From f295758caeab2628d671d06d983088eaf25a493c Mon Sep 17 00:00:00 2001
From: Peter Enderborg <peter.enderborg@sony.com>
Date: Wed, 30 Aug 2017 11:34:39 +0200
Subject: [PATCH] Restrict functions for vold

Raw sockets usually imply advanced parsers that might have flaws. If vold need such odd thing, force it to have that in a other domain like filesystem checks. Debug features like ptrace does not belong to vold.

Bug: 64791922
Test: Manual
Change-Id: I75c62d13f998621f80b2049bce0505442862bf0b
---
 public/vold.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/public/vold.te b/public/vold.te
index 99f0bb384..118244a14 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -190,3 +190,5 @@ neverallow { domain -vold -init } restorecon_prop:property_service set;
 neverallow vold fsck_exec:file execute_no_trans;
 neverallow { domain -init } vold:process { transition dyntransition };
+neverallow vold *:process ptrace;
+neverallow vold *:rawip_socket *;
--
GitLab
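Review bot: The new `neverallow vold *:rawip_socket *;` forbids raw IP sockets only, while the rationale given in the commit message (raw sockets imply fragile protocol parsers) applies equally to `packet_socket`, which vold could still be granted unless a domain-wide neverallow elsewhere in the policy already covers it; consider `neverallow vold *:{ rawip_socket packet_socket } *;`. Both added lines are build-time assertions in public policy rather than runtime denials: they only act by rejecting an allow rule, including one from vendor policy, that would grant the access, so they are a guardrail and not a mitigation on their own. The existing neverallows in this hunk carry no explanation, so a short comment above the two new lines would help future readers, e.g. `# Raw sockets need protocol parsers and ptrace is a debugging facility; neither belongs in vold. Put such work in a separate domain.`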