Merge "binderfs neverallows" into main

Steven Moreland 2023-10-26 00:07:44 +00:00 committed by Gerrit Code Review
commit 012b954125


@ -440,6 +440,10 @@ neverallow { domain -init -vendor_init } proc_security:file { append open read w
neverallow * init:binder *;
neverallow * vendor_init:binder *;
# Binderfs logs contain sensitive information about other processes.
neverallow { domain -dumpstate -init -vendor_init userdebug_or_eng(`-domain') } { binderfs_logs binderfs_logs_proc }:file no_rw_file_perms;
neverallow { domain -dumpstate -init -vendor_init -system_server } binderfs_logs_stats:file no_rw_file_perms;
# Don't allow raw read/write/open access to block_device
# Rather force a relabel to a more specific type
neverallow { domain -kernel -init -recovery } block_device:blk_file { open read write };
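Review bot: The one comment above the two binderfs rules does not explain why their exemptions differ. The first rule's source set carries a `userdebug_or_eng` term that subtracts `domain` itself, so on userdebug/eng builds the set is empty and the assertion is effectively enforced on user builds only. The `binderfs_logs_stats` rule has no such term and additionally exempts `system_server`. I would add `# Enforced on user builds only: userdebug/eng builds exempt all domains.` above the first rule, and a second comment line stating why `system_server` is allowed the stats file on every build type. Both rules name only the `file` class, so directory and symlink access under these labels is not asserted; if that is deliberate, the comment could say so.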