system_writes_mnt_vendor_violators for device launched before P.
In cases when a device upgrades to system-as-root from O to P, it needs a mount point for an already existing partition that is accessed by both system and vendor. Devices launching with P must not have /mnt/vendor accessible to system. Bug: 78598545 Test: m selinx_policy Change-Id: Ia7bcde44e2b8657a7ad9e0d9bae7a7259f40936f
This commit is contained in:
Tri Vo
parent
732e92b6fe
commit
ca4217e211
2 changed files with 6 additions and 0 deletions
|
|
@ -184,6 +184,11 @@ expandattribute system_executes_vendor_violators false;
|
|||
attribute system_writes_vendor_properties_violators;
|
||||
expandattribute system_writes_vendor_properties_violators false;
|
||||
|
||||
# All system domains which violate the requirement of not writing to
|
||||
# /mnt/vendor/*. Must not be used on devices launched with P or later.
|
||||
attribute system_writes_mnt_vendor_violators;
|
||||
expandattribute system_writes_mnt_vendor_violators false;
|
||||
|
||||
# hwservices that are accessible from untrusted applications
|
||||
# WARNING: Use of this attribute should be avoided unless
|
||||
# absolutely necessary. It is a temporary allowance to aid the
|
||||
|
|
|
|||
|
|
@ -1434,6 +1434,7 @@ neverallow {
|
|||
-init
|
||||
-ueventd
|
||||
-vold
|
||||
-system_writes_mnt_vendor_violators
|
||||
} mnt_vendor_file:dir *;
|
||||
|
||||
# Only apps are allowed access to vendor public libraries.
|
||||
|
|
|
|||
Loading…
Reference in a new issue