Do not allow untrusted apps any access to kernel configuration

Bug: 37541374 Test: Build and boot sailfish Change-Id: I8afe9463070cca45b3f1029cc168a3bf00ed7cdc Signed-off-by: Sandeep Patil <sspatil@google.com>

Do not allow untrusted apps any access to kernel configuration
Bug: 37541374 Test: Build and boot sailfish Change-Id: I8afe9463070cca45b3f1029cc168a3bf00ed7cdc Signed-off-by: Sandeep Patil <sspatil@google.com>
2da9cfdf · Sandeep Patil · 97903c05 · 2da9cfdf
Commit 2da9cfdf authored 7 years ago by Sandeep Patil
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -98,6 +98,9 @@ neverallow all_untrusted_apps anr_data_file:dir ~search;
 # Create a more specific label if needed
 neverallow all_untrusted_apps proc:file { no_rw_file_perms no_x_file_perms };

+# Avoid all access to kernel configuration
+neverallow all_untrusted_apps config_gz:file { no_rw_file_perms no_x_file_perms };
+
 # Do not allow untrusted apps access to preloads data files
 neverallow all_untrusted_apps preloads_data_file:file no_rw_file_perms;