Merge "Enforce assumptions around metadata_block_device"
commit
62f0b8ea0e
1 changed files with 6 additions and 0 deletions
|
@ -383,6 +383,12 @@ neverallow {
|
|||
-ueventd # Further restricted in ueventd.te
|
||||
} frp_block_device:blk_file rw_file_perms;
|
||||
|
||||
# The metadata block device is set aside for device encryption and
|
||||
# verified boot metadata. It may be reset at will and should not
|
||||
# be used by other domains.
|
||||
neverallow { domain -init -recovery -vold } metadata_block_device:blk_file
|
||||
{ append link rename write open read ioctl lock };
|
||||
|
||||
# No domain other than recovery and update_engine can write to system partition(s).
|
||||
neverallow { domain -recovery -update_engine } system_block_device:blk_file write;
|
||||
|
||||
|
|
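Review bot: The permission set in the new `neverallow` on `metadata_block_device:blk_file` is enumerated by hand and omits `getattr`, `setattr`, `create`, `unlink`, `relabelfrom` and `relabelto`, although the comment above it says without qualification that the device "should not be used by other domains". The `frp_block_device` rule just above uses the `rw_file_perms` macro, so the difference in style reads as deliberate but is not explained. If leaving `getattr` open is intended, a line such as `# getattr is intentionally not listed so that stat() on the node stays permitted.` would record it. If the relabel and unlink cases are constrained by another rule, that is not visible in this hunk, so it would help to reference that rule or add those permissions here. A short comment on why `init`, `recovery` and `vold` are the exempt domains would also help the next person who has to extend the list.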