update sepolicy

ElderDrivers · Nov 25, 2020 · 8482237 · 8482237 · C3C0 · Dec 5, 2020
1 parent 4570d8f
commit 8482237
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 11 deletions.
diff --git a/edxp-core/template_override/post-fs-data.sh b/edxp-core/template_override/post-fs-data.sh
@@ -41,17 +41,12 @@ PATH_PREFIX="/data/user_de/0/"
 #PATH_PREFIX_LEGACY="/data/user/0/"
 
 sepolicy() {
-    # necessary for using mmap in system_server process
-    # read configs set in our app
-    # for built-in apps // TODO: maybe narrow down the target classes
-    # read module apk file in zygote
-    # TODO: remove coredomain sepolicy
-    supolicy --live "allow system_server system_server process { execmem }"\
-                    "allow system_server system_server memprotect { mmap_zero }"\
-                    "allow coredomain coredomain process { execmem }"\
-                    "allow coredomain app_data_file * *"\
-                    "attradd { system_app platform_app } mlstrustedsubject"\
-                    "allow zygote apk_data_file * *"
+    # Should be deprecated now. This is for debug only.
+    supolicy --live "allow system_server system_server process execmem" \
+                    "allow system_server system_server memprotect mmap_zero" \
+                    "allow zygote app_data_file dir { search read open }" \
+                    "allow zygote app_data_file file { getattr read open }" \
+                    "allow zygote app_data_file dir { getattr search read open }"
 }
 
 #if [[ ${ANDROID_SDK} -ge 24 ]]; then

diff --git a/edxp-core/template_override/sepolicy.rule b/edxp-core/template_override/sepolicy.rule
@@ -2,3 +2,4 @@ allow system_server system_server process execmem
 allow system_server system_server memprotect mmap_zero
 allow zygote app_data_file dir { search read open }
 allow zygote app_data_file file { getattr read open }
+allow zygote app_data_file dir { getattr search read open }