diff options
author | Nick Kralevich <nnk@google.com> | 2017-10-09 15:22:11 -0700 |
---|---|---|
committer | Nick Kralevich <nnk@google.com> | 2017-10-09 15:22:11 -0700 |
commit | b67d85fdf6ca0e1318aae2cf80479a8977231a1a (patch) | |
tree | 6fee967eea5f1b5b3528b5a626cce9e8c3d47a6a | |
parent | ad0b6af1114b2603d788d241af5f5636e1c2638f (diff) | |
download | bullhead-b67d85fdf6ca0e1318aae2cf80479a8977231a1a.tar.gz |
Restrict isolated_app's /sys access
isolated_app is strictly limited on the files in /sys which can be
accessed.
Test: policy compiles.
Change-Id: Ibe6702322cd069d773416789b06b123493055a21
-rw-r--r-- | sepolicy/domain.te | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/sepolicy/domain.te b/sepolicy/domain.te index ee24d7f..24869b9 100644 --- a/sepolicy/domain.te +++ b/sepolicy/domain.te @@ -2,7 +2,7 @@ userdebug_or_eng(` allow { domain -appdomain } diag_device:chr_file rw_file_perms; ') -r_dir_file(domain, sysfs_socinfo); -r_dir_file(domain, sysfs_thermal); -r_dir_file(domain, sysfs_power_management); +r_dir_file({ domain -isolated_app }, sysfs_socinfo); +r_dir_file({ domain -isolated_app }, sysfs_thermal); +r_dir_file({ domain -isolated_app }, sysfs_power_management); r_dir_file(domain, sysfs_devices_system_cpu); |