Commit 50897feb authored by Nick Kralevich

sdcardd: ensure that init never executes sdcard daemon

Only vold should execute the sdcard daemon. Remove old code which
allows this, and add a neverallow rule to ensure that nobody tries
running with this old configuration.

Change-Id: I6d0133e65948ae69e3c48f7b5f21fc7956fe8168
parent 73f7e768
type sdcardd, domain; type sdcardd, domain;
type sdcardd_exec, exec_type, file_type; type sdcardd_exec, exec_type, file_type;
init_daemon_domain(sdcardd) # TODO: deprecated in M
allow sdcardd cgroup:dir create_dir_perms; allow sdcardd cgroup:dir create_dir_perms;
allow sdcardd fuse_device:chr_file rw_file_perms; allow sdcardd fuse_device:chr_file rw_file_perms;
allow sdcardd rootfs:dir mounton; # TODO: deprecated in M allow sdcardd rootfs:dir mounton; # TODO: deprecated in M
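Review bot: the retained `allow sdcardd rootfs:dir mounton; # TODO: deprecated in M` carries the same "deprecated in M" TODO as the `init_daemon_domain(sdcardd)` line removed just above it, yet it stays without explanation. If that rule only served the init-launched configuration, drop it in this same change; if it is still required when vold starts the daemon, reword the comment to say so. With `init_daemon_domain` gone, nothing in the visible lines defines how the sdcardd domain is entered, so please confirm the vold-to-sdcardd transition is declared elsewhere in the policy.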
...@@ -31,3 +29,11 @@ allow sdcardd vold:fifo_file { read write getattr }; ...@@ -31,3 +29,11 @@ allow sdcardd vold:fifo_file { read write getattr };
# Allow running on top of expanded storage # Allow running on top of expanded storage
allow sdcardd mnt_expand_file:dir search; allow sdcardd mnt_expand_file:dir search;
###
### neverallow rules
###
# The sdcard daemon should no longer be started from init
neverallow init sdcardd_exec:file execute;
neverallow init sdcardd:process { transition dyntransition };
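Review bot: both neverallow rules name only init as the source, while the commit message states that only vold should execute the sdcard daemon, so any other domain could later be granted `sdcardd_exec:file execute` or a transition into sdcardd without a build failure. If no other domain legitimately needs this, consider expressing the stated invariant directly, for example `neverallow { domain -vold } sdcardd_exec:file execute;` with a matching rule for `sdcardd:process { transition dyntransition }`. The comment above the rules would also be more useful if it said who is expected to start the daemon, not only who is not.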