neverallow cache_file and derivatives execute
Change-Id: I45002cfd05e4e184bfc66039b3ae9a4af057adb1 Signed-off-by: William Roberts <william.c.roberts@linux.intel.com>
This commit is contained in:
parent
e5916eb67b
commit
6c30016136
1 changed files with 2 additions and 0 deletions
|
@ -294,6 +294,8 @@ neverallow {
|
||||||
-appdomain # for oemfs
|
-appdomain # for oemfs
|
||||||
-recovery # for /tmp/update_binary in tmpfs
|
-recovery # for /tmp/update_binary in tmpfs
|
||||||
} { fs_type -rootfs }:file execute;
|
} { fs_type -rootfs }:file execute;
|
||||||
|
# Files from cache should never be executed
|
||||||
|
neverallow domain { cache_file cache_backup_file }:file execute;
|
||||||
|
|
||||||
# Only the init property service should write to /data/property.
|
# Only the init property service should write to /data/property.
|
||||||
neverallow { domain -init } property_data_file:dir no_w_dir_perms;
|
neverallow { domain -init } property_data_file:dir no_w_dir_perms;
|
||||||
|
|
Loading…
Reference in a new issue