authorTreehugger Robot2018-04-17 14:59:58 -0500
committerGerrit Code Review2018-04-17 14:59:58 -0500
commit53cabd6c352dd37608be0e8bebfabf5b1edcd31b (patch)
treed70d45ec78a24b8468e1affff96186982d0b4193
parentcc23e48f9f96bb70fd36f2b76f2d5baf0714a1a1 (diff)
parentf14f73545552564c813da865533b1be29893131f (diff)
Merge "init: lock down access to keychord_device"
-rw-r--r--public/domain.te8
1 files changed, 8 insertions, 0 deletions
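--- a/public/domain.te
+++ b/public/domain.te
@@ -363,6 +363,14 @@ neverallow {
  -system_server
  -ueventd
 } hw_random_device:chr_file *;
+# b/78174219 b/64114943
+neverallow {
+ domain
+ -init
+ -shell # stat of /dev, getattr only
+ -vendor_init
+ -ueventd
+} keychord_device:chr_file *;
 
 # Ensure that all entrypoint executables are in exec_type or postinstall_file.
 neverallow * { file_type -exec_type -postinstall_file }:file entrypoint;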
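Review bot: The `-shell` exclusion in the new neverallow (new lines 367-373) is wider than its own comment states: the comment says shell needs getattr only for a stat of /dev, but removing shell from a `*` rule leaves every permission on keychord_device:chr_file unasserted for that domain. Keeping the exclusion and adding `neverallow shell keychord_device:chr_file ~getattr;` directly after the block would make the policy enforce what the comment promises. The `# b/78174219 b/64114943` header gives only tracker ids, so a one-line statement of why keychord_device is restricted would help readers without tracker access; the reason for the `-vendor_init` exclusion is also not visible in this hunk and may deserve a comment of its own.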