tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Add neverallow rule for set_context_mgr.

Browse source 
Resubmission of commit: 76f3fe33d7

Removed conflicting rule from unconfined domain.

Change-Id: I3e6da8922ebf636f1cd8ceefea4291d043a28ab7
This commit is contained in:
dcashman 2014-12-10 13:50:39 -08:00
parent 6322a3297b
commit 10ecd05df3
2 changed files with 4 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
domain.te
View file

@ -329,3 +329,6 @@ neverallow { domain -recovery } system_block_device:blk_file write;
# No domains other than install_recovery or recovery can write to recovery.
neverallow { domain -install_recovery -recovery } recovery_block_device:blk_file write;
# Only servicemanager should be able to register with binder as the context manager
neverallow { domain -servicemanager } *:binder set_context_mgr;

2
unconfined.te
View file

@ -90,4 +90,4 @@ allow unconfineddomain contextmount_type:notdevfile_class_set r_file_perms;
allow unconfineddomain node_type:node *;
allow unconfineddomain netif_type:netif *;
allow unconfineddomain domain:peer recv;
allow unconfineddomain { domain -init }:binder { call transfer set_context_mgr };
allow unconfineddomain { domain -init }:binder { call transfer };