don't allow mounting on top of /system files/directories

Change-Id: If311f53b9e5a1020f188ae2346dbf6466e6129ac
author: Nick Kralevich <nnk@google.com> 2015-02-05 09:23:13 -0800
committer: Nick Kralevich <nnk@google.com> 2015-02-05 09:31:52 -0800
commit: 74df7f593494a00dcc3be410b2d82267b6b31ca0 (patch)
tree: 451e91ecb3ad82840aa6293fb5b9e2abf83f49a9 /domain.te
parent: 5ec38c49e3b61b8a3228b56278e85fc276eaec6b (diff)
download: android_external_sepolicy-74df7f593494a00dcc3be410b2d82267b6b31ca0.tar.gz
android_external_sepolicy-74df7f593494a00dcc3be410b2d82267b6b31ca0.tar.bz2
android_external_sepolicy-74df7f593494a00dcc3be410b2d82267b6b31ca0.zip
1 files changed, 3 insertions, 0 deletions
diff --git a/domain.te b/domain.te
index d9935fe..1aa9959 100644
--- a/domain.te
+++ b/domain.te
@@ -297,6 +297,9 @@ neverallow { domain -init } property_data_file:file no_w_file_perms;
 neverallow { domain -recovery } { system_file exec_type }:dir_file_class_set
     { create write setattr relabelfrom relabelto append unlink link rename };
 
+# Don't allow mounting on top of /system files or directories
+neverallow domain { system_file exec_type }:dir_file_class_set mounton;
+
 # Nothing should be writing to files in the rootfs.
 neverallow { domain -recovery } rootfs:file { create write setattr relabelto append unlink link rename };
author	Nick Kralevich <nnk@google.com>	2015-02-05 09:23:13 -0800
committer	Nick Kralevich <nnk@google.com>	2015-02-05 09:31:52 -0800
commit	74df7f593494a00dcc3be410b2d82267b6b31ca0 (patch)
tree	451e91ecb3ad82840aa6293fb5b9e2abf83f49a9 /domain.te
parent	5ec38c49e3b61b8a3228b56278e85fc276eaec6b (diff)
download	android_external_sepolicy-74df7f593494a00dcc3be410b2d82267b6b31ca0.tar.gz android_external_sepolicy-74df7f593494a00dcc3be410b2d82267b6b31ca0.tar.bz2 android_external_sepolicy-74df7f593494a00dcc3be410b2d82267b6b31ca0.zip