow netd self:capability { net_admin net_raw kill };
+# Note: fsetid is deliberately not included above. fsetid checks are
+# triggered by chmod on a directory or file owned by a group other
+# than one of the groups assigned to the current process to see if
+# the setgid bit should be cleared, regardless of whether the setgid
+# bit was even set. We do not appear to truly need this capability
+# for netd to operate. Uncomment the dontaudit rule below after
+# sufficient testing of the fsetid removal.
+# dontaudit netd self:capability fsetid;
+
allow netd self:netlink_kobject_uevent_socket *;
allow netd self:netlink_route_socket *;
allow netd self:netlink_nflog_socket *;
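Review bot: the `# dontaudit netd self:capability fsetid;` line at the end of the hunk ships commented out, so nothing in the tree will remind anyone to enable it once testing is done; consider tracking the follow-up explicitly (or dropping the commented rule and keeping only the explanatory comment), since a commented-out policy line tends to stay that way. As a style point, the new comment restates the commit message almost verbatim; a one-line pointer ("fsetid intentionally omitted, see commit I5ab4fbaaa056dcd1c7e60ec28632e7bc06f826bf") would keep netd.te shorter while the rationale stays in history. While the rule is absent and not dontaudited, any `avc: denied { fsetid }` for the netd domain in the audit log is the signal that netd does chmod files owned by a group it is not in, which is exactly what the testing period should be watching for before the dontaudit is enabled.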