am f7e98fe2: Merge "recovery.te: add /data neverallow rules"
* commit 'f7e98fe2c988d88a4a98a1fdfd07561cef013e5c': recovery.te: add /data neverallow rules
4 changed files with 25 additions and 2 deletions
|
@ -83,6 +83,7 @@ sepolicy_build_files := security_classes \
|
|||
initial_sids \
|
||||
access_vectors \
|
||||
global_macros \
|
||||
neverallow_macros \
|
||||
mls_macros \
|
||||
mls \
|
||||
policy_capabilities \
|
||||
|
|
|
@ -291,8 +291,8 @@ neverallow {
|
|||
} { fs_type -rootfs }:file execute;
|
||||
|
||||
# Only the init property service should write to /data/property.
|
||||
neverallow { domain -init } property_data_file:dir { create setattr relabelfrom rename write add_name remove_name rmdir };
|
||||
neverallow { domain -init } property_data_file:file { create setattr relabelfrom write append unlink link rename };
|
||||
neverallow { domain -init } property_data_file:dir no_w_dir_perms;
|
||||
neverallow { domain -init } property_data_file:file no_w_file_perms;
|
||||
|
||||
# Only recovery should be doing writes to /system
|
||||
neverallow { domain -recovery } { system_file exec_type }:dir_file_class_set
|
||||
|
|
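Review bot: The macro substitution on the `property_data_file:dir` line is not a perm-for-perm refactor: `no_w_dir_perms`, as defined in the new neverallow_macros file, also contains `link` and `reparent`, which the removed explicit set `{ create setattr relabelfrom rename write add_name remove_name rmdir }` did not, so the directory neverallow is tightened and any policy that grants either permission on property_data_file to a non-init domain will now fail the neverallow check. The `:file` substitution is an exact match of the old set. This widening deserves a mention in the commit message or a short comment next to the rule, e.g. `# no_w_dir_perms additionally covers link and reparent, which the earlier explicit list omitted.` The `neverallow {` rule shown in the hunk header begins outside this hunk.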
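--- /dev/null
+++ b/neverallow_macros
@@ -0,0 +1,5 @@
+#
+# Common neverallow permissions
+define(`no_w_file_perms', `{ append create link unlink relabelfrom rename setattr write }')
+define(`no_x_file_perms', `{ execute execute_no_trans }')
+define(`no_w_dir_perms', `{ add_name create link relabelfrom remove_name rename reparent rmdir setattr write }')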
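Review bot: The header comment names the file's purpose but not its contract, which a policy author adding a fourth macro or reusing these in an allow rule would need: each define is an m4 macro expanding to a permission set for the object side of a neverallow, the `no_w_*` sets deliberately leave read-side permissions alone, and `no_x_file_perms` appears usable only on the `file` class because `execute_no_trans` is a file-class permission rather than a common file permission. Suggest extending the second line to `# Common neverallow permissions. Each define expands to a permission set for use in neverallow rules; the no_w_* sets do not cover read access, and no_x_file_perms is only valid for the file class.`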
17
recovery.te
17
recovery.te
|
@ -98,3 +98,20 @@ recovery_only(`
|
|||
# set scheduling parameters for a kernel domain task.
|
||||
allow recovery kernel:process setsched;
|
||||
')
|
||||
|
||||
###
|
||||
### neverallow rules
|
||||
###
|
||||
|
||||
# Recovery should never touch /data.
|
||||
#
|
||||
# In particular, if /data is encrypted, it is not accessible
|
||||
# to recovery anyway.
|
||||
#
|
||||
# For now, we only enforce write/execute restrictions, as domain.te
|
||||
# contains a number of read-only rules that apply to all
|
||||
# domains, including recovery.
|
||||
#
|
||||
# TODO: tighten this up further.
|
||||
neverallow recovery data_file_type:file { no_w_file_perms no_x_file_perms };
|
||||
neverallow recovery data_file_type:dir no_w_dir_perms;
|
||||
|
|
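Review bot: The two new neverallow rules cover only the `file` and `dir` classes of data_file_type, so the comment "we only enforce write/execute restrictions" overstates what is enforced: existing symlinks, sockets and FIFOs carrying a data_file_type label can still be written to, relabelled or renamed by recovery, since none of the added rules touch those classes. Every permission in `no_w_file_perms` is a common file permission, so one extra line closes that gap, `neverallow recovery data_file_type:{ lnk_file sock_file fifo_file } no_w_file_perms;`; alternatively the comment should say the restriction applies to regular files and directories only. The rules are also placed after the closing `')` of the recovery_only block, so they apply on every build rather than only recovery builds; that looks intentional but a one-line comment such as `# Enforced unconditionally, not only under recovery_only.` would stop a later reader from moving them inside the block.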