neverallow_macros · 0780f30c80740c3a19e70e9ffa25631e5b9a9ced · CodeLinaro / public-release-test / platform / system / sepolicy · GitLab

Snippets Groups Projects

recovery.te: add /data neverallow rules · a17a266e

Nick Kralevich authored 10 years ago

Recovery should never be accessing files from /data.
In particular, /data may be encrypted, and the files within
/data will be inaccessible to recovery, because recovery doesn't
know the decryption key.

Enforce write/execute restrictions on recovery. We can't tighten
it up further because domain.te contains some /data read-only
access rules, which shouldn't apply to recovery but do.

Create neverallow_macros, used for storing permission macros
useful for neverallow rules. Standardize recovery.te and
property_data_file on the new macros.

Change-Id: I02346ab924fe2fdb2edc7659cb68c4f8dffa1e88

a17a266e

neverallow_macros 298 B

#
# Common neverallow permissions
define(`no_w_file_perms', `{ append create link unlink relabelfrom rename setattr write }')
define(`no_x_file_perms', `{ execute execute_no_trans }')
define(`no_w_dir_perms',  `{ add_name create link relabelfrom remove_name rename reparent rmdir setattr write }')