Google Git
Sign in
android / platform / external / sepolicy / f25304ee8472c48e7cacdda10b950827017e5cf9
commitf25304ee8472c48e7cacdda10b950827017e5cf9[log] [tgz]
authorWilliam Roberts <william.c.roberts@intel.com>Mon Sep 14 20:45:30 2015 -0700
committerWilliam Roberts <william.c.roberts@intel.com>Tue Oct 13 20:15:38 2015 -0700
treedc6d7a2347a04443e8d3dba885c1e1bc5c644074
parentde11f5017c53aabba212425406962d21148fd2f6 [diff]
neverallow: domain:file execute and entrypoint

Occasionally, files get labeled with the domain type rather
than the executable file type. This can work if the author
uses domain_auto_trans() versus init_daemon_domain(). This
will cause a lot of issues and is typically not what the
author intended.

Another case where exec on domain type might occur, is if
someone attempts to execute a /proc/pid file, this also
does not make sense.

To prevent this, we add a neverallow.

Change-Id: I39aff58c8f5a2f17bafcd2be33ed387199963b5f
Signed-off-by: William Roberts <william.c.roberts@intel.com>
1 file changed
tree: dc6d7a2347a04443e8d3dba885c1e1bc5c644074
  1. tools/
  2. access_vectors
  3. adbd.te
  4. Android.mk
  5. app.te
  6. atrace.te
  7. attributes
  8. binderservicedomain.te
  9. blkid.te
  10. blkid_untrusted.te
  11. bluetooth.te
  12. bootanim.te
  13. clatd.te
  14. CleanSpec.mk
  15. debuggerd.te
  16. device.te
  17. dex2oat.te
  18. dhcp.te
  19. dnsmasq.te
  20. domain.te
  21. drmserver.te
  22. dumpstate.te
  23. file.te
  24. file_contexts
  25. file_contexts_asan
  26. fingerprintd.te
  27. fs_use
  28. fsck.te
  29. fsck_untrusted.te
  30. gatekeeperd.te
  31. genfs_contexts
  32. global_macros
  33. gpsd.te
  34. hci_attach.te
  35. healthd.te
  36. hostapd.te
  37. idmap.te
  38. init.te
  39. initial_sid_contexts
  40. initial_sids
  41. inputflinger.te
  42. install_recovery.te
  43. installd.te
  44. ioctl_macros
  45. isolated_app.te
  46. kernel.te
  47. keys.conf
  48. keystore.te
  49. lmkd.te
  50. logd.te
  51. mac_permissions.xml
  52. mdnsd.te
  53. mediaserver.te
  54. mls
  55. mls_macros
  56. MODULE_LICENSE_PUBLIC_DOMAIN
  57. mtp.te
  58. net.te
  59. netd.te
  60. neverallow_macros
  61. nfc.te
  62. NOTICE
  63. perfprofd.te
  64. platform_app.te
  65. policy_capabilities
  66. port_contexts
  67. ppp.te
  68. property.te
  69. property_contexts
  70. racoon.te
  71. radio.te
  72. README
  73. recovery.te
  74. rild.te
  75. roles
  76. runas.te
  77. sdcardd.te
  78. seapp_contexts
  79. security_classes
  80. service.te
  81. service_contexts
  82. servicemanager.te
  83. sgdisk.te
  84. shared_relro.te
  85. shell.te
  86. slideshow.te
  87. su.te
  88. surfaceflinger.te
  89. system_app.te
  90. system_server.te
  91. te_macros
  92. tee.te
  93. toolbox.te
  94. tzdatacheck.te
  95. ueventd.te
  96. uncrypt.te
  97. untrusted_app.te
  98. update_engine.te
  99. users
  100. vdc.te
  101. vold.te
  102. watchdogd.te
  103. wpa.te
  104. zygote.te