Neverallow executable files and symlink following Test: build Change-Id: Iec30d8a7642c34f12571c5654914ddbdc3d8355e

commit: 0ac2eece90af1428b328ecaab6dc0cd4a15e05bd [log] [tgz]
author: Jeff Vander Stoep <jeffv@google.com> Mon Feb 04 10:07:15 2019 -0800
committer: Jeffrey Vander Stoep <jeffv@google.com> Mon Feb 04 18:38:05 2019 +0000
tree: d1512f6c1c9b3f98b739b0d734121d13aa262ba1
parent: 5c8f9398d975bbc7c3737bc513885513716e8b46 [diff]
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 9c96f19..4ecb355 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te

@@ -20,7 +20,7 @@
 # Too much leaky information in debugfs. It's a security
 # best practice to ensure these files aren't readable.
 neverallow all_untrusted_apps { debugfs_type -debugfs_kcov }:file read;
-neverallow {all_untrusted_apps userdebug_or_eng(`-domain')} debugfs_type:file read;
+neverallow {all_untrusted_apps userdebug_or_eng(`-domain')} debugfs_type:{ file lnk_file } read;
 
 # Do not allow untrusted apps to register services.
 # Only trusted components of Android should be registering
commit	0ac2eece90af1428b328ecaab6dc0cd4a15e05bd	[log] [tgz]
author	Jeff Vander Stoep <jeffv@google.com>	Mon Feb 04 10:07:15 2019 -0800
committer	Jeffrey Vander Stoep <jeffv@google.com>	Mon Feb 04 18:38:05 2019 +0000
tree	d1512f6c1c9b3f98b739b0d734121d13aa262ba1
parent	5c8f9398d975bbc7c3737bc513885513716e8b46 [diff]