Restrict functions for vold Raw sockets usually imply advanced parsers that might have flaws. If vold need such odd thing, force it to have that in a other domain like filesystem checks. Debug features like ptrace does not belong to vold. Bug: 64791922 Test: Manual Change-Id: I75c62d13f998621f80b2049bce0505442862bf0b

commit: f295758caeab2628d671d06d983088eaf25a493c [log] [tgz]
author: Peter Enderborg <peter.enderborg@sony.com> Wed Aug 30 11:34:39 2017 +0200
committer: John Eckerdal <john.eckerdal@sonymobile.com> Tue Sep 05 16:27:58 2017 +0200
tree: 14e7251cfb878412ff620f63c958235ca59691c1
parent: acb4871ff320f0e3c0745cc25fbc5cf78421960d [diff]
diff --git a/public/vold.te b/public/vold.te
index 99f0bb3..118244a 100644
--- a/public/vold.te
+++ b/public/vold.te

@@ -190,3 +190,5 @@
 
 neverallow vold fsck_exec:file execute_no_trans;
 neverallow { domain -init } vold:process { transition dyntransition };
+neverallow vold *:process ptrace;
+neverallow vold *:rawip_socket *;
commit	f295758caeab2628d671d06d983088eaf25a493c	[log] [tgz]
author	Peter Enderborg <peter.enderborg@sony.com>	Wed Aug 30 11:34:39 2017 +0200
committer	John Eckerdal <john.eckerdal@sonymobile.com>	Tue Sep 05 16:27:58 2017 +0200
tree	14e7251cfb878412ff620f63c958235ca59691c1
parent	acb4871ff320f0e3c0745cc25fbc5cf78421960d [diff]