Add neverallow to prevent reading heap dumps.

Bug: http://b/172518739 Test: mma Change-Id: I12342015ddd1d8666f62317e027dae6816f53c7e
2020-12-17 16:50:40 -08:00 · 2020-12-17 16:50:40 -08:00 · 0f48b76e72
commit 0f48b76e72
parent ab5e7d3671
1 changed files with 3 additions and 0 deletions
--- a/public/domain.te
+++ b/public/domain.te
@ -1072,6 +1072,9 @@ neverallow {
 neverallow { domain -dumpstate -incidentd -system_server } tombstoned_intercept_socket:sock_file write;
 neverallow { domain -dumpstate -incidentd -system_server } tombstoned_intercept_socket:unix_stream_socket connectto;

+# Never allow anyone but system_server to read heapdumps in /data/system/heapdump.
+neverallow { domain -init -system_server } heapdump_data_file:file read;
+
 # Android does not support System V IPCs.
 #
 # The reason for this is due to the fact that, by design, they lead to global