sdm660-common: sepolicy: drop and dontaudit kill and sys_admin permissions.
This commit is contained in:
pix106
parent
077a21d15e
commit
9188e83cbd
7 changed files with 32 additions and 7 deletions
7
sepolicy/private/dontaudit.te
Normal file
7
sepolicy/private/dontaudit.te
Normal file
|
|
@ -0,0 +1,7 @@
|
|||
dontaudit boringssl_self_test self:capability sys_admin;
|
||||
dontaudit fsck self:capability kill;
|
||||
dontaudit fsverity_init self:capability sys_admin;
|
||||
dontaudit kernel self:capability kill;
|
||||
dontaudit linkerconfig self:capability { kill sys_admin };
|
||||
dontaudit odsign self:capability sys_admin;
|
||||
dontaudit vendor_boringssl_self_test self:capability sys_admin;
|
||||
|
|
@ -1 +0,0 @@
|
|||
allow fsck self:capability { kill };
|
||||
|
|
@ -1 +0,0 @@
|
|||
allow kernel self:capability { kill };
|
||||
25
sepolicy/vendor/dontaudit.te
vendored
25
sepolicy/vendor/dontaudit.te
vendored
|
|
@ -1,3 +1,28 @@
|
|||
# Apps are no longer allowed open access to /dev/ashmem, unless they
|
||||
# target API level < Q.
|
||||
dontaudit untrusted_app ashmem_device:chr_file open;
|
||||
|
||||
dontaudit adbd self:capability sys_admin;
|
||||
dontaudit blkid_untrusted self:capability sys_admin;
|
||||
dontaudit crash_dump self:capability sys_admin;
|
||||
dontaudit fsck self:capability sys_admin;
|
||||
dontaudit hal_power_default self:capability sys_admin;
|
||||
dontaudit hal_wifi_supplicant_default self:capability sys_admin;
|
||||
dontaudit installd self:capability kill;
|
||||
dontaudit irsc_util self:capability sys_admin;
|
||||
dontaudit lmkd self:capability sys_admin;
|
||||
dontaudit netutils_wrapper self:capability sys_admin;
|
||||
dontaudit rfs_access self:capability sys_admin;
|
||||
dontaudit rmt_storage self:capability sys_admin;
|
||||
dontaudit thermal-engine self:capability sys_admin;
|
||||
dontaudit toolbox self:capability { kill sys_admin };
|
||||
dontaudit ueventd self:capability sys_admin;
|
||||
dontaudit usbd self:capability sys_admin;
|
||||
dontaudit vdc self:capability sys_admin;
|
||||
dontaudit vendor_init-qti-dcvs-sh self:capability sys_admin;
|
||||
dontaudit vendor_modprobe self:capability sys_admin;
|
||||
dontaudit vendor_msm_irqbalanced self:capability sys_admin;
|
||||
dontaudit vendor_pd_mapper self:capability sys_admin;
|
||||
dontaudit vendor_toolbox self:capability sys_admin;
|
||||
dontaudit vold_prepare_subdirs self:capability sys_admin;
|
||||
|
||||
|
|
|
|||
1
sepolicy/vendor/hal_power_default.te
vendored
1
sepolicy/vendor/hal_power_default.te
vendored
|
|
@ -9,7 +9,6 @@ allow hal_power_default { sysfs_devfreq sysfs_kgsl }:{ file lnk_file } rw_file_p
|
|||
allow hal_power_default sysfs_devices_system_cpu:file rw_file_perms;
|
||||
allow hal_power_default sysfs_touchpanel:dir search;
|
||||
allow hal_power_default sysfs_touchpanel:file rw_file_perms;
|
||||
allow hal_power_default self:capability sys_admin;
|
||||
|
||||
r_dir_file(hal_power_default, sysfs_graphics)
|
||||
set_prop(hal_power_default, vendor_power_prop)
|
||||
|
|
|
|||
1
sepolicy/vendor/installd.te
vendored
1
sepolicy/vendor/installd.te
vendored
|
|
@ -1 +0,0 @@
|
|||
allow installd installd:capability { kill };
|
||||
3
sepolicy/vendor/vendor_toolbox.te
vendored
3
sepolicy/vendor/vendor_toolbox.te
vendored
|
|
@ -1,9 +1,6 @@
|
|||
type vendor_toolbox, domain;
|
||||
init_daemon_domain(vendor_toolbox)
|
||||
|
||||
# Allow vendor_toolbox to use sys_admin capability
|
||||
allow vendor_toolbox self:capability sys_admin;
|
||||
|
||||
# Allow vendor_toolbox to execute /vendor/bin/toybox_vendor
|
||||
allow vendor_toolbox vendor_toolbox_exec:file execute_no_trans;
|
||||
|
||||
|
|
|
|||
Loading…
Reference in a new issue