Do not allow untrusted apps any access to kernel configuration
Bug: 37541374
Test: Build and boot sailfish
Change-Id: I8afe9463070cca45b3f1029cc168a3bf00ed7cdc
Signed-off-by: Sandeep Patil <sspatil@google.com>
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 5e47b68..beee4f7 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -98,6 +98,9 @@
# Create a more specific label if needed
neverallow all_untrusted_apps proc:file { no_rw_file_perms no_x_file_perms };
+# Avoid all access to kernel configuration
+neverallow all_untrusted_apps config_gz:file { no_rw_file_perms no_x_file_perms };
+
# Do not allow untrusted apps access to preloads data files
neverallow all_untrusted_apps preloads_data_file:file no_rw_file_perms;
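Review bot: The comment on the new rule says "all access", but the neverallow on the added `config_gz:file` line covers only `no_rw_file_perms` and `no_x_file_perms`; if those macros are defined as in the rest of the policy they do not include `getattr`, so an untrusted app could still stat /proc/config.gz (the macro definitions are not visible in this hunk, so confirm against global_macros.te). Either extend the rule to `neverallow all_untrusted_apps config_gz:file { no_rw_file_perms no_x_file_perms getattr };` or narrow the comment to `# Do not allow untrusted apps to read, write or execute the kernel config (/proc/config.gz)`. The comment would also be more useful to the next maintainer if it stated the reason, e.g. `# config.gz reveals kernel build options that help an attacker tailor an exploit`. The "Build and boot" test line does not show that the rule fires; an explicit check that a process in an untrusted app domain is denied read on /proc/config.gz would.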