Merge "Add domain level neverallow to restrict access to ptrace" am: 1b4e9393d3
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2505897 Change-Id: I89b2a8b69e9884ac1bf0e3e3c375219aa8905fd5 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
This commit is contained in:
Nikita Ioffe
Automerger Merge Worker
commit
41d6edd0e7
2 changed files with 4 additions and 0 deletions
|
|
@ -63,4 +63,5 @@ userdebug_or_eng(`
|
|||
}:process { ptrace signal sigchld sigstop sigkill };
|
||||
')
|
||||
|
||||
neverallow crash_dump self:process ptrace;
|
||||
neverallow crash_dump no_crash_dump_domain:process ptrace;
|
||||
|
|
|
|||
|
|
@ -538,3 +538,6 @@ neverallow no_crash_dump_domain crash_dump:process { transition dyntransition };
|
|||
|
||||
# Ensure that no one can execute from encrypted storage, which is a writable partition in VM.
|
||||
neverallow domain encryptedstore_file:file no_x_file_perms;
|
||||
|
||||
# Only crash_dump is allowed to access ptrace
|
||||
neverallow { domain -crash_dump } domain:process ptrace;
|
||||
|
|
|
|||
Loading…
Reference in a new issue