Skip to content
Snippets Groups Projects
Commit 64620270 authored by William Roberts's avatar William Roberts Committed by Nick Kralevich
Browse files

neverallow transitions to shell


Only a few daemons need transition to shell. Prevent
misuse and over-privileging of shell domain.

Signed-off-by: default avatarWilliam Roberts <william.c.roberts@linux.intel.com>
(cherry picked from commit d1fa4d3d)

Bug: 21924438
Change-Id: I013143cc5ab1e95bf3f7388ce51619e0e3b18425
parent 7c065a9f
No related branches found
No related tags found
No related merge requests found
...@@ -443,3 +443,16 @@ neverallow { ...@@ -443,3 +443,16 @@ neverallow {
# do not grant anything greater than r_file_perms and relabelfrom unlink # do not grant anything greater than r_file_perms and relabelfrom unlink
# to installd # to installd
neverallow installd system_data_file:file ~{ r_file_perms relabelfrom unlink }; neverallow installd system_data_file:file ~{ r_file_perms relabelfrom unlink };
#
# Only these domains should transition to shell domain. This domain is
# permissible for the "shell user". If you need a process to exec a shell
# script with differing privilege, define a domain and set up a transition.
#
neverallow {
domain
-adbd
-init
-runas
-zygote
} shell:process { transition dyntransition };
0% Loading or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment