authorMark Salyzyn2018-04-17 12:55:41 -0500
committerMark Salyzyn2018-04-17 13:24:35 -0500
commitf14f73545552564c813da865533b1be29893131f (patch)
tree073b121e3c696a569af368a65d76397c62727a33
parentced43bc823c43f75674786b352d36c775080a13e (diff)
init: lock down access to keychord_device
The out-of-tree keychord driver is only intended for use by init. Test: build Bug: 64114943 Bug: 78174219 Change-Id: I96a7fbcd9a54a38625063606f5c4ab6d40d701f6
-rw-r--r--public/domain.te8
1 files changed, 8 insertions, 0 deletions
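--- a/public/domain.te
+++ b/public/domain.te
@@ -363,6 +363,14 @@ neverallow {
   -system_server
   -ueventd
 } hw_random_device:chr_file *;
+# b/78174219 b/64114943
+neverallow {
+  domain
+  -init
+  -shell # stat of /dev, getattr only
+  -vendor_init
+  -ueventd
+} keychord_device:chr_file *;
 
 # Ensure that all entrypoint executables are in exec_type or postinstall_file.
 neverallow * { file_type -exec_type -postinstall_file }:file entrypoint;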
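Review bot: The `-shell` exemption on the new keychord_device neverallow is wider than its inline comment justifies: carving shell out of the whole `chr_file *` rule means a later `allow shell keychord_device:chr_file { read write ioctl }` would compile without tripping any neverallow, even though the comment says only getattr is needed for stat of /dev. A tighter form keeps the exemption but pins it to the stated permission, e.g. add after the block `neverallow shell keychord_device:chr_file ~getattr;` so that only getattr can ever be granted to shell. The `# b/78174219 b/64114943` comment would also read better with the intent from the commit message alongside the bug ids, e.g. `# The out-of-tree keychord driver is only intended for use by init.`, since bug numbers alone do not tell a policy author why vendor_init and ueventd are exempt (presumably device-node creation/labeling, as in the hw_random_device rule above — worth confirming).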