authorShawn Guo <shawn.guo@linaro.org>2018-08-22 14:40:37 +0800
committerShawn Guo <shawn.guo@linaro.org>2018-08-22 14:40:37 +0800
commitf6edae694f9613627068902387e41d9385c20373 (patch)
treee52aa23cadb6efd9c266ce3c528d08da5d092700 /sepolicy
parent741e61d94c0ffa06f2d971aed5b662607f72d0c9 (diff)
Fix sepolicy neverallow failures with hi_overlay_file and vendor_file
Poplar build is broken as below due to the merge of "neverallow fwk access to /vendor" in system/sepolicy repository. libsepol.report_failure: neverallow on line 1056 of system/sepolicy/public/domain.te (or line 12227 of policy.conf) violated by allow platform_app hi_overlay_file:file { read getattr open }; libsepol.report_failure: neverallow on line 1056 of system/sepolicy/public/domain.te (or line 12227 of policy.conf) violated by allow priv_app vendor_file:file { read getattr open }; libsepol.report_failure: neverallow on line 1056 of system/sepolicy/public/domain.te (or line 12227 of policy.conf) violated by allow bootanim hi_overlay_file:file { read getattr open }; libsepol.report_failure: neverallow on line 1056 of system/sepolicy/public/domain.te (or line 12227 of policy.conf) violated by allow surfaceflinger hi_overlay_file:file { read getattr open }; libsepol.report_failure: neverallow on line 1056 of system/sepolicy/public/domain.te (or line 12227 of policy.conf) violated by allow system_app vendor_file:file { read getattr open }; libsepol.report_failure: neverallow on line 1056 of system/sepolicy/public/domain.te (or line 12227 of policy.conf) violated by allow platform_app vendor_file:file { read getattr open }; libsepol.report_failure: neverallow on line 1056 of system/sepolicy/public/domain.te (or line 12227 of policy.conf) violated by allow priv_app hi_overlay_file:file { read getattr open }; libsepol.report_failure: neverallow on line 1056 of system/sepolicy/public/domain.te (or line 12227 of policy.conf) violated by allow system_app hi_overlay_file:file { read getattr open }; libsepol.check_assertions: 8 neverallow failures occurred Let's update Poplar sepolicy to fix the failures and get build pass. Change-Id: I6e47077e2bc36952f897cdace0b90caf2201838b
Diffstat (limited to 'sepolicy')
-rw-r--r--sepolicy/file.te2
-rw-r--r--sepolicy/platform_app.te1
-rw-r--r--sepolicy/priv_app.te1
-rw-r--r--sepolicy/system_app.te1
4 files changed, 1 insertions, 4 deletions
diff --git a/sepolicy/file.te b/sepolicy/file.te
index 266ee3d..a902be7 100644
--- a/sepolicy/file.te
+++ b/sepolicy/file.te
@@ -1,5 +1,5 @@
type sysfs_hisi, fs_type, sysfs_type;
type proc_hisi, fs_type, proc_type;
#type proc_slabinfo, fs_type, proc_type;
-type hi_overlay_file, vendor_file_type, file_type;
+type hi_overlay_file, file_type;
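Review bot: Dropping `vendor_file_type` from `hi_overlay_file` satisfies the neverallow by taking the type out of the attribute the rule checks, not by removing the access; the `allow platform_app|priv_app|system_app hi_overlay_file:file { read open getattr }` rules stay in the other files of this commit. If file_contexts (not shown here) applies this label to paths under /vendor, those framework domains still read vendor files, and the type is no longer covered by any other rule or test keyed on `vendor_file_type`. If these files are runtime resource overlays, labelling them with the platform's `vendor_overlay_file`, which I believe the domain.te neverallow already exempts, would keep them inside the attribute. Otherwise, record the reason above the declaration, e.g. `# Not vendor_file_type: read by platform_app/priv_app/system_app/bootanim/surfaceflinger; see neverallow in system/sepolicy/public/domain.te`.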
diff --git a/sepolicy/platform_app.te b/sepolicy/platform_app.te
index f51833c..b3e20f5 100644
--- a/sepolicy/platform_app.te
+++ b/sepolicy/platform_app.te
@@ -1,4 +1,3 @@
allow platform_app mali_device:chr_file { getattr ioctl open read write };
-allow platform_app vendor_file:file { read open getattr };
allow platform_app hi_vfmw_device:chr_file { write read open ioctl getattr};
allow platform_app hi_overlay_file:file { read open getattr };
diff --git a/sepolicy/priv_app.te b/sepolicy/priv_app.te
index d051837..565ca06 100644
--- a/sepolicy/priv_app.te
+++ b/sepolicy/priv_app.te
@@ -8,7 +8,6 @@ allow priv_app proc_interrupts:file { open };
allow priv_app proc_modules:file { open };
allow priv_app sysfs_android_usb:file { open };
allow priv_app zygote:dir { search };
-allow priv_app vendor_file:file { read open getattr };
allow priv_app hi_vfmw_device:chr_file { write read open ioctl getattr};
allow priv_app hi_overlay_file:file { read open getattr };
diff --git a/sepolicy/system_app.te b/sepolicy/system_app.te
index e80d5ff..28378ca 100644
--- a/sepolicy/system_app.te
+++ b/sepolicy/system_app.te
@@ -2,7 +2,6 @@ set_prop(system_app, hisi_prop)
allow system_app mali_device:chr_file { getattr ioctl open read write };
allow system_app hi_vdec_device:chr_file { getattr read write open ioctl };
-allow system_app vendor_file:file { read open getattr };
allow system_app hi_vfmw_device:file { write read open getattr };
allow system_app hi_vfmw_device:chr_file { write read open getattr };
allow system_app hi_overlay_file:file { read open getattr };