untrusted_app: neverallow debugfs
Too many leaky files in that directory. It's a security best practice to not mount this filesystem, however, we need it mounted for tracing support. Even though it's mounted, make sure the files aren't readable. Bug: 11635985 Change-Id: I6f116c0a03a567a8107a8e07135ce025e51458dd
This commit is contained in:
Nick Kralevich
parent
f78fb4e0c8
commit
4bdd13e4c3
1 changed files with 8 additions and 0 deletions
|
|
@ -63,3 +63,11 @@ allow untrusted_app media_rw_data_file:file create_file_perms;
|
|||
# Write to /cache.
|
||||
allow untrusted_app cache_file:dir create_dir_perms;
|
||||
allow untrusted_app cache_file:file create_file_perms;
|
||||
|
||||
###
|
||||
### neverallow rules
|
||||
###
|
||||
|
||||
# Too much leaky information in debugfs. It's a security
|
||||
# best practice to ensure these files aren't readable.
|
||||
neverallow untrusted_app debugfs:file read;
|
||||
|
|
|
|||
Loading…
Reference in a new issue