sdm660-common: Cleanup sepolicy

* Fix neverallows Signed-off-by: clarencelol <clarencekuiek@icloud.com> Signed-off-by: pix106 <sbordenave@gmail.com>
2021-07-24 08:08:47 +00:00 · 2021-07-24 08:08:47 +00:00 · 5514002bef
commit 5514002bef
parent 1426027286
3 changed files with 3 additions and 18 deletions
--- a/sepolicy/vendor/hal_power_stats_default.te
+++ b/sepolicy/vendor/hal_power_stats_default.te
@ -1,17 +1,3 @@
 allow hal_power_stats_default sysfs:dir { open read };
-allow hal_power_stats_default sysfs:file open;
+allow hal_power_stats_default sysfs:file { open read };
 allow hal_power_stats_default sysfs_kgsl:file { r_file_perms getattr };
 # Needed to traverse odpm files
 r_dir_file(hal_power_stats_default, sysfs_iio_devices)
 # Needed to traverse platform low power stats
 r_dir_file(hal_power_stats_default, sysfs_power_stats)
 # The following folders are incidentally accessed by hal_power_stats_default and are not needed.
 dontaudit hal_power_stats_default sysfs_power_stats_ignore:dir r_dir_perms;
 dontaudit hal_power_stats_default sysfs_power_stats_ignore:file r_file_perms;
 dontaudit hal_power_stats_default sysfs:file { open read };
 vndbinder_use(hal_power_stats)
 add_service(hal_power_stats_server, power_stats_service)
--- a/sepolicy/vendor/netutils_wrapper.te
+++ b/sepolicy/vendor/netutils_wrapper.te
@ -1 +1,2 @@
-allow netutils_wrapper netutils_wrapper:capability { kill };
+dontaudit netutils_wrapper kernel:system module_request;
 dontaudit netutils_wrapper self:capability { sys_module sys_admin };
--- a/sepolicy/vendor/zygote.te
+++ b/sepolicy/vendor/zygote.te
@ -1,4 +1,2 @@
 allow zygote exported_camera_prop:file { open read getattr write };
 get_prop(zygote, exported_camera_prop)
 allow zygote unlabeled:dir { search };
`@ -1 +1,2 @@`
	`allow netutils_wrapper netutils_wrapper:capability { kill };`	`dontaudit netutils_wrapper kernel:system module_request;`
		`dontaudit netutils_wrapper self:capability { sys_module sys_admin };`