sepolicy: Fix references to self:capability
commit 9b2e0cbeea added a new
self:global_capability_class_set macro that covers both self:capability
and self:cap_userns. Apply the new macro to various self:capability
references that have cropped up since then.
Bug: 112307595
Test: policy diff shows new rules are all cap_userns
Change-Id: I3eb38ef07532a8e693fd549dfdbc4a6df5329609
This commit is contained in:
Benjamin Gordon
parent
3784e7fcfa
commit
7ed266c678
6 changed files with 7 additions and 7 deletions
|
|
@ -27,4 +27,4 @@ neverallow bpfloader domain:{ tcp_socket udp_socket rawip_socket } *;
|
|||
# only system_server, netd and bpfloader can read/write the bpf maps
|
||||
neverallow { domain -system_server -netd -bpfloader} netd:bpf { map_read map_write };
|
||||
|
||||
dontaudit bpfloader self:capability sys_admin;
|
||||
dontaudit bpfloader self:global_capability_class_set sys_admin;
|
||||
|
|
|
|||
|
|
@ -35,7 +35,7 @@ allow traced_probes kmsg_device:chr_file write;
|
|||
allow traced_probes system_file:dir { open read };
|
||||
|
||||
# Allow traced_probes to list some of the data partition.
|
||||
allow traced_probes self:capability dac_read_search;
|
||||
allow traced_probes self:global_capability_class_set dac_read_search;
|
||||
|
||||
allow traced_probes apk_data_file:dir { getattr open read search };
|
||||
allow traced_probes dalvikcache_data_file:dir { getattr open read search };
|
||||
|
|
|
|||
|
|
@ -112,7 +112,7 @@ get_prop(zygote, overlay_prop)
|
|||
get_prop(zygote, exported_overlay_prop)
|
||||
|
||||
# ingore spurious denials
|
||||
dontaudit zygote self:capability sys_resource;
|
||||
dontaudit zygote self:global_capability_class_set sys_resource;
|
||||
|
||||
###
|
||||
### neverallow rules
|
||||
|
|
|
|||
|
|
@ -1397,8 +1397,8 @@ neverallow {
|
|||
-vold
|
||||
-vold_prepare_subdirs
|
||||
-zygote
|
||||
} self:capability dac_override;
|
||||
neverallow { domain -traced_probes } self:capability dac_read_search;
|
||||
} self:global_capability_class_set dac_override;
|
||||
neverallow { domain -traced_probes } self:global_capability_class_set dac_read_search;
|
||||
|
||||
# If an already existing file is opened with O_CREAT, the kernel might generate
|
||||
# a false report of a create denial. Silence these denials and make sure that
|
||||
|
|
|
|||
|
|
@ -4,4 +4,4 @@ binder_call(hal_bootctl_server, hal_bootctl_client)
|
|||
|
||||
hal_attribute_hwservice(hal_bootctl, hal_bootctl_hwservice)
|
||||
|
||||
dontaudit hal_bootctl self:capability sys_rawio;
|
||||
dontaudit hal_bootctl self:global_capability_class_set sys_rawio;
|
||||
|
|
|
|||
|
|
@ -19,7 +19,7 @@ wakelock_use(update_engine);
|
|||
|
||||
# Ignore these denials.
|
||||
dontaudit update_engine kernel:process setsched;
|
||||
dontaudit update_engine self:capability sys_rawio;
|
||||
dontaudit update_engine self:global_capability_class_set sys_rawio;
|
||||
|
||||
# Allow using persistent storage in /data/misc/update_engine.
|
||||
allow update_engine update_engine_data_file:dir create_dir_perms;
|
||||
|
|
|
|||
Loading…
Reference in a new issue