Commit 9d55d901 authored by Mark Salyzyn, committed by android-build-merger

bootstat: lock down *_boot_reason_prop am: 397b07b3 am: 67ec37a3

am: 23e37c3d

Change-Id: I852067275dee07b08dbdd4e4e65291e7a9503da1
parents dc420a1e 23e37c3d
...@@ -30,3 +30,31 @@ allow bootstat kernel:system syslog_read; ...@@ -30,3 +30,31 @@ allow bootstat kernel:system syslog_read;
read_logd(bootstat) read_logd(bootstat)
# ToDo: end # ToDo: end
neverallow {
domain
-bootanim
-bootstat
-dumpstate
-init
-recovery
-shell
-system_server
} { bootloader_boot_reason_prop last_boot_reason_prop }:file r_file_perms;
# ... and refine, as these components should not set the last boot reason
neverallow { bootanim recovery } last_boot_reason_prop:file r_file_perms;
neverallow {
domain
-bootstat
-init
-system_server
} { bootloader_boot_reason_prop last_boot_reason_prop }:property_service set;
# ... and refine ... for a ro propertly no less ... keep this _tight_
neverallow system_server bootloader_boot_reason_prop:property_service set;
neverallow {
domain
-bootstat
-init
} system_boot_reason_prop:property_service set;
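Review bot: the comment above `neverallow { bootanim recovery } last_boot_reason_prop:file r_file_perms;` says these components "should not set the last boot reason", but the rule it introduces restricts read access (`file r_file_perms`), not set. Setting by bootanim and recovery is already denied by the `property_service set` neverallow that exempts only bootstat, init and system_server, so the comment should say "read" to match the rule it describes. In the second refinement comment, "propertly" should be "property". The first neverallow block has no comment of its own even though the later ones begin "... and refine"; a one-line comment stating that it limits which domains may read the two boot reason properties would make the sequence easier to follow.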