Merge "Enforce assumptions around metadata_block_device"
commit
62f0b8ea0e
1 changed files with 6 additions and 0 deletions
|
@ -383,6 +383,12 @@ neverallow {
|
||||||
-ueventd # Further restricted in ueventd.te
|
-ueventd # Further restricted in ueventd.te
|
||||||
} frp_block_device:blk_file rw_file_perms;
|
} frp_block_device:blk_file rw_file_perms;
|
||||||
|
|
||||||
|
# The metadata block device is set aside for device encryption and
|
||||||
|
# verified boot metadata. It may be reset at will and should not
|
||||||
|
# be used by other domains.
|
||||||
|
neverallow { domain -init -recovery -vold } metadata_block_device:blk_file
|
||||||
|
{ append link rename write open read ioctl lock };
|
||||||
|
|
||||||
# No domain other than recovery and update_engine can write to system partition(s).
|
# No domain other than recovery and update_engine can write to system partition(s).
|
||||||
neverallow { domain -recovery -update_engine } system_block_device:blk_file write;
|
neverallow { domain -recovery -update_engine } system_block_device:blk_file write;
|
||||||
|
|
||||||
|
|
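Review bot: The new neverallow on `metadata_block_device` lists `{ append link rename write open read ioctl lock }` by hand, while the `frp_block_device` rule just above it uses `rw_file_perms`, and nothing explains why the two differ. The hand-written set appears to leave out `getattr` deliberately and to add `link` and `rename`. If that is the intent, a short comment such as `# getattr is deliberately not listed; do not replace this set with rw_file_perms` would keep a later cleanup from swapping in the macro. Permissions such as `create`, `setattr`, `unlink`, `relabelfrom` and `relabelto` are also outside the assertion. If "should not be used by other domains" is meant to cover them, they belong in the set, after checking that no existing allow rule would then fail the build.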