From 74df7f593494a00dcc3be410b2d82267b6b31ca0 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Thu, 5 Feb 2015 09:23:13 -0800
Subject: [PATCH] don't allow mounting on top of /system files/directories

Change-Id: If311f53b9e5a1020f188ae2346dbf6466e6129ac
---
 domain.te | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/domain.te b/domain.te
index d9935fe87..1aa99594b 100644
--- a/domain.te
+++ b/domain.te
@@ -297,6 +297,9 @@ neverallow { domain -init } property_data_file:file no_w_file_perms;
 neverallow { domain -recovery } { system_file exec_type }:dir_file_class_set
     { create write setattr relabelfrom relabelto append unlink link rename };
 
+# Don't allow mounting on top of /system files or directories
+neverallow domain { system_file exec_type }:dir_file_class_set mounton;
+
 # Nothing should be writing to files in the rootfs.
 neverallow { domain -recovery } rootfs:file { create write setattr relabelto append unlink link rename };
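Review bot: The new neverallow keys on the labels `system_file` and `exec_type`, not on the /system path, so the comment above it understates its reach: `exec_type` is an attribute carried by executable-file types wherever they live, and the rule applies to every domain with no exemption, unlike the `{ domain -recovery }` rule directly above it. If recovery or any other domain legitimately mounts over a directory or file carrying one of these labels, this neverallow will fail policy compilation rather than just block the action at runtime, so that is worth confirming against the recovery and init policy before merging. A more precise comment would be `# Don't allow any domain to mount on top of anything labeled system_file or exec_type (covers /system files and directories)`.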
 
-- 
GitLab