Merge "Only installd and init may relabel app_data_file."
This commit is contained in:
android-build-prod (mdb)
Gerrit Code Review
commit
577b7a5d7b
1 changed files with 6 additions and 0 deletions
|
|
@ -1187,6 +1187,12 @@ neverallow {
|
|||
-installd # creation of sandbox
|
||||
} app_data_file:dir_file_class_set { create unlink };
|
||||
|
||||
neverallow {
|
||||
domain
|
||||
-init
|
||||
-installd
|
||||
} app_data_file:dir_file_class_set { relabelfrom relabelto };
|
||||
|
||||
#
|
||||
# Only these domains should transition to shell domain. This domain is
|
||||
# permissible for the "shell user". If you need a process to exec a shell
|
||||
|
|
|
|||
Loading…
Reference in a new issue