Wider neverallow rules for coredomain /dev access.
"iio_device" and "radio_device" must not be accessed by coredomain on any device, and "tee_device" must not be accessed by coredomain on Treble devices. Bug: 110962171 Test: m selinux_policy Test: mmma system/sepolicy Change-Id: I27029b6579b41109c01c35c6ab5a992413f2de5c
This commit is contained in:
parent
9cded32f6a
commit
2725edc658
@ -169,12 +169,12 @@ full_treble_only(`
}{ usbfs binfmt_miscfs }:file no_rw_file_perms;
')
# Following /dev nodes must not be directly accessed by coredomain after Treble,
# but should instead be wrapped by HALs.
full_treble_only(`
neverallow coredomain {
iio_device
radio_device
tee_device
}:chr_file { open read append write ioctl };
')
# Following /dev nodes must not be directly accessed by coredomain, but should
# instead be wrapped by HALs.
neverallow coredomain {
iio_device
radio_device
# TODO(b/120243891): HAL permission to tee_device is included into coredomain
# on non-Treble devices.
full_treble_only(`tee_device')
}:chr_file { open read append write ioctl };
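Review bot: The denied set on the closing line `}:chr_file { open read append write ioctl };` is hand-enumerated, while the context line at the top of the hunk expresses its restriction through the `no_rw_file_perms` macro, and nothing in the new rule records why permissions such as `getattr`, `lock` or `map` are not listed. A neverallow only rejects what it names, so a reader cannot tell from here whether leaving those grantable to coredomain was judged harmless or was simply not considered; a one-line comment above the rule such as `# getattr/lock/map are intentionally not denied: presumably of no use without open/read/write` would make the intent reviewable. The neverallow closed by the first context line begins outside the hunk.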