am 26cdf1e0: Merge "neverallow: domain:file execute and entrypoint"
* commit '26cdf1e09033c9c489867852094e7c7f53b118f5': neverallow: domain:file execute and entrypoint
This commit is contained in:
Nick Kralevich
Android Git Automerger
commit
82434224db
1 changed files with 13 additions and 0 deletions
13
domain.te
13
domain.te
|
|
@ -537,3 +537,16 @@ neverallow { domain userdebug_or_eng(`-logd -shell') } misc_logd_file:file rw_fi
|
||||||
|
|
||||||
# Prevent assigning non property types to properties
|
# Prevent assigning non property types to properties
|
||||||
neverallow domain ~property_type:property_service set;
|
neverallow domain ~property_type:property_service set;
|
||||||
|
|
||||||
|
# Domain types should never be assigned to any files other
|
||||||
|
# than the /proc/pid files associated with a process. The
|
||||||
|
# executable file used to enter a domain should be labeled
|
||||||
|
# with its own _exec type, not with the domain type.
|
||||||
|
# Conventionally, this looks something like:
|
||||||
|
# $ cat mydaemon.te
|
||||||
|
# type mydaemon, domain;
|
||||||
|
# type mydaemon_exec, exec_type, file_type;
|
||||||
|
# init_daemon_domain(mydaemon)
|
||||||
|
# $ grep mydaemon file_contexts
|
||||||
|
# /system/bin/mydaemon -- u:object_r:mydaemon_exec:s0
|
||||||
|
neverallow domain domain:file { execute execute_no_trans entrypoint };
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue