Commit 7ffb9972 authored by Stephen Smalley

Neverallow low memory mappings.


This just adds a neverallow rule to ensure we never
add an allow rule permitting such mappings.

Change-Id: Id20463b26e0eac5b7629326f68b3b94713108cc2
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
parent f78fb4e0
...@@ -153,6 +153,9 @@ neverallow { domain -debuggerd -vold -dumpstate -system_server } self:capability ...@@ -153,6 +153,9 @@ neverallow { domain -debuggerd -vold -dumpstate -system_server } self:capability
# Limit device node creation and raw I/O to these whitelisted domains. # Limit device node creation and raw I/O to these whitelisted domains.
neverallow { domain -kernel -init -recovery -ueventd -watchdogd -healthd -vold -uncrypt } self:capability { sys_rawio mknod }; neverallow { domain -kernel -init -recovery -ueventd -watchdogd -healthd -vold -uncrypt } self:capability { sys_rawio mknod };
# No process can map low memory (< CONFIG_LSM_MMAP_MIN_ADDR).
neverallow domain self:memprotect mmap_zero;
# No domain needs mac_override as it is unused by SELinux. # No domain needs mac_override as it is unused by SELinux.
neverallow domain self:capability2 mac_override; neverallow domain self:capability2 mac_override;
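
Review bot: The comment on the added `neverallow domain self:memprotect mmap_zero;` says what is blocked but not why, while the next rule's comment gives its reason ("as it is unused by SELinux"). Suggest extending it with one clause on the purpose, namely that denying mappings below the minimum address keeps a kernel NULL-pointer dereference from resolving to a page that userspace controls. Also note that this rule, unlike the two `self:capability` rules above it, exempts no domain at all, so the policy build will fail if any existing allow rule grants `mmap_zero`; the commit message implies none does, and it is worth confirming that with a search of the tree before merging.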