platform_system_sepolicy/private/wificond.te
Alex Klyubin 2f6151ea44 Tighten restrictions on core <-> vendor socket comms
This further restricts neverallows for sockets which may be exposed as
filesystem nodes. This is achieved by labelling all such sockets
created by core/non-vendor domains using the new coredomain_socket
attribute, and then adding neverallow rules targeting that attribute.

This has no effect on what domains are permitted to do. This only
changes neverallow rules.

Test: mmm system/sepolicy
Bug: 36577153

(cherry picked from commit cf2ffdf0d8)

Change-Id: Iffeee571a2ff61fb9515fa6849d060649636524e
2017-03-31 09:17:54 -07:00

typeattribute wificond coredomain;
init_daemon_domain(wificond)
# TODO(b/36790991): Remove this once wificond is no longer permitted to touch wpa sockets
typeattribute wificond socket_between_core_and_vendor_violators;
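
An audit helper for the exemption shown in the file above, as an added example that is not part of the AOSP tree: it scans policy text for domains tagged `socket_between_core_and_vendor_violators` and reports whether a `TODO(b/...)` tracking comment sits directly above each one. The `exampled` domain in the sample is constructed for illustration; the helper's name and output shape are assumptions.

```python
import re

# Attribute name taken from the file above; domains carrying it are exempt
# from the core <-> vendor socket neverallow rules.
EXEMPT_ATTR = "socket_between_core_and_vendor_violators"

TYPEATTR_RE = re.compile(r"^\s*typeattribute\s+(\w+)\s+([\w\s,]+?)\s*;")
TODO_RE = re.compile(r"#.*\bTODO\(b/(\d+)\)")


def find_exemptions(policy_text, attr=EXEMPT_ATTR):
    """Return [(domain, bug_or_None, line_no)] for each domain tagged with attr.

    A tracking bug is credited only when a TODO(b/NNN) comment appears in the
    comment run immediately above the typeattribute statement.
    """
    results = []
    pending_bug = None
    for line_no, line in enumerate(policy_text.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith("#"):
            m = TODO_RE.search(stripped)
            if m:
                pending_bug = m.group(1)
            continue
        m = TYPEATTR_RE.match(line)
        if m:
            attrs = re.split(r"[\s,]+", m.group(2).strip())
            if attr in attrs:
                results.append((m.group(1), pending_bug, line_no))
        # Any non-comment line (including a blank one) ends the comment run.
        pending_bug = None
    return results


# Sample input: the wificond.te lines above plus one constructed, untracked
# exemption ("exampled" is a hypothetical domain).
SAMPLE = """\
typeattribute wificond coredomain;
init_daemon_domain(wificond)
# TODO(b/36790991): Remove this once wificond is no longer permitted to touch wpa sockets
typeattribute wificond socket_between_core_and_vendor_violators;

typeattribute exampled socket_between_core_and_vendor_violators;
"""

if __name__ == "__main__":
    for domain, bug, line_no in find_exemptions(SAMPLE):
        status = f"tracked by b/{bug}" if bug else "NO tracking bug"
        print(f"line {line_no}: {domain} exempt from socket neverallows ({status})")
```

Exemptions reported without a tracking bug are the ones to question in review, since nothing records when the domain is expected to come back under the neverallow rules.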