author | Android Build Coastguard Worker <android-build-coastguard-worker@google.com> | 2023-02-03 18:05:34 +0000 |
---|---|---|
committer | Android Build Coastguard Worker <android-build-coastguard-worker@google.com> | 2023-02-03 18:05:34 +0000 |
commit | 37ac9ac99a14749c9e43d9d6063b069ba3da713f (patch) | |
tree | 63c904290f30be50375743bfdc5dca5eb56a1f7d | |
parent | f3ed0f58837062647b395fabe579b9eb1a0e0a8d (diff) | |
parent | 65a66499ccdd1a7963b5895aaf4c3564a51c8a08 (diff) | |
Snap for 9560500 from 65a66499ccdd1a7963b5895aaf4c3564a51c8a08 to sdk-release platform-tools-34.0.1 platform-tools-34.0.0 sdk-release busytown-mac-infra-release
Change-Id: Ide21fae599268a341dcbd92a566625c46c5876c8
-rw-r--r-- | neverallows/non_plat/neverallows.te | 32 | ||||
-rw-r--r-- | neverallows/plat_private/neverallows.te | 37 | ||||
-rw-r--r-- | neverallows/plat_public/neverallows.te | 27 |
3 files changed, 0 insertions, 96 deletions
diff --git a/neverallows/non_plat/neverallows.te b/neverallows/non_plat/neverallows.te index 64524ac..4c71456 100644 --- a/neverallows/non_plat/neverallows.te +++ b/neverallows/non_plat/neverallows.te @@ -218,38 +218,6 @@ full_treble_only(` # hal_client_domain(cameraserver, hal_camera) # full_treble_only(` - neverallow ~{ - apexd - cameraserver - fastbootd - hal_camera - hal_camera_default - hal_evs_default - init - mtk_hal_camera - otapreopt_chroot - recovery - shell - slideshow - system_server - vendor_init - vold - ueventd - } device:dir ~{ search getattr }; - - neverallow { - cameraserver - fastbootd - hal_camera - hal_camera_default - hal_evs_default - mtk_hal_camera - system_server - shell - slideshow - recovery - } device:dir ~r_dir_perms; - neverallow init device:dir ~{ create_dir_perms mounton relabelto }; neverallow vendor_init device:dir ~{ create_dir_perms mounton }; diff --git a/neverallows/plat_private/neverallows.te b/neverallows/plat_private/neverallows.te index 695a6c7..1281248 100644 --- a/neverallows/plat_private/neverallows.te +++ b/neverallows/plat_private/neverallows.te 
@@ -116,44 +116,7 @@ full_treble_only(` neverallow system_server system_data_file:lnk_file ~create_file_perms; ') -# Do not allow access to the generic device label. This is too broad. -# Instead, if access to part of device is desired, it should have a -# more specific label. -# TODO: Remove hal_camera and so on once there are no violations. -# -# allow hal_camera device:dir r_dir_perms; -# hal_client_domain(cameraserver, hal_camera) -# full_treble_only(` - neverallow { - coredomain - -apexd - -cameraserver - -fastbootd - -hal_camera - -init - -otapreopt_chroot - -recovery - -shell - -slideshow - -system_server - -vendor_init - -vold - -ueventd - } device:dir ~{ search getattr }; - - neverallow init device:dir ~{ create_dir_perms mounton relabelto }; - - neverallow { - cameraserver - fastbootd - hal_camera - system_server - shell - slideshow - recovery - } device:dir ~r_dir_perms; - neverallow vendor_init device:dir ~{ create_dir_perms mounton }; neverallow vold device:dir ~{ search getattr write }; diff --git a/neverallows/plat_public/neverallows.te b/neverallows/plat_public/neverallows.te index 1e1bce7..f130f1e 100644 --- a/neverallows/plat_public/neverallows.te +++ b/neverallows/plat_public/neverallows.te @@ -448,33 +448,6 @@ full_treble_only(` neverallow ueventd device:lnk_file ~{ r_file_perms create unlink }; - neverallow { - coredomain - -apexd - -cameraserver - -fastbootd - -hal_camera - -init - -otapreopt_chroot - -recovery - -shell - -slideshow - -system_server - -vendor_init - -vold - -ueventd - } device:dir ~{ search getattr }; - - neverallow { - cameraserver - fastbootd - hal_camera - system_server - shell - slideshow - recovery - } device:dir ~r_dir_perms; - neverallow init device:dir ~{ create_dir_perms mounton relabelto }; neverallow vendor_init device:dir ~{ create_dir_perms mounton }; |