binderfs neverallows Add neverallow reading these files because this came up in a review recently, and they contain information about processes which is important for security, so we'd like to avoid accidentally granted these permissions. Fixes: 306036348 Test: build (is build time change) Change-Id: I8b8917dacd2a65b809b7b6fb7c1869a3db94156b

commit: 0365329dad68ba3ee1460b04ad3dd51bfb8ac395 [log] [tgz]
author: Steven Moreland <smoreland@google.com> Tue Oct 24 22:49:25 2023 +0000
committer: Steven Moreland <smoreland@google.com> Wed Oct 25 00:41:25 2023 +0000
tree: 4fcb527ad4a96d9e388b58e63eac630ff13bc645
parent: c5509a8ea0d3657b67f6f5a60c649f3bfc1151cd [diff]
diff --git a/public/domain.te b/public/domain.te
index bed0d7d..d630a24 100644
--- a/public/domain.te
+++ b/public/domain.te

@@ -440,6 +440,10 @@
 neverallow * init:binder *;
 neverallow * vendor_init:binder *;
 
+# Binderfs logs contain sensitive information about other processes.
+neverallow { domain -dumpstate -init -vendor_init userdebug_or_eng(`-domain') } { binderfs_logs binderfs_logs_proc }:file no_rw_file_perms;
+neverallow { domain -dumpstate -init -vendor_init -system_server } binderfs_logs_stats:file no_rw_file_perms;
+
 # Don't allow raw read/write/open access to block_device
 # Rather force a relabel to a more specific type
 neverallow { domain -kernel -init -recovery } block_device:blk_file { open read write };
commit	0365329dad68ba3ee1460b04ad3dd51bfb8ac395	[log] [tgz]
author	Steven Moreland <smoreland@google.com>	Tue Oct 24 22:49:25 2023 +0000
committer	Steven Moreland <smoreland@google.com>	Wed Oct 25 00:41:25 2023 +0000
tree	4fcb527ad4a96d9e388b58e63eac630ff13bc645
parent	c5509a8ea0d3657b67f6f5a60c649f3bfc1151cd [diff]