tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Merge "Revert "Relax neverallows for vendor to use /system/bin/sh"" into main

Browse source
This commit is contained in:
Jernej Virag 2024-02-16 10:13:22 +00:00 committed by Gerrit Code Review
commit bbff9f5ea1
2 changed files with 1 additions and 13 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
public/domain.te
View file

@ -924,9 +924,6 @@ full_treble_only(`
-crash_dump_exec -crash_dump_exec
-netutils_wrapper_exec -netutils_wrapper_exec
userdebug_or_eng(`-tcpdump_exec') userdebug_or_eng(`-tcpdump_exec')
# Vendor components still can invoke shell commands via /system/bin/sh
-shell_exec
-toolbox_exec
}:file { entrypoint execute execute_no_trans }; }:file { entrypoint execute execute_no_trans };
') ')
@ -1007,9 +1004,6 @@ full_treble_only(`
-task_profiles_api_file -task_profiles_api_file
-task_profiles_file -task_profiles_file
userdebug_or_eng(`-tcpdump_exec') userdebug_or_eng(`-tcpdump_exec')
# Vendor components still can invoke shell commands via /system/bin/sh
-shell_exec
-toolbox_exec
}:file *; }:file *;
') ')

8
public/hal_neverallows.te
View file

@ -85,13 +85,7 @@ neverallow {
halserverdomain halserverdomain
-hal_dumpstate_server -hal_dumpstate_server
-hal_telephony_server -hal_telephony_server
} { } { file_type fs_type }:file execute_no_trans;
file_type
fs_type
# May invoke shell commands via /system/bin/sh
-shell_exec
-toolbox_exec
}:file execute_no_trans;
# Do not allow a process other than init to transition into a HAL domain. # Do not allow a process other than init to transition into a HAL domain.
neverallow { domain -init } halserverdomain:process transition; neverallow { domain -init } halserverdomain:process transition;
# Only allow transitioning to a domain by running its executable. Do not # Only allow transitioning to a domain by running its executable. Do not