diff options
author | Nick Kralevich <nnk@google.com> | 2014-05-13 14:45:00 -0700 |
---|---|---|
committer | Nick Kralevich <nnk@google.com> | 2014-05-13 14:45:00 -0700 |
commit | 4bdd13e4c3632587c72b487a16d6c71a7a30714f (patch) | |
tree | 6d2bc88726ccc7c80b678b1952db1b4c2b1f66af /untrusted_app.te | |
parent | f78fb4e0c8ae49bb73e691a37de00f2d5b66f9e1 (diff) | |
download | android_external_sepolicy-4bdd13e4c3632587c72b487a16d6c71a7a30714f.tar.gz android_external_sepolicy-4bdd13e4c3632587c72b487a16d6c71a7a30714f.tar.bz2 android_external_sepolicy-4bdd13e4c3632587c72b487a16d6c71a7a30714f.zip |
untrusted_app: neverallow debugfs
Too many leaky files in that directory. It's a security best practice
to not mount this filesystem, however, we need it mounted for
tracing support. Even though it's mounted, make sure the files aren't
readable.
Bug: 11635985
Change-Id: I6f116c0a03a567a8107a8e07135ce025e51458dd
Diffstat (limited to 'untrusted_app.te')
-rw-r--r-- | untrusted_app.te | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/untrusted_app.te b/untrusted_app.te index 1d94923..b7a2cef 100644 --- a/untrusted_app.te +++ b/untrusted_app.te @@ -63,3 +63,11 @@ allow untrusted_app media_rw_data_file:file create_file_perms; # Write to /cache. allow untrusted_app cache_file:dir create_dir_perms; allow untrusted_app cache_file:file create_file_perms; + +### +### neverallow rules +### + +# Too much leaky information in debugfs. It's a security +# best practice to ensure these files aren't readable. +neverallow untrusted_app debugfs:file read; |