authorJoel Galenson <jgalenson@google.com>2018-01-31 10:07:32 -0800
committerJoel Galenson <jgalenson@google.com>2018-01-31 10:07:32 -0800
commit6fe1a7951b1c69d488872e442a514a4bf2c8767b (patch)
tree45f7800e2ef4d60779dff81c673be324a9e43f4e
parenta590164dc8fa14ef345aba56c0f0ba36b1c36046 (diff)
downloadbullhead-6fe1a7951b1c69d488872e442a514a4bf2c8767b.tar.gz
These permissions should not be granted and currently break the build. Test: Built policy. Change-Id: I86eb53251887c8bdc67e138488f06774b9458342
-rw-r--r--sepolicy/rmt.te2
-rw-r--r--sepolicy/sensortool.te2
-rw-r--r--sepolicy/servicemanager.te2
-rw-r--r--sepolicy/start_hci_filter.te2
-rw-r--r--sepolicy/thermal-engine.te2
5 files changed, 5 insertions, 5 deletions
diff --git a/sepolicy/rmt.te b/sepolicy/rmt.te
index 6fcce6f..f5cacb3 100644
--- a/sepolicy/rmt.te
+++ b/sepolicy/rmt.te
@@ -6,7 +6,7 @@ type rmt_exec, exec_type, file_type;
init_daemon_domain(rmt)
# Drop (user, group) to (nobody, nobody)
-allow rmt self:capability { setuid setgid dac_override setpcap net_raw };
+allow rmt self:capability { setuid setgid setpcap net_raw };
# opens and reads /dev/block/mmcblk0
allow rmt root_block_device:blk_file r_file_perms;
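Review bot: Nothing here shows that rmt still works at runtime once `dac_override` is gone from `allow rmt self:capability { setuid setgid setpcap net_raw };`, because the only recorded test is that the policy builds. Any file the daemon opens that its UID/GID cannot reach through ordinary mode bits will now fail. The same gap applies to the sensortool hunk (which searches persist_file and reads persist_sensortool_file) and to the servicemanager, start_hci_filter and thermal-engine hunks. I would boot a device and check the audit log for `avc: denied { dac_override }` (plus `dac_read_search` for thermal-engine) against these five domains. Any hit should be fixed by correcting file ownership or mode rather than by restoring the capability.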
diff --git a/sepolicy/sensortool.te b/sepolicy/sensortool.te
index f78af45..c2f44fc 100644
--- a/sepolicy/sensortool.te
+++ b/sepolicy/sensortool.te
@@ -4,7 +4,7 @@ type sensortool_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(sensortool)
allow sensortool sensors_device:chr_file rw_file_perms;
-allow sensortool self:capability { dac_override sys_nice };
+allow sensortool self:capability sys_nice;
allow sensortool persist_file:dir search;
allow sensortool persist_sensortool_file:file r_file_perms;
diff --git a/sepolicy/servicemanager.te b/sepolicy/servicemanager.te
index 05923e0..6c2e37d 100644
--- a/sepolicy/servicemanager.te
+++ b/sepolicy/servicemanager.te
@@ -1,5 +1,5 @@
# Drop (user, group) to (nobody, nobody)
-allow servicemanager self:capability { setuid setgid dac_override setpcap net_raw };
+allow servicemanager self:capability { setuid setgid setpcap net_raw };
allow servicemanager init:dir search;
allow servicemanager init:file { read open };
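Review bot: The comment `# Drop (user, group) to (nobody, nobody)` above this rule accounts only for `setuid setgid`, so `setpcap` and `net_raw` stay granted to servicemanager with no stated reason. The capability set is identical to the one in rmt.te, which suggests it was copied from there; it is worth confirming that this domain needs a raw socket at all. If it does not, narrow the rule to `allow servicemanager self:capability { setuid setgid };`. If it does, add a one-line comment above the rule naming what uses each of the two capabilities, and do the same in rmt.te.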
diff --git a/sepolicy/start_hci_filter.te b/sepolicy/start_hci_filter.te
index 0579b3f..d2704c4 100644
--- a/sepolicy/start_hci_filter.te
+++ b/sepolicy/start_hci_filter.te
@@ -4,7 +4,7 @@ type start_hci_filter_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(start_hci_filter);
-allow start_hci_filter self:capability { setuid setgid dac_override };
+allow start_hci_filter self:capability { setuid setgid };
allow start_hci_filter proc_sysrq:file rw_file_perms;
diff --git a/sepolicy/thermal-engine.te b/sepolicy/thermal-engine.te
index 93c2179..b2b329d 100644
--- a/sepolicy/thermal-engine.te
+++ b/sepolicy/thermal-engine.te
@@ -9,7 +9,7 @@ allow thermal-engine smem_log_device:chr_file rw_file_perms;
allow thermal-engine thermal_device:chr_file rw_file_perms;
-allow thermal-engine self:capability { dac_read_search dac_override fsetid chown };
+allow thermal-engine self:capability { fsetid chown };
allow thermal-engine self:capability2 wake_alarm;
# Talk to qmuxd (/dev/socket/qmux_radio)