Fixup neverallow rule
When we removed /data/dalvik-cache execute permission for system_server (b/37214733, b/31780877), I forgot to fixup this neverallow rule. Fix rule. Test: policy compiles. Change-Id: I38b821a662e0d8304b8390a69a6d9e923211c31e
This commit is contained in:
Nick Kralevich
parent
714ee5f293
commit
2ec15e5b27
@ -758,11 +758,8 @@ neverallow { domain -init -system_server -crash_dump } system_ndebug_socket:sock
|
||||
neverallow system_server dex2oat_exec:file no_x_file_perms;
|
||||
|
||||
# system_server should never execute or load executable shared libraries
|
||||
# in /data except for /data/dalvik-cache files.
|
||||
neverallow system_server {
|
||||
data_file_type
|
||||
-dalvikcache_data_file #mapping with PROT_EXEC
|
||||
}:file no_x_file_perms;
|
||||
# in /data
|
||||
neverallow system_server data_file_type:file no_x_file_perms;
|
||||
|
||||
# The only block device system_server should be accessing is
|
||||
# the frp_block_device. This helps avoid a system_server to root
|
||||
|
||||
Loading…
Reference in New Issue
Block a user