Commit 479b5256 authored by dcashman's avatar dcashman

resolve merge conflicts of 9c8f2e23 to nyc-dev-plus-aosp

Change-Id: If72ca993aeea08315539e0635a4489e3c917098b
parents 47a09d6b 9c8f2e23
......@@ -339,7 +339,13 @@ neverallow * default_android_service:service_manager add;
neverallow { domain -init } default_prop:property_service set;
neverallow { domain -init } mmc_prop:property_service set;
neverallow { domain -init -recovery -system_server } frp_block_device:blk_file rw_file_perms;
neverallow {
domain
-init
-recovery
-system_server
-shell # Shell is further restricted in shell.te
} frp_block_device:blk_file rw_file_perms;
# No domain other than recovery and update_engine can write to system partition(s).
neverallow { domain -recovery -update_engine } system_block_device:blk_file write;
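Review bot: The `-shell` exemption in the multi-line frp_block_device neverallow takes shell out of the whole `rw_file_perms` assertion, so the only remaining guard is the shell-specific neverallow that the inline comment points to, which is written against `dev_type:blk_file`. That guard covers frp_block_device only while the type carries the dev_type attribute, and its declaration is not visible in this hunk. Keeping the guarantee next to the exemption would remove that dependency, for example by adding `neverallow shell frp_block_device:blk_file ~getattr;` directly below this block.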
......
......@@ -141,6 +141,11 @@ allow shell dev_type:chr_file getattr;
# /dev/fd is a symlink
allow shell proc:lnk_file getattr;
#
# filesystem test for insucre blk_file's is done
# via hostside test
#
allow shell dev_type:blk_file getattr;
###
### Neverallow rules
......@@ -164,3 +169,6 @@ neverallow shell {
hw_random_device
kmem_device
}:chr_file ~getattr;
# Limit shell to only getattr on blk devices for host side tests.
neverallow shell dev_type:blk_file ~getattr;
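Review bot: The comment above `allow shell dev_type:blk_file getattr;` does not name the host-side test it exists for and misspells "insecure" as "insucre", so a later reader cannot tell when the grant can be dropped or find it by searching. Suggest `# Host-side test <test name> stats block devices to check for insecure permissions; getattr only.` with the real test name filled in. The grant applies to every type with the dev_type attribute, so the closing `neverallow shell dev_type:blk_file ~getattr;` is what stops it from growing. The comment on that rule should also say that it is the reason shell is exempted from the frp_block_device neverallow, so the two rules are not edited independently.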