Searched refs:neverallow (Results 1 – 25 of 42) sorted by relevance
172 ### neverallow rules176 neverallow { domain -init -recovery } unlabeled:dir_file_class_set create;180 neverallow {191 neverallow {200 neverallow { domain -kernel -init -recovery -ueventd -watchdogd -healthd -vold -uncrypt -tee } self…203 neverallow domain self:memprotect mmap_zero;206 neverallow domain self:capability2 mac_override;209 neverallow { domain -recovery } self:capability2 mac_admin;215 neverallow { domain -init } kernel:security load_policy;219 neverallow { domain -init -system_server } security_prop:property_service set;[all …]
216 neverallow { appdomain -bluetooth } self:capability *;217 neverallow { appdomain -bluetooth } self:capability2 *;220 neverallow appdomain dev_type:blk_file { read write };223 neverallow appdomain {233 neverallow { untrusted_app isolated_app shell } graphics_device:chr_file { read write };235 neverallow { appdomain -nfc } nfc_device:chr_file237 neverallow { appdomain -bluetooth } hci_attach_dev:chr_file239 neverallow appdomain tee_device:chr_file { read write };242 neverallow appdomain256 neverallow appdomain domain:netlink_kobject_uevent_socket { write append };[all …]
26 neverallow { domain -keystore } keystore_data_file:dir ~{ open create read getattr setattr search r…27 neverallow { domain -keystore } keystore_data_file:notdevfile_class_set ~{ relabelto getattr };29 neverallow { domain -keystore -init } keystore_data_file:dir *;30 neverallow { domain -keystore -init } keystore_data_file:notdevfile_class_set *;32 neverallow domain keystore:process ptrace;
16 ### neverallow rules20 neverallow blkid_untrusted {34 neverallow { domain -vold } blkid_untrusted:process transition;35 neverallow domain blkid_untrusted:process dyntransition;36 neverallow blkid_untrusted { file_type fs_type -blkid_exec -shell_exec }:file entrypoint;
16 ### neverallow rules20 neverallow fsck_untrusted {34 neverallow { domain -vold } fsck_untrusted:process transition;35 neverallow domain fsck_untrusted:process dyntransition;36 neverallow fsck_untrusted { file_type fs_type -fsck_exec }:file entrypoint;
25 ### neverallow rules29 neverallow fsck {41 neverallow { domain -init -vold } fsck:process transition;42 neverallow domain fsck:process dyntransition;43 neverallow fsck { file_type fs_type -fsck_exec }:file entrypoint;
116 ### neverallow rules120 neverallow untrusted_app domain:netlink_kobject_uevent_socket *;123 neverallow untrusted_app domain:netlink_socket *;127 neverallow untrusted_app debugfs:file read;132 neverallow untrusted_app service_manager_type:service_manager add;136 neverallow untrusted_app property_socket:sock_file write;137 neverallow untrusted_app init:unix_stream_socket connectto;138 neverallow untrusted_app property_type:property_service set;143 # constraints. As there is no direct way to specify a neverallow148 neverallow untrusted_app mlstrustedsubject:process fork;[all …]
35 neverallow logd dev_type:blk_file { read write };38 neverallow logd domain:process ptrace;41 neverallow logd system_file:dir_file_class_set write;44 neverallow logd { app_data_file system_data_file }:dir_file_class_set write;
18 neverallow { domain -vold } blkid:process transition;19 neverallow domain blkid:process dyntransition;20 neverallow blkid { file_type fs_type -blkid_exec -shell_exec }:file entrypoint;
33 ##### neverallow rules39 neverallow ueventd property_socket:sock_file write;40 neverallow ueventd init:unix_stream_socket connectto;41 neverallow ueventd property_type:property_service set;
20 neverallow { domain -vold } sgdisk:process transition;21 neverallow domain sgdisk:process dyntransition;22 neverallow sgdisk { file_type fs_type -sgdisk_exec }:file entrypoint;
23 ### neverallow27 neverallow gpsd self:capability *;28 neverallow gpsd self:capability2 ~block_suspend;
24 neverallow { domain -init } toolbox:process transition;25 neverallow domain toolbox:process dyntransition;26 neverallow toolbox { file_type fs_type -toolbox_exec}:file entrypoint;
29 neverallow isolated_app app_data_file:file open;34 neverallow isolated_app {41 neverallow isolated_app gpu_device:chr_file { rw_file_perms execute };
30 ### neverallow rules34 neverallow runas self:capability ~{ setuid setgid };35 neverallow runas self:capability2 *;
42 ### neverallow rules46 neverallow wpa sdcard_type:dir ~getattr;47 neverallow wpa sdcard_type:file *;
34 ### neverallow rules38 neverallow init sdcardd_exec:file execute;39 neverallow init sdcardd:process { transition dyntransition };
76 neverallow netd dev_type:blk_file { read write };79 neverallow netd { domain }:process ptrace;82 neverallow netd system_file:dir_file_class_set write;85 neverallow netd { app_data_file system_data_file }:dir_file_class_set write;
34 ### neverallow rules37 neverallow domain lmkd:process noatsecure;
166 neverallow { domain -vold } vold_data_file:dir ~{ open create read getattr setattr search relabelto…167 neverallow { domain -vold } vold_data_file:notdevfile_class_set ~{ relabelto getattr };168 neverallow { domain -vold -init } vold_data_file:dir *;169 neverallow { domain -vold -init } vold_data_file:notdevfile_class_set *;170 neverallow { domain -vold -init } restorecon_prop:property_service set;
4 # in neverallow rules.104 ### neverallow rules117 neverallow recovery data_file_type:file { no_w_file_perms no_x_file_perms };118 neverallow recovery data_file_type:dir no_w_dir_perms;
70 ### neverallow rules74 # in the appdomain attribute, so that all allow and neverallow rules79 neverallow zygote ~{ appdomain system_server }:process dyntransition;
272 ### neverallow rules277 neverallow domain init:process dyntransition;278 neverallow { domain -kernel} init:process transition;279 neverallow init { file_type fs_type -init_exec }:file entrypoint;282 neverallow init shell_data_file:lnk_file read;283 neverallow init app_data_file:lnk_file read;286 neverallow init { file_type fs_type }:file execute_no_trans;
60 ### neverallow rules65 neverallow domain kernel:process { transition dyntransition };78 neverallow kernel { file_type fs_type -rootfs }:file { entrypoint execute_no_trans };
68 NEVERALLOW CHECKING (neverallow)69 sepolicy-analyze out/target/product/<board>/root/sepolicy neverallow \70 [-w] [-d] [-f neverallows.conf] | [-n "neverallow string"]72 Check whether the sepolicy file violates any of the neverallow rules73 from the neverallows.conf file or a given string, which contain neverallow85 classes, or permissions from a neverallow rule that could not be resolved87 the policy from which the neverallow rules were taken and the policy88 being checked. Such values are ignored for the purposes of neverallow92 neverallow rules as it parses them. This is principally a debugging facility93 for the parser but could also be used to extract neverallow rules from