04b8a75c2f7532821a2a098a95d884931a91807c - LeafOS-Project/android_system_sepolicy

commit	04b8a75c2f7532821a2a098a95d884931a91807c	[log] [tgz]
author	Stephen Smalley <sds@tycho.nsa.gov>	Thu Jun 19 11:26:22 2014 -0400
committer	Nick Kralevich <nnk@google.com>	Thu Jun 19 23:11:04 2014 +0000
tree	51add4cf8631d7547fffce606e17768a589e58e5
parent	f3c3a1aa33bc3a34a5bef94d3643c3702cf925c6 [diff]

Remove write access to rootfs files.

Remove write access to rootfs files from unconfineddomain and
prevent adding it back via neverallow.  This is only applied to
regular files, as we are primarily concerned with preventing
writing to a file that can be exec'd and because creation of
directories or symlinks in the rootfs may be required for mount
point directories.

Change-Id: If2c96da03f5dd6f56de97131f6ba9eceea328721
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

domain.te[diff]
unconfined.te[diff]

2 files changed

tree: 51add4cf8631d7547fffce606e17768a589e58e5

tools/
access_vectors
adbd.te
Android.mk
app.te
attributes
binderservicedomain.te
bluetooth.te
bootanim.te
clatd.te
debuggerd.te
device.te
dhcp.te
dnsmasq.te
domain.te
drmserver.te
dumpstate.te
file.te
file_contexts
fs_use
genfs_contexts
global_macros
gpsd.te
hci_attach.te
healthd.te
hostapd.te
init.te
init_shell.te
initial_sid_contexts
initial_sids
inputflinger.te
installd.te
isolated_app.te
kernel.te
keys.conf
keystore.te
lmkd.te
logd.te
mac_permissions.xml
mdnsd.te
mediaserver.te
mls
mls_macros
mtp.te
net.te
netd.te
nfc.te
NOTICE
platform_app.te
policy_capabilities
port_contexts
ppp.te
property.te
property_contexts
racoon.te
radio.te
README
recovery.te
rild.te
roles
runas.te
sdcardd.te
seapp_contexts
security_classes
selinux-network.sh
service.te
service_contexts
servicemanager.te
shared_relro.te
shell.te
su.te
surfaceflinger.te
system_app.te
system_server.te
te_macros
tee.te
ueventd.te
unconfined.te
uncrypt.te
untrusted_app.te
users
vold.te
watchdogd.te
wpa.te
zygote.te