Commit a824fa33 authored by Nick Kralevich's avatar Nick Kralevich Committed by android-build-merger

neverallow some /proc file reads

am: 0b7506ff

Change-Id: I8093d316ef2f0e5839073b88351bca4eace75b7b
parents 1d18ef44 0b7506ff
......@@ -116,3 +116,7 @@ neverallow ephemeral_app gpu_device:chr_file execute;
# access files in /sys with the default sysfs label
neverallow ephemeral_app sysfs:file *;
# Avoid reads from generically labeled /proc files
# Create a more specific label if needed
neverallow ephemeral_app proc:file { no_rw_file_perms no_x_file_perms };
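Review bot: The new rule on the last line is deliberately narrower than the sysfs rule two lines above it (`neverallow ephemeral_app sysfs:file *;`), and the reason is not recorded: `{ no_rw_file_perms no_x_file_perms }` is the union of two macros whose definitions are not on this page, and if they carry their usual AOSP contents (open/read/write/ioctl/lock plus the write-side perms, and execute/execute_no_trans) then `getattr` falls outside both, so an ephemeral app can still stat() generically labeled /proc files. If that is intended, say so next to the rule, e.g. `# getattr is intentionally left out of this neverallow: stat() on generic /proc files stays allowed`; if not, `*` as on the sysfs line is both simpler and stricter. The comment `# Avoid reads from generically labeled /proc files` also understates what the rule enforces, since the macro set blocks writes and execute as well as reads.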
......@@ -109,3 +109,7 @@ neverallow isolated_app { usb_device usbaccessory_device }:chr_file *;
# Restrict the webview_zygote control socket.
neverallow isolated_app webview_zygote_socket:sock_file write;
# Avoid reads from generically labeled /proc files
# Create a more specific label if needed
neverallow isolated_app proc:file { no_rw_file_perms no_x_file_perms };
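Review bot: The permission set in the added rule, `{ no_rw_file_perms no_x_file_perms }`, is a union of macros defined elsewhere, and it does not obviously cover every file permission the way the `*` form used in the isolated_app rule quoted in this hunk's header (`{ usb_device usbaccessory_device }:chr_file *`) does; assuming the standard AOSP macro contents, `getattr` in particular is not in either set, so generic /proc files remain stat()-able from isolated_app. Since isolated_app is the domain where the tightest restriction is expected, either use `*` here or document the carve-out, e.g. `# getattr is not blocked here; only the read/write/execute permission sets are`. The header comment `# Avoid reads ...` should also be widened to match the rule, which covers writes and execute too.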
......@@ -193,3 +193,7 @@ neverallow untrusted_app tun_device:chr_file open;
# Only allow appending to /data/anr/traces.txt (b/27853304, b/18340553)
neverallow untrusted_app anr_data_file:file ~{ open append };
neverallow untrusted_app anr_data_file:dir ~search;
# Avoid reads from generically labeled /proc files
# Create a more specific label if needed
neverallow untrusted_app proc:file { no_rw_file_perms no_x_file_perms };
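Review bot: This comment-plus-rule pair is now copied verbatim into three domains on this page (ephemeral_app, isolated_app and untrusted_app); if these domains share an attribute, or the tree already has a common file for app-wide neverallows, writing the rule once against that attribute would keep the three copies from drifting apart when the permission set is next adjusted. As written, `{ no_rw_file_perms no_x_file_perms }` is a macro union rather than `*`, so whatever permissions the macros omit (under the usual AOSP definitions, at least `getattr`) stay allowed on generic /proc files; a one-line comment stating that this is intentional, e.g. `# stat() on generic /proc files is still permitted; only read/write/execute are blocked`, would spare the next reader from re-deriving it. The neighbouring rules at the top of this hunk use the `~{ ... }` complement form, which is another way to make the allowed remainder explicit.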