Neverallow write access to /sys files for untrusted apps

Test: build aosp_sailfish Change-Id: Iaefe1df66885d3e78feb600c3d9845bd9fe671a2

Neverallow write access to /sys files for untrusted apps
Test: build aosp_sailfish Change-Id: Iaefe1df66885d3e78feb600c3d9845bd9fe671a2
06cef4ff · Jeff Vander Stoep · Nick Kralevich · 5b4bea43 · 06cef4ff
Commit 06cef4ff authored 7 years ago by Jeff Vander Stoep Committed by Nick Kralevich 7 years ago
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -57,6 +57,9 @@ neverallow all_untrusted_apps file_type:file link;
 # Do not allow untrusted apps to access network MAC address file
 neverallow all_untrusted_apps sysfs_mac_address:file no_rw_file_perms;

+# Do not allow any write access to files in /sys
+neverallow all_untrusted_apps sysfs_type:file no_w_file_perms;
+
 # Restrict socket ioctls. Either 1. disallow privileged ioctls, 2. disallow the
 # ioctl permission, or 3. disallow the socket class.
 neverallowxperm all_untrusted_apps domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;