Remove -kernel -recovery from keystore_data_file neverallow.
Aside from the keystore daemon itself, only init needs any access to keystore_data_file (in order to create and potentially restorecon /data/misc/keystore). The exceptions for the kernel and recovery domains are unnecessary; no allow rule permits this access in current policy. Change-Id: I5cf6f29ec08174017ac8f5fb36fef166ce360ca0 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
This commit is contained in:
parent
0d08d4721a
commit
d4731ad8c7
1 changed files with 2 additions and 2 deletions
|
@ -21,8 +21,8 @@ allow keystore tee:unix_stream_socket connectto;
|
||||||
neverallow { domain -keystore } keystore_data_file:dir ~{ open create read getattr setattr search relabelto };
|
neverallow { domain -keystore } keystore_data_file:dir ~{ open create read getattr setattr search relabelto };
|
||||||
neverallow { domain -keystore } keystore_data_file:notdevfile_class_set ~{ relabelto getattr };
|
neverallow { domain -keystore } keystore_data_file:notdevfile_class_set ~{ relabelto getattr };
|
||||||
|
|
||||||
neverallow { domain -keystore -init -kernel -recovery } keystore_data_file:dir *;
|
neverallow { domain -keystore -init } keystore_data_file:dir *;
|
||||||
neverallow { domain -keystore -init -kernel -recovery } keystore_data_file:notdevfile_class_set *;
|
neverallow { domain -keystore -init } keystore_data_file:notdevfile_class_set *;
|
||||||
|
|
||||||
neverallow domain keystore:process ptrace;
|
neverallow domain keystore:process ptrace;
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue