Skip to content
Snippets Groups Projects
Select Git revision
20 results

neverallow_macros

Blame
    • Nick Kralevich's avatar
      acc0842c
      system_server: neverallow blk_file read/write · acc0842c
      Nick Kralevich authored 
      With the exception of the factory reset protection block device,
don't allow system_server to read or write to any other block
devices. This helps protect against a system->root escalation
when system_server has the ability to directly minipulate raw
block devices / partitions / partition tables.

This change adds a neverallow rule, which is a compile time
assertion that no SELinux policy is written which allows this
access. No new rules are added or removed.

Change-Id: I388408423097ef7cf4950197b79d4be9d666362c
      acc0842c
      History
      system_server: neverallow blk_file read/write
      Nick Kralevich authored 
      With the exception of the factory reset protection block device,
don't allow system_server to read or write to any other block
devices. This helps protect against a system->root escalation
when system_server has the ability to directly minipulate raw
block devices / partitions / partition tables.

This change adds a neverallow rule, which is a compile time
assertion that no SELinux policy is written which allows this
access. No new rules are added or removed.

Change-Id: I388408423097ef7cf4950197b79d4be9d666362c