Remove appdomain sysfs auditallow.
Large numbers of denials have been collected. Remove from logging until
further action is taken to address existing denials and remove sysfs
access from additional appdomains.
(cherry-pick from commit: 0b80f4dc8a)
Change-Id: I11b9b159702fb2d50d4352f9cd8b68503d07222a
This commit is contained in:
dcashman
parent
8f5a891ff8
commit
1af6091686
1 changed files with 0 additions and 4 deletions
4
app.te
4
app.te
|
|
@ -229,10 +229,6 @@ allow appdomain runas_exec:file getattr;
|
|||
selinux_check_access(appdomain)
|
||||
selinux_check_context(appdomain)
|
||||
|
||||
# appdomain should not be accessing information on /sys
|
||||
auditallow { appdomain userdebug_or_eng(`-su') } sysfs:dir { open getattr read ioctl };
|
||||
auditallow { appdomain userdebug_or_eng(`-su') } sysfs:file r_file_perms;
|
||||
|
||||
# Apps receive an open tun fd from the framework for
|
||||
# device traffic. Do not allow untrusted app to directly open tun_device
|
||||
allow { appdomain -isolated_app } tun_device:chr_file { read write getattr ioctl append };
|
||||
|
|
|
|||
Loading…
Reference in a new issue