Neverallow write access to /sys files for untrusted apps

Test: build aosp_sailfish Change-Id: Iaefe1df66885d3e78feb600c3d9845bd9fe671a2
2017-10-04 13:12:25 -07:00 · 2017-10-04 13:12:25 -07:00 · 06cef4ff15
commit 06cef4ff15
parent 5b4bea438a
1 changed files with 3 additions and 0 deletions
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@ -57,6 +57,9 @@ neverallow all_untrusted_apps file_type:file link;
 # Do not allow untrusted apps to access network MAC address file
 neverallow all_untrusted_apps sysfs_mac_address:file no_rw_file_perms;

+# Do not allow any write access to files in /sys
+neverallow all_untrusted_apps sysfs_type:file no_w_file_perms;
+
 # Restrict socket ioctls. Either 1. disallow privileged ioctls, 2. disallow the
 # ioctl permission, or 3. disallow the socket class.
 neverallowxperm all_untrusted_apps domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;