From 84822379184bfdcd830fff997265ac410e200e66 Mon Sep 17 00:00:00 2001
From: kotori0
Date: Wed, 25 Nov 2020 21:39:48 +0800
Subject: [PATCH] update sepolicy
---
 edxp-core/template_override/post-fs-data.sh | 17 ++++++-----------
 edxp-core/template_override/sepolicy.rule | 1 +
 2 files changed, 7 insertions(+), 11 deletions(-)
diff --git a/edxp-core/template_override/post-fs-data.sh b/edxp-core/template_override/post-fs-data.sh
index 84deebdf4..450c052ae 100644
--- a/edxp-core/template_override/post-fs-data.sh
+++ b/edxp-core/template_override/post-fs-data.sh
@@ -41,17 +41,12 @@ PATH_PREFIX="/data/user_de/0/"
 #PATH_PREFIX_LEGACY="/data/user/0/"
 sepolicy() {
- # necessary for using mmap in system_server process
- # read configs set in our app
- # for built-in apps // TODO: maybe narrow down the target classes
- # read module apk file in zygote
- # TODO: remove coredomain sepolicy
- supolicy --live "allow system_server system_server process { execmem }"\
- "allow system_server system_server memprotect { mmap_zero }"\
- "allow coredomain coredomain process { execmem }"\
- "allow coredomain app_data_file * *"\
- "attradd { system_app platform_app } mlstrustedsubject"\
- "allow zygote apk_data_file * *"
+ # Should be deprecated now. This is for debug only.
+ supolicy --live "allow system_server system_server process execmem" \
+ "allow system_server system_server memprotect mmap_zero" \
+ "allow zygote app_data_file dir { search read open }" \
+ "allow zygote app_data_file file { getattr read open }" \
+ "allow zygote app_data_file dir { getattr search read open }"
 }
 #if [[ ${ANDROID_SDK} -ge 24 ]]; then
diff --git a/edxp-core/template_override/sepolicy.rule b/edxp-core/template_override/sepolicy.rule
index 9f1416046..27f00cd88 100644
--- a/edxp-core/template_override/sepolicy.rule
+++ b/edxp-core/template_override/sepolicy.rule
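Review bot: In the new supolicy call, `"allow zygote app_data_file dir { search read open }"` is fully subsumed by `"allow zygote app_data_file dir { getattr search read open }"` two lines below it, so one of the two strings should be dropped; the same overlapping pair is present in the sepolicy.rule hunk of this patch. The replacement comment `# Should be deprecated now. This is for debug only.` also understates what the call still grants: `process execmem` and `memprotect mmap_zero` for system_server relax W^X and the zero-page mapping restriction respectively, and those are not debug-only permissions. If, as the duplicated rule text suggests, these rules are meant to be mirrored by sepolicy.rule at boot, the comment should say so and name the removal condition, e.g. `# Mirrors sepolicy.rule; kept only for live debugging. Remove once the rule file is confirmed to be applied on every supported host.`. The `sepolicy` function is contained entirely within this hunk.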
@@ -2,3 +2,4 @@ allow system_server system_server process execmem
 allow system_server system_server memprotect mmap_zero
 allow zygote app_data_file dir { search read open }
 allow zygote app_data_file file { getattr read open }
+allow zygote app_data_file dir { getattr search read open }
\ No newline at end of file
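Review bot: The appended `allow zygote app_data_file dir { getattr search read open }` line is written without a trailing newline (`\ No newline at end of file`), so the next rule appended to this file will be fused onto the same line unless the editor repairs it, and line-oriented rule loaders may treat the last line differently. Ending the file with a newline keeps the rule file diff-friendly and unambiguous for whatever parses it. Which loader consumes this file is not visible in the patch, so its handling of an unterminated last line is an assumption worth confirming.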