Skip to content
Snippets Groups Projects
Normal view Permalink
domain.te 34.5 KiB
Newer Older
  • Learn to ignore specific revisions
    • Calin Juravle's avatar
    Update permissions for the dedicated profile folders  
    Calin Juravle committed
    1001 1002 1003 1004 
      domain
  -installd
  -profman
} profman_exec:file no_x_file_perms;
    Jeff Vander Stoep's avatar
    Enforce restrictions on kernel module origin  
    Jeff Vander Stoep committed
    1005 1006 1007 1008 
    
# Enforce restrictions on kernel module origin.
# Do not allow kernel module loading except from system,
# vendor, and boot partitions.
    Jaesoo Lee's avatar
    allow to load kernel modules from vendor partition  
    Jaesoo Lee committed
    1009 
    neverallow * ~{ system_file vendor_file rootfs }:system module_load;
    William Roberts's avatar
    domain: neverallow on setfcap  
    William Roberts committed
    1010 1011 1012 1013 1014 1015 1016 
    
# Only allow filesystem caps to be set at build time or
# during upgrade by recovery.
neverallow {
  domain
  -recovery
} self:capability setfcap;
    Josh Gao's avatar
    Introduce crash_dump debugging helper.  
    Josh Gao committed
    1017 1018 1019 
    
# Enforce AT_SECURE for executing crash_dump.
neverallow domain crash_dump:process noatsecure;
    Alex Klyubin's avatar
    Assert apps can access only approved HwBinder services  
    Alex Klyubin committed
    1020 1021 1022 1023 1024 1025 1026 1027 1028 
    
# Do not permit non-core domains to register HwBinder services which are
# guaranteed to be provided by core domains only.
neverallow ~coredomain coredomain_hwservice:hwservice_manager add;

# Do not permit the registeration of HwBinder services which are guaranteed to
# be passthrough only (i.e., run in the process of their clients instead of a
# separate server process).
neverallow * same_process_hwservice:hwservice_manager add;
    Show full blame