diff options
| -rw-r--r-- | prebuilts/api/29.0/public/domain.te | 4 | ||||
| -rw-r--r-- | public/domain.te | 4 |
2 files changed, 4 insertions, 4 deletions
diff --git a/prebuilts/api/29.0/public/domain.te b/prebuilts/api/29.0/public/domain.te index fe68ed02..6f3a19cd 100644 --- a/prebuilts/api/29.0/public/domain.te +++ b/prebuilts/api/29.0/public/domain.te @@ -488,8 +488,8 @@ neverallow { domain -kernel with_asan(`-asan_extract') } { system_file_type vend neverallow * exec_type:dir_file_class_set mounton; neverallow { domain -init } { system_file_type vendor_file_type }:dir_file_class_set mounton; -# Nothing should be writing to files in the rootfs. -neverallow * rootfs:file { create write setattr relabelto append unlink link rename }; +# Nothing should be writing to files in the rootfs, except recovery. +neverallow { domain -recovery } rootfs:file { create write setattr relabelto append unlink link rename }; # Restrict context mounts to specific types marked with # the contextmount_type attribute. diff --git a/public/domain.te b/public/domain.te index fe68ed02..6f3a19cd 100644 --- a/public/domain.te +++ b/public/domain.te @@ -488,8 +488,8 @@ neverallow { domain -kernel with_asan(`-asan_extract') } { system_file_type vend neverallow * exec_type:dir_file_class_set mounton; neverallow { domain -init } { system_file_type vendor_file_type }:dir_file_class_set mounton; -# Nothing should be writing to files in the rootfs. -neverallow * rootfs:file { create write setattr relabelto append unlink link rename }; +# Nothing should be writing to files in the rootfs, except recovery. +neverallow { domain -recovery } rootfs:file { create write setattr relabelto append unlink link rename }; # Restrict context mounts to specific types marked with # the contextmount_type attribute. |