Restrict /proc/sys/vm/mmap_rnd_bits
Label /proc/sys/vm/mmap_rnd_bits so it is only readable and writable by init. This also tightens the neverallow restrictions for proc_security. Bug: 33563834 Test: run cts -m CtsPermissionTestCases -t \ android.permission.cts.FileSystemPermissionTest#testProcfsMmapRndBitsExistsAndSane Change-Id: Ie7af39ddbf23806d4ffa35e7b19d30fec7b6d410
parent
38dc1e2230
commit
64a0503831
@ -26,6 +26,8 @@ genfscon proc /sys/kernel/randomize_va_space u:object_r:proc_security:s0
|
||||
genfscon proc /sys/kernel/usermodehelper u:object_r:usermodehelper:s0
|
||||
genfscon proc /sys/net u:object_r:proc_net:s0
|
||||
genfscon proc /sys/vm/mmap_min_addr u:object_r:proc_security:s0
|
||||
genfscon proc /sys/vm/mmap_rnd_bits u:object_r:proc_security:s0
|
||||
genfscon proc /sys/vm/mmap_rnd_compat_bits u:object_r:proc_security:s0
|
||||
genfscon proc /sys/vm/drop_caches u:object_r:proc_drop_caches:s0
|
||||
genfscon proc /sys/vm/overcommit_memory u:object_r:proc_overcommit_memory:s0
|
||||
genfscon proc /timer_list u:object_r:proc_timer:s0
|
||||
|
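Review bot: The commit description names only /proc/sys/vm/mmap_rnd_bits, but this section also appears to add a `genfscon` entry for /sys/vm/mmap_rnd_compat_bits. The +/- markers are lost on this page, so which two of the eight lines are new is inferred from the 6→8 hunk counts. If both are new, the description should mention the compat file too, because the neverallow change in the same commit removes read access to everything labelled `proc_security` for every domain except init. A one-line comment above the two entries would record the intent, for example `# ASLR entropy settings; labelled proc_security so only init can read or write them`.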
@ -251,7 +251,7 @@ neverallow * port_device:chr_file ~{ create relabelto unlink setattr getattr };
|
||||
# Only init should be able to configure kernel usermodehelpers or
|
||||
# security-sensitive proc settings.
|
||||
neverallow { domain -init } usermodehelper:file { append write };
|
||||
neverallow { domain -init } proc_security:file { append write };
|
||||
neverallow { domain -init } proc_security:file { append open read write };
|
||||
|
||||
# No domain should be allowed to ptrace init.
|
||||
neverallow * init:process ptrace;
|
||||
|
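Review bot: The comment above these rules still says only init should be able to "configure" the settings, but the widened proc_security rule (`{ append open read write }`, taken to be the new side since the markers are lost here) now forbids reading as well. The comment should say so, for example `# Only init should be able to configure kernel usermodehelpers, or to` / `# read or write security-sensitive proc settings.` The set leaves out `getattr`, so other domains can still stat these files; if that is deliberate, it is worth a word in the comment. The usermodehelper rule keeps `{ append write }` only, so the two rules are no longer parallel and a reader may wonder whether that was an oversight.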