On Mon, Jul 23, 2012 at 6:20 AM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
So an app is passing a socket fd to the system_server over Binder andOn Thu, 2012-07-19 at 14:49 -0700, Haiqing Jiang wrote:
> From: hqjiang <hqjiang1988@xxxxxxxxx>
>
> ---
> system.te | 3 +++
> 1 files changed, 3 insertions(+), 0 deletions(-)
>
> diff --git a/system.te b/system.te
> index a4065cf..5c34f81 100644
> --- a/system.te
> +++ b/system.te
> @@ -196,3 +196,6 @@ allow system domain:file r_file_perms;
> # to uart driver and ctrl proc entry
> allow system gps_device:chr_file rw_file_perms;
> allow system gps_control:file rw_file_perms;
> +
> +# system Read/Write udp_socket of untrusted_app
> +allow system untrusted_app:udp_socket { read write };
the system_server is then writing to the socket? Wonder why. Anyway,
rather than writing this only in terms of one app domain
(untrusted_app), cover all cases by using the appdomain attribute, i.e.
allow system appdomain:udp_socket { read write };
--
Stephen Smalley
National Security Agency
-----------------------------------
Haiqing Jiang, PH.D studentComputer Science Department, North Carolina State University
