
Stephen Smalley  committed c9d1766

Use our policy.

  • Parent commits 1358c7d
  • Branches seandroid-4.3


Files changed (2)

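--- a/BoardConfig.mk
+++ b/BoardConfig.mk
 	genfs_contexts \
 	adbd.te \
 	app.te \
-	compatibility.te \
 	device.te \
 	domain.te \
 	gpsd.te \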
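Review bot: Dropping `compatibility.te` from the policy file list changes the effective policy but nothing in the commit records why, beyond the three-word description; the removed file itself says its rules "preserve compatibility" and are "extremely overbroad", so a reader of `BoardConfig.mk` alone cannot tell whether the accesses it granted (for example `unlabeled` and `init_tmpfs` reads for `untrusted_app`, `shared_app`, `platform_app` and `system`) are now meant to be denied or are expected to be re-expressed in the per-domain .te files. Suggest the description state that these autogenerated rules are removed on purpose and that any access still required is to be added narrowly in the owning domain's .te file rather than reintroducing the blanket list. The surrounding list in `BoardConfig.mk` continues outside the hunk, so whether any other compatibility-related entry remains cannot be confirmed from this view.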

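--- a/sepolicy/compatibility.te
+++ b/sepolicy/compatibility.te
-# This file contains autogenerated policy based on
-# denials seen in the wild.
-#
-# As a general rule, you should not add policy to
-# this file. You SHOULD treat this policy very
-# skeptically- while it does preserve compatibility,
-# it is also extremely overbroad.
-#
-# Over time this list should trend to size 0. Your
-# assistance in bringing it to 0 is highly appreciated.
-
-#============= adbd ==============
-allow adbd app_data_file:dir { write add_name };
-allow adbd app_data_file:file { write create open setattr };
-allow adbd proc:file write;
-
-#============= debuggerd ==============
-allow debuggerd system:unix_stream_socket connectto;
-allow debuggerd system_data_file:sock_file write;
-
-#============= dhcp ==============
-allow dhcp unlabeled:file create;
-
-#============= gpsd ==============
-allow gpsd system_data_file:fifo_file { read write open setattr };
-allow gpsd shell_exec:file { read execute open execute_no_trans };
-allow gpsd system_file:file execute_no_trans;
-
-#============= media_app ==============
-allow media_app init_tmpfs:file read;
-
-#============= nfc ==============
-allow nfc init_tmpfs:file read;
-allow nfc unlabeled:file { read write open };
-
-#============= ping ==============
-allow ping adbd:process sigchld;
-
-#============= platform_app ==============
-allow platform_app unlabeled:file { read getattr open };
-
-#============= release_app ==============
-allow release_app unlabeled:lnk_file read;
-
-#============= sdcardd ==============
-allow sdcardd unlabeled:dir { read open };
-
-#============= shared_app ==============
-allow shared_app init_tmpfs:file read;
-allow shared_app unlabeled:file { write getattr setattr read lock open };
-allow shared_app unlabeled:lnk_file read;
-
-#============= shell ==============
-allow shell apk_private_data_file:dir getattr;
-allow shell asec_image_file:dir getattr;
-allow shell backup_data_file:dir getattr;
-allow shell drm_data_file:dir getattr;
-allow shell efs_file:dir getattr;
-allow shell gps_data_file:dir getattr;
-allow shell nfc_data_file:dir getattr;
-allow shell rootfs:file getattr;
-allow shell sdcard_internal:dir { create rmdir };
-#allow shell self:capability { fowner fsetid dac_override };
-#allow shell self:capability2 syslog;
-#allow shell system_data_file:dir { write add_name };
-#allow shell system_data_file:file { write create setattr };
-allow shell vold:unix_stream_socket connectto;
-allow shell vold_socket:sock_file write;
-
-#============= surfaceflinger ==============
-allow surfaceflinger nfc:binder call;
-allow surfaceflinger platform_app:binder call;
-
-#============= system ==============
-allow system proc:file write;
-allow system unlabeled:dir { read remove_name write open add_name };
-allow system unlabeled:file { rename read create ioctl getattr unlink open append };
-
-#============= system_app ==============
-allow system_app unlabeled:file { read getattr open };
-
-#============= untrusted_app ==============
-allow untrusted_app init:dir { getattr search };
-allow untrusted_app init:file { read getattr open };
-allow untrusted_app kernel:dir { search getattr };
-allow untrusted_app kernel:file { read getattr open };
-allow untrusted_app shared_app:fifo_file write;
-allow untrusted_app unlabeled:dir { write getattr setattr read remove_name open add_name };
-allow untrusted_app unlabeled:file { read lock getattr open create };
-
-#============= vold ==============
-allow vold unlabeled:dir { read getattr open };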