Merge "Fix too-broad allows granted to domain"

2022-10-13 05:37:13 +00:00 · 2022-10-13 05:37:13 +00:00 · c3b7489ee5
commit c3b7489ee5
parent 9a8980aed5 4e141f6241
2 changed files with 2 additions and 3 deletions
--- a/microdroid/system/private/domain.te
+++ b/microdroid/system/private/domain.te
@ -217,9 +217,6 @@ allowxperm domain dev_type:blk_file ioctl { BLKGETSIZE64 BLKSSZGET };
 allow domain apex_mnt_dir:dir { getattr search };
 allow domain apex_mnt_dir:lnk_file r_file_perms;

-allow domain self:global_capability_class_set audit_control;
-allow domain self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_write };
-
 # globally readable properties
 get_prop(domain, arm64_memtag_prop)
 get_prop(domain, bootloader_prop)
--- a/microdroid/system/private/init.te
+++ b/microdroid/system/private/init.te
@ -435,3 +435,5 @@ use_bootstrap_libs(init)
 allow init fuse:dir { search getattr };

 set_prop(init, property_type)
+
+allow init self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_relay };