Merge "Disallow most coredomains from accessing vendor_files on Treble." am: 6168a12ea9
am: ea3942f0a7
Change-Id: I67615fa3fac8c88647e4e085269ad30405010c8c
commit
6771dc79ef
1 changed files with 13 additions and 0 deletions
|
@ -1114,3 +1114,16 @@ neverallow ~coredomain coredomain_hwservice:hwservice_manager add;
|
||||||
# be passthrough only (i.e., run in the process of their clients instead of a
|
# be passthrough only (i.e., run in the process of their clients instead of a
|
||||||
# separate server process).
|
# separate server process).
|
||||||
neverallow * same_process_hwservice:hwservice_manager add;
|
neverallow * same_process_hwservice:hwservice_manager add;
|
||||||
|
|
||||||
|
# On TREBLE devices, most coredomains should not access vendor_files.
|
||||||
|
full_treble_only(`
|
||||||
|
neverallow {
|
||||||
|
coredomain
|
||||||
|
-halclientdomain
|
||||||
|
-init
|
||||||
|
-ueventd
|
||||||
|
-crash_dump
|
||||||
|
-perfprofd
|
||||||
|
-vendor_init
|
||||||
|
} vendor_file:file { create_file_perms x_file_perms };
|
||||||
|
')
|
||||||
|
|
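Review bot: The comment on the new rule says coredomains should not access vendor_files, but the neverallow as written constrains only the single type `vendor_file` and only class `file`, so directories, symlinks and any other vendor-labelled types fall outside the assertion. If that narrow scope is intended, the comment should say so, e.g. `# On TREBLE devices, most coredomains should not read, write, create or execute regular files labelled vendor_file.`; if it is not, the target set would need widening in a follow-up. The exemption list is also undocumented: `-halclientdomain` in particular exempts every coredomain that is a client of any HAL, presumably to allow passthrough HAL loading. A one-line comment per exempted domain (`init`, `ueventd`, `crash_dump`, `perfprofd`, `vendor_init`) would let a later reviewer check that each carve-out is still needed.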