
Anonymous committed ac0c39c Merge

Merge "Remove the unnecessary compatibility.te."


Files changed (2)

 BOARD_SEPOLICY_UNION := \
        app.te \
        bluetooth.te \
-       compatibility.te \
        device.te \
        domain.te \
        drmserver.te \

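--- a/sepolicy/compatibility.te
+++ /dev/null
-# This file contains autogenerated policy based on
-# denials seen in the wild.
-#
-# As a general rule, you should not add policy to
-# this file. You SHOULD treat this policy very
-# skeptically- while it does preserve compatibility,
-# it is also extremely overbroad.
-#
-# Over time this list should trend to size 0. Your
-# assistance in bringing it to 0 is highly appreciated.
-
-#============= adbd ==============
-allow adbd app_data_file:dir { write add_name };
-allow adbd app_data_file:file { write create open setattr };
-allow adbd kernel:process setsched;
-allow adbd proc:file write;
-allow adbd self:capability setpcap;
-
-#============= debuggerd ==============
-allow debuggerd system_server:unix_stream_socket connectto;
-allow debuggerd system_data_file:sock_file write;
-
-#============= dhcp ==============
-allow dhcp system_data_file:file open;
-allow dhcp unlabeled:file create;
-
-#============= drmserver ==============
-allow drmserver init:unix_stream_socket { read write };
-
-#============= init ==============
-allow init node:rawip_socket node_bind;
-
-#============= init_shell ==============
-allow init_shell init:fifo_file write;
-allow init_shell init:netlink_route_socket { read write };
-allow init_shell init:netlink_socket { read write };
-allow init_shell init:unix_stream_socket { read write };
-allow init_shell self:netlink_route_socket { write getattr setopt bind create nlmsg_read };
-
-#============= installd ==============
-allow installd download_file:dir { read search open getattr };
-
-#============= keystore ==============
-allow keystore init:unix_stream_socket { read write };
-
-#============= media_app ==============
-allow media_app system_data_file:file append;
-
-#============= mediaserver ==============
-allow mediaserver device:chr_file { read write ioctl open };
-allow mediaserver init:unix_dgram_socket sendto;
-allow mediaserver init:unix_stream_socket { read write };
-allow mediaserver system_data_file:file { write open };
-allow mediaserver system_data_file:sock_file write;
-
-#============= nfc ==============
-allow nfc device:chr_file { read write open };
-allow nfc init:unix_stream_socket { read write };
-#allow nfc system_data_file:dir { write remove_name add_name };
-#allow nfc system_data_file:file { write create unlink append };
-allow nfc unlabeled:file { read write open };
-
-#============= ping ==============
-allow ping adbd:process sigchld;
-
-#============= platform_app ==============
-allow platform_app device:chr_file { read write ioctl };
-allow platform_app init:binder { transfer call };
-allow platform_app init:unix_stream_socket { read write };
-#allow platform_app system_data_file:file append;
-allow platform_app unlabeled:file { read getattr open };
-
-#============= radio ==============
-allow radio init:binder call;
-allow radio init:unix_stream_socket { read write };
-allow radio system_data_file:file append;
-
-#============= release_app ==============
-allow release_app system_data_file:file append;
-allow release_app unlabeled:lnk_file read;
-
-#============= sdcardd ==============
-allow sdcardd unlabeled:dir { read open };
-
-#============= shared_app ==============
-allow shared_app device:chr_file { read write };
-allow shared_app init:binder call;
-allow shared_app init:unix_stream_socket { read write };
-allow shared_app init_tmpfs:file read;
-#allow shared_app system_data_file:file append;
-allow shared_app unlabeled:file { write lock getattr open read };
-
-#============= shell ==============
-allow shell apk_private_data_file:dir getattr;
-allow shell asec_image_file:dir getattr;
-allow shell backup_data_file:dir getattr;
-allow shell device:sock_file write;
-allow shell drm_data_file:dir getattr;
-allow shell nfc_data_file:dir getattr;
-allow shell rootfs:file getattr;
-allow shell sdcard_internal:dir { create rmdir };
-#allow shell self:capability { fowner fsetid dac_override };
-#allow shell self:capability2 syslog;
-#allow shell system_data_file:dir { write remove_name add_name };
-#allow shell system_data_file:file { write create setattr };
-allow shell unlabeled:dir getattr;
-allow shell vold:unix_stream_socket connectto;
-allow shell vold_socket:sock_file write;
-
-#============= surfaceflinger ==============
-allow surfaceflinger adbd:binder call;
-allow surfaceflinger device:chr_file { read write ioctl open };
-allow surfaceflinger init:dir search;
-allow surfaceflinger init:file { read open };
-allow surfaceflinger init:unix_stream_socket { read write };
-allow surfaceflinger platform_app:binder call;
-allow surfaceflinger shell_data_file:dir search;
-allow surfaceflinger sysfs:file write;
-allow surfaceflinger system_app:dir search;
-allow surfaceflinger system_app:file { read open };
-
-#============= system_server ==============
-allow system_server device:chr_file ioctl;
-allow system_server init:binder { transfer call };
-allow system_server init:unix_stream_socket { read write setopt };
-allow system_server proc:file write;
-allow system_server security_file:lnk_file read;
-allow system_server unlabeled:dir { read remove_name write open add_name };
-allow system_server unlabeled:file { rename getattr read create open ioctl append };
-
-#============= system_app ==============
-allow system_app init:unix_stream_socket { read write setopt };
-allow system_app unlabeled:file { read getattr open };
-
-#============= untrusted_app ==============
-allow untrusted_app device:chr_file { read write };
-allow untrusted_app init:binder { transfer call };
-allow untrusted_app init:dir { getattr search };
-allow untrusted_app init:file { read getattr open };
-allow untrusted_app init:unix_stream_socket { read write connectto };
-allow untrusted_app kernel:dir { getattr search };
-allow untrusted_app kernel:file { read getattr open };
-allow untrusted_app servicemanager:dir { getattr search };
-allow untrusted_app servicemanager:file { read getattr open };
-allow untrusted_app shell_data_file:dir search;
-allow untrusted_app shell_data_file:file { read getattr open };
-#allow untrusted_app system_data_file:file append;
-allow untrusted_app ueventd:dir { search getattr };
-allow untrusted_app ueventd:file { read getattr open };
-allow untrusted_app unlabeled:dir setattr;
-allow untrusted_app zygote:dir search;
-
-#============= vold ==============
-allow vold unlabeled:dir { read getattr open };
-
-#============= wpa ==============
-allow wpa init:unix_dgram_socket { read write sendto };
-allow wpa wifi_data_file:sock_file write;
-
-#============= zygote ==============
-allow zygote security_file:lnk_file read;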