Merge "init: access to /dev based on audit results"
This commit is contained in:
commit
368c7c08f5
1 changed files with 17 additions and 29 deletions
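--- a/init.te
+++ b/init.te
@@ -251,36 +251,24 @@ allow init {
 }:file { open read setattr };
 allow init { fs_type -contextmount_type -sdcard_type -rootfs }:dir { open read setattr search };
 
-# init should not be able to read or open generic devices
-# TODO: auditing to see if this can be deleted entirely
 allow init {
-dev_type
--keychord_device
--kmem_device
--port_device
--device
--vndbinder_device
-}:chr_file { read open };
-auditallow init {
-dev_type
--alarm_device
--ashmem_device
--binder_device
--console_device
--device
--devpts
--dm_device
--hwbinder_device
--hw_random_device
--input_device
--kmem_device
--kmsg_device
--null_device
--owntty_device
--port_device
--ptmx_device
--random_device
--zero_device
+alarm_device
+ashmem_device
+binder_device
+console_device
+devpts
+dm_device
+hwbinder_device
+hw_random_device
+input_device
+kmsg_device
+null_device
+owntty_device
+pmsg_device
+ptmx_device
+random_device
+tty_device
+zero_device
 }:chr_file { read open };
 
 # chown/chmod on devices.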
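Review bot: The new positive allow list for `init ... :chr_file { read open }` now has no comment explaining where the set came from, because the two header comments that documented the intent ("init should not be able to read or open generic devices" and the auditing TODO) are deleted along with the `auditallow` rule. Keep that rationale next to the rule so a later maintainer does not quietly re-widen it to `dev_type`; e.g. `# Character devices init must read/open. Derived from auditallow results; add entries only with a stated need, never reintroduce dev_type.` The audit exclusion list and the new allow list differ by `pmsg_device` and `tty_device` being added and `kmem_device`/`port_device`/`device` being dropped, which is the expected outcome of a positive-list conversion, but the hunk gives no evidence for why `pmsg_device` and `tty_device` were added; presumably they showed up in the audit logs, and a one-line note per such addition would make the next review of this list tractable. If the rest of the file already has a `neverallow` covering generic `dev_type` access for init (not visible in this hunk), that would be the place to pin this narrowing down; otherwise consider adding one.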
|