tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_system_sepolicy/public/app.te

227 lines
8.7 KiB
Text
Raw Normal View History

app: move appdomain to public policy Vendor-specific app domains depend on the rules in app.te so they must reside in public policy. Bug: 70517907 Test: build Change-Id: If45557a5732a06f78c752779a8182e053beb25a2 Merged-In: If45557a5732a06f78c752779a8182e053beb25a2 (cherry picked from commit 1f4cab8bd460f2d7a943c5ac5f8f4c77e9d58fcd)
2017-12-19 17:19:52 +01:00
###
### Domain for all zygote spawned apps
###
### This file is the base policy for all zygote spawned apps.
### Other policy files, such as isolated_app.te, untrusted_app.te, etc
### extend from this policy. Only policies which should apply to ALL
### zygote spawned apps should be added here.
###
Initial selinux policy support for memfd Move all app tmpfs types to appdomain_tmpfs. These are still protected by mls categories and DAC. TODO clean up other app tmpfs types in a separate change. Treble-ize tmpfs passing between graphics composer HAL and surfaceflinger. Bug: 122854450 Test: boot Blueline with memfd enabled. Change-Id: Ib98aaba062f10972af6ae80fb85b7a0f60a32eee
2019-01-29 23:43:45 +01:00
type appdomain_tmpfs, file_type;
app: move appdomain to public policy Vendor-specific app domains depend on the rules in app.te so they must reside in public policy. Bug: 70517907 Test: build Change-Id: If45557a5732a06f78c752779a8182e053beb25a2 Merged-In: If45557a5732a06f78c752779a8182e053beb25a2 (cherry picked from commit 1f4cab8bd460f2d7a943c5ac5f8f4c77e9d58fcd)
2017-12-19 17:19:52 +01:00
###
### Neverallow rules
###
### These are things that Android apps should NEVER be able to do
###
# Superuser capabilities.
Revert "sepolicy: Permission changes for new wifi mainline module" This reverts commit 3aa1c1725ea2b6fd452c5771629dcfc50a351538. Reason for revert: Wifi services no longer plan to be a separate APK/process for mainline. Will instead become a jar loaded from Apex. Bug: 144722612 Test: Device boots up & connects to wifi networks Change-Id: Ifa33dae971dccfd5d14991727e2f27d2398fdc74
2019-11-22 18:36:20 +01:00
# bluetooth requires net_admin and wake_alarm. network stack app requires net_admin.
neverallow { appdomain -bluetooth -network_stack } self:capability_class_set *;
app: move appdomain to public policy Vendor-specific app domains depend on the rules in app.te so they must reside in public policy. Bug: 70517907 Test: build Change-Id: If45557a5732a06f78c752779a8182e053beb25a2 Merged-In: If45557a5732a06f78c752779a8182e053beb25a2 (cherry picked from commit 1f4cab8bd460f2d7a943c5ac5f8f4c77e9d58fcd)
2017-12-19 17:19:52 +01:00
# Block device access.
neverallow appdomain dev_type:blk_file { read write };
# Note: Try expanding list of app domains in the future.
neverallow { untrusted_app isolated_app shell } graphics_device:chr_file { read write };
neverallow { appdomain -nfc } nfc_device:chr_file
{ read write };
neverallow { appdomain -bluetooth } hci_attach_dev:chr_file
{ read write };
neverallow appdomain tee_device:chr_file { read write };
# Privileged netlink socket interfaces.
Add permission for NetworkStack updatability NetworkStack will need to use netlink_tcpdiag_socket to get tcp info. In order to support updatability for NetworkStack as it's a mainline module, get the information from kernel directly to reduce the dependecy with framework. Test: Build and test if NetworkStack can get the tcp_info without SEPolicy exception Bug: 136162280 Change-Id: I8f584f27d5ece5e97090fb5fafe8c70c5cbbe123
2019-10-12 13:49:23 +02:00
neverallow { appdomain -network_stack }
app: move appdomain to public policy Vendor-specific app domains depend on the rules in app.te so they must reside in public policy. Bug: 70517907 Test: build Change-Id: If45557a5732a06f78c752779a8182e053beb25a2 Merged-In: If45557a5732a06f78c752779a8182e053beb25a2 (cherry picked from commit 1f4cab8bd460f2d7a943c5ac5f8f4c77e9d58fcd)
2017-12-19 17:19:52 +01:00
domain:{
netlink_tcpdiag_socket
netlink_nflog_socket
netlink_xfrm_socket
netlink_audit_socket
netlink_dnrt_socket
} *;
# These messages are broadcast messages from the kernel to userspace.
# Do not allow the writing of netlink messages, which has been a source
# of rooting vulns in the past.
Fix system server and network stack netlink permissions Give system_server and network_stack the same permissions as netd. This is needed as we are continuously moving code out of netd into network_stack and system_server. Test: TH Bug: 233300834 Change-Id: I9559185081213fdeb33019733654ce95af816d99
2022-05-20 06:34:31 +02:00
neverallow { appdomain -network_stack }
domain:netlink_kobject_uevent_socket { write append };
app: move appdomain to public policy Vendor-specific app domains depend on the rules in app.te so they must reside in public policy. Bug: 70517907 Test: build Change-Id: If45557a5732a06f78c752779a8182e053beb25a2 Merged-In: If45557a5732a06f78c752779a8182e053beb25a2 (cherry picked from commit 1f4cab8bd460f2d7a943c5ac5f8f4c77e9d58fcd)
2017-12-19 17:19:52 +01:00
# Sockets under /dev/socket that are not specifically typed.
neverallow appdomain socket_device:sock_file write;
# Unix domain sockets.
neverallow appdomain adbd_socket:sock_file write;
neverallow { appdomain -radio } rild_socket:sock_file write;
# ptrace access to non-app domains.
neverallow appdomain { domain -appdomain }:process ptrace;
Protect apps from ptrace by other system components The Android security model guarantees the confidentiality and integrity of application data and execution state. Ptrace bypasses those confidentiality guarantees. Disallow ptrace access from system components to apps. Crash_dump is excluded, as it needs ptrace access to produce stack traces. Bug: 111317528 Test: code compiles Change-Id: I883df49d3e9bca62952c3b33d1c691786dd7df4d
2018-07-26 08:48:14 +02:00
# The Android security model guarantees the confidentiality and integrity
# of application data and execution state. Ptrace bypasses those
# confidentiality guarantees. Disallow ptrace access from system components
# to apps. Crash_dump is excluded, as it needs ptrace access to
llkd: Add stack symbol checking llkd needs the ptrace capabilities and dac override to monitor for live lock conditions on the stack dumps. Test: compile Bug: 33808187 Change-Id: Ibc1e4cc10395fa9685c4ef0ca214daf212a5e126
2018-08-08 01:03:47 +02:00
# produce stack traces. llkd is excluded, as it needs ptrace access to
# inspect stack traces for live lock conditions.
neverallow {
domain
-appdomain
-crash_dump
userdebug_or_eng(`-llkd')
} appdomain:process ptrace;
Protect apps from ptrace by other system components The Android security model guarantees the confidentiality and integrity of application data and execution state. Ptrace bypasses those confidentiality guarantees. Disallow ptrace access from system components to apps. Crash_dump is excluded, as it needs ptrace access to produce stack traces. Bug: 111317528 Test: code compiles Change-Id: I883df49d3e9bca62952c3b33d1c691786dd7df4d
2018-07-26 08:48:14 +02:00
app: move appdomain to public policy Vendor-specific app domains depend on the rules in app.te so they must reside in public policy. Bug: 70517907 Test: build Change-Id: If45557a5732a06f78c752779a8182e053beb25a2 Merged-In: If45557a5732a06f78c752779a8182e053beb25a2 (cherry picked from commit 1f4cab8bd460f2d7a943c5ac5f8f4c77e9d58fcd)
2017-12-19 17:19:52 +01:00
# Read or write access to /proc/pid entries for any non-app domain.
# A different form of hidepid=2 like protections
neverallow appdomain { domain -appdomain }:file no_w_file_perms;
neverallow { appdomain -shell } { domain -appdomain }:file no_rw_file_perms;
# signal access to non-app domains.
# sigchld allowed for parent death notification.
# signull allowed for kill(pid, 0) existence test.
# All others prohibited.
Allow to signal perfetto from shell. When daemonizing perfetto, SIGINT should be sent to ensure clean shutdown. Denial: 12-06 11:12:16.566 3099 3099 I sh : type=1400 audit(0.0:462): avc: denied { signal } for scontext=u:r:shell:s0 tcontext=u:r:perfetto:s0 tclass=process permissive=1 Test: m Test: flash walleye Test: SIGINT perfetto from shell Change-Id: I8d34b447ea90c315faf88f020f1dfc49e4abbcce
2018-12-06 14:28:01 +01:00
# -perfetto is to allow shell (which is an appdomain) to kill perfetto
# (see private/shell.te).
neverallow appdomain { domain -appdomain -perfetto }:process
app: move appdomain to public policy Vendor-specific app domains depend on the rules in app.te so they must reside in public policy. Bug: 70517907 Test: build Change-Id: If45557a5732a06f78c752779a8182e053beb25a2 Merged-In: If45557a5732a06f78c752779a8182e053beb25a2 (cherry picked from commit 1f4cab8bd460f2d7a943c5ac5f8f4c77e9d58fcd)
2017-12-19 17:19:52 +01:00
{ sigkill sigstop signal };
# Write to rootfs.
neverallow appdomain rootfs:dir_file_class_set
{ create write setattr relabelfrom relabelto append unlink link rename };
# Write to /system.
strengthen system_file neverallows no writing to system_file_type is the intention here, but they only restricted system_file. this does not touch the untrusted_app lock neverallow, because it's specific to a single system_file, and r_file_perms includes 'lock'. Bug: 281877578 Test: build (neverallow only change) Change-Id: I6c6078bc27c49e5a88862eaa330638f442dba9ee
2023-05-18 01:44:30 +02:00
neverallow appdomain system_file_type:dir_file_class_set
app: move appdomain to public policy Vendor-specific app domains depend on the rules in app.te so they must reside in public policy. Bug: 70517907 Test: build Change-Id: If45557a5732a06f78c752779a8182e053beb25a2 Merged-In: If45557a5732a06f78c752779a8182e053beb25a2 (cherry picked from commit 1f4cab8bd460f2d7a943c5ac5f8f4c77e9d58fcd)
2017-12-19 17:19:52 +01:00
{ create write setattr relabelfrom relabelto append unlink link rename };
# Write to entrypoint executables.
neverallow appdomain exec_type:file
{ create write setattr relabelfrom relabelto append unlink link rename };
# Write to system-owned parts of /data.
# This is the default type for anything under /data not otherwise
# specified in file_contexts. Define a different type for portions
# that should be writable by apps.
neverallow appdomain system_data_file:dir_file_class_set
{ create write setattr relabelfrom relabelto append unlink link rename };
# Write to various other parts of /data.
neverallow appdomain drm_data_file:dir_file_class_set
{ create write setattr relabelfrom relabelto append unlink link rename };
system_app: remove unnecessary changes to neverallow Follow-up for aosp/1520729. These are no longer needed. Test: build BUG: 175121264 Change-Id: I7f01d4d4cee18751f4321ef8efa68f9faae06d4f
2020-12-10 19:51:30 +01:00
neverallow { appdomain -platform_app }
app: move appdomain to public policy Vendor-specific app domains depend on the rules in app.te so they must reside in public policy. Bug: 70517907 Test: build Change-Id: If45557a5732a06f78c752779a8182e053beb25a2 Merged-In: If45557a5732a06f78c752779a8182e053beb25a2 (cherry picked from commit 1f4cab8bd460f2d7a943c5ac5f8f4c77e9d58fcd)
2017-12-19 17:19:52 +01:00
apk_data_file:dir_file_class_set
{ create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -platform_app }
apk_private_data_file:dir_file_class_set
{ create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -platform_app }
apk_private_tmp_file:dir_file_class_set
{ create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -shell }
shell_data_file:dir_file_class_set
{ create setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -bluetooth }
bluetooth_data_file:dir_file_class_set
{ create write setattr relabelfrom relabelto append unlink link rename };
Add SELinux policy for credstore and update for IC HAL port from HIDL to AIDL. The credstore service is a system service which backs the android.security.identity.* Framework APIs. It essentially calls into the Identity Credential HAL while providing persistent storage for credentials. Bug: 111446262 Test: atest android.security.identity.cts Test: VtsHalIdentityTargetTest Test: android.hardware.identity-support-lib-test Change-Id: I5cd9a6ae810e764326355c0842e88c490f214c60
2020-01-17 22:47:53 +01:00
neverallow { domain -credstore -init } credstore_data_file:dir_file_class_set *;
app: move appdomain to public policy Vendor-specific app domains depend on the rules in app.te so they must reside in public policy. Bug: 70517907 Test: build Change-Id: If45557a5732a06f78c752779a8182e053beb25a2 Merged-In: If45557a5732a06f78c752779a8182e053beb25a2 (cherry picked from commit 1f4cab8bd460f2d7a943c5ac5f8f4c77e9d58fcd)
2017-12-19 17:19:52 +01:00
neverallow appdomain
keystore_data_file:dir_file_class_set
{ create write setattr relabelfrom relabelto append unlink link rename };
neverallow appdomain
systemkeys_data_file:dir_file_class_set
{ create write setattr relabelfrom relabelto append unlink link rename };
Revert "sepolicy: Permission changes for new wifi mainline module" This reverts commit 3aa1c1725ea2b6fd452c5771629dcfc50a351538. Reason for revert: Wifi services no longer plan to be a separate APK/process for mainline. Will instead become a jar loaded from Apex. Bug: 144722612 Test: Device boots up & connects to wifi networks Change-Id: Ifa33dae971dccfd5d14991727e2f27d2398fdc74
2019-11-22 18:36:20 +01:00
neverallow appdomain
wifi_data_file:dir_file_class_set
{ create write setattr relabelfrom relabelto append unlink link rename };
app: move appdomain to public policy Vendor-specific app domains depend on the rules in app.te so they must reside in public policy. Bug: 70517907 Test: build Change-Id: If45557a5732a06f78c752779a8182e053beb25a2 Merged-In: If45557a5732a06f78c752779a8182e053beb25a2 (cherry picked from commit 1f4cab8bd460f2d7a943c5ac5f8f4c77e9d58fcd)
2017-12-19 17:19:52 +01:00
neverallow appdomain
dhcp_data_file:dir_file_class_set
{ create write setattr relabelfrom relabelto append unlink link rename };
# access tmp apk files
Allow isolated to read staged apks type=1400 audit(0.0:835): avc: denied { read } for path="/data/app/vmdl1923101285.tmp/base.apk" dev="dm-37" ino=29684 scontext=u:r:isolated_app:s0:c512,c768 tcontext=u:object_r:apk_tmp_file:s0 tclass=file permissive=0 Bug: 308775782 Test: Flashed to device with and without this change, confirmed that this change allows an isolated process to read already opened staged apk file Change-Id: I7226bae79344c3b2a5a0f59940dde6d64a8a7ea1
2023-11-30 20:37:43 +01:00
neverallow { appdomain -platform_app }
apk_tmp_file:dir_file_class_set
{ create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -untrusted_app_all -platform_app -priv_app -isolated_app_all }
app: move appdomain to public policy Vendor-specific app domains depend on the rules in app.te so they must reside in public policy. Bug: 70517907 Test: build Change-Id: If45557a5732a06f78c752779a8182e053beb25a2 Merged-In: If45557a5732a06f78c752779a8182e053beb25a2 (cherry picked from commit 1f4cab8bd460f2d7a943c5ac5f8f4c77e9d58fcd)
2017-12-19 17:19:52 +01:00
{ apk_tmp_file apk_private_tmp_file }:dir_file_class_set *;
Allow isolated to read staged apks type=1400 audit(0.0:835): avc: denied { read } for path="/data/app/vmdl1923101285.tmp/base.apk" dev="dm-37" ino=29684 scontext=u:r:isolated_app:s0:c512,c768 tcontext=u:object_r:apk_tmp_file:s0 tclass=file permissive=0 Bug: 308775782 Test: Flashed to device with and without this change, confirmed that this change allows an isolated process to read already opened staged apk file Change-Id: I7226bae79344c3b2a5a0f59940dde6d64a8a7ea1
2023-11-30 20:37:43 +01:00
neverallow { untrusted_app_all isolated_app_all } { apk_tmp_file apk_private_tmp_file }:{ devfile_class_set dir fifo_file lnk_file sock_file } *;
neverallow { untrusted_app_all isolated_app_all } { apk_tmp_file apk_private_tmp_file }:file ~{ getattr read };
app: move appdomain to public policy Vendor-specific app domains depend on the rules in app.te so they must reside in public policy. Bug: 70517907 Test: build Change-Id: If45557a5732a06f78c752779a8182e053beb25a2 Merged-In: If45557a5732a06f78c752779a8182e053beb25a2 (cherry picked from commit 1f4cab8bd460f2d7a943c5ac5f8f4c77e9d58fcd)
2017-12-19 17:19:52 +01:00
# Access to factory files.
neverallow appdomain efs_file:dir_file_class_set write;
neverallow { appdomain -shell } efs_file:dir_file_class_set read;
# Write to various pseudo file systems.
neverallow { appdomain -bluetooth -nfc }
sysfs:dir_file_class_set write;
neverallow appdomain
proc:dir_file_class_set write;
# Access to syslog(2) or /proc/kmsg.
Revert "sepolicy: Permission changes for new wifi mainline module" This reverts commit 3aa1c1725ea2b6fd452c5771629dcfc50a351538. Reason for revert: Wifi services no longer plan to be a separate APK/process for mainline. Will instead become a jar loaded from Apex. Bug: 144722612 Test: Device boots up & connects to wifi networks Change-Id: Ifa33dae971dccfd5d14991727e2f27d2398fdc74
2019-11-22 18:36:20 +01:00
neverallow appdomain kernel:system { syslog_read syslog_mod syslog_console };
app: move appdomain to public policy Vendor-specific app domains depend on the rules in app.te so they must reside in public policy. Bug: 70517907 Test: build Change-Id: If45557a5732a06f78c752779a8182e053beb25a2 Merged-In: If45557a5732a06f78c752779a8182e053beb25a2 (cherry picked from commit 1f4cab8bd460f2d7a943c5ac5f8f4c77e9d58fcd)
2017-12-19 17:19:52 +01:00
# SELinux is not an API for apps to use
neverallow { appdomain -shell } *:security { compute_av check_context };
neverallow { appdomain -shell } *:netlink_selinux_socket *;
# Ability to perform any filesystem operation other than statfs(2).
# i.e. no mount(2), unmount(2), etc.
neverallow appdomain fs_type:filesystem ~getattr;
# prevent creation/manipulation of globally readable symlinks
neverallow appdomain {
apk_data_file
cache_file
cache_recovery_file
dev_type
rootfs
system_file
tmpfs
}:lnk_file no_w_file_perms;
# Applications should use the activity model for receiving events
neverallow {
appdomain
-shell # bugreport
} input_device:chr_file ~getattr;
Update sepolicy to use inclusive language See https://source.android.com/setup/contribute/respectful-code for reference #inclusivefixit Bug: 161896447 Test: Build Change-Id: If612f2270c8ba1d7fc2cbda3b2e8ca3818c0a1be
2020-07-27 18:30:34 +02:00
# Do not allow access to Bluetooth-related system properties except for a few allowed domains.
app: move appdomain to public policy Vendor-specific app domains depend on the rules in app.te so they must reside in public policy. Bug: 70517907 Test: build Change-Id: If45557a5732a06f78c752779a8182e053beb25a2 Merged-In: If45557a5732a06f78c752779a8182e053beb25a2 (cherry picked from commit 1f4cab8bd460f2d7a943c5ac5f8f4c77e9d58fcd)
2017-12-19 17:19:52 +01:00
# neverallow rules for access to Bluetooth-related data files are above.
neverallow {
appdomain
-bluetooth
-system_app
Add rules for accessing the related bluetooth_audio_hal_prop This change allows those daemons of the audio and Bluetooth which include HALs to access the bluetooth_audio_hal_prop. This property is used to force disable the new BluetoothAudio HAL. - persist.bluetooth.bluetooth_audio_hal.disabled Bug: 128825244 Test: audio HAL can access the property Change-Id: I87a8ba57cfbcd7d3e4548aa96bc915d0cc6b2b74
2019-03-18 04:07:32 +01:00
} { bluetooth_audio_hal_prop bluetooth_a2dp_offload_prop bluetooth_prop exported_bluetooth_prop }:file create_file_perms;
app: move appdomain to public policy Vendor-specific app domains depend on the rules in app.te so they must reside in public policy. Bug: 70517907 Test: build Change-Id: If45557a5732a06f78c752779a8182e053beb25a2 Merged-In: If45557a5732a06f78c752779a8182e053beb25a2 (cherry picked from commit 1f4cab8bd460f2d7a943c5ac5f8f4c77e9d58fcd)
2017-12-19 17:19:52 +01:00
Add persist.nfc property Allow system_app to set and get system property persist.nfc.. Bug: 187083201 Test: access persist.nfc.debug_enabled Change-Id: Ia952f83d6206be458bcb56a9c4d44bc3e6db5e73
2021-06-10 18:28:31 +02:00
# allow system_app to access Nfc-related system properties.
set_prop(system_app, nfc_prop)
Allow system_app to access radio_config system properties Bug: 220995034 Test: manual Change-Id: Ib71e45c74b5f561ca40548de6aa36c5f7044ecd1
2022-03-09 18:36:12 +01:00
# allow system_app to access radio_config system properties.
set_prop(system_app, radio_control_prop)
app: move appdomain to public policy Vendor-specific app domains depend on the rules in app.te so they must reside in public policy. Bug: 70517907 Test: build Change-Id: If45557a5732a06f78c752779a8182e053beb25a2 Merged-In: If45557a5732a06f78c752779a8182e053beb25a2 (cherry picked from commit 1f4cab8bd460f2d7a943c5ac5f8f4c77e9d58fcd)
2017-12-19 17:19:52 +01:00
# Apps cannot access proc_uid_time_in_state
neverallow appdomain proc_uid_time_in_state:file *;
# Apps cannot access proc_uid_concurrent_active_time
neverallow appdomain proc_uid_concurrent_active_time:file *;
# Apps cannot access proc_uid_concurrent_policy_time
neverallow appdomain proc_uid_concurrent_policy_time:file *;
sepolicy: restrict access to uid_cpupower files Do not let apps read /proc/uid_cpupower/time_in_state, /proc/uid_cpupower/concurrent_active_time, /proc/uid_cpupower/concurrent_policy_time. b/71718257 Test: Check that they can't be read from the shell without root permissions and system_server was able to read them Change-Id: I812694adfbb4630f7b56aa7096dc2e6dfb148b15
2018-01-19 22:48:31 +01:00
# Apps cannot access proc_uid_cpupower
neverallow appdomain proc_uid_cpupower:file *;
Remove access to /proc/net/{tcp,udp} Remove these files from proc_net_type. Domains that need access must have permission explicitly granted. Neverallow app access except the shell domain. Bug: 114475727 Test: atest CtsLibcoreOjTestCases Test: netstat, lsof Test: adb bugreport Change-Id: I2304e3e98c0d637af78a361569466aa2fbe79fa0
2018-09-28 19:55:14 +02:00
# Apps may not read /proc/net/{tcp,tcp6,udp,udp6}. These files leak information across the
# application boundary. VPN apps may use the ConnectivityManager.getConnectionOwnerUid() API to
# perform UID lookups.
neverallow { appdomain -shell } proc_net_tcp_udp:file *;
Allow bootstrap bionic only to init, ueventd, and apexd The bootstrap bionic (/system/lib/bootstrap/*) are only to the early processes that are executed before the bionic libraries become available via the runtime APEX. Allowing them to other processes is not needed and sometimes causes a problem like b/123183824. Bug: 123183824 Test: device boots to the UI Test: atest CtsJniTestCases:android.jni.cts.JniStaticTest#test_linker_namespaces Change-Id: Id7bba2e8ed1c9faf6aa85dbbdd89add04826b160
2019-03-14 18:45:33 +01:00
# Apps cannot access bootstrap files. The bootstrap files are only for
# extremely early processes (like init, etc.) which are started before
# the runtime APEX is activated and Bionic libs are provided from there.
# If app process accesses (or even load/execute) the bootstrap files,
# it might cause problems such as ODR violation, etc.
neverallow appdomain system_bootstrap_lib_file:file
{ open read write append execute execute_no_trans map };
neverallow appdomain system_bootstrap_lib_file:dir
{ open read getattr search };
Reference in a new issue Copy permalink