commit 6a4bc81a2b0cf0349c4efb4661bc2446a6ec2041
author Treehugger Robot <treehugger-gerrit@google.com> Fri Jul 23 09:29:53 2021 +0000
committer Gerrit Code Review <noreply-gerritcodereview@google.com> Fri Jul 23 09:29:53 2021 +0000
tree cbb08a5fc47783808351eae0f05befde544b3153
parent f326072b40763616f68f7ae6c6119f80c802f73d
parent a89d6aa301acd4f43b8ac8ec629738732c8d442a

Merge changes I43bf09d8,I1fd35d0e

* changes:
  Disallow microdroid from running arbitrary domains
  Add domain for compos binaries

microdroid/system/private/domain.te

diff --git a/microdroid/system/private/domain.te b/microdroid/system/private/domain.te
index fe4d072..a3dfb27 100644
--- a/microdroid/system/private/domain.te
+++ b/microdroid/system/private/domain.te
@@ -242,6 +242,15 @@
 allow domain task_profiles_file:file r_file_perms;
 allow domain task_profiles_api_file:file r_file_perms;
 
+# cgroupfs directories can be created, but not files within them.
+neverallow domain cgroup:file create;
+neverallow domain cgroup_v2:file create;
+
+dontaudit domain proc_type:dir write;
+dontaudit domain sysfs_type:dir write;
+dontaudit domain cgroup:file create;
+dontaudit domain cgroup_v2:file create;
+
 #-----------------------------------------
 # Allow access to fsverity keyring.
 allow domain kernel:key search;