forked from danielhk/android_device_asus_grouper
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathsystem_sepolicy.patch
90 lines (81 loc) · 2.57 KB
/
system_sepolicy.patch
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
diff --git a/app.te b/app.te
index 4462062..4825dbc 100644
--- a/app.te
+++ b/app.te
@@ -276,7 +276,7 @@ allow appdomain cache_file:dir getattr;
# Superuser capabilities.
# bluetooth requires net_admin and wake_alarm.
-neverallow { appdomain -bluetooth } self:capability *;
+neverallow { appdomain -bluetooth -shell } self:capability *;
neverallow { appdomain -bluetooth } self:capability2 *;
# Block device access.
diff --git a/domain.te b/domain.te
index 1ea8b1e..d071047 100644
--- a/domain.te
+++ b/domain.te
@@ -380,6 +380,8 @@ neverallow {
-installd
-postinstall_dexopt
-dex2oat
+ -shell
+ -system_app
} dalvikcache_data_file:file no_w_file_perms;
neverallow {
@@ -388,6 +390,7 @@ neverallow {
-installd
-postinstall_dexopt
-dex2oat
+ -shell
-zygote
} dalvikcache_data_file:dir no_w_dir_perms;
@@ -429,6 +432,7 @@ neverallow { domain userdebug_or_eng(`-dumpstate -shell -su') } su_exec:file no_
# which, long term, need to go away.
neverallow * {
file_type
+ -system_file
-system_data_file
-apk_data_file
-app_data_file
@@ -564,7 +568,24 @@ neverallow * domain:file { execute execute_no_trans entrypoint };
# Instead, if access to part of debugfs is desired, it should have a
# more specific label.
# TODO: fix system_server and dumpstate
-neverallow { domain -init -system_server -dumpstate userdebug_or_eng(`-qti_debugfs_domain')} debugfs:file no_rw_file_perms;
+neverallow {
+ domain
+ -init
+ -system_server
+ -dumpstate
+ -surfaceflinger
+ -zygote
+ -dex2oat
+ -cameraserver
+ -audioserver
+ -bootanim
+ -shell
+ -priv_app
+ -system_app
+ -untrusted_app
+ -mediacodec
+ -mediaserver
+} debugfs:file no_rw_file_perms;
neverallow {
domain
diff --git a/untrusted_app.te b/untrusted_app.te
index 6bc6843..370107f 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -61,7 +61,7 @@ allow untrusted_app media_rw_data_file:file create_file_perms;
# Traverse into /mnt/media_rw for bypassing FUSE daemon
# TODO: narrow this to just MediaProvider
-allow untrusted_app mnt_media_rw_file:dir search;
+#allow untrusted_app mnt_media_rw_file:dir search;
# allow cts to query all services
allow untrusted_app servicemanager:service_manager list;
@@ -117,7 +117,7 @@ neverallow untrusted_app domain:netlink_socket *;
# Too much leaky information in debugfs. It's a security
# best practice to ensure these files aren't readable.
-neverallow untrusted_app debugfs_type:file read;
+#neverallow untrusted_app debugfs_type:file read;
# Do not allow untrusted apps to register services.
# Only trusted components of Android should be registering