Strengthen ptrace neverallow rules
Add additional compile time constraints on the ability to ptrace various sensitive domains. llkd: remove some domains which llkd should never ptrace, even on debuggable builds, such as kernel threads and init. crash_dump neverallows: Remove the ptrace neverallow checks because it duplicates other neverallow assertions spread throughout the policy. Test: policy compiles and device boots Change-Id: Ia4240d1ce7143b983bb048e046bb4729d0af5a6e
Showing
- private/bpfloader.te 7 additions, 2 deletionsprivate/bpfloader.te
- private/crash_dump.te 8 additions, 1 deletionprivate/crash_dump.te
- private/llkd.te 3 additions, 0 deletionsprivate/llkd.te
- public/domain.te 0 additions, 3 deletionspublic/domain.te
- public/init.te 3 additions, 0 deletionspublic/init.te
- public/kernel.te 17 additions, 14 deletionspublic/kernel.te
- public/ueventd.te 3 additions, 0 deletionspublic/ueventd.te
- public/vendor_init.te 3 additions, 0 deletionspublic/vendor_init.te
Please register or sign in to comment