MiPad4/android_device_xiaomi_sdm660-common
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

sdm660-common: sepolicy: drop and dontaudit kill and sys_admin permissions.

Browse source
This commit is contained in:
pix106 2022-09-11 10:48:58 +02:00
parent 077a21d15e
commit 9188e83cbd
7 changed files with 32 additions and 7 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
sepolicy/private/dontaudit.te Normal file
View file

@ -0,0 +1,7 @@
dontaudit boringssl_self_test self:capability sys_admin;
dontaudit fsck self:capability kill;
dontaudit fsverity_init self:capability sys_admin;
dontaudit kernel self:capability kill;
dontaudit linkerconfig self:capability { kill sys_admin };
dontaudit odsign self:capability sys_admin;
dontaudit vendor_boringssl_self_test self:capability sys_admin;

1
sepolicy/private/fsck.te
View file

@ -1 +0,0 @@
allow fsck self:capability { kill };

1
sepolicy/private/kernel.te
View file

@ -1 +0,0 @@
allow kernel self:capability { kill };

25
sepolicy/vendor/dontaudit.te vendored
View file

@ -1,3 +1,28 @@
# Apps are no longer allowed open access to /dev/ashmem, unless they # Apps are no longer allowed open access to /dev/ashmem, unless they
# target API level < Q. # target API level < Q.
dontaudit untrusted_app ashmem_device:chr_file open; dontaudit untrusted_app ashmem_device:chr_file open;
dontaudit adbd self:capability sys_admin;
dontaudit blkid_untrusted self:capability sys_admin;
dontaudit crash_dump self:capability sys_admin;
dontaudit fsck self:capability sys_admin;
dontaudit hal_power_default self:capability sys_admin;
dontaudit hal_wifi_supplicant_default self:capability sys_admin;
dontaudit installd self:capability kill;
dontaudit irsc_util self:capability sys_admin;
dontaudit lmkd self:capability sys_admin;
dontaudit netutils_wrapper self:capability sys_admin;
dontaudit rfs_access self:capability sys_admin;
dontaudit rmt_storage self:capability sys_admin;
dontaudit thermal-engine self:capability sys_admin;
dontaudit toolbox self:capability { kill sys_admin };
dontaudit ueventd self:capability sys_admin;
dontaudit usbd self:capability sys_admin;
dontaudit vdc self:capability sys_admin;
dontaudit vendor_init-qti-dcvs-sh self:capability sys_admin;
dontaudit vendor_modprobe self:capability sys_admin;
dontaudit vendor_msm_irqbalanced self:capability sys_admin;
dontaudit vendor_pd_mapper self:capability sys_admin;
dontaudit vendor_toolbox self:capability sys_admin;
dontaudit vold_prepare_subdirs self:capability sys_admin;

1
sepolicy/vendor/hal_power_default.te vendored
View file

@ -9,7 +9,6 @@ allow hal_power_default { sysfs_devfreq sysfs_kgsl }:{ file lnk_file } rw_file_p
allow hal_power_default sysfs_devices_system_cpu:file rw_file_perms; allow hal_power_default sysfs_devices_system_cpu:file rw_file_perms;
allow hal_power_default sysfs_touchpanel:dir search; allow hal_power_default sysfs_touchpanel:dir search;
allow hal_power_default sysfs_touchpanel:file rw_file_perms; allow hal_power_default sysfs_touchpanel:file rw_file_perms;
allow hal_power_default self:capability sys_admin;
r_dir_file(hal_power_default, sysfs_graphics) r_dir_file(hal_power_default, sysfs_graphics)
set_prop(hal_power_default, vendor_power_prop) set_prop(hal_power_default, vendor_power_prop)

1
sepolicy/vendor/installd.te vendored
View file

@ -1 +0,0 @@
allow installd installd:capability { kill };

3
sepolicy/vendor/vendor_toolbox.te vendored
View file

@ -1,9 +1,6 @@
type vendor_toolbox, domain; type vendor_toolbox, domain;
init_daemon_domain(vendor_toolbox) init_daemon_domain(vendor_toolbox)
# Allow vendor_toolbox to use sys_admin capability
allow vendor_toolbox self:capability sys_admin;
# Allow vendor_toolbox to execute /vendor/bin/toybox_vendor # Allow vendor_toolbox to execute /vendor/bin/toybox_vendor
allow vendor_toolbox vendor_toolbox_exec:file execute_no_trans; allow vendor_toolbox vendor_toolbox_exec:file execute_no_trans;