Merge "Device SELinux policy for secure persistent netd storage" into…

… oc-dr1-dev
Flohack74 · Jul 12, 2017 · 4293069 · 4293069
2 parents 6544bd5 + 77e8a62
commit 4293069
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 0 deletions.
diff --git a/sepolicy/private/netd.te b/sepolicy/private/netd.te
@@ -0,0 +1,10 @@
+# TODO: delete this once it's in common sepolicy.
+set_prop(netd, netd_stable_secret_prop)
+
+# persist.netd.stable_secret contains RFC 7217 secret key which should never be
+# leaked to other processes. Make sure it never leaks.
+neverallow { domain -netd -init } netd_stable_secret_prop:file r_file_perms;
+
+# We want to ensure that no other process ever tries tampering with persist.netd.stable_secret,
+# the RFC 7217 secret key managed by netd. Doing so could compromise user privacy.
+neverallow { domain -netd -init } netd_stable_secret_prop:property_service set;
diff --git a/sepolicy/private/property.te b/sepolicy/private/property.te
@@ -0,0 +1,2 @@
+# TODO: delete this once it's in common sepolicy.
+type netd_stable_secret_prop, property_type;
diff --git a/sepolicy/private/property_contexts b/sepolicy/private/property_contexts
@@ -0,0 +1,2 @@
+# TODO: delete this once it's in common sepolicy.
+persist.netd.stable_secret    u:object_r:netd_stable_secret_prop:s0
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		# TODO: delete this once it's in common sepolicy.
		type netd_stable_secret_prop, property_type;
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		# TODO: delete this once it's in common sepolicy.
		persist.netd.stable_secret u:object_r:netd_stable_secret_prop:s0