Skip to content
Snippets Groups Projects
Commit 623579ae authored by Nick Kralevich's avatar Nick Kralevich Committed by android-build-merger
Browse files

Merge "tighten up some neverallow rules." am: dbe5086f am: 63c66766 

am: 9462739e

Change-Id: I0917cb660acf1410a1cbdeb028f28318284a5686
parents f73b714e 9462739e
No related branches found
No related tags found
No related merge requests found
Show whitespace changes
Inline Side-by-side
Showing
with 2 additions and 2 deletions
public/domain.te
+ 2
2
View file @ 623579ae
...@@ -481,10 +481,10 @@ neverallow { domain -init -recovery -vold } metadata_block_device:blk_file ...@@ -481,10 +481,10 @@ neverallow { domain -init -recovery -vold } metadata_block_device:blk_file
{ append link rename write open read ioctl lock }; { append link rename write open read ioctl lock };
# No domain other than recovery and update_engine can write to system partition(s). # No domain other than recovery and update_engine can write to system partition(s).
neverallow { domain -recovery -update_engine } system_block_device:blk_file write; neverallow { domain -recovery -update_engine } system_block_device:blk_file { write append };
# No domains other than install_recovery or recovery can write to recovery. # No domains other than install_recovery or recovery can write to recovery.
neverallow { domain -install_recovery -recovery } recovery_block_device:blk_file write; neverallow { domain -install_recovery -recovery } recovery_block_device:blk_file { write append };
# No domains other than a select few can access the misc_block_device. This # No domains other than a select few can access the misc_block_device. This
# block device is reserved for OTA use. # block device is reserved for OTA use.
......
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment