diff --git a/private/system_server.te b/private/system_server.te index c2033dbbdad67d7bb97164d3a154babfba5c7b86..d8a67c3745a7a516ac4c5b84da91914021b63396 100644 --- a/private/system_server.te +++ b/private/system_server.te @@ -142,8 +142,6 @@ allow system_server stats_data_file:dir { open read remove_name search write }; allow system_server stats_data_file:file unlink; # Read /sys/kernel/debug/wakeup_sources. -allow system_server debugfs:file r_file_perms; -auditallow system_server debugfs:file r_file_perms; allow system_server debugfs_wakeup_sources:file r_file_perms; # Delete /data/misc/stats-data/ and /data/misc/stats-service/ directories. diff --git a/public/domain.te b/public/domain.te index 13f52dc2349cb006c6b0561c55c2a2267682a1a6..20ae4a9f127026291f1e8cf082b6ab1837f984f2 100644 --- a/public/domain.te +++ b/public/domain.te @@ -1387,8 +1387,8 @@ neverallow * domain:file { execute execute_no_trans entrypoint }; # Do not allow access to the generic debugfs label. This is too broad. # Instead, if access to part of debugfs is desired, it should have a # more specific label. -# TODO: fix system_server and dumpstate -neverallow { domain -init -vendor_init -system_server -dumpstate } debugfs:file no_rw_file_perms; +# TODO: fix dumpstate +neverallow { domain -init -vendor_init -dumpstate } debugfs:file no_rw_file_perms; # Profiles contain untrusted data and profman parses that. We should only run # in from installd forked processes.