Sepolicy: Give apexd permission for mounton
To not propagate any changes by APEX hooks, apexd remounts / private. Bug: 119260955 Bug: 119261380 Test: atest apexservice_test Change-Id: I19aebc9c1562d8c4e4fedf36eb79826291b6ee61
parent
db90b91ea0
commit
742ac5561c
@ -81,6 +81,10 @@ allow apexd kmsg_device:chr_file w_file_perms;
|
||||
# Allow self-execute for the fork mount helper.
|
||||
allow apexd apexd_exec:file execute_no_trans;
|
||||
|
||||
# Unshare and make / private so that hooks cannot influence the
|
||||
# running system.
|
||||
allow apexd rootfs:dir mounton;
|
||||
|
||||
# Allow to execute shell for pre- and postinstall scripts. A transition
|
||||
# rule is required, thus restricted to execute and not execute_no_trans.
|
||||
allow apexd shell_exec:file { r_file_perms execute };
|
||||
|
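Review bot: The new `allow apexd rootfs:dir mounton;` grants more than its comment describes, because it is a type-level rule that covers every directory labeled `rootfs`, not only `/`. The restriction to a propagation change on `/` is therefore enforced by apexd's code rather than by policy, and the comment should say so, for example `# mounton is the permission checked when / is made private; the grant covers any rootfs-labeled dir, so apexd must only ever pass "/" here.` Unsharing the mount namespace and changing propagation presumably also need the `sys_admin` capability, which this hunk does not show; it is worth confirming that it is granted elsewhere in the file and noting the dependency next to this rule.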