Revert "Neverallow coredomain to kernel interface files."
This reverts commit 502e43f7d9
.
Reason for revert: Suspected to have broken a build, see b/68792382
Bug: 68792382
Change-Id: Ib5d465b7a50a73e3d8d8edd4e6b3426a7bde4249
This commit is contained in:
parent
502e43f7d9
commit
83a06805f0
@ -16,119 +16,3 @@ neverallow {
|
||||
|
||||
# Limit ability to generate hardware unique device ID attestations to priv_apps
|
||||
neverallow { domain -priv_app } *:keystore_key gen_unique_id;
|
||||
|
||||
# Core domains are not permitted to use kernel interfaces which are not
|
||||
# explicitly labeled.
|
||||
# TODO(b/65643247): Apply these neverallow rules to all coredomain.
|
||||
full_treble_only(`
|
||||
# /proc
|
||||
neverallow {
|
||||
coredomain
|
||||
-dumpstate
|
||||
-init
|
||||
-platform_app
|
||||
-priv_app
|
||||
-radio
|
||||
-shell
|
||||
-system_app
|
||||
-vold
|
||||
-vendor_init
|
||||
} proc:file no_rw_file_perms;
|
||||
|
||||
# /sys
|
||||
neverallow {
|
||||
coredomain
|
||||
-charger
|
||||
-dumpstate
|
||||
-healthd
|
||||
-init
|
||||
-mediaserver
|
||||
-priv_app
|
||||
-radio
|
||||
-storaged
|
||||
-system_app
|
||||
-system_server
|
||||
-ueventd
|
||||
-update_verifier
|
||||
-vold
|
||||
-vendor_init
|
||||
} sysfs:file no_rw_file_perms;
|
||||
|
||||
# /dev
|
||||
neverallow {
|
||||
coredomain
|
||||
-fsck
|
||||
-init
|
||||
-shell
|
||||
-ueventd
|
||||
-vendor_init
|
||||
} device:{ blk_file file } no_rw_file_perms;
|
||||
|
||||
# debugfs
|
||||
neverallow {
|
||||
coredomain
|
||||
-dumpstate
|
||||
-init
|
||||
-system_server
|
||||
-vendor_init
|
||||
} debugfs:file no_rw_file_perms;
|
||||
|
||||
# tracefs
|
||||
neverallow {
|
||||
coredomain
|
||||
-atrace
|
||||
-dumpstate
|
||||
-init
|
||||
-perfprofd
|
||||
-shell
|
||||
-vendor_init
|
||||
} debugfs_tracing:file no_rw_file_perms;
|
||||
|
||||
# inotifyfs
|
||||
neverallow {
|
||||
coredomain
|
||||
-init
|
||||
-vendor_init
|
||||
} inotify:file no_rw_file_perms;
|
||||
|
||||
# pstorefs
|
||||
neverallow {
|
||||
coredomain
|
||||
-bootstat
|
||||
-charger
|
||||
-dumpstate
|
||||
-healthd
|
||||
-init
|
||||
-logd
|
||||
-logpersist
|
||||
-recovery_persist
|
||||
-recovery_refresh
|
||||
-shell
|
||||
-system_server
|
||||
-vendor_init
|
||||
} pstorefs:file no_rw_file_perms;
|
||||
|
||||
# configfs
|
||||
neverallow {
|
||||
coredomain
|
||||
-init
|
||||
-system_server
|
||||
-vendor_init
|
||||
} configfs:file no_rw_file_perms;
|
||||
|
||||
# functionfs
|
||||
neverallow {
|
||||
coredomain
|
||||
-adbd
|
||||
-init
|
||||
-mediaprovider
|
||||
-vendor_init
|
||||
}functionfs:file no_rw_file_perms;
|
||||
|
||||
# usbfs and binfmt_miscfs
|
||||
neverallow {
|
||||
coredomain
|
||||
-init
|
||||
-vendor_init
|
||||
}{ usbfs binfmt_miscfs }:file no_rw_file_perms;
|
||||
')
|
||||
|
Loading…
Reference in New Issue
Block a user