update sepolicy

2020-11-25 21:39:48 +08:00 · 2020-11-25 21:39:48 +08:00 · 8482237918
parent 4570d8ff46
commit 8482237918
2 changed files with 7 additions and 11 deletions
--- a/edxp-core/template_override/post-fs-data.sh
+++ b/edxp-core/template_override/post-fs-data.sh
@ -41,17 +41,12 @@ PATH_PREFIX="/data/user_de/0/"
 #PATH_PREFIX_LEGACY="/data/user/0/"

 sepolicy() {
-    # necessary for using mmap in system_server process
-    # read configs set in our app
-    # for built-in apps // TODO: maybe narrow down the target classes
-    # read module apk file in zygote
-    # TODO: remove coredomain sepolicy
-    supolicy --live "allow system_server system_server process { execmem }"\
-                    "allow system_server system_server memprotect { mmap_zero }"\
-                    "allow coredomain coredomain process { execmem }"\
-                    "allow coredomain app_data_file * *"\
-                    "attradd { system_app platform_app } mlstrustedsubject"\
-                    "allow zygote apk_data_file * *"
+    # Should be deprecated now. This is for debug only.
+    supolicy --live "allow system_server system_server process execmem" \
+                    "allow system_server system_server memprotect mmap_zero" \
+                    "allow zygote app_data_file dir { search read open }" \
+                    "allow zygote app_data_file file { getattr read open }" \
+                    "allow zygote app_data_file dir { getattr search read open }"
 }

 #if [[ ${ANDROID_SDK} -ge 24 ]]; then
--- a/edxp-core/template_override/sepolicy.rule
+++ b/edxp-core/template_override/sepolicy.rule
@ -2,3 +2,4 @@ allow system_server system_server process execmem
 allow system_server system_server memprotect mmap_zero
 allow zygote app_data_file dir { search read open }
 allow zygote app_data_file file { getattr read open }
+allow zygote app_data_file dir { getattr search read open }