Merge "su.te: drop domain_deprecated and app auditallow rules."
commit
e288cfa120
2 changed files with 3 additions and 3 deletions
4
app.te
4
app.te
|
@ -219,8 +219,8 @@ selinux_check_access(appdomain)
|
|||
selinux_check_context(appdomain)
|
||||
|
||||
# appdomain should not be accessing information on /sys
|
||||
auditallow appdomain sysfs:dir { open getattr read ioctl };
|
||||
auditallow appdomain sysfs:file r_file_perms;
|
||||
auditallow { appdomain userdebug_or_eng(`-su') } sysfs:dir { open getattr read ioctl };
|
||||
auditallow { appdomain userdebug_or_eng(`-su') } sysfs:file r_file_perms;
|
||||
|
||||
###
|
||||
### Neverallow rules
|
||||
|
|
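Review bot: The comment above the two rewritten `auditallow` lines still says only that appdomain should not be accessing /sys, so the new `-su` exclusion on both the `sysfs:dir` and `sysfs:file` rules is unexplained where a policy reader meets it. Because the exclusion sits inside `userdebug_or_eng(...)`, it should disappear on user builds and leave the audited set as plain `appdomain`, but that is worth stating next to the rule rather than leaving it to the commit title. I would add a line such as `# su is exempt on userdebug/eng builds only; on user builds the macro expands to nothing and all of appdomain is still audited.` The reason su needs the exemption (presumably that it is a member of appdomain on debug builds and floods the audit log) is not visible in this section and should be confirmed before it is written into the comment.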
2
su.te
2
su.te
|
@ -5,7 +5,7 @@ userdebug_or_eng(`
|
|||
# Domain used for su processes, as well as for adbd and adb shell
|
||||
# after performing an adb root command. The domain definition is
|
||||
# wrapped to ensure that it does not exist at all on -user builds.
|
||||
type su, domain, domain_deprecated, mlstrustedsubject;
|
||||
type su, domain, mlstrustedsubject;
|
||||
domain_auto_trans(shell, su_exec, su)
|
||||
|
||||
# Allow dumpstate to call su on userdebug / eng builds to collect
|
||||
|
|