Remove sdcard_type access from unconfineddomain.

Require sdcard_type access to be explicitly allowed to each domain. This is to both protect services from being killed by unsafe ejection and to protect SDcard data from access by rogue daemons. Change-Id: If3bdd50fd2be50bd98d755b2f252e0ae455b82c4 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Remove sdcard_type access from unconfineddomain.
Require sdcard_type access to be explicitly allowed to each domain. This is to both protect services from being killed by unsafe ejection and to protect SDcard data from access by rogue daemons. Change-Id: If3bdd50fd2be50bd98d755b2f252e0ae455b82c4 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
ee615284 · Stephen Smalley · 631a5a8e · ee615284
Commit ee615284 authored 10 years ago by Stephen Smalley
--- a/unconfined.te
+++ b/unconfined.te
@@ -48,7 +48,7 @@ allow unconfineddomain domain:{ fifo_file file } rw_file_perms;
 allow unconfineddomain domain:socket_class_set *;
 allow unconfineddomain domain:ipc_class_set *;
 allow unconfineddomain domain:key *;
-allow unconfineddomain {fs_type -contextmount_type}:{ dir lnk_file sock_file fifo_file } ~relabelto;
+allow unconfineddomain {fs_type -contextmount_type -sdcard_type}:{ dir lnk_file sock_file fifo_file } ~relabelto;
 allow unconfineddomain dev_type:{ dir lnk_file sock_file fifo_file } ~relabelto;
 allow unconfineddomain {
    file_type
@@ -72,6 +72,7 @@ allow unconfineddomain {
    -proc_security
    -contextmount_type
    -rootfs
+    -sdcard_type
 }:{ chr_file file } ~{entrypoint execute_no_trans execmod execute relabelto};
 allow unconfineddomain {dev_type -kmem_device}:{ chr_file file } ~{entrypoint execute_no_trans execmod execute relabelto};
 allow unconfineddomain {