| commit | 29c6d8c1ab5543f5394e8c703b5d9679624450f4 | [log] [tgz] |
|---|---|---|
| author | Nick Kralevich <nnk@google.com> | Mon Oct 09 15:13:31 2017 -0700 |
| committer | Nick Kralevich <nnk@google.com> | Mon Oct 09 15:13:31 2017 -0700 |
| tree | 82671ebbb98a9972d1d9422e4d0046993a8e914a | |
| parent | 7c62d00eee2dbb8ffd24653d1adc363d131585fb [diff] |
Restrict isolated_app's /sys access isolated_app is strictly limited on the files in /sys which can be accessed. Test: policy compiles. Change-Id: I9f3c00a98cd8c08a3968d8e565bf56b4670a780f
diff --git a/sepolicy/domain.te b/sepolicy/domain.te index bddbd2f..d09fe8d 100644 --- a/sepolicy/domain.te +++ b/sepolicy/domain.te
@@ -1,2 +1,2 @@ allow domain sysfs_socinfo:dir r_dir_perms; -allow domain sysfs_socinfo:file r_file_perms; +allow { domain -isolated_app } sysfs_socinfo:file r_file_perms;