seandroid / Untitled project / external/sepolicy


Stephen Smalley committed 09258ad

Drop domain write access to sysfs for the emulator.

3.4 goldfish kernel supports sysfs labeling so we no longer need this.

Change-Id: I77514a8f3102ac8be957c57d95e7de7d5901f69d
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

  • Parent commits 2524fc8
  • Branches seandroid, seandroid-4.0.4, seandroid-4.1, seandroid-4.2, seandroid-4.3, seandroid-4.4

Files changed (2)

File assert.te

 neverallow appdomain efs_file:dir_file_class_set { read write };
 # Write to various pseudo file systems.
-# Violated by in_qemu conditional rule so commented out for now.
-#neverallow { appdomain -nfc } sysfs:dir_file_class_set write;
+neverallow { appdomain -nfc } sysfs:dir_file_class_set write;
 neverallow { appdomain -system_app } selinuxfs:dir_file_class_set write;
 neverallow appdomain proc:dir_file_class_set write;
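
Review bot: The re-enabled `neverallow { appdomain -nfc } sysfs:dir_file_class_set write;` only compiles because the `allow domain sysfs:file rw_file_perms;` rule is dropped from domain.te in this same commit, so the two hunks have to be picked to other branches together or the policy build will fail on the assertion. The `-nfc` exclusion also carries no comment saying why nfc may write to sysfs. Since the old explanatory comment is being deleted here, a one-line note on that exemption would keep the assertion self-documenting, in the same way the selinuxfs line would benefit from a note on `-system_app`.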

File domain.te

 # For /sys/qemu_trace files in the emulator.
 bool in_qemu false;
 if (in_qemu) {
-allow domain sysfs:file rw_file_perms;
 allow domain sysfs_writable:file rw_file_perms;
 # Read access to pseudo filesystems.
 r_dir_file(domain, proc)
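
Review bot: After the `allow domain sysfs:file rw_file_perms;` line is removed, the comment "# For /sys/qemu_trace files in the emulator." and the `bool in_qemu false;` / `if (in_qemu) {` lines stay behind, and nothing visible in this change shows /sys/qemu_trace being labeled `sysfs_writable`. The commit touches only assert.te and domain.te, so please confirm the labeling entry for that path already exists elsewhere in the tree. Otherwise emulator domains lose write access to the trace files with no replacement. It would also help to update the comment to say that access now depends on the kernel supporting sysfs labeling (the commit message names the 3.4 goldfish kernel), and to check whether the `in_qemu` boolean is still needed once this rule is gone.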