From 52542bfa6aa3fc18249ca6811fd78eade7a70189 Mon Sep 17 00:00:00 2001
From: zlewchan <zlewchan@icloud.com>
Date: Sun, 8 Sep 2024 22:47:09 +0200
Subject: [PATCH] fixup! sepolicy: Allow fsck_untrusted to be sys_admin

---
 prebuilts/api/202404/public/fsck_untrusted.te | 2 +-
 private/fsck_untrusted.te                     | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/prebuilts/api/202404/public/fsck_untrusted.te b/prebuilts/api/202404/public/fsck_untrusted.te
index 0975d3f10..7e981bf27 100644
--- a/prebuilts/api/202404/public/fsck_untrusted.te
+++ b/prebuilts/api/202404/public/fsck_untrusted.te
@@ -51,7 +51,7 @@ neverallow fsck_untrusted { file_type fs_type -fsck_exec }:file entrypoint;
 # fsck_untrusted should never have sys_admin permissions. If it requires sys_admin
 # permissions, that is a code mistake that needs to be fixed, not a permission that
 # should be granted. Same with setgid and setuid.
-neverallow fsck_untrusted self:global_capability_class_set { setgid setuid };
+neverallow fsck_untrusted self:global_capability_class_set { setgid setuid sys_admin };
 
 ###
 ### dontaudit rules
diff --git a/private/fsck_untrusted.te b/private/fsck_untrusted.te
index 682831ff2..36ea05f98 100644
--- a/private/fsck_untrusted.te
+++ b/private/fsck_untrusted.te
@@ -50,7 +50,7 @@ neverallow fsck_untrusted { file_type fs_type -fsck_exec }:file entrypoint;
 # fsck_untrusted should never have sys_admin permissions. If it requires sys_admin
 # permissions, that is a code mistake that needs to be fixed, not a permission that
 # should be granted. Same with setgid and setuid.
-neverallow fsck_untrusted self:global_capability_class_set { setgid setuid sys_admin };
+neverallow fsck_untrusted self:global_capability_class_set { setgid setuid };
 
 ###
 ### dontaudit rules