* commit '1df534745d10b3930caaaaf75226be92894e7568': add neverallow rules for execmod
commit
eee5d2026e
1 changed files with 15 additions and 0 deletions
15
domain.te
15
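--- a/domain.te
+++ b/domain.te
@@ -382,3 +382,18 @@ neverallow domain { file_type fs_type dev_type }:{ lnk_file fifo_file sock_file
 # On userdebug/eng builds, only dumpstate, shell, and
 # su itself execute su.
 neverallow { domain userdebug_or_eng(`-dumpstate -shell -su') } su_exec:file no_x_file_perms;
+
+# Do not allow the introduction of new execmod rules. Text relocations
+# and modification of executable pages are unsafe.
+# The only exceptions are for NDK text relocations associated with
+# https://code.google.com/p/android/issues/detail?id=23203
+# which, long term, need to go away.
+neverallow domain {
+file_type
+-system_data_file
+-apk_data_file
+-app_data_file
+-asec_public_file
+}:file execmod;
+
+neverallow { domain -appdomain } file_type:file execmod;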
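Review bot: The second rule, `neverallow { domain -appdomain } file_type:file execmod;`, has no comment, and the block comment above the first rule does not say that the two rules combine so that only appdomain may hold execmod, and only on the four excluded types. I would add above it `# Outside of appdomain, no domain may have execmod on any file type.` Of the four exclusions in the first rule, `-system_data_file` looks the widest, assuming it is the default label for files under /data as in stock policy; a short comment per excluded type naming the NDK case that needs it would make the list easier to shrink later. These rules assert on execmod only; whether execmem, execstack and execheap are restricted elsewhere in domain.te is not visible in this hunk.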