-rw-r--r-- | plat_private/domain.te | 5 | ||||
-rw-r--r-- | plat_public/domain.te | 8 |
2 files changed, 13 insertions, 0 deletions
diff --git a/plat_private/domain.te b/plat_private/domain.te
index 3091c3c..8e246c2 100644
--- a/plat_private/domain.te
+++ b/plat_private/domain.te
@@ -22,6 +22,7 @@ full_treble_only(`
  -init
  -installd
  -iorap_prefetcherd
+ -iorap_inode2filename
  -logd
  -mediadrmserver
  -mediaextractor
@@ -54,6 +55,7 @@ full_treble_only(`
  neverallow installd system_data_file:file ~{ getattr relabelfrom unlink };
  neverallow iorap_prefetcherd system_data_file:file ~{ open read };
+ neverallow iorap_inode2filename system_data_file:file ~{ open read getattr };
  neverallow {
  mediadrmserver
@@ -74,6 +76,7 @@ full_treble_only(`
  init
  installd
  iorap_prefetcherd
+ iorap_inode2filename
  logd
  rs
  runas
@@ -100,6 +103,8 @@ full_treble_only(`
  neverallow iorap_prefetcherd system_data_file:lnk_file ~{ read open };
+ neverallow iorap_inode2filename system_data_file:lnk_file ~{ read open getattr };
+
  neverallow rs system_data_file:lnk_file ~{ read };
  neverallow {
diff --git a/plat_public/domain.te b/plat_public/domain.te
index cd362dd..9adf77e 100644
--- a/plat_public/domain.te
+++ b/plat_public/domain.te
@@ -171,6 +171,7 @@ full_treble_only(`
  -init
  -installd
  -iorap_prefetcherd
+ -iorap_inode2filename
  -system_server
  -toolbox
  -vold
@@ -183,6 +184,8 @@ full_treble_only(`
  neverallow installd system_data_file:file ~{ getattr relabelfrom unlink };
+ neverallow iorap_inode2filename system_data_file:file ~{ open read getattr };
+
  neverallow iorap_prefetcherd system_data_file:file ~{ open read };
  neverallow {
@@ -203,6 +206,7 @@ full_treble_only(`
  init
  installd
  iorap_prefetcherd
+ iorap_inode2filename
  logd
  rs
  runas
@@ -227,6 +231,8 @@ full_treble_only(`
  neverallow iorap_prefetcherd system_data_file:lnk_file ~{ read open };
+ neverallow iorap_inode2filename system_data_file:lnk_file ~{ read open getattr };
+
  neverallow rs system_data_file:lnk_file ~{ read };
  neverallow {
@@ -242,6 +248,7 @@ full_treble_only(`
  init
  installd
  iorap_prefetcherd
+ iorap_inode2filename
  system_server
  toolbox
  traced_probes
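Review bot: The `-iorap_inode2filename` entry added in hunk `@@ -22,6 +22,7 @@` exempts one more core domain from the full_treble_only restriction on system_data_file, and nothing beside the entry records why. A one-line comment such as `# iorap_inode2filename: <reason for exemption>; capped by the per-domain neverallow rules below` would let a later policy audit check whether the exemption is still needed. The same uncommented entry is added in hunk `@@ -74,6 +76,7 @@` and in plat_public/domain.te at `@@ -171,6 +171,7 @@`, `@@ -203,6 +206,7 @@` and `@@ -242,6 +248,7 @@`. The enclosing full_treble_only block starts and ends outside these hunks.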
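Review bot: The cap added in hunk `@@ -54,6 +55,7 @@`, `system_data_file:file ~{ open read getattr }`, still leaves `open` and `read` of system data file contents permitted for iorap_inode2filename. If the domain only stats entries to map inodes to paths (inferred from its name; its own .te file is not part of this change), the rule could be tightened to `neverallow iorap_inode2filename system_data_file:file ~{ getattr };`, so that a later allow rule granting content reads fails at policy build time. The same rule is added in plat_public/domain.te at `@@ -183,6 +184,8 @@`. The lnk_file caps at `@@ -100,6 +103,8 @@` and `@@ -227,6 +231,8 @@` deserve the same check against what the domain really needs.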
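Review bot: In hunk `@@ -183,6 +184,8 @@` of plat_public/domain.te the new `neverallow iorap_inode2filename system_data_file:file ...` line is placed before the existing iorap_prefetcherd rule, whereas plat_private/domain.te (`@@ -54,6 +55,7 @@`) places it after that rule. Keeping the per-domain rules in the same order in both files makes the two copies easier to compare, and makes a rule missing from one of them easier to spot.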
@@ -263,6 +270,7 @@ full_treble_only(`
  neverallow {
  iorap_prefetcherd
+ iorap_inode2filename
  traced_probes
  } system_data_file:dir ~{ open read search getattr }; |