domain.te · a730e50bd93cd058b271ce3a4affcc6ac75da58b · Werner Sembach / AndroidSystemSEPolicy

Something went wrong on our end

11 years ago

Don't allow zygote init:binder call · a730e50b

Nick Kralevich authored 11 years ago

init can't handle binder calls. It's always incorrect
to allow init:binder call, and represents a binder call
to a service without an SELinux domain. Adding this
allow rule was a mistake; the dumpstate SELinux domain didn't
exist at the time this rule was written, and dumpstate was
running under init's domain.

Add a neverallow rule to prevent the reintroduction of
this bug.

Change-Id: I78d35e675fd142d880f15329471778c18972bf50

a730e50b

History

Don't allow zygote init:binder call

Nick Kralevich authored 11 years ago

init can't handle binder calls. It's always incorrect
to allow init:binder call, and represents a binder call
to a service without an SELinux domain. Adding this
allow rule was a mistake; the dumpstate SELinux domain didn't
exist at the time this rule was written, and dumpstate was
running under init's domain.

Add a neverallow rule to prevent the reintroduction of
this bug.

Change-Id: I78d35e675fd142d880f15329471778c18972bf50