From 10b250df24f96cf439025233d5bfa9ace1b5654b Mon Sep 17 00:00:00 2001
From: Pavel Grafov <pgrafov@google.com>
Date: Fri, 19 Oct 2018 11:06:08 +0000
Subject: [PATCH] Revert "Neverallow vendor code access to files on /system."

This reverts commit c855629ebd42e4aba64dea0a8a95fc5c465b911e.

Reason for revert: breaks builds for some devices in master

Change-Id: I02c0967d6607ef0173b4188c06d2e781c3c93f4b
---
 public/domain.te | 43 +++++++++++++------------------------------
 1 file changed, 13 insertions(+), 30 deletions(-)

diff --git a/public/domain.te b/public/domain.te
index fefca843b..edcc49880 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -1091,10 +1091,9 @@ full_treble_only(`
 -vendor_executes_system_violators
 -vendor_init
 } {
- system_file_type
- -system_file # TODO(b/111243627): remove once Treble violations are fixed.
- -system_lib_file
+ exec_type
 -system_linker_exec
+ -vendor_file_type
 -crash_dump_exec
 -netutils_wrapper_exec
 userdebug_or_eng(`-tcpdump_exec')
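Review bot: The restored target set on the `+ exec_type` and `+ -vendor_file_type` lines carries no pointer to the tracking bug, while the block re-added in the second hunk is tagged `# TODO(b/111243627)`. A reader of this rule later has no signal that the target was narrowed from `system_file_type` to `exec_type` as a temporary build fix rather than by design. Suggest a comment above the `exec_type` line such as `# TODO(b/111243627): restore the system_file_type target once Treble violations are fixed.` so both temporary relaxations are tracked together. The enclosing neverallow and its full_treble_only wrapper begin above this hunk.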
@@ -1157,33 +1156,17 @@ full_treble_only(`
 }:file *;
 ')
 
-full_treble_only(`
- # Do not allow vendor components access to /system files except for the
- # ones whitelisted here.
- neverallow {
- domain
- -appdomain
- -coredomain
- -vendor_executes_system_violators
- # vendor_init needs access to init_exec for domain transition. vendor_init
- # neverallows are covered in public/vendor_init.te
- -vendor_init
- } {
- system_file_type
- -system_file # TODO(b/111243627): remove once Treble violations are fixed.
- -crash_dump_exec
- -file_contexts_file
- -netutils_wrapper_exec
- -property_contexts_file
- -system_lib_file
- -system_linker_exec
- -system_linker_config_file
- -system_seccomp_policy_file
- -system_security_cacerts_file
- -system_zoneinfo_file
- userdebug_or_eng(`-tcpdump_exec')
- }:file *;
-')
+# TODO(b/111243627): Uncomment once all violations are cleaned up.
+#full_treble_only(`
+# # Do not allow vendor components access to /system files except for the
+# # ones whitelisted here.
+# neverallow {
+# domain
+# -appdomain
+# -coredomain
+# -vendor_executes_system_violators
+# } system_file_type:file *;
+#')
 
 # Only authorized processes should be writing to files in /data/dalvik-cache
 neverallow {
--
GitLab
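Review bot: The commented-out rule that takes the place of the removed block is not the same rule: it targets `system_file_type:file *` with no exclusions and omits `-vendor_init` from the source set, whereas the removed neverallow carved out crash_dump_exec, the linker and its config, the contexts files, cacerts, zoneinfo and the other entries listed. Uncommenting it verbatim once b/111243627 is resolved would therefore likely trip on exactly those legitimate accesses again. Suggest the TODO line point at where the exception list lives, e.g. `# TODO(b/111243627): Uncomment once all violations are cleaned up; the exclusion list needed is in reverted commit c855629ebd42e4aba64dea0a8a95fc5c465b911e.`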