strengthen proc_type neverallows

These were unnecessarily lax. Some other places additionally
exclude only the generic proc type, but we don't care about
those places.

Bug: 281877578
Test: boot
Change-Id: I9ebf410c12a41888ab1f5ecc21c95c34fc36c0d0
Steven Moreland 2023-05-22 22:59:08 +00:00
parent c3fd0b60d8
commit 8634a88595
2 changed files with 2 additions and 1 deletions


@ -410,7 +410,7 @@ neverallow * *:{ shm sem msg msgq } *;
# Feature parity with Chromium LSM.
neverallow * { file_type fs_type dev_type }:{ lnk_file fifo_file sock_file } mounton;
neverallow { domain -init } proc:{ file dir } mounton;
neverallow { domain -init } proc_type:{ file dir } mounton;
# Ensure that all types assigned to processes are included
# in the domain attribute, so that all allow and neverallow rules
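Review bot: The exemption sets of the two rewritten rules now diverge without explanation: here `neverallow { domain -init } proc_type:{ file dir } mounton;` exempts only `init`, while the new line in the second file's hunk (`neverallow { domain -init -zygote } proc_type:{ file dir } mounton;`) also exempts `zygote`, and neither the hunk nor the commit message records why zygote needs to mount over `proc_type` entries. A one-line comment above the zygote-exempting rule, e.g. `# zygote exemption: <reason> — keep in sync with <other policy file>`, would stop the next reader from "fixing" one file to match the other. In that second file the pre-existing `neverallow { domain -init } proc:{ file dir } mounton;` is kept next to the new `proc_type` rule; if `proc` carries the `proc_type` attribute (not visible in these hunks), the narrower rule is subsumed and the two overlapping rules with different exemption lists are worth collapsing into one. The second file's hunk appears to run past the end of the visible page, so its trailing context was not reviewed.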


@ -1053,6 +1053,7 @@ neverallow * self:process { execstack execheap };
neverallow { domain -untrusted_app_25 -untrusted_app_27 } file_type:file execmod;
neverallow { domain -init } proc:{ file dir } mounton;
neverallow { domain -init -zygote } proc_type:{ file dir } mounton;
# Ensure that all types assigned to processes are included
# in the domain attribute, so that all allow and neverallow rules