2f6151ea44
This further restricts neverallows for sockets which may be exposed as
filesystem nodes. This is achieved by labelling all such sockets
created by core/non-vendor domains using the new coredomain_socket
attribute, and then adding neverallow rules targeting that attribute.
This has no effect on what domains are permitted to do. This only
changes neverallow rules.
Test: mmm system/sepolicy
Bug: 36577153
(cherry picked from commit cf2ffdf0d8
)
Change-Id: Iffeee571a2ff61fb9515fa6849d060649636524e
# Declare the hal_nfc_default type and give it the domain attribute,
# i.e. it is a label for processes rather than for files.
type hal_nfc_default, domain;
# Mark hal_nfc_default as a server-side implementation of the hal_nfc HAL.
# The macro is defined outside this file; the permissions it grants come
# from there, not from this line.
hal_server_domain(hal_nfc_default, hal_nfc)
# File label for the HAL's executable; exec_type and file_type mark it as
# an executable file type.
type hal_nfc_default_exec, exec_type, file_type;
# init_daemon_domain is defined outside this file; it sets up the
# transition into hal_nfc_default when init executes a file labelled
# hal_nfc_default_exec.
init_daemon_domain(hal_nfc_default)
# TODO (b/36645109) Remove hal_nfc's access to the nfc app's
# data type. Remove coredata_in_vendor_violators and
# socket_between_core_and_vendor_violators attribute associations below.
# Temporary exemption (see TODO above): associating this attribute marks
# hal_nfc_default as a known violator of the core-data-in-vendor
# restriction, which presumably excludes it from the matching neverallow
# rules. Audit point: this line should disappear once b/36645109 is fixed.
typeattribute hal_nfc_default coredata_in_vendor_violators;
# Temporary exemption (see TODO above): marks hal_nfc_default as a known
# violator of the core/vendor socket restriction. NOTE(review): the
# attribute is expected only to relax neverallow checks, not to grant
# access itself; the allow rules that make the exemption necessary live
# outside this file. Confirm, and remove with b/36645109.
typeattribute hal_nfc_default socket_between_core_and_vendor_violators;