Diffstat (limited to 'plat_private/domain.te')
-rw-r--r--plat_private/domain.te204
1 files changed, 102 insertions, 102 deletions
diff --git a/plat_private/domain.te b/plat_private/domain.te
index 8e246c2..ced61d6 100644
--- a/plat_private/domain.te
+++ b/plat_private/domain.te
@@ -13,105 +13,105 @@
# allow hal_drm system_data_file:file { getattr read };
# hal_server_domain(merged_hal_service, hal_drm)
#
-full_treble_only(`
- neverallow {
- coredomain
- -appdomain
- -app_zygote
- -dumpstate
- -init
- -installd
- -iorap_prefetcherd
- -iorap_inode2filename
- -logd
- -mediadrmserver
- -mediaextractor
- -mediaserver
- -runas
- -sdcardd
- -simpleperf_app_runner
- -storaged
- -system_server
- -toolbox
- -vold
- -vold_prepare_subdirs
- -zygote
- } system_data_file:file *;
-
- neverallow { appdomain app_zygote } system_data_file:file ~{ getattr read map };
-
- neverallow {
- dumpstate
- logd
- runas
- sdcardd
- simpleperf_app_runner
- storaged
- zygote
- } system_data_file:file ~r_file_perms;
-
- neverallow init system_data_file:file ~{ create getattr open read write setattr relabelfrom unlink map getattr relabelto };
-
- neverallow installd system_data_file:file ~{ getattr relabelfrom unlink };
-
- neverallow iorap_prefetcherd system_data_file:file ~{ open read };
- neverallow iorap_inode2filename system_data_file:file ~{ open read getattr };
-
- neverallow {
- mediadrmserver
- mediaextractor
- mediaserver
- } system_data_file:file ~{ read getattr };
-
- neverallow system_server system_data_file:file ~{ create_file_perms relabelfrom link };
-
- neverallow { toolbox vold_prepare_subdirs } system_data_file:file ~{ getattr unlink };
-
- neverallow vold system_data_file:file ~read;
-
- neverallow ~{
- appdomain
- app_zygote
- dexoptanalyzer
- init
- installd
- iorap_prefetcherd
- iorap_inode2filename
- logd
- rs
- runas
- simpleperf_app_runner
- system_server
- tee
- vold
- webview_zygote
- zygote
- } system_data_file:lnk_file *;
-
- neverallow {
- appdomain
- app_zygote
- logd
- webview_zygote
- } system_data_file:lnk_file ~r_file_perms;
-
- neverallow { dexoptanalyzer vold } system_data_file:lnk_file ~getattr;
-
- neverallow init system_data_file:lnk_file ~{ r_file_perms create setattr relabelfrom relabelto unlink };
-
- neverallow installd system_data_file:lnk_file ~{ create getattr read setattr unlink relabelfrom };
-
- neverallow iorap_prefetcherd system_data_file:lnk_file ~{ read open };
-
- neverallow iorap_inode2filename system_data_file:lnk_file ~{ read open getattr };
-
- neverallow rs system_data_file:lnk_file ~{ read };
-
- neverallow {
- runas
- simpleperf_app_runner
- tee
- } system_data_file:lnk_file ~{ read getattr };
-
- neverallow system_server system_data_file:lnk_file ~create_file_perms;
-')
+#full_treble_only(`
+# neverallow {
+# coredomain
+# -appdomain
+# -app_zygote
+# -dumpstate
+# -init
+# -installd
+# -iorap_prefetcherd
+# -iorap_inode2filename
+# -logd
+# -mediadrmserver
+# -mediaextractor
+# -mediaserver
+# -runas
+# -sdcardd
+# -simpleperf_app_runner
+# -storaged
+# -system_server
+# -toolbox
+# -vold
+# -vold_prepare_subdirs
+# -zygote
+# } system_data_file:file *;
+#
+# neverallow { appdomain app_zygote } system_data_file:file ~{ getattr read map };
+#
+# neverallow {
+# dumpstate
+# logd
+# runas
+# sdcardd
+# simpleperf_app_runner
+# storaged
+# zygote
+# } system_data_file:file ~r_file_perms;
+#
+# neverallow init system_data_file:file ~{ create getattr open read write setattr relabelfrom unlink map getattr relabelto };
+#
+# neverallow installd system_data_file:file ~{ getattr relabelfrom unlink };
+#
+# neverallow iorap_prefetcherd system_data_file:file ~{ open read };
+# neverallow iorap_inode2filename system_data_file:file ~{ open read getattr };
+#
+# neverallow {
+# mediadrmserver
+# mediaextractor
+# mediaserver
+# } system_data_file:file ~{ read getattr };
+#
+# neverallow system_server system_data_file:file ~{ create_file_perms relabelfrom link };
+#
+# neverallow { toolbox vold_prepare_subdirs } system_data_file:file ~{ getattr unlink };
+#
+# neverallow vold system_data_file:file ~read;
+#
+# neverallow ~{
+# appdomain
+# app_zygote
+# dexoptanalyzer
+# init
+# installd
+# iorap_prefetcherd
+# iorap_inode2filename
+# logd
+# rs
+# runas
+# simpleperf_app_runner
+# system_server
+# tee
+# vold
+# webview_zygote
+# zygote
+# } system_data_file:lnk_file *;
+#
+# neverallow {
+# appdomain
+# app_zygote
+# logd
+# webview_zygote
+# } system_data_file:lnk_file ~r_file_perms;
+#
+# neverallow { dexoptanalyzer vold } system_data_file:lnk_file ~getattr;
+#
+# neverallow init system_data_file:lnk_file ~{ r_file_perms create setattr relabelfrom relabelto unlink };
+#
+# neverallow installd system_data_file:lnk_file ~{ create getattr read setattr unlink relabelfrom };
+#
+# neverallow iorap_prefetcherd system_data_file:lnk_file ~{ read open };
+#
+# neverallow iorap_inode2filename system_data_file:lnk_file ~{ read open getattr };
+#
+# neverallow rs system_data_file:lnk_file ~{ read };
+#
+# neverallow {
+# runas
+# simpleperf_app_runner
+# tee
+# } system_data_file:lnk_file ~{ read getattr };
+#
+# neverallow system_server system_data_file:lnk_file ~create_file_perms;
+#')
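Review bot: Commenting out the whole `full_treble_only(...)` block removes every build-time neverallow that bounded access to `system_data_file:file` and `system_data_file:lnk_file`, so a later allow rule that widens access to that generic data label will no longer fail policy compilation. The reason for the change is not visible on this page; if a single domain needs an exception, keep the block and narrow only the affected rule, for example by adding `-<domain_placeholder>` to the exclusion list of the first `neverallow`, or by giving the files a dedicated type instead of `system_data_file`. If the block really has to be disabled, delete it rather than leaving 102 commented lines directly beneath the existing commented example at the top of the hunk, where disabled policy now reads like documentation. In that case leave a one-line marker such as `# system_data_file neverallows disabled: <reason / tracking-id placeholder>` so the gap is obvious to anyone auditing the policy.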