Commit 3927086d authored by Jeff Vander Stoep

kernel: neverallow dac_{override,read_search} perms

The kernel should never be accessing files owned by other users.

Disallow this access.

Test: Marlin builds. Neverallow are build time assertions,
they do not policy on the device.

Change-Id: I6ba2eb27c0e2ecf46974059588508cd3223baceb
parent 6b28742a
...@@ -90,3 +90,8 @@ neverallow * kernel:process { transition dyntransition }; ...@@ -90,3 +90,8 @@ neverallow * kernel:process { transition dyntransition };
# - You are running an exploit which switched to the init task credentials # - You are running an exploit which switched to the init task credentials
# and is then trying to exec a shell or other program. You lose! # and is then trying to exec a shell or other program. You lose!
neverallow kernel *:file { entrypoint execute_no_trans }; neverallow kernel *:file { entrypoint execute_no_trans };
# the kernel should not be accessing files owned by other users.
# Instead of adding dac_{read_search,override}, fix the unix permissions
# on files being accessed.
neverallow kernel self:capability { dac_override dac_read_search };
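Review bot: the added rule `neverallow kernel self:capability { dac_override dac_read_search };` names only the `capability` class, so it asserts nothing about the same two permissions in any other capability class this policy may define (for example one for user namespaces); if such a class exists in this tree, add it to the rule so the assertion cannot be sidestepped by a later allow on that class. As a style point, the new comment starts lowercase ("# the kernel should not ...") while the comments above it are capitalised. It would also help to say in the comment that the denial to look for is a kernel-domain `dac_override` or `dac_read_search` audit message, so someone who trips the assertion knows which file's ownership or mode to fix.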