Merge "strengthen debugfs neverallows" am: 4f36bd15ac am: 863fea7e62

Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2599510 Change-Id: I9c12dd0e933f6e5c4917db5c1ccdadd985dce7d3 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-05-24 22:25:47 +00:00 · 2023-05-24 22:25:47 +00:00 · 5a0664065e
commit 5a0664065e
parent 79190c4da7 863fea7e62
3 changed files with 3 additions and 3 deletions
--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te
@ -66,7 +66,7 @@ neverallow ephemeral_app domain:netlink_socket *;

 # Too much leaky information in debugfs. It's a security
 # best practice to ensure these files aren't readable.
-neverallow ephemeral_app debugfs:file read;
+neverallow ephemeral_app debugfs_type:file read;

 # execute gpu_device
 neverallow ephemeral_app gpu_device:chr_file execute;
--- a/private/priv_app.te
+++ b/private/priv_app.te
@ -218,7 +218,7 @@ neverallow priv_app kmsg_device:chr_file no_rw_file_perms;

 # Too much leaky information in debugfs. It's a security
 # best practice to ensure these files aren't readable.
-neverallow priv_app debugfs:file read;
+neverallow priv_app debugfs_type:file read;

 # Do not allow privileged apps to register services.
 # Only trusted components of Android should be registering
--- a/private/sdk_sandbox_all.te
+++ b/private/sdk_sandbox_all.te
@ -45,7 +45,7 @@ neverallow sdk_sandbox_all domain:netlink_socket *;

 # Too much leaky information in debugfs. It's a security
 # best practice to ensure these files aren't readable.
-neverallow sdk_sandbox_all debugfs:file read;
+neverallow sdk_sandbox_all debugfs_type:file read;

 # execute gpu_device
 neverallow sdk_sandbox_all gpu_device:chr_file execute;