Commit 74df7f59 authored by Nick Kralevich

don't allow mounting on top of /system files/directories

Change-Id: If311f53b9e5a1020f188ae2346dbf6466e6129ac
parent 5ec38c49
...@@ -297,6 +297,9 @@ neverallow { domain -init } property_data_file:file no_w_file_perms; ...@@ -297,6 +297,9 @@ neverallow { domain -init } property_data_file:file no_w_file_perms;
neverallow { domain -recovery } { system_file exec_type }:dir_file_class_set neverallow { domain -recovery } { system_file exec_type }:dir_file_class_set
{ create write setattr relabelfrom relabelto append unlink link rename }; { create write setattr relabelfrom relabelto append unlink link rename };
# Don't allow mounting on top of /system files or directories
neverallow domain { system_file exec_type }:dir_file_class_set mounton;
# Nothing should be writing to files in the rootfs. # Nothing should be writing to files in the rootfs.
neverallow { domain -recovery } rootfs:file { create write setattr relabelto append unlink link rename }; neverallow { domain -recovery } rootfs:file { create write setattr relabelto append unlink link rename };
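
Review bot: The added rule `neverallow domain { system_file exec_type }:dir_file_class_set mounton;` has no exempted domain, while the rule directly above it excludes recovery and the property_data_file rule excludes init. If the absence of an exemption is deliberate, it would help to say so in the comment or the commit message, since any domain that is later granted mounton on these types will fail the policy build. The comment also mentions only /system files or directories, but the rule covers exec_type as well as system_file; consider wording it so that it matches the types actually named in the rule.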