neverallow debugfs access
am: 96b1c9ca6f
* commit '96b1c9ca6f72f3adfa7f6051568efeb450c3756c':
neverallow debugfs access
This commit is contained in:
Nick Kralevich
android-build-merger
commit
0abe8cdbe0
2 changed files with 7 additions and 1 deletions
|
|
@ -508,3 +508,9 @@ neverallow domain ~property_type:property_service set;
|
|||
# $ grep mydaemon file_contexts
|
||||
# /system/bin/mydaemon -- u:object_r:mydaemon_exec:s0
|
||||
neverallow domain domain:file { execute execute_no_trans entrypoint };
|
||||
|
||||
# Do not allow access to the generic debugfs label. This is too broad.
|
||||
# Instead, if access to part of debugfs is desired, it should have a
|
||||
# more specific label.
|
||||
# TODO: fix system_server and dumpstate
|
||||
neverallow { domain -init -system_server -dumpstate } debugfs:file no_rw_file_perms;
|
||||
|
|
|
|||
|
|
@ -112,7 +112,7 @@ neverallow untrusted_app domain:netlink_socket *;
|
|||
|
||||
# Too much leaky information in debugfs. It's a security
|
||||
# best practice to ensure these files aren't readable.
|
||||
neverallow untrusted_app debugfs:file read;
|
||||
neverallow untrusted_app debugfs_type:file read;
|
||||
|
||||
# Do not allow untrusted apps to register services.
|
||||
# Only trusted components of Android should be registering
|
||||
|
|
|
|||
Loading…
Reference in a new issue