projects / GitHub / LineageOS / android_device_samsung_universal7580-common.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: f39a66a)
universal7580: sepolicy: remove general sysfs:file allowances
authorJan Altensen <info@stricted.net>
Mon, 1 Jul 2019 06:50:32 +0000 (08:50 +0200)
committerJan Altensen <info@stricted.net>
Fri, 16 Aug 2019 21:19:02 +0000 (23:19 +0200)
* we really should label all the files correctly instead of just allowing to read or write to sysfs:file

Change-Id: I9af5f8e4df3426a4ed67b43fc01c9fa4150785bf

sepolicy/cpboot-daemon.te patch | blob | blame | history
sepolicy/hal_power_default.te patch | blob | blame | history
sepolicy/kernel.te patch | blob | blame | history
sepolicy/sswap.te patch | blob | blame | history

diff --git a/sepolicy/cpboot-daemon.te b/sepolicy/cpboot-daemon.te
index c8736d3d6c2d72ddeedb34f94492edbfac6e6fff..14886b4588de91c9c79c60daeabeaabec12ef874 100644 (file)
--- a/sepolicy/cpboot-daemon.te
+++ b/sepolicy/cpboot-daemon.te
@@ -40,9 +40,6 @@ allow cpboot-daemon efs_file:dir r_dir_perms;
 allow cpboot-daemon bin_nv_data_efs_file:file rw_file_perms;
 allow cpboot-daemon efs_file:file rw_file_perms;
 
-# /sys/bus/usb/devices/1-2/idVendor
-allow cpboot-daemon sysfs:file r_file_perms;
-
 # /proc/cmdline
 allow cpboot-daemon proc:file r_file_perms;
 
diff --git a/sepolicy/hal_power_default.te b/sepolicy/hal_power_default.te
index 764c7a17ded223a391254e307d134a41dffc9ddd..432cb3c0acc23b95720d0f1088ced3b038c4e61d 100644 (file)
--- a/sepolicy/hal_power_default.te
+++ b/sepolicy/hal_power_default.te
@@ -1,6 +1,4 @@
 # hal_power_default
-allow hal_power_default sysfs:dir { open read search };
-allow hal_power_default sysfs:file { rw_file_perms };
 
 # Input devices
 allow hal_power_default sysfs_input:dir { open read search };
diff --git a/sepolicy/kernel.te b/sepolicy/kernel.te
index bd8b009f1dc70d02c144e379a66a8fb1574532ba..73dbd2acbb83e4fbb8e2fa6226cd3a9af5b09eaf 100644 (file)
--- a/sepolicy/kernel.te
+++ b/sepolicy/kernel.te
@@ -9,7 +9,6 @@ allow kernel device:chr_file { create setattr getattr unlink };
 
 # /sys/devices/system/cpu/cpu[0-9]/cpufreq/*
 allow kernel sysfs_devices_system_cpu:file { setattr };
-allow kernel sysfs:file { setattr };
 
 # /efs contents
 allow kernel { app_efs_file battery_efs_file efs_file sensor_efs_file }:dir r_dir_perms;
diff --git a/sepolicy/sswap.te b/sepolicy/sswap.te
index 3408a2e4a1f6d29d3b2258df28f5c9910d1a6c67..a6316906dbca4aac911af2595afa9d684ec8c8fe 100644 (file)
--- a/sepolicy/sswap.te
+++ b/sepolicy/sswap.te
@@ -6,7 +6,6 @@ init_daemon_domain(sswap);
 
 allow sswap sswap_device:blk_file { read write open };
 allow sswap rootfs:file { entrypoint read };
-allow sswap sysfs:file { write open read };
 allow sswap block_device:dir search;
 allow sswap self:capability sys_admin;