cf2ffdf0d8
This further restricts neverallows for sockets which may be exposed as filesystem nodes. This is achieved by labelling all such sockets created by core/non-vendor domains using the new coredomain_socket attribute, and then adding neverallow rules targeting that attribute. This has no effect on what domains are permitted to do. This only changes neverallow rules. Test: mmm system/sepolicy Bug: 36577153 Change-Id: I633163cf67d60677c4725b754e01097dd5790aed
# Associate the drmserver domain type with the coredomain attribute, so any
# rule (allow or neverallow) written against coredomain also applies to it.
typeattribute drmserver coredomain;
# Macro defined elsewhere in the policy tree (not shown in this file).
# NOTE(review): in AOSP this sets up the automatic transition from init into
# the drmserver domain when init executes the daemon's binary; confirm against
# the macro definition before relying on that.
init_daemon_domain(drmserver)
# When drmserver creates a socket node (class sock_file) inside a directory
# labelled apk_data_file, label the new node drmserver_socket instead of
# letting it inherit the parent directory's label.
# A type_transition only selects the default label; it grants no access.
# The create/write permissions must come from separate allow rules.
type_transition drmserver apk_data_file:sock_file drmserver_socket;
# Tag the socket type with the coredomain_socket attribute so that neverallow
# rules written against that attribute cover drmserver's filesystem socket.
# This adds no permissions; it only brings the type under those compile-time
# neverallow checks.
typeattribute drmserver_socket coredomain_socket;