
Merge pull request #1 from jhector/bug-1136032-selinux
Bug 1136032 - Part 2: Exclude b2g from some neverallow rules r=kang
rvandermeulen committed Aug 3, 2015
2 parents 37e296f + 39ef6a1 commit 3f6be48
Showing 2 changed files with 9 additions and 9 deletions.
12 changes: 6 additions & 6 deletions domain.te
Expand Up @@ -175,7 +175,7 @@ neverallow { domain -unconfineddomain -recovery } unlabeled:dir_file_class_set c

# Limit ability to ptrace or read sensitive /proc/pid files of processes
# with other UIDs to these whitelisted domains.
neverallow { domain -debuggerd -vold -dumpstate -system_server } self:capability sys_ptrace;
neverallow { domain -debuggerd -vold -dumpstate -system_server -b2g } self:capability sys_ptrace;

# Limit device node creation to these whitelisted domains.
neverallow { domain -kernel -init -recovery -ueventd -watchdogd -healthd -vold -uncrypt } self:capability mknod;
Expand Down Expand Up @@ -211,7 +211,7 @@ neverallow { domain -init } security_file:{ dir file lnk_file } { relabelfrom re
# system_server is for creating subdirectories under /data/security.
neverallow { domain -init -system_server } security_file:dir { create setattr };
# Only system_server can create subdirectories and files under /data/security.
neverallow { domain -system_server } security_file:dir { rename write add_name remove_name rmdir };
neverallow { domain -system_server -b2g } security_file:dir { rename write add_name remove_name rmdir };
neverallow { domain -system_server } security_file:file { create setattr write append unlink link rename };
neverallow { domain -system_server } security_file:lnk_file { create setattr unlink rename };

Expand Down Expand Up @@ -259,7 +259,7 @@ neverallow { domain -kernel -init -recovery -vold -uncrypt -install_recovery } b
# Don't allow raw read/write/open access to generic devices.
# Rather force a relabel to a more specific type.
# ueventd is exempt from this, as its managing these devices.
neverallow { domain -unconfineddomain -ueventd -recovery } device:chr_file { open read write };
neverallow { domain -unconfineddomain -ueventd -recovery -b2g } device:chr_file { open read write };

# Limit what domains can mount filesystems or change their mount flags.
# sdcard_type / vfat is exempt as a larger set of domains need
Expand All @@ -286,8 +286,8 @@ neverallow {
} { fs_type -rootfs }:file execute;

# Only the init property service should write to /data/property.
neverallow { domain -init } property_data_file:dir { create setattr relabelfrom rename write add_name remove_name rmdir };
neverallow { domain -init } property_data_file:file { create setattr relabelfrom write append unlink link rename };
neverallow { domain -init -b2g } property_data_file:dir { create setattr relabelfrom rename write add_name remove_name rmdir };
neverallow { domain -init -b2g } property_data_file:file { create setattr relabelfrom write append unlink link rename };

# Only recovery should be doing writes to /system
neverallow { domain -recovery } { system_file exec_type }:dir_file_class_set
Expand All @@ -311,6 +311,6 @@ neverallow { domain -recovery } contextmount_type:dir_file_class_set
# system_app_service rather than the generic type.
# New service_types are defined in service.te and new mappings
# from service name to service_type are defined in service_contexts.
neverallow domain default_android_service:service_manager add;
neverallow { domain -b2g } default_android_service:service_manager add;

neverallow { domain -init -recovery -system_server } frp_block_device:blk_file rw_file_perms;
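Review bot: Exempting b2g from the `device:chr_file { open read write }` neverallow (third hunk) removes it from exactly the rule whose comment says generic device nodes must be relabeled to a specific type rather than accessed raw, so a later `allow b2g device:chr_file rw_file_perms` in b2g.te (outside this diff) could grant raw access to every node that is not yet labeled; the policy's own guidance is to add a type in device.te plus a file_contexts entry for the nodes b2g needs and leave this rule alone. The `sys_ptrace`, `property_data_file` and `default_android_service` exemptions likewise now contradict the comments directly above them (`# Only the init property service should write to /data/property`, `# Limit ability to ptrace ... to these whitelisted domains`), so each should say why b2g is excluded, e.g. `# b2g is exempt: <feature that needs it>, see b2g.te`. The `security_file:dir` rule gets `-b2g` while the companion `security_file:file` and `lnk_file` rules on the next two lines do not, meaning b2g can be allowed to add or remove entries under /data/security but not to create the files themselves — confirm that asymmetry is intended rather than an oversight. I can't see b2g.te, so how much of each widened space is actually used is unverified.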
6 changes: 3 additions & 3 deletions keystore.te
Expand Up @@ -18,11 +18,11 @@ allow keystore tee:unix_stream_socket connectto;
### Protect ourself from others
###

neverallow { domain -keystore } keystore_data_file:dir ~{ open create read getattr setattr search relabelto };
neverallow { domain -keystore -b2g } keystore_data_file:dir ~{ open create read getattr setattr search relabelto };
neverallow { domain -keystore } keystore_data_file:notdevfile_class_set ~{ relabelto getattr };

neverallow { domain -keystore -init -kernel -recovery } keystore_data_file:dir *;
neverallow { domain -keystore -init -kernel -recovery } keystore_data_file:notdevfile_class_set *;
neverallow { domain -keystore -init -kernel -recovery -b2g } keystore_data_file:dir *;
neverallow { domain -keystore -init -kernel -recovery -b2g } keystore_data_file:notdevfile_class_set *;

neverallow domain keystore:process ptrace;
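Review bot: The `-b2g` on the first changed line, the `keystore_data_file:dir ~{ open create read getattr setattr search relabelto }` rule, is the exemption that actually widens keystore's protection: together with the `-b2g` on the `keystore_data_file:dir *` rule it lets b2g be granted every directory permission on keystore's data, including `write`, `add_name`, `remove_name` and `rmdir`, rather than only the set that rule already tolerated. If b2g merely needs to look into the directory, dropping `-b2g` from the first changed line and keeping it only on the `*` rule already permits `search`, `getattr`, `open` and `read`. For files the unchanged `notdevfile_class_set ~{ relabelto getattr }` rule still confines b2g to `getattr`/`relabelto`, so the `-b2g` on the last changed line only opens those two permissions — worth a comment such as `# b2g may only stat keystore files; contents stay keystore-only` so the next reader does not assume key material is exposed. Which permissions b2g actually receives is decided by allow rules in b2g.te, which is outside this diff.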

