Commit f4ede35c authored by Nick Kralevich, committed by Gerrit Code Review

Merge "Assert executable content (mostly) only loaded from /system"

parents 8599e34b 629fbc95
...@@ -232,3 +232,17 @@ neverallow { domain -unconfineddomain -ueventd } device:chr_file { open read wri ...@@ -232,3 +232,17 @@ neverallow { domain -unconfineddomain -ueventd } device:chr_file { open read wri
# sdcard_type / vfat is exempt as a larger set of domains need # sdcard_type / vfat is exempt as a larger set of domains need
# this capability, including device-specific domains. # this capability, including device-specific domains.
neverallow { domain -kernel -init -recovery -vold -zygote } { fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto }; neverallow { domain -kernel -init -recovery -vold -zygote } { fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto };
#
# Assert that, to the extent possible, we're not loading executable content from
# outside the /system partition except for a few whitelisted domains.
#
neverallow {
domain
-appdomain
-dumpstate
-shelldomain
userdebug_or_eng(`-su')
-system_server
-zygote
} { file_type -system_file -exec_type }:file execute;
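Review bot: the exemption list in the new neverallow (-appdomain, -dumpstate, -shelldomain, -system_server, -zygote, plus -su on userdebug/eng builds) carries no rationale, so a later reader cannot tell which entries are meant to stay and which are candidates for tightening; a short comment per exempted domain would help. The header comment also describes the assertion in terms of the /system partition, while the rule itself is written against labels: it exempts system_file and every exec_type, wherever those files actually live. Suggest rewording the comment to say that execute is denied on any file_type other than system_file and exec_type, so the description matches what the rule enforces.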