On 06/16/2015 11:27 AM, Jeffrey Vander Stoep wrote:
>> Shouldn't they use the final/upstream version instead, i.e.
>> https://android-review.googlesource.com/#/c/152510/
>>
>
> It looks like Android M will remain on the previous version of the
> patches. Future versions will move to the final version that Stephen
> linked to. I plan on merging the final version into AOSP master once M
> is forked.
That's a bit troubling; it means that M will ship with a forked policy.30 format that can't be handled by any upstream SELinux tools...

> The commit messages on the patches that I linked to contain examples
> on how to use the feature.
>
> Here is an example of a rule I wrote:
>
> # only allow unprivileged socket ioctl commands
> allow untrusted_app self:{ rawip_socket tcp_socket udp_socket }
> unpriv_sock_ioctls;
>
> Where unpriv_sock_ioctls was defined as:
>
> # socket ioctls allowed to unprivileged apps
> define(`unpriv_sock_ioctls', `
> {
> # all socket ioctls except the Mac address SIOCGIFHWADDR 0x8927
> 0x8900-0x8926 0x8928-0x89ff
> # all wireless extensions ioctls except get/set essid
> # IOCSIWESSID 0x8B1A SIOCGIWESSID 0x8B1B
> 0x8B00-0x8B09 0x8B1C-0x8BFF
> # commonly used TTY ioctls
> 0x5411 0x5451
> }')
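An added checker for ioctl whitelists written in the form quoted above (example code, not from this thread, AOSP, or the SELinux tools): it parses the value and range entries of such an m4 define body, skipping comments, and reports which commands in a 256-command ioctl family the whitelist still denies, so the exclusions stated in the comments can be confirmed before the policy is built. The define body is reproduced here as a constructed string; the function names are assumptions.

```python
import re

# Body of the unpriv_sock_ioctls define from the message above, constructed
# here as a plain string (comments kept, since the parser must skip them).
UNPRIV_SOCK_IOCTLS = """
# all socket ioctls except the Mac address SIOCGIFHWADDR 0x8927
0x8900-0x8926 0x8928-0x89ff
# all wireless extensions ioctls except get/set essid
# IOCSIWESSID 0x8B1A SIOCGIWESSID 0x8B1B
0x8B00-0x8B09 0x8B1C-0x8BFF
# commonly used TTY ioctls
0x5411 0x5451
"""

_ENTRY = re.compile(r'(0x[0-9a-fA-F]+)(?:-(0x[0-9a-fA-F]+))?')

def parse_ioctl_set(text):
    """Return the set of 16-bit ioctl command numbers a whitelist body grants.

    Each non-comment line holds whitespace-separated entries that are either
    a single value (0x5411) or an inclusive range (0x8900-0x8926).
    """
    allowed = set()
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()     # drop trailing comments
        if not line:
            continue
        for tok in line.split():
            m = _ENTRY.fullmatch(tok)
            if not m:
                raise ValueError(f"bad ioctl entry: {tok!r}")
            lo = int(m.group(1), 16)
            hi = int(m.group(2), 16) if m.group(2) else lo
            if hi < lo or hi > 0xFFFF:
                raise ValueError(f"bad ioctl range: {tok!r}")
            allowed.update(range(lo, hi + 1))
    return allowed

def denied_in_family(allowed, family):
    """Commands of one 256-entry ioctl family (e.g. 0x89 for sockets) that
    the whitelist does not grant; compare against the intended exclusions."""
    base = family << 8
    return sorted(n for n in range(base, base + 0x100) if n not in allowed)

if __name__ == "__main__":
    allowed = parse_ioctl_set(UNPRIV_SOCK_IOCTLS)
    print(f"{len(allowed)} ioctl commands granted")
    for fam in (0x89, 0x8B):
        denied = [hex(n) for n in denied_in_family(allowed, fam)]
        print(f"family 0x{fam:02X} still denied: {denied}")
```

Run against the quoted define, the 0x89 family denies only SIOCGIFHWADDR, while the 0x8B ranges as written leave 0x8B0A through 0x8B1B denied, not just the two ESSID commands named in the comment.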