tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Assert untrusted apps can't add or list hwservicemanager

Browse source 
This adds a neverallow rules which checks that SELinux app domains
which host arbitrary code are not allowed to access hwservicemanager
operations other than "find" operation for which there already are
strict neverallow rules in the policy.

Test: mmm system/sepolicy -- neverallow-only change
Bug: 34454312
Change-Id: I3b80c6ae2c254495704e0409e0c5c88f6ce3a6a7
This commit is contained in:
Alex Klyubin 2017-04-24 15:09:19 -07:00
parent 2a7f4fb069
commit 5c5b626358
1 changed files with 4 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
private/app_neverallows.te
View file

@ -108,6 +108,10 @@ neverallow all_untrusted_apps preloads_data_file:file no_rw_file_perms;
# against privileged system components
neverallow all_untrusted_apps system_file:file lock;
# Do not permit untrusted apps to perform actions on HwBinder service_manager
# other than find actions for services listed below
neverallow all_untrusted_apps *:hwservice_manager ~find;
# Do not permit access from apps which host arbitrary code to HwBinder services,
# except those considered sufficiently safe for access from such apps.
# The two main reasons for this are: