Don't allow ptrace on keystore

keystore may hold sensitive information in its memory. Don't
allow anyone to ptrace keystore.

Change-Id: I4e3717e482b9fd128d38ce687c03122d41678b6f
Nick Kralevich 2014-05-19 21:49:50 -07:00
parent 5ce079b916
commit 8aa754c9be
2 changed files with 4 additions and 2 deletions


@ -9,7 +9,7 @@ allow debuggerd self:capability2 { syslog };
allow debuggerd domain:dir r_dir_perms;
allow debuggerd domain:file r_file_perms;
allow debuggerd domain:lnk_file read;
allow debuggerd { domain -init -ueventd -watchdogd -healthd -adbd }:process ptrace;
allow debuggerd { domain -init -ueventd -watchdogd -healthd -adbd -keystore }:process ptrace;
security_access_policy(debuggerd)
allow debuggerd system_data_file:dir create_dir_perms;
allow debuggerd system_data_file:dir relabelfrom;
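Review bot: The exclusion list on the `process ptrace` rule has no comment recording why each domain is carved out, and with `-keystore` added debuggerd can no longer ptrace keystore, so a keystore crash will presumably lose its native backtrace. A line above the rule would document that trade-off, for example `# keystore holds key material in memory; never ptrace it, even to collect a crash dump.` The `domain:dir`, `domain:file` and `domain:lnk_file` rules just above the changed line are untouched and still include keystore, so debuggerd keeps read access to keystore's /proc entries; it is worth confirming that this is intended.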


@ -15,7 +15,7 @@ allow keystore tee:unix_stream_socket connectto;
###
### Neverallow rules
###
### Protect our files from others
### Protect ourself from others
###
neverallow { domain -keystore } keystore_data_file:dir ~{ open create read getattr setattr search relabelto };
@ -23,3 +23,5 @@ neverallow { domain -keystore } keystore_data_file:notdevfile_class_set ~{ relab
neverallow { domain -keystore -init -kernel -recovery } keystore_data_file:dir *;
neverallow { domain -keystore -init -kernel -recovery } keystore_data_file:notdevfile_class_set *;
neverallow domain keystore:process ptrace;
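Review bot: The added `neverallow domain keystore:process ptrace;` has no comment of its own, and the reworded header above it ("Protect ourself from others") does not say what is being protected or why. A line such as `# keystore keeps key material in memory; no domain may ptrace it, with no exceptions.` would explain why this rule has no exemption list, unlike the `keystore_data_file` rules above it, which exempt init, kernel and recovery. Because the source set is plain `domain`, the assertion also covers keystore itself, which looks deliberate but is worth stating in the same comment. A neverallow only fails the policy build when some allow rule contradicts it, so any other `domain:process ptrace` grant elsewhere in the policy (not visible in this commit) needs the same `-keystore` exclusion that debuggerd received.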