neverallow su_exec:file execute
Executing /system/xbin/su is only supported on userdebug builds for a limited number of domains. On user builds, it should never occur. Add a compile time assertion (neverallow rule) that this is always true. Bug: 19647373 Change-Id: I231a438948ea2d47c1951207e117e0fb2728c532
This commit is contained in:
Nick Kralevich
parent
6ece49c3dc
commit
8bd13687b0
1 changed files with 5 additions and 0 deletions
|
|
@ -369,3 +369,8 @@ neverallow domain domain:{ shm sem msg msgq } *;
|
|||
# Do not mount on top of symlinks, fifos, or sockets.
|
||||
# Feature parity with Chromium LSM.
|
||||
neverallow domain { file_type fs_type dev_type }:{ lnk_file fifo_file sock_file } mounton;
|
||||
|
||||
# Nobody should be able to execute su on user builds.
|
||||
# On userdebug/eng builds, only dumpstate, shell, and
|
||||
# su itself execute su.
|
||||
neverallow { domain userdebug_or_eng(`-dumpstate -shell -su') } su_exec:file no_x_file_perms;
|
||||
|
|
|
|||
Loading…
Reference in a new issue