Skip to content
Snippets Groups Projects
Commit d1fa4d3d authored by William Roberts's avatar William Roberts
Browse files

neverallow transitions to shell 


Only a few daemons need transition to shell. Prevent
misuse and over-privileging of shell domain.

Change-Id: Ib1a5611e356d7a66c2e008232c565035e3fc4956
Signed-off-by: default avatarWilliam Roberts <william.c.roberts@linux.intel.com>
parent 529a8634
No related branches found
No related tags found
No related merge requests found
Hide whitespace changes
Inline Side-by-side
Showing
with 13 additions and 0 deletions
domain.te
+ 13
0
View file @ d1fa4d3d
...@@ -429,3 +429,16 @@ neverallow { ...@@ -429,3 +429,16 @@ neverallow {
# do not grant anything greater than r_file_perms and relabelfrom unlink # do not grant anything greater than r_file_perms and relabelfrom unlink
# to installd # to installd
neverallow installd system_data_file:file ~{ r_file_perms relabelfrom unlink }; neverallow installd system_data_file:file ~{ r_file_perms relabelfrom unlink };
#
# Only these domains should transition to shell domain. This domain is
# permissible for the "shell user". If you need a process to exec a shell
# script with differing privilege, define a domain and set up a transition.
#
neverallow {
domain
-adbd
-init
-runas
-zygote
} shell:process { transition dyntransition };
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment