am 74df7f59: don\'t allow mounting on top of /system files/directories

* commit '74df7f593494a00dcc3be410b2d82267b6b31ca0': don't allow mounting on top of /system files/directories
2015-02-05 20:17:11 +00:00 · 2015-02-05 20:17:11 +00:00 · f901c4ccd5
commit f901c4ccd5
parent 8aaf546402 74df7f5934
1 changed files with 3 additions and 0 deletions
--- a/domain.te
+++ b/domain.te
@ -297,6 +297,9 @@ neverallow { domain -init } property_data_file:file no_w_file_perms;
 neverallow { domain -recovery } { system_file exec_type }:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };

+# Don't allow mounting on top of /system files or directories
+neverallow domain { system_file exec_type }:dir_file_class_set mounton;
+
 # Nothing should be writing to files in the rootfs.
 neverallow { domain -recovery } rootfs:file { create write setattr relabelto append unlink link rename };