Skip to content
Snippets Groups Projects
Commit 5207ca6a authored by Nick Kralevich's avatar Nick Kralevich
Browse files

Enforce assumptions around metadata_block_device 

Add a compile time assertion that only authorized SELinux domains are
allowed to touch the metadata_block_device. This domain may be wiped at
will, and we want to ensure that we're not inadvertently destroying
other people's data.

Test: policy compiles.
Change-Id: I9854b527c3d83e17f717d6cc8a1c6b50e0e373b6
parent 0046853f
No related branches found
No related tags found
No related merge requests found
Hide whitespace changes
Inline Side-by-side
Showing
with 6 additions and 0 deletions
public/domain.te
+ 6
0
View file @ 5207ca6a
...@@ -383,6 +383,12 @@ neverallow { ...@@ -383,6 +383,12 @@ neverallow {
-ueventd # Further restricted in ueventd.te -ueventd # Further restricted in ueventd.te
} frp_block_device:blk_file rw_file_perms; } frp_block_device:blk_file rw_file_perms;
# The metadata block device is set aside for device encryption and
# verified boot metadata. It may be reset at will and should not
# be used by other domains.
neverallow { domain -init -recovery -vold } metadata_block_device:blk_file
{ append link rename write open read ioctl lock };
# No domain other than recovery and update_engine can write to system partition(s). # No domain other than recovery and update_engine can write to system partition(s).
neverallow { domain -recovery -update_engine } system_block_device:blk_file write; neverallow { domain -recovery -update_engine } system_block_device:blk_file write;
......
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment