Merge "ban hal_dumpstate_default from execute_no_trans" into main

2024-10-08 03:13:54 +00:00 · 2024-10-08 03:13:54 +00:00 · fa448be01f
commit fa448be01f
parent 8edb8909cf f24bfe8ca3
1 changed files with 5 additions and 0 deletions
--- a/gear/dumpstate/sepolicy/hal_dumpstate_default.te
+++ b/gear/dumpstate/sepolicy/hal_dumpstate_default.te
@ -5,3 +5,8 @@ allow hal_dumpstate_default radio_vendor_data_file:file create_file_perms;
 allow hal_dumpstate_default shell_data_file:file getattr;
 set_prop(hal_dumpstate_default, vendor_logger_prop)

+# All dumps that are executed via hal_dumpstate_default should use their
+# own domain to request their permissions to achieve compartmentalization.
+# go/pixel-bugreport has examples on how to do that.
+neverallow hal_dumpstate_default { vendor_file_type -vendor_toolbox_exec }:file execute_no_trans;
+