Neverallow write access to /sys files for untrusted apps am: 06cef4ff15 am: 1db7eba91f Change-Id: I961a8ab997effcc28b6601d46d88f6e3828f99db

commit: 6c558a5e0ab51a12ead34e4aae235be3de21c40f [log] [tgz]
author: Jeff Vander Stoep <jeffv@google.com> Thu Oct 12 06:46:04 2017 +0000
committer: android-build-merger <android-build-merger@google.com> Thu Oct 12 06:46:04 2017 +0000
tree: d9ae8218ebaf3b424bd8eb6f78d1634973fc66e2
parent: a35083e015166b09b8ccb34e6998397095202db3 [diff]
parent: 1db7eba91f52e9c3f558b64098193a5988dd2a52 [diff]
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 7638d36..53638f7 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te

@@ -57,6 +57,9 @@
 # Do not allow untrusted apps to access network MAC address file
 neverallow all_untrusted_apps sysfs_mac_address:file no_rw_file_perms;
 
+# Do not allow any write access to files in /sys
+neverallow all_untrusted_apps sysfs_type:file no_w_file_perms;
+
 # Restrict socket ioctls. Either 1. disallow privileged ioctls, 2. disallow the
 # ioctl permission, or 3. disallow the socket class.
 neverallowxperm all_untrusted_apps domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
commit	6c558a5e0ab51a12ead34e4aae235be3de21c40f	[log] [tgz]
author	Jeff Vander Stoep <jeffv@google.com>	Thu Oct 12 06:46:04 2017 +0000
committer	android-build-merger <android-build-merger@google.com>	Thu Oct 12 06:46:04 2017 +0000
tree	d9ae8218ebaf3b424bd8eb6f78d1634973fc66e2
parent	a35083e015166b09b8ccb34e6998397095202db3 [diff]
parent	1db7eba91f52e9c3f558b64098193a5988dd2a52 [diff]