diff options
author | Nick Kralevich <nnk@google.com> | 2014-08-21 16:26:23 -0700 |
---|---|---|
committer | Nick Kralevich <nnk@google.com> | 2014-08-21 16:26:23 -0700 |
commit | 65feafce6c72ded001619e4f6b975de095941acd (patch) | |
tree | c6c9e0c8d055015e2132c08d4af994f1b875c9f9 /servicemanager.te | |
parent | cd10eb955090f76847c27c2a621f3f8abc80bbc3 (diff) | |
download | android_external_sepolicy-65feafce6c72ded001619e4f6b975de095941acd.tar.gz android_external_sepolicy-65feafce6c72ded001619e4f6b975de095941acd.tar.bz2 android_external_sepolicy-65feafce6c72ded001619e4f6b975de095941acd.zip |
tighten up neverallow rules for init binder operations
Init never uses binder, so allowing binder related operations
for init never makes sense. Disallow all binder opertions for
init.
This change expands on commit a730e50bd93cd058b271ce3a4affcc6ac75da58b,
disallowing any init binder operation, not just call operations, which
may be accidentally added by blindly running audit2allow.
Change-Id: I12547a75cf68517d54784873846bdadcb60c5112
Diffstat (limited to 'servicemanager.te')
-rw-r--r-- | servicemanager.te | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/servicemanager.te b/servicemanager.te index a928916..d20872c 100644 --- a/servicemanager.te +++ b/servicemanager.te @@ -11,7 +11,7 @@ init_daemon_domain(servicemanager) # created by other domains. It never passes its own references # or initiates a Binder IPC. allow servicemanager self:binder set_context_mgr; -allow servicemanager domain:binder transfer; +allow servicemanager { domain -init }:binder transfer; # Check SELinux permissions. selinux_check_access(servicemanager) |