neverallow "write ops" on system_data_file from "others"
Only a few system-level components should be creating and writing these files; force a type transition for shared files. Change-Id: Ieb8aa8a36859c9873ac8063bc5999e9468ca7533 Signed-off-by: William Roberts <william.c.roberts@linux.intel.com>
This commit is contained in:
parent
520bb816b8
commit
529a8634e1
1 changed files with 19 additions and 0 deletions
19
domain.te
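--- a/domain.te
+++ b/domain.te
@@ -410,3 +410,22 @@ neverallow { domain -init } proc:{ file dir } mounton;
 # from a domain to a non-domain type and vice versa.
 neverallow domain ~domain:process { transition dyntransition };
 neverallow ~domain domain:process { transition dyntransition };
+
+#
+# Only system_app and system_server should be creating or writing
+# their files. The proper way to share files is to setup
+# type transitions to a more specific type or assigning a type
+# to its parent directory via a file_contexts entry.
+# Example type transition:
+# mydomain.te:file_type_auto_trans(mydomain, system_data_file, new_file_type)
+#
+neverallow {
+domain
+-system_server
+-system_app
+-init
+-installd # for relabelfrom and unlink, check for this in explicit neverallow
+} system_data_file:file no_w_file_perms;
+# do not grant anything greater than r_file_perms and relabelfrom unlink
+# to installd
+neverallow installd system_data_file:file ~{ r_file_perms relabelfrom unlink };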
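Review bot: The new rule ending in `} system_data_file:file no_w_file_perms;` constrains only the `file` object class, while the comment block above it states the intent as stopping other domains from creating or writing these files at all; `dir`, `lnk_file`, `sock_file` and `fifo_file` objects labelled system_data_file are not covered, so a domain outside the exemption list could still be granted something like `system_data_file:dir { write add_name }` or `system_data_file:lnk_file create` without this neverallow firing. The installd carve-out `neverallow installd system_data_file:file ~{ r_file_perms relabelfrom unlink };` has the same file-only scope. If the narrower scope is deliberate, a comment such as `# only the file class is constrained here; dir/lnk_file/sock_file/fifo_file writes are still reviewed per domain` would make that explicit; otherwise consider widening the class list (e.g. `system_data_file:{ file lnk_file sock_file fifo_file } no_w_file_perms;`) and adding a matching rule for the `dir` class with the directory write permissions. Whether any current domain actually holds such dir or lnk_file write access is not visible from this hunk and would need checking against the rest of the policy.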