Don't allow ptrace on keystore
keystore may hold sensitive information in it's memory. Don't allow anyone to ptrace keystore. Change-Id: I4e3717e482b9fd128d38ce687c03122d41678b6f
This commit is contained in:
parent
5ce079b916
commit
8aa754c9be
@ -9,7 +9,7 @@ allow debuggerd self:capability2 { syslog };
|
||||
allow debuggerd domain:dir r_dir_perms;
|
||||
allow debuggerd domain:file r_file_perms;
|
||||
allow debuggerd domain:lnk_file read;
|
||||
allow debuggerd { domain -init -ueventd -watchdogd -healthd -adbd }:process ptrace;
|
||||
allow debuggerd { domain -init -ueventd -watchdogd -healthd -adbd -keystore }:process ptrace;
|
||||
security_access_policy(debuggerd)
|
||||
allow debuggerd system_data_file:dir create_dir_perms;
|
||||
allow debuggerd system_data_file:dir relabelfrom;
|
||||
|
@ -15,7 +15,7 @@ allow keystore tee:unix_stream_socket connectto;
|
||||
###
|
||||
### Neverallow rules
|
||||
###
|
||||
### Protect our files from others
|
||||
### Protect ourself from others
|
||||
###
|
||||
|
||||
neverallow { domain -keystore } keystore_data_file:dir ~{ open create read getattr setattr search relabelto };
|
||||
@ -23,3 +23,5 @@ neverallow { domain -keystore } keystore_data_file:notdevfile_class_set ~{ relab
|
||||
|
||||
neverallow { domain -keystore -init -kernel -recovery } keystore_data_file:dir *;
|
||||
neverallow { domain -keystore -init -kernel -recovery } keystore_data_file:notdevfile_class_set *;
|
||||
|
||||
neverallow domain keystore:process ptrace;
|
||||
|
Loading…
Reference in New Issue
Block a user