init: lock down access to keychord_device
The out-of-tree keychord driver is only intended for use by init. Test: build Bug: 64114943 Bug: 78174219 Change-Id: I96a7fbcd9a54a38625063606f5c4ab6d40d701f6
parent
ced43bc823
commit
f14f735455
1 changed files with 8 additions and 0 deletions
|
@ -363,6 +363,14 @@ neverallow {
|
||||||
-system_server
|
-system_server
|
||||||
-ueventd
|
-ueventd
|
||||||
} hw_random_device:chr_file *;
|
} hw_random_device:chr_file *;
|
||||||
|
# b/78174219 b/64114943
|
||||||
|
neverallow {
|
||||||
|
domain
|
||||||
|
-init
|
||||||
|
-shell # stat of /dev, getattr only
|
||||||
|
-vendor_init
|
||||||
|
-ueventd
|
||||||
|
} keychord_device:chr_file *;
|
||||||
|
|
||||||
# Ensure that all entrypoint executables are in exec_type or postinstall_file.
|
# Ensure that all entrypoint executables are in exec_type or postinstall_file.
|
||||||
neverallow * { file_type -exec_type -postinstall_file }:file entrypoint;
|
neverallow * { file_type -exec_type -postinstall_file }:file entrypoint;
|
||||||
|
|
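Review bot: The `-shell` exemption in the new keychord_device neverallow is wider than its own comment. The rule ends in `*`, so shell is exempted for every chr_file permission rather than only the getattr that `# stat of /dev, getattr only` describes, and a later allow rule granting shell open/read/write on the device would still pass this check. Keep `-shell` in the set so the existing getattr is not broken, and add `neverallow shell keychord_device:chr_file ~getattr;` after the block so that shell is pinned to getattr. `-vendor_init` and `-ueventd` are also exempted for all permissions with no stated reason, although the commit message says the driver is intended only for init. A short comment on each would help later audits (for ueventd presumably device-node creation and labeling, which should be confirmed), and if either needs only a subset of permissions the same complement form applies.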