Skip to content
Snippets Groups Projects
Commit df545265 authored by Nick Kralevich's avatar Nick Kralevich Committed by Android (Google) Code Review
Browse files

Merge "sdcardd: ensure that init never executes sdcard daemon" into mnc-dev

parents 46452b84 50897feb
No related branches found
No related tags found
No related merge requests found
Hide whitespace changes
Inline Side-by-side
Showing
with 8 additions and 2 deletions
sdcardd.te
+ 8
2
View file @ df545265
type sdcardd, domain; type sdcardd, domain;
type sdcardd_exec, exec_type, file_type; type sdcardd_exec, exec_type, file_type;
init_daemon_domain(sdcardd) # TODO: deprecated in M
allow sdcardd cgroup:dir create_dir_perms; allow sdcardd cgroup:dir create_dir_perms;
allow sdcardd fuse_device:chr_file rw_file_perms; allow sdcardd fuse_device:chr_file rw_file_perms;
allow sdcardd rootfs:dir mounton; # TODO: deprecated in M allow sdcardd rootfs:dir mounton; # TODO: deprecated in M
...@@ -31,3 +29,11 @@ allow sdcardd vold:fifo_file { read write getattr }; ...@@ -31,3 +29,11 @@ allow sdcardd vold:fifo_file { read write getattr };
# Allow running on top of expanded storage # Allow running on top of expanded storage
allow sdcardd mnt_expand_file:dir search; allow sdcardd mnt_expand_file:dir search;
###
### neverallow rules
###
# The sdcard daemon should no longer be started from init
neverallow init sdcardd_exec:file execute;
neverallow init sdcardd:process { transition dyntransition };
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment