diff options
author | Stephen Smalley <sds@tycho.nsa.gov> | 2014-02-10 13:29:38 -0500 |
---|---|---|
committer | Nick Kralevich <nnk@google.com> | 2014-02-11 17:32:31 +0000 |
commit | b081cc1e050843ecb7dff687f780787ad05d6143 (patch) | |
tree | 391ec7ba18e806341c4ecfeb4cb0b28739670d68 /recovery.te | |
parent | 48b18832c476f0bd8fcb8ee3e308258392f36aaf (diff) | |
download | android_external_sepolicy-b081cc1e050843ecb7dff687f780787ad05d6143.tar.gz android_external_sepolicy-b081cc1e050843ecb7dff687f780787ad05d6143.tar.bz2 android_external_sepolicy-b081cc1e050843ecb7dff687f780787ad05d6143.zip |
Remove mount-related permissions from unconfined domains.
Only allow to specific domains as required, and add a neverallow
to prevent allowing it to other domains not explicitly whitelisted.
sdcard_type is exempted from the neverallow since more domains
require the ability to mount it, including device-specific domains.
Change-Id: Ia6476d1c877f5ead250749fb12bff863be5e9f27
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Diffstat (limited to 'recovery.te')
-rw-r--r-- | recovery.te | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/recovery.te b/recovery.te index abcf0cf..37d6455 100644 --- a/recovery.te +++ b/recovery.te @@ -8,6 +8,7 @@ allow recovery self:capability2 mac_admin; allow recovery {fs_type dev_type -kmem_device file_type}:dir_file_class_set relabelto; allow recovery unlabeled:filesystem mount; +allow recovery fs_type:filesystem *; allow recovery self:process execmem; allow recovery ashmem_device:chr_file execute; |