Skip to content
GitLab
Explore
Sign in
Primary navigation
Search or go to…
Project
A
AndroidSystemSEPolicy
Manage
Activity
Members
Code
Repository
Branches
Commits
Tags
Repository graph
Compare revisions
Deploy
Releases
Container registry
Model registry
Analyze
Contributor analytics
Repository analytics
Model experiments
Help
Help
Support
GitLab documentation
Compare GitLab plans
GitLab community forum
Contribute to GitLab
Provide feedback
Terms and privacy
Keyboard shortcuts
?
Snippets
Groups
Projects
Show more breadcrumbs
Werner Sembach
AndroidSystemSEPolicy
Commits
b299e593
Commit
b299e593
authored
Feb 16, 2017
by
Nick Kralevich
Committed by
Android (Google) Code Review
Feb 16, 2017
Browse files
Options
Downloads
Plain Diff
Merge "system_server: replace sys_resource with sys_ptrace"
parents
fcec2a8f
44866954
Branches
Branches containing commit
Tags
Tags containing commit
No related merge requests found
Changes
1
Show whitespace changes
Inline
Side-by-side
Showing
1 changed file
private/system_server.te
+9
-4
9 additions, 4 deletions
private/system_server.te
with
9 additions
and
4 deletions
private/system_server.te
+
9
−
4
View file @
b299e593
...
@@ -68,16 +68,13 @@ allow system_server self:capability {
...
@@ -68,16 +68,13 @@ allow system_server self:capability {
net_raw
net_raw
sys_boot
sys_boot
sys_nice
sys_nice
sys_
resour
ce
sys_
ptra
ce
sys_time
sys_time
sys_tty_config
sys_tty_config
};
};
wakelock_use(system_server)
wakelock_use(system_server)
# Triggered by /proc/pid accesses, not allowed.
dontaudit system_server self:capability sys_ptrace;
# Trigger module auto-load.
# Trigger module auto-load.
allow system_server kernel:system module_request;
allow system_server kernel:system module_request;
...
@@ -697,3 +694,11 @@ neverallow system_server system_server_tmpfs:file execute;
...
@@ -697,3 +694,11 @@ neverallow system_server system_server_tmpfs:file execute;
# dexoptanalyzer is currently used only for secondary dex files which
# dexoptanalyzer is currently used only for secondary dex files which
# system_server should never access.
# system_server should never access.
neverallow system_server dexoptanalyzer_exec:file no_x_file_perms;
neverallow system_server dexoptanalyzer_exec:file no_x_file_perms;
# No ptracing others
neverallow system_server { domain -system_server }:process ptrace;
# CAP_SYS_RESOURCE was traditionally needed for sensitive /proc/PID
# file read access. However, that is now unnecessary (b/34951864)
# This neverallow can be removed after b/34951864 is fixed.
neverallow system_server system_server:capability sys_resource;
This diff is collapsed.
Click to expand it.
Preview
0%
Loading
Try again
or
attach a new file
.
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Save comment
Cancel
Please
register
or
sign in
to comment