Diffstat (limited to 'app.te')
-rw-r--r-- | app.te | 4 |
1 files changed, 4 insertions, 0 deletions
@@ -222,6 +222,10 @@ selinux_check_context(appdomain) auditallow { appdomain userdebug_or_eng(`-su') } sysfs:dir { open getattr read ioctl }; auditallow { appdomain userdebug_or_eng(`-su') } sysfs:file r_file_perms; +# Apps receive an open tun fd from the framework for +# device traffic. Do not allow untrusted app to directly open tun_device +allow { appdomain -isolated_app } tun_device:chr_file { read write getattr ioctl append }; + ### ### Neverallow rules ### |
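Review bot: The comment above the new `allow` rule says untrusted apps must not open tun_device directly, but that is enforced only by leaving `open` out of this one rule, so a later rule could grant it without any build failure. Since the hunk sits directly above the Neverallow section, consider pinning the intent there with something like `neverallow untrusted_app tun_device:chr_file open;`, adjusting the source set if other app domains legitimately open the device (not visible from this hunk). Separately, `ioctl` is granted without restriction to every appdomain except isolated_app; if the policy version in use supports ioctl command whitelisting, limiting it to the commands apps need on an inherited tun fd would narrow the exposed kernel surface. A short comment on why isolated_app is excluded would also help the next reader.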