On 11/26/2012 09:12 PM, William Roberts wrote:
I was asked this question and could not come up with a convincing answer.

shell.te defines the following:
allow shell property_socket:sock_file write;
allow shell shell_prop:property_service set;

whereas vold:
unix_socket_connect(vold, property, init)
allow vold vold_prop:property_service set;

They both allow them to set their respective properties and also to
write the property_socket. However, vold has the additional rule:
allow vold init:unix_stream_socket connectto;

How come vold requires this and shell does not?

The shell does need it; if you try doing a setprop from the shell, you'll see a connectto denial. So that's a bug in policy; it should be using the unix_socket_connect() macro rather than directly writing the sock_file rule.



--
This message was distributed to subscribers of the seandroid-list mailing list.
If you no longer wish to subscribe, send mail to majord...@tycho.nsa.gov with
the words "unsubscribe seandroid-list" without quotes as the message.
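An added lint, not code from the thread or from the Android sepolicy project, that catches the bug discussed above: it expands unix_socket_connect() into the two allow rules the macro emits (the expansion is assumed from the macro's te_macros definition) and flags any domain that may write property_socket but lacks connectto on init. The policy fragments are constructed from the ones quoted in the thread; the parser is deliberately simplified and ignores attributes, typeattribute and other macros.

```python
import re

# Constructed samples: the shell and vold fragments quoted in the thread,
# plus the shell fragment rewritten with the macro as the reply suggests.
SHELL_TE = """
allow shell property_socket:sock_file write;
allow shell shell_prop:property_service set;
"""
VOLD_TE = """
unix_socket_connect(vold, property, init)
allow vold vold_prop:property_service set;
"""
FIXED_SHELL_TE = """
unix_socket_connect(shell, property, init)
allow shell shell_prop:property_service set;
"""

ALLOW_RE = re.compile(r"allow\s+(\w+)\s+(\w+):(\w+)\s+(\{[^}]*\}|\w+)\s*;")
MACRO_RE = re.compile(r"unix_socket_connect\(\s*(\w+)\s*,\s*(\w+)\s*,\s*(\w+)\s*\)")

def expand_unix_socket_connect(policy):
    """Expand unix_socket_connect(client, sock, server) into the two rules the
    macro emits (assumed from its te_macros definition): write on the socket
    file and connectto on the server's stream socket."""
    def repl(m):
        client, sock, server = m.groups()
        return (f"allow {client} {sock}_socket:sock_file write;\n"
                f"allow {client} {server}:unix_stream_socket connectto;")
    return MACRO_RE.sub(repl, policy)

def parse_allow_rules(policy):
    """Return a set of (source, target, class, permission) tuples."""
    rules = set()
    for src, tgt, cls, perms in ALLOW_RE.findall(expand_unix_socket_connect(policy)):
        for perm in perms.strip("{}").split():
            rules.add((src, tgt, cls, perm))
    return rules

def missing_property_connect(policy):
    """Domains that can write property_socket but cannot connectto init: for
    these, a setprop is denied with a connectto AVC, as the thread describes."""
    rules = parse_allow_rules(policy)
    writers = {s for s, t, c, p in rules if (t, c, p) == ("property_socket", "sock_file", "write")}
    connectors = {s for s, t, c, p in rules if (t, c, p) == ("init", "unix_stream_socket", "connectto")}
    return sorted(writers - connectors)

if __name__ == "__main__":
    for name, te in (("shell.te", SHELL_TE), ("vold.te", VOLD_TE), ("fixed shell.te", FIXED_SHELL_TE)):
        print(name, "missing connectto for:", missing_property_connect(te) or "none")
```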