From e96c3abe2e86f3ecdfdb7770629e9f73ff1e96d1 Mon Sep 17 00:00:00 2001
From: dcashman <dcashman@google.com>
Date: Tue, 14 Apr 2015 11:21:46 -0700
Subject: [PATCH] Add neverallow for mounting on proc

Change-Id: Ie19ac00f2e96836667e8a5c18fafeaf6b6eadb25
---
 domain.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/domain.te b/domain.te
index 87ec2ee66..c7fe3be7a 100644
--- a/domain.te
+++ b/domain.te
@@ -397,3 +397,5 @@ neverallow domain {
 # TODO: prohibit non-zygote spawned processes from using shared libraries
 # with text relocations. b/20013628 .
 # neverallow { domain -appdomain } file_type:file execmod;
+
+neverallow { domain -init } proc:{ file dir } mounton;
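Review bot: The added `neverallow { domain -init } proc:{ file dir } mounton;` has no comment, and the commit message gives no rationale, so a later maintainer cannot tell what the rule protects or why `init` is exempt. I would put a comment directly above it, for example `# Only init may mount over /proc entries; a mount placed on a proc file or dir can mask the kernel-provided contents that other domains read.` The rule names only the `proc` type, so /proc entries labelled with a different type are presumably not covered. If that scope is intentional, the comment should say so.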
-- 
GitLab