Neverallow vendor code access to files on /system.

What changed:
- Tightening neverallow forbidding vendor execution access in /system.
In its current form the neverallow is loose because not all executables
have exec_type attribute, e.g. almost everything in /system/bin/. This
change tightens up the neverallow by instead targeting system_file_type
attribute, which must be applied to all files in /system.
- Adding a general neverallow forbidding all access to files in /system
(bar exceptions)

TODOs:
- Remove loopholes once Treble violations are fixed across all internal
build targets.

Bug: 111243627
Test: m selinux_policy; build-only change
Change-Id: Ic8d71c8d139cad687ad7d7c9db7111240475f175
1 file changed