author | Shanshan Guo <Shanshan.Guo@mediatek.com> | 2020-01-18 10:22:32 +0800 |
---|---|---|
committer | Shanshan Guo <Shanshan.Guo@mediatek.com> | 2020-01-18 10:22:32 +0800 |
commit | 543f2e74b831950f8648c9245164b81c033a82fe (patch) | |
tree | 74f3d7b383742c40b0869b9702ceabd94f227258 /r_non_plat/factory.te | |
parent | 8b19a5a6d5f2c1866440691a2f2e422628e32b35 (diff) | |
download | wembley-sepolicy-543f2e74b831950f8648c9245164b81c033a82fe.tar.gz |
[ALPS04967419] SEPolicy: Add neverallow rule for sysfs
[Detail]
Do not allow access to the generic sysfs label. This is too broad.
Instead, if access to part of sysfs is desired, it should have a
more specific label.
TODO: Remove hal_usb/mtk_hal_usb and so on once there are no violations.
EX.
allow hal_usb sysfs:file write;
hal_server_domain(mtk_hal_usb, hal_usb)
r_dir_file(hal_wifi, sysfs_type)
hal_server_domain(mtk_hal_wifi, hal_wifi)
[Solution]
1. Add neverallow rule for sysfs.
2. Remove the conflicting SEPolicies.
MTK-Commit-Id: 86296cf74da59aa881bb2ae8ad868195b67079d5
Change-Id: I304a1a87b23623e320ff7346da9d10a09264152b
CR-Id: ALPS04967419
Feature: [Android Default] SELinux, SEAndroid, and SE-MTK
Diffstat (limited to 'r_non_plat/factory.te')
-rw-r--r-- | r_non_plat/factory.te | 1 |
1 files changed, 0 insertions, 1 deletions
diff --git a/r_non_plat/factory.te b/r_non_plat/factory.te index b1593fb..2292369 100644 --- a/r_non_plat/factory.te +++ b/r_non_plat/factory.te @@ -338,7 +338,6 @@ allow factory proc_asound:file { read open getattr write }; allow factory audiohal_prop:property_service set; # For Accdet data permission -allow factory sysfs:file { read open }; allow factory sysfs_headset:file { read open }; # For touch auto test |
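Review bot: In the `@@ -338,7 +338,6 @@` hunk, removing `allow factory sysfs:file { read open };` under "# For Accdet data permission" leaves `allow factory sysfs_headset:file { read open };` as the only accdet read path, and nothing in this file's diff shows that the accdet nodes factory opens are labelled sysfs_headset. Please confirm that labelling (the file_contexts or genfs_contexts entry) as part of this change, and check a factory-mode accdet run for avc denials against the generic sysfs type before merging. The removed rule was generic, so any other factory test that silently depended on it would also start failing; if one turns up, give its node a specific type rather than restoring a `sysfs:file` allow, which the neverallow described in the commit message is meant to forbid.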