Commit fb6a1ee0 authored by Nick Kralevich's avatar Nick Kralevich Committed by Android Git Automerger

am 84a81d1e: Merge "Restrict ability to set checkreqprot."

* commit '84a81d1e':
  Restrict ability to set checkreqprot.
parents fdea4414 84a81d1e
...@@ -148,7 +148,7 @@ neverallow { domain -init } kernel:security load_policy; ...@@ -148,7 +148,7 @@ neverallow { domain -init } kernel:security load_policy;
# init starts in kernel domain and switches to init domain via setcon in # init starts in kernel domain and switches to init domain via setcon in
# the init.rc, so the setenforce occurs while still in kernel. After # the init.rc, so the setenforce occurs while still in kernel. After
# switching domains, there is never any need to setenforce again by init. # switching domains, there is never any need to setenforce again by init.
neverallow { domain -kernel } kernel:security setenforce; neverallow { domain -kernel } kernel:security { setenforce setcheckreqprot };
# Only init, ueventd and system_server should be able to access HW RNG # Only init, ueventd and system_server should be able to access HW RNG
neverallow { domain -init -system_server -ueventd -unconfineddomain } hw_random_device:chr_file *; neverallow { domain -init -system_server -ueventd -unconfineddomain } hw_random_device:chr_file *;
......
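Review bot: The comment above the neverallow still explains only setenforce, while the rule now also reserves setcheckreqprot to the kernel domain, so a reader cannot tell why that second permission is locked down. Suggest appending to the comment: `# The same holds for checkreqprot: init.rc sets it while still in the kernel domain, and no other domain should be able to flip it back, since checkreqprot=1 makes the kernel check the protections a mapping requests rather than those it actually gets, weakening execmem/execmod enforcement.` Because the rule is `{ domain -kernel }`, any future domain that legitimately needs setcheckreqprot must be added to the exclusion list explicitly rather than via an allow rule.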
...@@ -9,3 +9,6 @@ allow kernel unlabeled:filesystem mount; ...@@ -9,3 +9,6 @@ allow kernel unlabeled:filesystem mount;
# Initial setenforce by init prior to switching to init domain. # Initial setenforce by init prior to switching to init domain.
allow kernel self:security setenforce; allow kernel self:security setenforce;
# Set checkreqprot by init.rc prior to switching to init domain.
allow kernel self:security setcheckreqprot;
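Review bot: The new allow rule repeats the shape of the setenforce rule two lines above with its own comment, although both permissions are granted for the same reason (init.rc uses them before setcon); a single rule `allow kernel self:security { setenforce setcheckreqprot };` under one comment would mirror how the matching neverallow groups them and keep the rationale in one place. Note that this grants the permission to everything running in the kernel domain for the whole boot, not only during init's pre-setcon window; that is presumably acceptable since the kernel domain is already trusted, but it is worth saying so in the comment.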
...@@ -17,7 +17,7 @@ ...@@ -17,7 +17,7 @@
###################################################### ######################################################
allow unconfineddomain self:capability_class_set *; allow unconfineddomain self:capability_class_set *;
allow unconfineddomain kernel:security ~{ load_policy setenforce }; allow unconfineddomain kernel:security ~{ load_policy setenforce setcheckreqprot };
allow unconfineddomain kernel:system *; allow unconfineddomain kernel:system *;
allow unconfineddomain domain:process ~ptrace; allow unconfineddomain domain:process ~ptrace;
allow unconfineddomain domain:fd *; allow unconfineddomain domain:fd *;
......
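Review bot: The added exclusion of setcheckreqprot here appears to exist so the policy still compiles against the new neverallow on `{ domain -kernel }` (assuming unconfineddomain carries the domain attribute), but nothing in the hunk records that dependency; a comment such as `# load_policy, setenforce and setcheckreqprot are reserved to the kernel domain by neverallow` above this line would make it visible. Separately, the complement `~{ load_policy setenforce setcheckreqprot }` still grants unconfineddomain every other kernel:security permission, e.g. setbool and setsecparam, which can also alter enforcement behaviour at runtime; if the intent is that only the pre-setcon kernel domain may weaken policy, those permissions may deserve the same review.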