From 2da9cfdff73536d741a1d171a1b156155a4124ae Mon Sep 17 00:00:00 2001
From: Sandeep Patil <sspatil@google.com>
Date: Fri, 21 Apr 2017 11:25:29 -0700
Subject: [PATCH] Do not allow untrusted apps any access to kernel
 configuration

Bug: 37541374
Test: Build and boot sailfish

Change-Id: I8afe9463070cca45b3f1029cc168a3bf00ed7cdc
Signed-off-by: Sandeep Patil <sspatil@google.com>
---
 private/app_neverallows.te | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 5e47b68db..beee4f7fb 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -98,6 +98,9 @@ neverallow all_untrusted_apps anr_data_file:dir ~search;
 # Create a more specific label if needed
 neverallow all_untrusted_apps proc:file { no_rw_file_perms no_x_file_perms };
 
+# Avoid all access to kernel configuration
+neverallow all_untrusted_apps config_gz:file { no_rw_file_perms no_x_file_perms };
+
 # Do not allow untrusted apps access to preloads data files
 neverallow all_untrusted_apps preloads_data_file:file no_rw_file_perms;
 
-- 
GitLab