Skip to content
Snippets Groups Projects
Commit 0abe8cdb authored by Nick Kralevich's avatar Nick Kralevich Committed by android-build-merger
Browse files

neverallow debugfs access 

am: 96b1c9ca

* commit '96b1c9ca':
  neverallow debugfs access
parents a490ec3a 96b1c9ca
Branches
Tags
No related merge requests found
Show whitespace changes
Inline Side-by-side
domain.te
+ 6
0
View file @ 0abe8cdb
...@@ -508,3 +508,9 @@ neverallow domain ~property_type:property_service set; ...@@ -508,3 +508,9 @@ neverallow domain ~property_type:property_service set;
# $ grep mydaemon file_contexts # $ grep mydaemon file_contexts
# /system/bin/mydaemon -- u:object_r:mydaemon_exec:s0 # /system/bin/mydaemon -- u:object_r:mydaemon_exec:s0
neverallow domain domain:file { execute execute_no_trans entrypoint }; neverallow domain domain:file { execute execute_no_trans entrypoint };
# Do not allow access to the generic debugfs label. This is too broad.
# Instead, if access to part of debugfs is desired, it should have a
# more specific label.
# TODO: fix system_server and dumpstate
neverallow { domain -init -system_server -dumpstate } debugfs:file no_rw_file_perms;
untrusted_app.te
+ 1
1
View file @ 0abe8cdb
...@@ -112,7 +112,7 @@ neverallow untrusted_app domain:netlink_socket *; ...@@ -112,7 +112,7 @@ neverallow untrusted_app domain:netlink_socket *;
# Too much leaky information in debugfs. It's a security # Too much leaky information in debugfs. It's a security
# best practice to ensure these files aren't readable. # best practice to ensure these files aren't readable.
neverallow untrusted_app debugfs:file read; neverallow untrusted_app debugfs_type:file read;
# Do not allow untrusted apps to register services. # Do not allow untrusted apps to register services.
# Only trusted components of Android should be registering # Only trusted components of Android should be registering
......
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment