fixup! sepolicy: Allow recovery to alter /
Signed-off-by: HeroBuxx <me@herobuxx.me>
parent
cbf3df362f
commit
a2a71a5525
2 changed files with 4 additions and 4 deletions
|
@ -504,8 +504,8 @@ neverallow { domain -kernel with_asan(`-asan_extract') } { system_file_type vend
|
|||
# Don't allow mounting on top of /system files or directories
|
||||
neverallow * exec_type:dir_file_class_set mounton;
|
||||
|
||||
# Nothing should be writing to files in the rootfs, except recovery.
|
||||
neverallow { domain -recovery } rootfs:file { create write setattr relabelto append unlink link rename };
|
||||
# Nothing should be writing to files in the rootfs.
|
||||
neverallow * rootfs:file { create write setattr relabelto append unlink link rename };
|
||||
|
||||
# Restrict context mounts to specific types marked with
|
||||
# the contextmount_type attribute.
|
||||
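Review bot: The two sections appear to disagree about the rootfs write rule. This one lists the `{ domain -recovery }` form before the `*` form, while the section at `-739,8` lists them in the opposite order; the +/- markers are lost on this page, so the direction is inferred, but if each section prints old then new, one file ends with the recovery exemption and the other without it. Both files should carry the same rule, and if they are a current policy and a frozen copy of it, that pairing should be confirmed before merging. Where the exemption stays, it removes the assertion for every permission in the set, so I would name only what recovery needs, e.g. `neverallow { domain -recovery } rootfs:file { <perms recovery does not need> };` next to an unchanged `neverallow * rootfs:file { <remaining perms> };`, and extend the comment to say why: `# Nothing should be writing to files in the rootfs, except recovery (<reason>).` A neverallow exemption grants nothing by itself, so the matching `allow recovery rootfs:file ...` rule, which is not visible here, should be reviewed for the same narrow permission set.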
|
|
|
@ -739,8 +739,8 @@ neverallow { domain -kernel with_asan(`-asan_extract') } { system_file_type vend
|
|||
# Don't allow mounting on top of /system files or directories
|
||||
neverallow * exec_type:dir_file_class_set mounton;
|
||||
|
||||
# Nothing should be writing to files in the rootfs.
|
||||
neverallow * rootfs:file { create write setattr relabelto append unlink link rename };
|
||||
# Nothing should be writing to files in the rootfs, except recovery.
|
||||
neverallow { domain -recovery } rootfs:file { create write setattr relabelto append unlink link rename };
|
||||
|
||||
# Restrict context mounts to specific types marked with
|
||||
# the contextmount_type attribute.
|
||||
|
|