Commit b84c86b2 authored by dcashman

DO NOT MERGE. Remove isolated_app's ability to read sysfs.

untrusted_app lost the ability to read files labeled as sysfs to prevent
information leakage, but this is trivially bypassable by spawning an
isolated app, since this was not taken away from isolated app.
Privileges should not be gained by launching an isolated app, and this
one directly defeats that hardening. Remove this access.

Bug: 28722489
Change-Id: I61d3678eca515351c9dbe4444ee39d0c89db7a3e
parent 1cfdb12a
...@@ -54,7 +54,7 @@ allow domain_deprecated ion_device:chr_file rw_file_perms; ...@@ -54,7 +54,7 @@ allow domain_deprecated ion_device:chr_file rw_file_perms;
# Read access to pseudo filesystems. # Read access to pseudo filesystems.
r_dir_file(domain_deprecated, proc) r_dir_file(domain_deprecated, proc)
r_dir_file(domain_deprecated, sysfs) r_dir_file({ domain_deprecated -isolated_app }, sysfs)
r_dir_file(domain_deprecated, inotify) r_dir_file(domain_deprecated, inotify)
r_dir_file(domain_deprecated, cgroup) r_dir_file(domain_deprecated, cgroup)
allow domain_deprecated proc_meminfo:file r_file_perms; allow domain_deprecated proc_meminfo:file r_file_perms;
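Review bot: the exclusion on the sysfs line, { domain_deprecated -isolated_app }, has no comment explaining it and nothing in this hunk stops a later rule from granting the same access back to isolated_app. Suggest a one-line comment above it stating that isolated_app must not hold sysfs read access that untrusted_app has lost, and a matching neverallow for isolated_app on sysfs files so a reintroduced allow fails at policy build time instead of silently reopening the bypass. The neighbouring proc, inotify, cgroup and proc_meminfo lines still apply to all of domain_deprecated, isolated_app included; it is worth confirming that none of those gives isolated_app more than untrusted_app currently has, since the commit message's argument applies equally to them.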