diff --git a/non_plat/adbd.te b/non_plat/adbd.te index cc9031a..e8698fc 100644 --- a/non_plat/adbd.te +++ b/non_plat/adbd.te @@ -23,7 +23,7 @@ allow adbd self:capability2 syslog; allow adbd block_device:dir r_dir_perms; allow adbd kernel:process setsched; -allow adbd self:capability { net_raw ipc_lock dac_override }; +#allow adbd self:capability { net_raw ipc_lock dac_override }; allow adbd system_data_file:dir w_dir_perms; file_type_auto_trans(adbd, system_data_file, adbd_data_file) allow adbd adbd_data_file:file create_file_perms; diff --git a/non_plat/aee_aedv.te b/non_plat/aee_aedv.te index 8bf486a..d2fec50 100644 --- a/non_plat/aee_aedv.te +++ b/non_plat/aee_aedv.te @@ -117,7 +117,7 @@ allow aee_aedv aee_tombstone_data_file:dir w_dir_perms; allow aee_aedv aee_tombstone_data_file:file create_file_perms; # /proc/pid/ -allow aee_aedv self:capability { fowner chown dac_override fsetid sys_nice sys_resource net_admin sys_module}; +#allow aee_aedv self:capability { fowner chown dac_override fsetid sys_nice sys_resource net_admin sys_module}; # PROCESS_FILE_STATE allow aee_aedv dumpstate:unix_stream_socket { read write ioctl }; diff --git a/non_plat/aee_core_forwarder.te b/non_plat/aee_core_forwarder.te index 82f5c7f..3258c52 100644 --- a/non_plat/aee_core_forwarder.te +++ b/non_plat/aee_core_forwarder.te @@ -26,7 +26,7 @@ allow aee_core_forwarder aee_exp_data_file:dir create_dir_perms; allow aee_core_forwarder aee_exp_data_file:file create_file_perms; #mkdir(path, mode) -allow aee_core_forwarder self:capability dac_override; +#allow aee_core_forwarder self:capability dac_override; #read STDIN_FILENO allow aee_core_forwarder kernel:fifo_file read; diff --git a/non_plat/biosensord_nvram.te b/non_plat/biosensord_nvram.te index 6f67e6c..0ab7fb4 100644 --- a/non_plat/biosensord_nvram.te +++ b/non_plat/biosensord_nvram.te 
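Review bot: In adbd.te, commenting out the whole `allow adbd self:capability { net_raw ipc_lock dac_override };` line drops `net_raw` and `ipc_lock` along with `dac_override`, and nothing in the hunk says which of the three was the target. If only `dac_override` is meant to go, the line would become `allow adbd self:capability { net_raw ipc_lock };`, which is how the audiocmdservice_atci.te hunk later in this commit edits its set in place. The same whole-line pattern recurs in most of the non_plat and plat_private hunks that follow; aee_aedv.te, stp_dump3.te, factory.te, meta_tst.te and mobile_log_d.te each lose several unrelated capabilities at once. Each affected daemon should be checked for denials under enforcing mode before this ships. A rule that is really being withdrawn is better deleted than left as a `#allow` line, with a one-line comment recording the reason.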
@@ -29,5 +29,5 @@ allow biosensord_nvram nvdata_file:dir rw_dir_perms; allow biosensord_nvram nvdata_file:file {rw_file_perms create_file_perms}; allow biosensord_nvram nvram_data_file:lnk_file rw_file_perms; allow biosensord_nvram biometric_device:chr_file { open ioctl read write }; -allow biosensord_nvram self:capability { dac_read_search chown fsetid dac_override }; +#allow biosensord_nvram self:capability { dac_read_search chown fsetid dac_override }; allow biosensord_nvram system_data_file:lnk_file read; diff --git a/non_plat/domain.te b/non_plat/domain.te index 677c01c..a261a44 100644 --- a/non_plat/domain.te +++ b/non_plat/domain.te @@ -15,14 +15,14 @@ allow domain debugfs_binder:dir search; # Allow all processes to read /sys/bus/platform/drivers/dev_info/dev_info # as it is a public interface for all processes to read some OTP data. -allow domain sysfs_devinfo:file r_file_perms; +#allow domain sysfs_devinfo:file r_file_perms; # Date:20170519 # Purpose: Full treble bootup issue, coredomain need to access libudf.so where # located on /vendor. # TODO:: In O MR1 may need to change design allow coredomain vendor_file:dir r_dir_perms; -allow coredomain vendor_file:file { read open getattr execute }; +#allow coredomain vendor_file:file { read open getattr execute }; allow coredomain vendor_file:lnk_file { getattr read }; # Date:20170630 @@ -32,5 +32,5 @@ allow { -untrusted_app_all -untrusted_v2_app } aee_aed:unix_stream_socket connectto; -allow { domain -coredomain -hal_configstore_server } aee_aedv:unix_stream_socket connectto; +allow { domain -coredomain -hal_configstore_server -vendor_init } aee_aedv:unix_stream_socket connectto; diff --git a/non_plat/emdlogger.te b/non_plat/emdlogger.te index 8f08075..2a8b67d 100644 --- a/non_plat/emdlogger.te +++ b/non_plat/emdlogger.te 
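Review bot: In the first domain.te hunk, two comment blocks now describe rules that are disabled. The one above `#allow domain sysfs_devinfo:file r_file_perms;` still says all processes may read dev_info as a public interface, and the 20170519 block still says coredomain needs libudf.so from /vendor. With `allow coredomain vendor_file:file { read open getattr execute };` commented out, the surviving `vendor_file:dir` and `vendor_file:lnk_file` grants to coredomain look like leftovers, so either remove them too or state why directory and symlink access is still wanted. radio.te has the same shape later in the commit: `allow radio ccci_fsd:dir { r_dir_perms };` stays while the matching `ccci_fsd:file` rule is disabled. I would replace each stale comment with a line such as `# Disabled: <reason> (<change id>)` so the next maintainer does not re-enable the rule on the strength of the old text.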
@@ -94,7 +94,7 @@ allow emdlogger file_contexts_file:file { read getattr open }; allow emdlogger block_device:dir search; allow emdlogger md_block_device:blk_file { read open }; -allow emdlogger self:capability { chown dac_override }; +#allow emdlogger self:capability { chown dac_override }; # purpose: allow emdlogger to access persist.meta.connecttype diff --git a/non_plat/file.te b/non_plat/file.te index ca6d6bb..9512232 100644 --- a/non_plat/file.te +++ b/non_plat/file.te @@ -178,8 +178,6 @@ type debugfs_usb20_phy, fs_type, debugfs_type; # dynamic_debug debugfs file type debugfs_dynamic_debug, fs_type, debugfs_type; -# /sys/kernel/debug/wakeup_sources -type debugfs_wakeup_sources, fs_type, debugfs_type; # shrinker debugfs file type debugfs_shrinker_debug, fs_type, debugfs_type; diff --git a/non_plat/fuelgauged.te b/non_plat/fuelgauged.te index 6b342bf..8b24ed4 100644 --- a/non_plat/fuelgauged.te +++ b/non_plat/fuelgauged.te @@ -64,7 +64,7 @@ allow fuelgauged nvram_data_file:lnk_file rw_file_perms; allow fuelgauged nvdata_file:lnk_file rw_file_perms; # Data : WK16.39 -allow fuelgauged self:capability { chown fsetid dac_override }; +#allow fuelgauged self:capability { chown fsetid dac_override }; # Data : W16.43 # Operation : New Feature diff --git a/non_plat/fuelgauged_nvram.te b/non_plat/fuelgauged_nvram.te index 3e8ad87..78eadbe 100644 --- a/non_plat/fuelgauged_nvram.te +++ b/non_plat/fuelgauged_nvram.te @@ -45,7 +45,7 @@ allow fuelgauged_nvram fuelgauged_file:file {rw_file_perms create_file_perms}; # Purpose : Change from /data to /cache allow fuelgauged_nvram cache_file:file {rw_file_perms create_file_perms}; allow fuelgauged_nvram cache_file:dir {rw_dir_perms create_dir_perms}; -allow fuelgauged_nvram self:capability { dac_read_search dac_override chown }; +#allow fuelgauged_nvram self:capability { dac_read_search dac_override chown }; allow fuelgauged_nvram kmsg_device:chr_file { write open }; allow fuelgauged_nvram self:capability fsetid; 
diff --git a/non_plat/hostapd.te b/non_plat/hostapd.te deleted file mode 100644 index 5a7f8f4..0000000 --- a/non_plat/hostapd.te +++ /dev/null @@ -1,21 +0,0 @@ -# ==================================== -# MTK Policy Rule -# ==================================== - -# Date: 2014/09/15 -# Operation: [Pre-SQC] Hotspot Manager cannot communicate with framework -# Purpose: Add socket write permission for hostapd -allow hostapd system_wpa_socket:sock_file write; - - -# Date: 2014/10/13 -# Operation: [L-SQC] SELinux warning during whole chip reset -# Purpose: kernel module netdev-ap0 gets invalid during whole chip reset, no impact to normal flow, dontaudit -dontaudit hostapd kernel:system module_request; - -# Date: 2017/06/22 -# Operation: [O-SQC] WiFi hal -# Purpose: WiFi hal for WiFi hotspot manager -hal_server_domain(hostapd, hal_wifi_supplicant) -hal_server_domain(hostapd, mtk_hal_wifi_hostapd) - diff --git a/non_plat/md_ctrl.te b/non_plat/md_ctrl.te index 9e0d5fa..cafa056 100644 --- a/non_plat/md_ctrl.te +++ b/non_plat/md_ctrl.te @@ -17,7 +17,7 @@ type md_ctrl_exec, exec_type, file_type, vendor_file_type; init_daemon_domain(md_ctrl) allow md_ctrl ccci_device:chr_file { rw_file_perms }; allow md_ctrl devpts:chr_file { rw_file_perms }; -allow md_ctrl self:capability dac_override; +#allow md_ctrl self:capability dac_override; allow md_ctrl muxreport_exec:file rx_file_perms; allow md_ctrl emd_device:chr_file { rw_file_perms }; allow md_ctrl eemcs_device:chr_file { rw_file_perms }; diff --git a/non_plat/merged_hal_service.te b/non_plat/merged_hal_service.te index 48fe689..d4cde7d 100644 --- a/non_plat/merged_hal_service.te +++ b/non_plat/merged_hal_service.te 
@@ -58,7 +58,7 @@ allow merged_hal_service gyroscope_device:chr_file r_file_perms; allow merged_hal_service init:unix_stream_socket connectto; allow merged_hal_service property_socket:sock_file write; allow merged_hal_service sysfs:file write; -allow merged_hal_service self:capability { fowner chown dac_override fsetid }; +#allow merged_hal_service self:capability { fowner chown dac_override fsetid }; allow merged_hal_service system_data_file:dir create_file_perms; allow merged_hal_service nvram_device:chr_file rw_file_perms; allow merged_hal_service pro_info_device:chr_file rw_file_perms; diff --git a/non_plat/mnld.te b/non_plat/mnld.te index a0816d1..b98c18b 100644 --- a/non_plat/mnld.te +++ b/non_plat/mnld.te @@ -56,7 +56,7 @@ allow mnld block_device:dir search; allow mnld mnld_prop:property_service set; allow mnld property_socket:sock_file write; allow mnld mdlog_device:chr_file { read write }; -allow mnld self:capability { fsetid dac_override }; +#allow mnld self:capability { fsetid dac_override }; allow mnld stpbt_device:chr_file { read write }; allow mnld ttyGS_device:chr_file { read write }; # Purpose : For file system operations diff --git a/non_plat/mpe.te b/non_plat/mpe.te index c2f84e3..84c62d7 100644 --- a/non_plat/mpe.te +++ b/non_plat/mpe.te @@ -24,7 +24,7 @@ allow MPED sdcard_type:file create_file_perms; allow MPED sdcard_type:dir create_dir_perms; allow MPED init:unix_stream_socket connectto; allow MPED init:udp_socket rw_socket_perms; -allow MPED self:capability { fsetid dac_override }; +#allow MPED self:capability { fsetid dac_override }; allow MPED sysfs:file rw_file_perms; allow MPED tmpfs:lnk_file create_file_perms; # TODO::mtk work around and will fix it later diff --git a/non_plat/mtkfusionrild.te b/non_plat/mtkfusionrild.te index e89ef50..62256a4 100644 --- a/non_plat/mtkfusionrild.te +++ b/non_plat/mtkfusionrild.te 
@@ -15,7 +15,7 @@ allow rild kernel:system module_request; # Capabilities assigned for rild allow rild self:capability { setuid net_admin net_raw }; -allow rild self:capability dac_override; +#allow rild self:capability dac_override; # Control cgroups allow rild cgroup:dir create_dir_perms; diff --git a/non_plat/mtkrild.te b/non_plat/mtkrild.te index 36a9509..1e747a7 100644 --- a/non_plat/mtkrild.te +++ b/non_plat/mtkrild.te @@ -18,7 +18,7 @@ allow mtkrild kernel:system module_request; # Capabilities assigned for mtkrild allow mtkrild self:capability { setuid net_admin net_raw }; -allow mtkrild self:capability dac_override; +#allow mtkrild self:capability dac_override; # Control cgroups allow mtkrild cgroup:dir create_dir_perms; diff --git a/non_plat/muxreport.te b/non_plat/muxreport.te index 48a3748..5097b94 100644 --- a/non_plat/muxreport.te +++ b/non_plat/muxreport.te @@ -13,7 +13,7 @@ type muxreport ,domain; init_daemon_domain(muxreport) # Capabilities assigned for muxreport -allow muxreport self:capability dac_override; +#allow muxreport self:capability dac_override; # Property service # allow set muxreport control properties diff --git a/non_plat/nvram_agent_binder.te b/non_plat/nvram_agent_binder.te index ce4b47f..f9e2378 100644 --- a/non_plat/nvram_agent_binder.te +++ b/non_plat/nvram_agent_binder.te @@ -41,7 +41,7 @@ allow nvram_agent_binder gyroscope_device:chr_file r_file_perms; allow nvram_agent_binder init:unix_stream_socket connectto; allow nvram_agent_binder property_socket:sock_file write; allow nvram_agent_binder sysfs:file write; -allow nvram_agent_binder self:capability { fowner chown dac_override fsetid }; +#allow nvram_agent_binder self:capability { fowner chown dac_override fsetid }; allow nvram_agent_binder system_data_file:dir create_file_perms; # Purpose: for backup diff --git a/non_plat/nvram_daemon.te b/non_plat/nvram_daemon.te index 7c67064..069b677 100644 --- a/non_plat/nvram_daemon.te +++ b/non_plat/nvram_daemon.te 
@@ -52,7 +52,7 @@ allow nvram_daemon init:unix_stream_socket connectto; # Purpose: for property set #allow nvram_daemon property_socket:sock_file w_file_perms; allow nvram_daemon sysfs:file w_file_perms; -allow nvram_daemon self:capability { fowner chown dac_override fsetid }; +#allow nvram_daemon self:capability { fowner chown dac_override fsetid }; # Purpose: for backup allow nvram_daemon nvram_device:chr_file rw_file_perms; diff --git a/non_plat/radio.te b/non_plat/radio.te index a37ebb2..7f24a21 100644 --- a/non_plat/radio.te +++ b/non_plat/radio.te @@ -96,7 +96,7 @@ allow radio media_rw_data_file:file { create_file_perms }; # Purpose : # Swift APK integration - access ccci dir/file allow radio ccci_fsd:dir { r_dir_perms }; -allow radio ccci_fsd:file { r_file_perms }; +#allow radio ccci_fsd:file { r_file_perms }; # Date : 2016/07/25 # Operation : Bluetooth access NVRAM fail in Engineer Mode diff --git a/non_plat/spm_loader.te b/non_plat/spm_loader.te index 0690864..ff4c72a 100644 --- a/non_plat/spm_loader.te +++ b/non_plat/spm_loader.te @@ -16,5 +16,5 @@ type spm_loader ,domain; init_daemon_domain(spm_loader) # Read to /dev/spm -allow spm_loader self:capability { dac_read_search dac_override }; +#allow spm_loader self:capability { dac_read_search dac_override }; allow spm_loader spm_device:chr_file r_file_perms; diff --git a/non_plat/stp_dump3.te b/non_plat/stp_dump3.te index 6fd89ac..b366cfe 100644 --- a/non_plat/stp_dump3.te +++ b/non_plat/stp_dump3.te 
@@ -21,7 +21,7 @@ type stp_dump3 ,domain; # MTK Policy Rule # ============================================== file_type_auto_trans(stp_dump3,system_data_file,stp_dump_data_file) -allow stp_dump3 self:capability { net_admin fowner chown fsetid dac_override }; +#allow stp_dump3 self:capability { net_admin fowner chown fsetid dac_override }; allow stp_dump3 self:netlink_socket { read write getattr bind create setopt }; allow stp_dump3 self:netlink_generic_socket { read write getattr bind create setopt }; #allow stp_dump3 media_rw_data_file:sock_file { write create unlink setattr }; diff --git a/non_plat/thermal_manager.te b/non_plat/thermal_manager.te index ee20323..d373baa 100644 --- a/non_plat/thermal_manager.te +++ b/non_plat/thermal_manager.te @@ -19,7 +19,7 @@ allow thermal_manager proc_mtkcooler:file rw_file_perms; allow thermal_manager proc_mtktz:file rw_file_perms; allow thermal_manager proc_thermal:file rw_file_perms; allow thermal_manager system_data_file:dir { write add_name }; -allow thermal_manager self:capability { fowner chown fsetid dac_override }; +#allow thermal_manager self:capability { fowner chown fsetid dac_override }; # Date : WK15.30 # Operation : Migration diff --git a/non_plat/update_engine.te b/non_plat/update_engine.te index 413b9e7..94c9ec8 100644 --- a/non_plat/update_engine.te +++ b/non_plat/update_engine.te @@ -19,7 +19,7 @@ allow update_engine para_block_device:blk_file rw_file_perms; # Add for update_engine call by system_app -allow update_engine self:capability dac_override; +#allow update_engine self:capability dac_override; allow update_engine system_app:binder { call transfer }; # Add for update_engine with postinstall diff --git a/non_plat/wmt_loader.te b/non_plat/wmt_loader.te index eeaf813..a947f98 100644 --- a/non_plat/wmt_loader.te +++ b/non_plat/wmt_loader.te 
@@ -13,7 +13,7 @@ type wmt_loader_exec , exec_type, file_type, vendor_file_type; # ============================================== init_daemon_domain(wmt_loader) -allow wmt_loader self:capability { chown dac_override }; +#allow wmt_loader self:capability { chown dac_override }; # Set the property set_prop(wmt_loader, wmt_prop) diff --git a/plat_private/aee_aed.te b/plat_private/aee_aed.te index 742d000..94481d1 100644 --- a/plat_private/aee_aed.te +++ b/plat_private/aee_aed.te @@ -90,7 +90,7 @@ allow aee_aed tombstone_data_file:dir w_dir_perms; allow aee_aed tombstone_data_file:file create_file_perms; # /proc/pid/ -allow aee_aed self:capability { fowner chown dac_override fsetid sys_nice sys_resource net_admin sys_module setgid setuid kill }; +#allow aee_aed self:capability { fowner chown dac_override fsetid sys_nice sys_resource net_admin sys_module setgid setuid kill }; # system(cmd) aee_dumpstate aee_archive allow aee_aed shell_exec:file rx_file_perms; diff --git a/plat_private/audiocmdservice_atci.te b/plat_private/audiocmdservice_atci.te index 62dc5ef..cf24268 100644 --- a/plat_private/audiocmdservice_atci.te +++ b/plat_private/audiocmdservice_atci.te @@ -39,7 +39,7 @@ allow audiocmdservice_atci media_rw_data_file:file create_file_perms; allow audiocmdservice_atci kmsg_device:chr_file w_file_perms; userdebug_or_eng(` - allow audiocmdservice_atci self:capability { dac_override sys_nice fowner chown fsetid setuid ipc_lock net_admin}; + allow audiocmdservice_atci self:capability { sys_nice fowner chown fsetid setuid ipc_lock net_admin}; ') #audio-daemon needs to controlled from adb shell by AudioTuningTool diff --git a/plat_private/boot_logo_updater.te b/plat_private/boot_logo_updater.te index 3e8f405..3217a1c 100644 --- a/plat_private/boot_logo_updater.te +++ b/plat_private/boot_logo_updater.te 
@@ -21,7 +21,7 @@ allow boot_logo_updater graphics_device:chr_file rw_file_perms; # For IPC communication allow boot_logo_updater init:unix_stream_socket connectto; allow boot_logo_updater property_socket:sock_file write; -allow boot_logo_updater self:capability dac_override; +#allow boot_logo_updater self:capability dac_override; # To access some boot_mode infornation allow boot_logo_updater sysfs:file rw_file_perms; # To access directory /dev/block/mmcblk0 or /dev/block/sdc diff --git a/plat_private/em_svr.te b/plat_private/em_svr.te index 431df7c..7f7fa41 100644 --- a/plat_private/em_svr.te +++ b/plat_private/em_svr.te @@ -36,7 +36,7 @@ allow em_svr graphics_device:dir search; allow em_svr radio_data_file:dir { search write add_name create }; allow em_svr radio_data_file:file { create write open read }; allow em_svr sysfs_devices_system_cpu:file write; -allow em_svr self:capability { dac_override sys_nice fowner chown fsetid }; +#allow em_svr self:capability { dac_override sys_nice fowner chown fsetid }; allow em_svr self:process execmem; allow em_svr system_data_file:dir { write remove_name add_name relabelfrom create open }; allow em_svr kernel:system module_request; diff --git a/plat_private/factory.te b/plat_private/factory.te index 9144c69..dfd738f 100644 --- a/plat_private/factory.te +++ b/plat_private/factory.te 
@@ -19,7 +19,7 @@ allow factory kernel:system module_request; allow factory node:tcp_socket node_bind; allow factory userdata_block_device:blk_file rw_file_perms; allow factory port:tcp_socket { name_bind name_connect }; -allow factory self:capability { sys_module ipc_lock sys_nice dac_override net_raw fsetid net_admin sys_time sys_boot sys_admin }; +#allow factory self:capability { sys_module ipc_lock sys_nice dac_override net_raw fsetid net_admin sys_time sys_boot sys_admin }; allow factory sdcard_type:dir r_dir_perms; ### TBD, neverallowxperm on line 177 of system/sepolicy/public/domain.te #allow factory self:netlink_route_socket create_socket_perms; diff --git a/plat_private/fuelgauged_static.te b/plat_private/fuelgauged_static.te index aba4019..fdbf7c1 100644 --- a/plat_private/fuelgauged_static.te +++ b/plat_private/fuelgauged_static.te @@ -47,4 +47,4 @@ allow fuelgauged_static system_data_file:dir rw_dir_perms; allow fuelgauged_static rootfs:file entrypoint; # Data : WK16.39 -allow fuelgauged_static self:capability { chown fsetid dac_override }; +#allow fuelgauged_static self:capability { chown fsetid dac_override }; diff --git a/plat_private/kisd.te b/plat_private/kisd.te index 334b50c..32d8f1c 100644 --- a/plat_private/kisd.te +++ b/plat_private/kisd.te @@ -28,7 +28,7 @@ allow kisd dkb_block_device:blk_file {read write open ioctl getattr}; allow kisd key_install_data_file:dir {write remove_name add_name}; allow kisd key_install_data_file:file {write getattr read create unlink open}; allow kisd key_install_data_file:dir search; -allow kisd self:capability {dac_override dac_read_search}; +#allow kisd self:capability {dac_override dac_read_search}; allow kisd mtd_device:chr_file { open read write }; allow kisd mtd_device:dir { search }; allow kisd kb_block_device:chr_file {read write open ioctl getattr}; diff --git a/plat_private/meta_tst.te b/plat_private/meta_tst.te index 39e09b3..f4da912 100644 --- a/plat_private/meta_tst.te +++ b/plat_private/meta_tst.te 
@@ -21,7 +21,7 @@ init_daemon_domain(meta_tst) #============= meta_tst ========================= allow meta_tst port:tcp_socket { name_connect name_bind }; -allow meta_tst self:capability { net_raw chown fsetid sys_nice net_admin fowner dac_override sys_admin }; +#allow meta_tst self:capability { net_raw chown fsetid sys_nice net_admin fowner dac_override sys_admin }; allow meta_tst self:tcp_socket { create connect setopt bind }; allow meta_tst self:tcp_socket { bind setopt listen accept read write }; allow meta_tst self:udp_socket { create ioctl }; @@ -29,7 +29,7 @@ allow meta_tst self:capability { sys_boot ipc_lock }; allow meta_tst sysfs_wake_lock:file rw_file_perms; #allow meta_tst sysfs:file write; allow meta_tst property_socket:sock_file w_file_perms; -allow meta_tst vold_socket:sock_file w_file_perms; +#allow meta_tst vold_socket:sock_file w_file_perms; allow meta_tst init:unix_stream_socket connectto; allow meta_tst kisd:unix_stream_socket connectto; allow meta_tst vold:unix_stream_socket connectto; diff --git a/plat_private/mobile_log_d.te b/plat_private/mobile_log_d.te index fd89e50..9a38913 100644 --- a/plat_private/mobile_log_d.te +++ b/plat_private/mobile_log_d.te @@ -22,7 +22,7 @@ set_prop(mobile_log_d, debug_prop) unix_socket_connect(mobile_log_d, logdr, logd); #capability -allow mobile_log_d self:capability { setuid setgid chown dac_read_search dac_override fowner fsetid }; +#allow mobile_log_d self:capability { setuid setgid chown dac_read_search dac_override fowner fsetid }; allow mobile_log_d self:capability2 syslog; #aee mode switch diff --git a/plat_private/ppp.te b/plat_private/ppp.te index 3b4c84a..5b3376f 100644 --- a/plat_private/ppp.te +++ b/plat_private/ppp.te 
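Review bot: In the second meta_tst.te hunk, `#allow meta_tst vold_socket:sock_file w_file_perms;` disables only half of the vold socket path, because the context line `allow meta_tst vold:unix_stream_socket connectto;` two lines below stays active. Without write on the socket file that `connectto` grant is presumably unusable, so it is dead policy that still reads as an intended channel to vold. storagemanagerd.te takes the other route in this commit and comments out the whole `unix_socket_connect(storagemanagerd, vold, vold)` macro. Either drop the `connectto` rule as well or add a comment saying why it remains; the same applies to the prebuilts/api/26.0 copy of meta_tst.te.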
@@ -16,7 +16,7 @@ allow ppp property_socket:sock_file write; # Purpose: for PPPOE Test allow ppp devpts:chr_file { read write ioctl open setattr }; -allow ppp self:capability { setuid net_raw setgid dac_override }; +#allow ppp self:capability { setuid net_raw setgid dac_override }; ### TBD, neverallowxperm on line 177 of system/sepolicy/public/domain.te #allow ppp self:packet_socket { write ioctl setopt read bind create }; allow ppp shell_exec:file { read execute open execute_no_trans }; diff --git a/plat_private/storagemanagerd.te b/plat_private/storagemanagerd.te index d8b78b2..9c43b79 100644 --- a/plat_private/storagemanagerd.te +++ b/plat_private/storagemanagerd.te @@ -14,7 +14,7 @@ typeattribute storagemanagerd coredomain; init_daemon_domain(storagemanagerd) -unix_socket_connect(storagemanagerd, vold, vold) +#unix_socket_connect(storagemanagerd, vold, vold) # storagemanagerd sends information back to dumpstate when "adb bugreport" is used allow storagemanagerd dumpstate:fd use; diff --git a/prebuilts/api/26.0/nonplat_sepolicy.cil b/prebuilts/api/26.0/nonplat_sepolicy.cil index bc05840..3627dc3 100755 --- a/prebuilts/api/26.0/nonplat_sepolicy.cil +++ b/prebuilts/api/26.0/nonplat_sepolicy.cil @@ -2551,8 +2551,6 @@ (roletype object_r debugfs_usb20_phy) (type debugfs_dynamic_debug) (roletype object_r debugfs_dynamic_debug) -(type debugfs_wakeup_sources) -(roletype object_r debugfs_wakeup_sources) (type debugfs_shrinker_debug) (roletype object_r debugfs_shrinker_debug) (type debugfs_dmlog_debug) 
@@ -10308,7 +10306,7 @@ (allow epdg_wod self (tun_socket (create relabelfrom relabelto))) (allow epdg_wod tun_device_26_0 (chr_file (ioctl read write getattr open))) (allow epdg_wod self (netlink_route_socket (read write create getattr bind setopt nlmsg_read nlmsg_write))) -(allow epdg_wod self (capability (dac_override kill net_admin))) +(allow epdg_wod self (capability (kill net_admin))) (allow epdg_wod ipsec_exec (file (read getattr execute execute_no_trans open))) (allow epdg_wod ipsec (process (sigkill signull signal))) (allow epdg_wod init_26_0 (unix_stream_socket (connectto))) @@ -10349,7 +10347,7 @@ (allow ipsec epdg_wod (fd (use))) (allow ipsec charon_exec (file (execute_no_trans))) (allow ipsec fwmarkd_socket_26_0 (sock_file (write))) -(allow ipsec self (capability (dac_override kill net_bind_service net_admin))) +(allow ipsec self (capability (kill net_bind_service net_admin))) (allow ipsec self (tcp_socket (read write create getattr connect getopt))) (allow ipsec self (udp_socket (read write create bind setopt))) (allow ipsec self (netlink_route_socket (read write create bind nlmsg_read nlmsg_write))) @@ -10579,7 +10577,6 @@ (allow wfca volte_ua (fd (use))) (allow wfca volte_ua (udp_socket (read write getattr getopt setopt shutdown))) (allow wfca self (packet_socket (read create setopt))) -(allow wfca self (capability (dac_override))) (allow wfca self (capability2 (block_suspend))) (allow wfca netd_26_0 (unix_stream_socket (connectto))) (allow wfca netd_socket_26_0 (sock_file (write))) diff --git a/prebuilts/api/26.0/plat_private/aee_aed.te b/prebuilts/api/26.0/plat_private/aee_aed.te index 4d15e2f..64591a5 100755 --- a/prebuilts/api/26.0/plat_private/aee_aed.te +++ b/prebuilts/api/26.0/plat_private/aee_aed.te 
@@ -90,7 +90,7 @@ allow aee_aed tombstone_data_file:dir w_dir_perms; allow aee_aed tombstone_data_file:file create_file_perms; # /proc/pid/ -allow aee_aed self:capability { fowner chown dac_override fsetid sys_nice sys_resource net_admin sys_module}; +#allow aee_aed self:capability { fowner chown dac_override fsetid sys_nice sys_resource net_admin sys_module}; # system(cmd) aee_dumpstate aee_archive allow aee_aed shell_exec:file rx_file_perms; diff --git a/prebuilts/api/26.0/plat_private/audiocmdservice_atci.te b/prebuilts/api/26.0/plat_private/audiocmdservice_atci.te index 1422927..abf9061 100755 --- a/prebuilts/api/26.0/plat_private/audiocmdservice_atci.te +++ b/prebuilts/api/26.0/plat_private/audiocmdservice_atci.te @@ -39,7 +39,7 @@ allow audiocmdservice_atci media_rw_data_file:file create_file_perms; allow audiocmdservice_atci kmsg_device:chr_file w_file_perms; userdebug_or_eng(` - allow audiocmdservice_atci self:capability { dac_override sys_nice fowner chown fsetid setuid ipc_lock net_admin}; + allow audiocmdservice_atci self:capability { sys_nice fowner chown fsetid setuid ipc_lock net_admin}; ') #audio-daemon needs to controlled from adb shell by AudioTuningTool diff --git a/prebuilts/api/26.0/plat_private/boot_logo_updater.te b/prebuilts/api/26.0/plat_private/boot_logo_updater.te index ca2a381..62e63fa 100755 --- a/prebuilts/api/26.0/plat_private/boot_logo_updater.te +++ b/prebuilts/api/26.0/plat_private/boot_logo_updater.te @@ -21,7 +21,7 @@ allow boot_logo_updater graphics_device:chr_file rw_file_perms; # For IPC communication allow boot_logo_updater init:unix_stream_socket connectto; allow boot_logo_updater property_socket:sock_file write; -allow boot_logo_updater self:capability dac_override; +#allow boot_logo_updater self:capability dac_override; # To access some boot_mode infornation allow boot_logo_updater sysfs:file rw_file_perms; # To access directory /dev/block/mmcblk0 or /dev/block/sdc 
diff --git a/prebuilts/api/26.0/plat_private/em_svr.te b/prebuilts/api/26.0/plat_private/em_svr.te index 713b614..460e33a 100755 --- a/prebuilts/api/26.0/plat_private/em_svr.te +++ b/prebuilts/api/26.0/plat_private/em_svr.te @@ -36,7 +36,7 @@ allow em_svr graphics_device:dir search; allow em_svr radio_data_file:dir { search write add_name create }; allow em_svr radio_data_file:file { create write open read }; allow em_svr sysfs_devices_system_cpu:file write; -allow em_svr self:capability { dac_override sys_nice fowner chown fsetid }; +#allow em_svr self:capability { dac_override sys_nice fowner chown fsetid }; allow em_svr self:process execmem; allow em_svr system_data_file:dir { write remove_name add_name relabelfrom create open }; allow em_svr kernel:system module_request; diff --git a/prebuilts/api/26.0/plat_private/factory.te b/prebuilts/api/26.0/plat_private/factory.te index 9144c69..ca25c0a 100755 --- a/prebuilts/api/26.0/plat_private/factory.te +++ b/prebuilts/api/26.0/plat_private/factory.te @@ -18,7 +18,7 @@ allow factory init:unix_stream_socket connectto; allow factory kernel:system module_request; allow factory node:tcp_socket node_bind; allow factory userdata_block_device:blk_file rw_file_perms; -allow factory port:tcp_socket { name_bind name_connect }; +#allow factory port:tcp_socket { name_bind name_connect }; allow factory self:capability { sys_module ipc_lock sys_nice dac_override net_raw fsetid net_admin sys_time sys_boot sys_admin }; allow factory sdcard_type:dir r_dir_perms; ### TBD, neverallowxperm on line 177 of system/sepolicy/public/domain.te diff --git a/prebuilts/api/26.0/plat_private/fuelgauged_static.te b/prebuilts/api/26.0/plat_private/fuelgauged_static.te index aba4019..fdbf7c1 100755 --- a/prebuilts/api/26.0/plat_private/fuelgauged_static.te +++ b/prebuilts/api/26.0/plat_private/fuelgauged_static.te 
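Review bot: The prebuilts/api/26.0 copy of factory.te disables `allow factory port:tcp_socket { name_bind name_connect };` and leaves the `allow factory self:capability` line, which still carries `dac_override`, `sys_module` and `sys_admin`, in force. That is the opposite of what the plat_private/factory.te hunk does to the same starting blob (9144c69), where the capability line is commented out and the port rule is kept. It looks as if the `#` landed one line early here; if the two files are meant to agree, the port rule should stay and the capability line is the one to change. Separately, prebuilts/api/26.0 reads like a frozen snapshot of the 26.0 policy, so it is worth confirming that hand edits to it (including nonplat_sepolicy.cil) are intended.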
@@ -47,4 +47,4 @@ allow fuelgauged_static system_data_file:dir rw_dir_perms; allow fuelgauged_static rootfs:file entrypoint; # Data : WK16.39 -allow fuelgauged_static self:capability { chown fsetid dac_override }; +#allow fuelgauged_static self:capability { chown fsetid dac_override }; diff --git a/prebuilts/api/26.0/plat_private/kisd.te b/prebuilts/api/26.0/plat_private/kisd.te index 9bfa053..c952116 100755 --- a/prebuilts/api/26.0/plat_private/kisd.te +++ b/prebuilts/api/26.0/plat_private/kisd.te @@ -26,7 +26,7 @@ allow kisd dkb_block_device:blk_file {read write open ioctl getattr}; allow kisd key_install_data_file:dir {write remove_name add_name}; allow kisd key_install_data_file:file {write getattr read create unlink open}; allow kisd key_install_data_file:dir search; -allow kisd self:capability {dac_override dac_read_search}; +#allow kisd self:capability {dac_override dac_read_search}; allow kisd mtd_device:chr_file { open read write }; allow kisd mtd_device:dir { search }; allow kisd kb_block_device:chr_file {read write open ioctl getattr}; diff --git a/prebuilts/api/26.0/plat_private/meta_tst.te b/prebuilts/api/26.0/plat_private/meta_tst.te index 39e09b3..f4da912 100755 --- a/prebuilts/api/26.0/plat_private/meta_tst.te +++ b/prebuilts/api/26.0/plat_private/meta_tst.te @@ -21,7 +21,7 @@ init_daemon_domain(meta_tst) #============= meta_tst ========================= allow meta_tst port:tcp_socket { name_connect name_bind }; -allow meta_tst self:capability { net_raw chown fsetid sys_nice net_admin fowner dac_override sys_admin }; +#allow meta_tst self:capability { net_raw chown fsetid sys_nice net_admin fowner dac_override sys_admin }; allow meta_tst self:tcp_socket { create connect setopt bind }; allow meta_tst self:tcp_socket { bind setopt listen accept read write }; allow meta_tst self:udp_socket { create ioctl }; 
@@ -29,7 +29,7 @@ allow meta_tst self:capability { sys_boot ipc_lock }; allow meta_tst sysfs_wake_lock:file rw_file_perms; #allow meta_tst sysfs:file write; allow meta_tst property_socket:sock_file w_file_perms; -allow meta_tst vold_socket:sock_file w_file_perms; +#allow meta_tst vold_socket:sock_file w_file_perms; allow meta_tst init:unix_stream_socket connectto; allow meta_tst kisd:unix_stream_socket connectto; allow meta_tst vold:unix_stream_socket connectto; diff --git a/prebuilts/api/26.0/plat_private/mobile_log_d.te b/prebuilts/api/26.0/plat_private/mobile_log_d.te index fd89e50..9a38913 100755 --- a/prebuilts/api/26.0/plat_private/mobile_log_d.te +++ b/prebuilts/api/26.0/plat_private/mobile_log_d.te @@ -22,7 +22,7 @@ set_prop(mobile_log_d, debug_prop) unix_socket_connect(mobile_log_d, logdr, logd); #capability -allow mobile_log_d self:capability { setuid setgid chown dac_read_search dac_override fowner fsetid }; +#allow mobile_log_d self:capability { setuid setgid chown dac_read_search dac_override fowner fsetid }; allow mobile_log_d self:capability2 syslog; #aee mode switch diff --git a/prebuilts/api/26.0/plat_private/ppp.te b/prebuilts/api/26.0/plat_private/ppp.te index 3b4c84a..5b3376f 100755 --- a/prebuilts/api/26.0/plat_private/ppp.te +++ b/prebuilts/api/26.0/plat_private/ppp.te @@ -16,7 +16,7 @@ allow ppp property_socket:sock_file write; # Purpose: for PPPOE Test allow ppp devpts:chr_file { read write ioctl open setattr }; -allow ppp self:capability { setuid net_raw setgid dac_override }; +#allow ppp self:capability { setuid net_raw setgid dac_override }; ### TBD, neverallowxperm on line 177 of system/sepolicy/public/domain.te #allow ppp self:packet_socket { write ioctl setopt read bind create }; allow ppp shell_exec:file { read execute open execute_no_trans }; diff --git a/prebuilts/api/26.0/plat_private/storagemanagerd.te b/prebuilts/api/26.0/plat_private/storagemanagerd.te index d8b78b2..9c43b79 100755 
--- a/prebuilts/api/26.0/plat_private/storagemanagerd.te +++ b/prebuilts/api/26.0/plat_private/storagemanagerd.te @@ -14,7 +14,7 @@ typeattribute storagemanagerd coredomain; init_daemon_domain(storagemanagerd) -unix_socket_connect(storagemanagerd, vold, vold) +#unix_socket_connect(storagemanagerd, vold, vold) # storagemanagerd sends information back to dumpstate when "adb bugreport" is used allow storagemanagerd dumpstate:fd use;