From 84ae870bb8c1ec46fc5c3f6ce4cf46d5fd9fc64e Mon Sep 17 00:00:00 2001
From: Aayush Gupta
Date: Mon, 18 Jan 2021 19:00:40 +0530
Subject: [PATCH] non_plat: Label and address stroke binary denials

Signed-off-by: Aayush Gupta
Change-Id: I65a085ae9023f9788f780f28246b5297d1682c6e
---
 non_plat/epdg_wod.te | 2 ++
 non_plat/file_contexts | 1 +
 non_plat/stroke_exec.te | 1 +
 3 files changed, 4 insertions(+)
 create mode 100644 non_plat/stroke_exec.te

diff --git a/non_plat/epdg_wod.te b/non_plat/epdg_wod.te
index e237880..cbe9266 100644
--- a/non_plat/epdg_wod.te
+++ b/non_plat/epdg_wod.te
@@ -3,6 +3,8 @@ type epdg_wod_exec, exec_type, file_type, vendor_file_type;

 init_daemon_domain(epdg_wod)

+domain_auto_trans(epdg_wod, stroke_exec, ipsec)
+
 allow epdg_wod self:tun_socket { create relabelfrom relabelto };
 allow epdg_wod self:netlink_route_socket { create_socket_perms_no_ioctl nlmsg_read nlmsg_write };
 allow epdg_wod self:netlink_xfrm_socket { read write create getattr bind setopt nlmsg_write };
diff --git a/non_plat/file_contexts b/non_plat/file_contexts
index 96fad42..3025104 100644
--- a/non_plat/file_contexts
+++ b/non_plat/file_contexts
@@ -719,6 +719,7 @@
 /dev/socket/volte_imsvt1(/.*)? u:object_r:volte_imsvt1_socket:s0
 /(system\/vendor|vendor)/bin/bip u:object_r:bip_exec:s0
 /(system\/vendor|vendor)/bin/epdg_wod u:object_r:epdg_wod_exec:s0
+/(system\/vendor|vendor)/bin/stroke u:object_r:stroke_exec:s0
 /(system\/vendor|vendor)/bin/volte_imsm_93 u:object_r:volte_imsm_93_exec:s0
 /(system\/vendor|vendor)/bin/volte_md_status u:object_r:volte_md_status_exec:s0
 /(system\/vendor|vendor)/bin/volte_ua u:object_r:volte_ua_exec:s0
diff --git a/non_plat/stroke_exec.te b/non_plat/stroke_exec.te
new file mode 100644
index 0000000..75ee1dd
--- /dev/null
+++ b/non_plat/stroke_exec.te
@@ -0,0 +1 @@
+type stroke_exec, file_type, exec_type, vendor_file_type;
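Review bot: In non_plat/epdg_wod.te the new `domain_auto_trans(epdg_wod, stroke_exec, ipsec)` makes every exec of the stroke binary from epdg_wod run with the whole permission set of the `ipsec` domain, and nothing in this patch shows that `ipsec` is scoped to what stroke needs. The `ipsec` type is declared outside this diff, so its rules should be checked before merging; if that domain turns out broader than the helper requires, a dedicated domain entered through `stroke_exec` would keep the transition least-privilege. The commit message mentions denials without quoting them, so a comment above the rule such as `# epdg_wod execs stroke; run it in ipsec (denial: <paste the avc line here>)` would let a later reader audit why the transition exists.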
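Review bot: In non_plat/stroke_exec.te the type is declared with no comment naming the domain that uses it as an entrypoint, and its attribute order (`file_type, exec_type, vendor_file_type`) differs from `epdg_wod_exec` shown in the first hunk's header line. The order does not change the compiled policy, but matching the neighbouring declaration keeps text searches over exec types uniform: `type stroke_exec, exec_type, file_type, vendor_file_type;`. A header line such as `# Entrypoint label for the vendor stroke binary; entered from epdg_wod into the ipsec domain` would tie this file to the transition added in epdg_wod.te.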