Skip to content
Snippets Groups Projects
  • Stephen Smalley's avatar
    Remove block device access from unconfined domains. · 3f40d4f4
    Stephen Smalley authored
    
    Only allow to domains as required and amend the existing
    neverallow on block_device:blk_file to replace the
    exemption for unconfineddomain with an explicit whitelist.
    The neverallow does not check other device types as specific
    ones may need to be writable by device-specific domains.
    
    Change-Id: I0f2f1f565e886ae110a719a08aa3a1e7e9f23e8c
    Signed-off-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
    3f40d4f4