diff options
author | Nick Kralevich <nnk@google.com> | 2015-06-11 20:47:59 -0700 |
---|---|---|
committer | Nick Kralevich <nnk@google.com> | 2015-06-11 20:51:22 -0700 |
commit | 50897feb6113c165d5d6ab72f3600976fd019db0 (patch) | |
tree | 08f000265f7f8db43abbaadaa70028c5a826ca92 | |
parent | 73f7e76837c1f3d6a1360d2d4a06c9037d7addc1 (diff) | |
download | android_external_sepolicy-50897feb6113c165d5d6ab72f3600976fd019db0.tar.gz android_external_sepolicy-50897feb6113c165d5d6ab72f3600976fd019db0.tar.bz2 android_external_sepolicy-50897feb6113c165d5d6ab72f3600976fd019db0.zip |
sdcardd: ensure that init never executes sdcard daemon
Only vold should execute the sdcard daemon. Remove old code which
allows this, and add a neverallow rule to ensure that nobody tries
running with this old configuration.
Change-Id: I6d0133e65948ae69e3c48f7b5f21fc7956fe8168
-rw-r--r-- | sdcardd.te | 10 |
1 files changed, 8 insertions, 2 deletions
@@ -1,8 +1,6 @@ type sdcardd, domain; type sdcardd_exec, exec_type, file_type; -init_daemon_domain(sdcardd) # TODO: deprecated in M - allow sdcardd cgroup:dir create_dir_perms; allow sdcardd fuse_device:chr_file rw_file_perms; allow sdcardd rootfs:dir mounton; # TODO: deprecated in M @@ -31,3 +29,11 @@ allow sdcardd vold:fifo_file { read write getattr }; # Allow running on top of expanded storage allow sdcardd mnt_expand_file:dir search; + +### +### neverallow rules +### + +# The sdcard daemon should no longer be started from init +neverallow init sdcardd_exec:file execute; +neverallow init sdcardd:process { transition dyntransition }; |