Skip to content
Snippets Groups Projects
Commit a045ca42 authored by Nick Kralevich's avatar Nick Kralevich Committed by Android Git Automerger
Browse files

am 87f3802a: appdomain: relax netlink_socket neverallow rule

* commit '87f3802a':
  appdomain: relax netlink_socket neverallow rule
parents b5dd69a1 87f3802a
No related branches found
No related tags found
No related merge requests found
......@@ -229,8 +229,7 @@ neverallow appdomain tee_device:chr_file { read write };
# Privileged netlink socket interfaces.
neverallow appdomain
self:{
netlink_socket
domain:{
netlink_firewall_socket
netlink_tcpdiag_socket
netlink_nflog_socket
......@@ -243,7 +242,7 @@ neverallow appdomain
# These messages are broadcast messages from the kernel to userspace.
# Do not allow the writing of netlink messages, which has been a source
# of rooting vulns in the past.
neverallow appdomain self:netlink_kobject_uevent_socket { write append };
neverallow appdomain domain:netlink_kobject_uevent_socket { write append };
# Sockets under /dev/socket that are not specifically typed.
neverallow appdomain socket_device:sock_file write;
......
......@@ -69,7 +69,10 @@ allow untrusted_app cache_file:file create_file_perms;
###
# Receive or send uevent messages.
neverallow untrusted_app self:netlink_kobject_uevent_socket *;
neverallow untrusted_app domain:netlink_kobject_uevent_socket *;
# Receive or send generic netlink messages
neverallow untrusted_app domain:netlink_socket *;
# Too much leaky information in debugfs. It's a security
# best practice to ensure these files aren't readable.
......
0% Loading or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment