2f6151ea44
This futher restricts neverallows for sockets which may be exposed as
filesystem nodes. This is achieved by labelling all such sockets
created by core/non-vendor domains using the new coredomain_socket
attribute, and then adding neverallow rules targeting that attribute.
This has now effect on what domains are permitted to do. This only
changes neverallow rules.
Test: mmm system/sepolicy
Bug: 36577153
(cherry picked from commit cf2ffdf0d8)
Change-Id: Iffeee571a2ff61fb9515fa6849d060649636524e
7 lines
187 B
Text
7 lines
187 B
Text
typeattribute drmserver coredomain;
|
|
|
|
init_daemon_domain(drmserver)
|
|
|
|
type_transition drmserver apk_data_file:sock_file drmserver_socket;
|
|
|
|
typeattribute drmserver_socket coredomain_socket;
|