Commit 05bc7165 authored by Nick Kralevich

Drop fuse_device neverallow rules

The fuse_device neverallow rules are too aggressive and are inhibiting
certain vendor customizations. Drop them for CTS purposes.

These neverallow rules have been changed in master (see commit
45766d41), but we're not attempting to
backport that change to avoid introducing new neverallow statements.

Bug: 37496487
Test: compile time assertion removal only. No device changes.
Change-Id: I2fc7d944bf91c2295d53cd41fb0d0aa73627f482
parent 2c019b50
...@@ -572,25 +572,6 @@ neverallow * domain:file { execute execute_no_trans entrypoint }; ...@@ -572,25 +572,6 @@ neverallow * domain:file { execute execute_no_trans entrypoint };
# TODO: fix system_server and dumpstate # TODO: fix system_server and dumpstate
neverallow { domain -init -system_server -dumpstate } debugfs:file no_rw_file_perms; neverallow { domain -init -system_server -dumpstate } debugfs:file no_rw_file_perms;
neverallow {
domain
-init
-recovery
-sdcardd
-vold
} fuse_device:chr_file open;
neverallow {
domain
-dumpstate
-init
-priv_app
-recovery
-sdcardd
-system_server
-ueventd
-vold
} fuse_device:chr_file *;
# Profiles contain untrusted data and profman parses that. We should only run # Profiles contain untrusted data and profman parses that. We should only run
# in from installd forked processes. # in from installd forked processes.
neverallow { neverallow {
......
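Review bot: the two deleted `fuse_device:chr_file` neverallow blocks (the `open` rule and the broader `*` rule) are removed without any comment left in their place, so this branch no longer carries a compile-time assertion on which domains may be granted access to `fuse_device`, and nothing in the file tells a later reader that the gap is intentional. Consider leaving a short comment at this spot that references bug 37496487 and the reworked rules in master (commit 45766d41). It is also worth stating which of the two rules actually blocked the vendor customizations: the commit message does not say, and if only one of them did, the other could stay as an existing (not new) neverallow statement.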