Commit 883d1a18 authored by Nick Kralevich, committed by android-build-merger

shell.te: revoke syslog(2) access to shell user

am: c9630dc6

Change-Id: I81c7f5b62ad2b057a586148ff6ce4cc7654be98a
parents bbf21a4f c9630dc6
...@@ -425,10 +425,7 @@ neverallow appdomain ...@@ -425,10 +425,7 @@ neverallow appdomain
proc:dir_file_class_set write; proc:dir_file_class_set write;
# Access to syslog(2) or /proc/kmsg. # Access to syslog(2) or /proc/kmsg.
neverallow { appdomain -system_app } neverallow appdomain kernel:system { syslog_read syslog_mod syslog_console };
kernel:system { syslog_mod syslog_console };
neverallow { appdomain -system_app -shell }
kernel:system syslog_read;
# Ability to perform any filesystem operation other than statfs(2). # Ability to perform any filesystem operation other than statfs(2).
# i.e. no mount(2), unmount(2), etc. # i.e. no mount(2), unmount(2), etc.
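Review bot: The merged neverallow drops the -system_app exemption as well as -shell, which the commit subject does not mention. The old rules were written against { appdomain -system_app } and { appdomain -system_app -shell }, while the new one is "neverallow appdomain kernel:system { syslog_read syslog_mod syslog_console };", so system_app is now also barred from all three permissions. Please state that in the commit message and confirm no remaining allow rule grants system_app any of these permissions, since such a rule would now fail the neverallow check at policy build time.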
......
...@@ -85,9 +85,6 @@ userdebug_or_eng(` ...@@ -85,9 +85,6 @@ userdebug_or_eng(`
set_prop(shell, persist_debug_prop) set_prop(shell, persist_debug_prop)
') ')
# allow shell to run dmesg
allow shell kernel:system syslog_read;
# allow shell access to services # allow shell access to services
allow shell servicemanager:service_manager list; allow shell servicemanager:service_manager list;
# don't allow shell to access GateKeeper service # don't allow shell to access GateKeeper service
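Review bot: The removed "allow shell kernel:system syslog_read;" sits outside the userdebug_or_eng block that closes just above it, so the permission goes away for shell on every build variant, not only user builds. The deleted comment says this rule is what let shell run dmesg, and the commit message gives neither a rationale nor an alternative for reading the kernel log. Suggest adding a sentence to the commit message on why the access is revoked and what debugging workflows should use instead.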
......