fixup! sepolicy: Allow fsck_untrusted to be sys_admin

2024-09-08 22:47:09 +02:00 · 2024-09-08 22:47:09 +02:00 · 52542bfa6a
commit 52542bfa6a
parent caa5a8a29e
2 changed files with 2 additions and 2 deletions
--- a/prebuilts/api/202404/public/fsck_untrusted.te
+++ b/prebuilts/api/202404/public/fsck_untrusted.te
@ -51,7 +51,7 @@ neverallow fsck_untrusted { file_type fs_type -fsck_exec }:file entrypoint;
 # fsck_untrusted should never have sys_admin permissions. If it requires sys_admin
 # permissions, that is a code mistake that needs to be fixed, not a permission that
 # should be granted. Same with setgid and setuid.
-neverallow fsck_untrusted self:global_capability_class_set { setgid setuid };
+neverallow fsck_untrusted self:global_capability_class_set { setgid setuid sys_admin };

 ###
 ### dontaudit rules
--- a/private/fsck_untrusted.te
+++ b/private/fsck_untrusted.te
@ -50,7 +50,7 @@ neverallow fsck_untrusted { file_type fs_type -fsck_exec }:file entrypoint;
 # fsck_untrusted should never have sys_admin permissions. If it requires sys_admin
 # permissions, that is a code mistake that needs to be fixed, not a permission that
 # should be granted. Same with setgid and setuid.
-neverallow fsck_untrusted self:global_capability_class_set { setgid setuid sys_admin };
+neverallow fsck_untrusted self:global_capability_class_set { setgid setuid };

 ###
 ### dontaudit rules