Merge "Restrict sandbox access to drmservice"

This commit is contained in:
Bram Bonné 2022-03-25 08:07:24 +00:00 committed by Gerrit Code Review
commit 11b691844f
2 changed files with 4 additions and 2 deletions


@ -85,3 +85,5 @@ neverallow sdk_sandbox { media_rw_data_file }:dir no_rw_file_perms;
neverallow sdk_sandbox { media_rw_data_file }:file no_rw_file_perms; neverallow sdk_sandbox { media_rw_data_file }:file no_rw_file_perms;
neverallow { sdk_sandbox } tmpfs:dir no_rw_file_perms; neverallow { sdk_sandbox } tmpfs:dir no_rw_file_perms;
neverallow sdk_sandbox hal_drm_service:service_manager find;
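Review bot: The added neverallow on the last line of the hunk uses bare types while the two lines above wrap the source in `{ }` braces; for consistency with the surrounding block it should read `neverallow { sdk_sandbox } hal_drm_service:service_manager find;`, or the braces should be dropped from the neighbours. A short comment stating the intent would also help, since a neverallow only asserts against the compiled policy and the access itself is removed in the other file of this commit, e.g. `# SDK sandboxes are not DRM clients; assert they cannot look up the DRM HAL service.`. The hunk header reports two added lines but only one is visible here, so the second (presumably a trailing blank line) appears to have been dropped by the page.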


@ -20,9 +20,9 @@
; Unfortunately, we can't currently express this in module policy language: ; Unfortunately, we can't currently express this in module policy language:
(typeattributeset hal_codec2_client ((and (appdomain) ((not (isolated_app)))))) (typeattributeset hal_codec2_client ((and (appdomain) ((not (isolated_app))))))
; Apps, except isolated apps, are clients of Drm-related services ; Apps, except isolated apps and SDK sandboxes, are clients of Drm-related services
; Unfortunately, we can't currently express this in module policy language: ; Unfortunately, we can't currently express this in module policy language:
(typeattributeset hal_drm_client ((and (appdomain) ((not (isolated_app)))))) (typeattributeset hal_drm_client ((and (appdomain) ((not (or (isolated_app) (sdk_sandbox)))))))
; Apps, except isolated apps, are clients of Configstore HAL ; Apps, except isolated apps, are clients of Configstore HAL
; Unfortunately, we can't currently express this in module policy language: ; Unfortunately, we can't currently express this in module policy language:
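Review bot: The hal_drm_client set and its comment now exclude sdk_sandbox, but the hal_codec2_client set two lines above still excludes only isolated_app, so an SDK sandbox remains a codec2 client after this change. If that asymmetry is intended, a one-line comment beside the codec2 set would keep the next reader from treating it as an oversight, e.g. `; sdk_sandbox intentionally remains a codec2 client`; if it is not, the same `(not (or (isolated_app) (sdk_sandbox)))` form should be applied there as well. The hunk's `-20,9 +20,9` count is two lines larger than what is shown, so the blank separator lines between the attribute sets appear to have been dropped by the page.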