Make sure neverallow rules also cover other property types

(cherrypicked from commit 45737b9f58)

There are now individual property files to control access to
properties. Don't allow processes other than init to write
to these property files.

Change-Id: I184b9df4555ae5051f9a2ba946613c6c5d9d4403
Nick Kralevich 2016-03-25 13:59:55 -07:00
parent a007594150
commit 4432c6355a


@ -271,9 +271,12 @@ neverallow {
neverallow { domain userdebug_or_eng(`-shell') } nativetest_data_file:file no_x_file_perms;
# Only the init property service should write to /data/property.
# Only the init property service should write to /data/property and /dev/__properties__
neverallow { domain -init } property_data_file:dir no_w_dir_perms;
neverallow { domain -init } property_data_file:file no_w_file_perms;
neverallow { domain -init } property_type:file no_w_file_perms;
neverallow { domain -init } properties_device:file no_w_file_perms;
neverallow { domain -init } properties_serial:file no_w_file_perms;
# Only recovery should be doing writes to /system
neverallow { domain -recovery } { system_file exec_type }:dir_file_class_set