Commit 17c32ab2 authored by Simon McVittie's avatar Simon McVittie

<abstractions/chaiwala-user-write>: Add doc-comment, mark as deprecated

Signed-off-by: default avatarSimon McVittie <simon.mcvittie@collabora.co.uk>
Reviewed-by: André Magalhães's avatarAndré Magalhães <andre.magalhaes@collabora.co.uk>
Differential Revision: https://phabricator.apertis.org/D5731
parent b9f76b53
......@@ -10,6 +10,21 @@
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
###
# <abstractions/chaiwala-user-write>: never use this
#
# This abstraction gives the confined process write access to the entire
# home directory, as well as several obsolete directories that no
# longer exist. It is a mixture of per-app and general paths, and can
# easily be used to escalate privileges into the TCB for protection between
# app-bundles. See https://phabricator.apertis.org/T3600
#
# Status: Apertis-specific, deprecated, should be deleted
# Privilege level: very elevated, neutralises protection between app-bundles
# Known users: none
# Dependencies: <tunables/chaiwala/chaiwala-user>, <tunables/global>
###
owner @{APPLICATION_DATA_USER}/ r,
owner @{APPLICATION_DATA_USER}/** rw,
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment