Gitiles
Code Review Sign In
LeafOS / LeafOS-Project / android_system_sepolicy / acc0842c4bed8690fe29858070215d7a74f4a44b
commitacc0842c4bed8690fe29858070215d7a74f4a44b[log] [tgz]
authorNick Kralevich <nnk@google.com>Wed Mar 11 12:44:27 2015 -0700
committerNick Kralevich <nnk@google.com>Wed Mar 11 12:48:02 2015 -0700
treeb872131565b2f88d5fe9208eb66027353553a044
parentc01f7fd1c1569a0649703d24747ad1ddd857bc93 [diff]
system_server: neverallow blk_file read/write

With the exception of the factory reset protection block device,
don't allow system_server to read or write to any other block
devices. This helps protect against a system->root escalation
when system_server has the ability to directly minipulate raw
block devices / partitions / partition tables.

This change adds a neverallow rule, which is a compile time
assertion that no SELinux policy is written which allows this
access. No new rules are added or removed.

Change-Id: I388408423097ef7cf4950197b79d4be9d666362c
2 files changed
tree: b872131565b2f88d5fe9208eb66027353553a044
  1. tools/
  2. access_vectors
  3. adbd.te
  4. Android.mk
  5. app.te
  6. attributes
  7. binderservicedomain.te
  8. bluetooth.te
  9. bootanim.te
  10. clatd.te
  11. debuggerd.te
  12. device.te
  13. dex2oat.te
  14. dhcp.te
  15. dnsmasq.te
  16. domain.te
  17. drmserver.te
  18. dumpstate.te
  19. file.te
  20. file_contexts
  21. fs_use
  22. fsck.te
  23. genfs_contexts
  24. global_macros
  25. gpsd.te
  26. hci_attach.te
  27. healthd.te
  28. hostapd.te
  29. init.te
  30. initial_sid_contexts
  31. initial_sids
  32. inputflinger.te
  33. install_recovery.te
  34. installd.te
  35. isolated_app.te
  36. kernel.te
  37. keys.conf
  38. keystore.te
  39. lmkd.te
  40. logd.te
  41. mac_permissions.xml
  42. mdnsd.te
  43. mediaserver.te
  44. mls
  45. mls_macros
  46. mtp.te
  47. net.te
  48. netd.te
  49. neverallow_macros
  50. nfc.te
  51. NOTICE
  52. platform_app.te
  53. policy_capabilities
  54. port_contexts
  55. ppp.te
  56. property.te
  57. property_contexts
  58. racoon.te
  59. radio.te
  60. README
  61. recovery.te
  62. rild.te
  63. roles
  64. runas.te
  65. sdcardd.te
  66. seapp_contexts
  67. security_classes
  68. service.te
  69. service_contexts
  70. servicemanager.te
  71. shared_relro.te
  72. shell.te
  73. slideshow.te
  74. su.te
  75. surfaceflinger.te
  76. system_app.te
  77. system_server.te
  78. te_macros
  79. tee.te
  80. toolbox.te
  81. ueventd.te
  82. uncrypt.te
  83. untrusted_app.te
  84. users
  85. vdc.te
  86. vold.te
  87. watchdogd.te
  88. wpa.te
  89. zygote.te