Merge "strengthen system_file neverallows" am: 9a184232d7
am: 3bf96325d7
am: 679e6f2992
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2594974 Change-Id: I3417d75fce4e26efa69b7b2a56855b6ccfa15c1f Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
commit
c17369ecc7
5 changed files with 5 additions and 5 deletions
|
@ -89,7 +89,7 @@ neverallow appdomain rootfs:dir_file_class_set
|
|||
{ create write setattr relabelfrom relabelto append unlink link rename };
|
||||
|
||||
# Write to /system.
|
||||
neverallow appdomain system_file:dir_file_class_set
|
||||
neverallow appdomain system_file_type:dir_file_class_set
|
||||
{ create write setattr relabelfrom relabelto append unlink link rename };
|
||||
|
||||
# Write to entrypoint executables.
|
||||
|
|
|
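Review bot: The `# Write to /system.` comment above the appdomain rule understates what the rule matches once it names `system_file_type`, because that is an attribute covering every type that carries it rather than the single `system_file` label. I would reword the comment to something like `# Write to any type carrying system_file_type (all system partition labels, not just system_file).` so a reader does not assume a single-type or path-based check. The rendered page has lost the `+`/`-` markers, so which of the two rule lines is the new one is inferred from the commit title.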
@ -57,7 +57,7 @@ neverallow logd domain:process ptrace;
|
|||
neverallow { domain userdebug_or_eng(`-crash_dump -llkd') } logd:process ptrace;
|
||||
|
||||
# Write to /system.
|
||||
neverallow logd system_file:dir_file_class_set write;
|
||||
neverallow logd system_file_type:dir_file_class_set write;
|
||||
|
||||
# Write to files in /data/data or system files on /data
|
||||
neverallow logd { app_data_file privapp_data_file system_data_file packages_list_file }:dir_file_class_set write;
|
||||
|
|
|
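Review bot: The logd rule forbids only `write` on `system_file_type:dir_file_class_set`, while the appdomain rule in this same commit forbids `{ create write setattr relabelfrom relabelto append unlink link rename }`. With only `write` asserted, an allow rule granting logd `append`, `unlink`, `rename` or `relabelto` on a system type would not trip this neverallow at build time. Consider reusing the appdomain permission set, e.g. `neverallow logd system_file_type:dir_file_class_set { create write setattr relabelfrom relabelto append unlink link rename };`, unless a domain-wide neverallow elsewhere in the policy already covers those permissions (not visible on this page). The same applies to the netd, recovery_persist and recovery_refresh sections below.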
@ -129,7 +129,7 @@ neverallow netd dev_type:blk_file { read write };
|
|||
neverallow netd { domain }:process ptrace;
|
||||
|
||||
# Write to /system.
|
||||
neverallow netd system_file:dir_file_class_set write;
|
||||
neverallow netd system_file_type:dir_file_class_set write;
|
||||
|
||||
# Write to files in /data/data or system files on /data
|
||||
neverallow netd { app_data_file_type system_data_file }:dir_file_class_set write;
|
||||
|
|
|
@ -25,7 +25,7 @@ neverallow recovery_persist dev_type:blk_file { read write };
|
|||
neverallow recovery_persist domain:process ptrace;
|
||||
|
||||
# Write to /system.
|
||||
neverallow recovery_persist system_file:dir_file_class_set write;
|
||||
neverallow recovery_persist system_file_type:dir_file_class_set write;
|
||||
|
||||
# Write to files in /data/data
|
||||
neverallow recovery_persist { privapp_data_file app_data_file system_data_file }:dir_file_class_set write;
|
||||
|
|
|
@ -18,7 +18,7 @@ neverallow recovery_refresh dev_type:blk_file { read write };
|
|||
neverallow recovery_refresh domain:process ptrace;
|
||||
|
||||
# Write to /system.
|
||||
neverallow recovery_refresh system_file:dir_file_class_set write;
|
||||
neverallow recovery_refresh system_file_type:dir_file_class_set write;
|
||||
|
||||
# Write to files in /data/data or system files on /data
|
||||
neverallow recovery_refresh { app_data_file privapp_data_file system_data_file }:dir_file_class_set write;
|
||||
|
|