Docs: Add neverallow rules info to customize page

Bug: 21467635
Change-Id: I7e9e16170e9a928227b037e2fcf56b7d31f431d3
diff --git a/src/devices/tech/security/selinux/customize.jd b/src/devices/tech/security/selinux/customize.jd
index 63b3b56..a667168 100644
--- a/src/devices/tech/security/selinux/customize.jd
+++ b/src/devices/tech/security/selinux/customize.jd
@@ -2,7 +2,7 @@
 @jd:body
 
 <!--
-    Copyright 2014 The Android Open Source Project
+    Copyright 2015 The Android Open Source Project
 
     Licensed under the Apache License, Version 2.0 (the "License");
     you may not use this file except in compliance with the License.
@@ -271,3 +271,29 @@
 </td>
  </tr>
 </table>
+
+<h2 id=neverallow>neverallow rules</h2>
+
+<p>SELinux <code>neverallow</code> rules prohibit behavior that should never occur.
+With compatibility testing, SELinux <code>neverallow</code> rules are now
+enforced across partner devices.</p>
+
+<p>The following guidelines are intended to help manufacturers avoid errors
+related to <code>neverallow</code> rules during customization. The rule numbers
+used here correspond to Android 5.1 and are subject to change by release.</p>
+
+<p>Rule 48: <code>neverallow { domain -debuggerd -vold -dumpstate
+-system_server } self:capability sys_ptrace;</code><br>
+See the man page for <code>ptrace</code>.  The <code>sys_ptrace</code>
+capability grants the ability to <code>ptrace</code> any process, which allows a great deal
+of control over other processes and should belong only to designated system
+components, outlined in the rule.  The need for this capability often indicates
+the presence of something that is not meant for user-facing builds or
+functionality that isn’t needed. Remove the unnecessary component.</p>
+
+<p>Rule 76: <code>neverallow { domain -appdomain -dumpstate -shell -system_server -zygote } { file_type -system_file -exec_type }:file execute;</code><br>
+This rule is intended to prevent the execution of arbitrary code on the system.
+Specifically, it asserts that only code on <code>/system</code> gets executed,
+which allows security guarantees thanks to mechanisms such as verified boot.
+Often, the best solution when encountering a problem with this neverallow rule
+is to move the offending code to the <code>/system</code> partition.</p>
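Review bot: the Rule 76 explanation is narrower than the rule it quotes. The target set is `{ file_type -system_file -exec_type }`, so the neverallow also leaves out every type carrying the `exec_type` attribute, not only `system_file`; the sentence "it asserts that only code on /system gets executed" overstates what the rule guarantees. Suggest rewording along the lines of "it asserts that, outside the listed domains, only files labeled `system_file` or with an `exec_type` type may be executed", and likewise in the Rule 48 text say that `sys_ptrace` lets a process `ptrace` processes it could not otherwise trace rather than "any process". Minor: "isn’t" on the Rule 48 paragraph uses a typographic apostrophe while the rest of the file uses ASCII quotes; and the opening paragraph says rule numbers "correspond to Android 5.1", which is good, since the `neverallow` index shifts between releases and readers should grep the policy for the rule text rather than rely on the number.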