85acf6ef70
neverallow rules with allowlist should look like: neverallow { domain -allow1 -allow2 } ... Bug: 181744894 Test: m selinux_policy Test: pcregrep -M -r "neverallow\s+{(\s*#.*\s*)*\s+-" . Change-Id: Ibab72ccc1fbacb99b62fe127b4122e1ac22b938a
#
# System Server aka system_server spawned by zygote.
# Most of the framework services run in this process.
#
# Declares the system_server process type and tags it with the "domain"
# attribute, so rules written against "domain" also cover it.
type system_server, domain;
# Type for system_server's tmpfs-backed objects; carries the file_type and
# mlstrustedobject attributes.
# NOTE(review): mlstrustedobject presumably exempts this type from the MLS
# constraints, as elsewhere in Android policy; confirm against the mls rules
# in this tree.
type system_server_tmpfs, file_type, mlstrustedobject;

# Power controls for debugging/diagnostics
# get_prop/set_prop are policy macros defined outside this file; they are
# expected to grant system_server read and write access to power_debug_prop.
get_prop(system_server, power_debug_prop)
set_prop(system_server, power_debug_prop)

# Build-time assertion: no domain other than init, vendor_init and
# system_server may be granted "set" on power_debug_prop. A neverallow grants
# nothing by itself; it makes policy compilation fail if an allow rule
# elsewhere would give another domain write access to this property.
# The set starts with "domain" and then subtracts the permitted writers;
# adding a new writer means extending this list.
# NOTE(review): vendor_init is exempted here, so vendor init scripts are among
# the permitted writers. The allow rules for init and vendor_init are not in
# this file.
neverallow {
  domain
  -init
  -vendor_init
  -system_server
} power_debug_prop:property_service set;