Skip to content
Snippets Groups Projects
Commit 6c300161 authored by William Roberts's avatar William Roberts
Browse files

neverallow cache_file and derivatives execute 


Change-Id: I45002cfd05e4e184bfc66039b3ae9a4af057adb1
Signed-off-by: default avatarWilliam Roberts <william.c.roberts@linux.intel.com>
parent e5916eb6
No related branches found
No related tags found
No related merge requests found
Hide whitespace changes
Inline Side-by-side
Showing
with 2 additions and 0 deletions
domain.te
+ 2
0
View file @ 6c300161
...@@ -294,6 +294,8 @@ neverallow { ...@@ -294,6 +294,8 @@ neverallow {
-appdomain # for oemfs -appdomain # for oemfs
-recovery # for /tmp/update_binary in tmpfs -recovery # for /tmp/update_binary in tmpfs
} { fs_type -rootfs }:file execute; } { fs_type -rootfs }:file execute;
# Files from cache should never be executed
neverallow domain { cache_file cache_backup_file }:file execute;
# Only the init property service should write to /data/property. # Only the init property service should write to /data/property.
neverallow { domain -init } property_data_file:dir no_w_dir_perms; neverallow { domain -init } property_data_file:dir no_w_dir_perms;
......
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment