Merge "Do not allow untrusted apps any access to kernel configuration" into oc-dev

393c8e94 · TreeHugger Robot · Android (Google) Code Review · 8d567da2 · 2da9cfdf · 393c8e94
Commit 393c8e94 authored 7 years ago by TreeHugger Robot Committed by Android (Google) Code Review 7 years ago
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -98,6 +98,9 @@ neverallow all_untrusted_apps anr_data_file:dir ~search;
 # Create a more specific label if needed
 neverallow all_untrusted_apps proc:file { no_rw_file_perms no_x_file_perms };

+# Avoid all access to kernel configuration
+neverallow all_untrusted_apps config_gz:file { no_rw_file_perms no_x_file_perms };
+
 # Do not allow untrusted apps access to preloads data files
 neverallow all_untrusted_apps preloads_data_file:file no_rw_file_perms;