Commit
sepolicy: Allow fsck_untrusted to be sys_admin
* Needed for custom filesystem support

Change-Id: I98a6116cf2a3c06eb2de599bbaf1a77373fa0a23
someone5678 authored and afterallafk committed Mar 28, 2024
1 parent d9b6292 commit 095a328
Showing 2 changed files with 2 additions and 2 deletions.
2 changes: 1 addition & 1 deletion prebuilts/api/34.0/public/fsck_untrusted.te
Expand Up @@ -51,7 +51,7 @@ neverallow fsck_untrusted { file_type fs_type -fsck_exec }:file entrypoint;
# fsck_untrusted should never have sys_admin permissions. If it requires sys_admin
# permissions, that is a code mistake that needs to be fixed, not a permission that
# should be granted. Same with setgid and setuid.
neverallow fsck_untrusted self:global_capability_class_set { setgid setuid sys_admin };
neverallow fsck_untrusted self:global_capability_class_set { setgid setuid };

###
### dontaudit rules
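Review bot: The three comment lines above the changed neverallow still say "fsck_untrusted should never have sys_admin permissions" and that needing it "is a code mistake that needs to be fixed, not a permission that should be granted", but the rule after this change only covers { setgid setuid }. The comment now contradicts the policy it documents. Either rewrite the comment to say why sys_admin is exempted and which custom filesystem checker needs it, or keep sys_admin in the neverallow and fix the fsck helper so it does not need the capability. sys_admin is a very broad capability to open up for a domain named for handling untrusted input, so the justification belongs in the file and not only in the commit message.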
2 changes: 1 addition & 1 deletion public/fsck_untrusted.te
Expand Up @@ -51,7 +51,7 @@ neverallow fsck_untrusted { file_type fs_type -fsck_exec }:file entrypoint;
# fsck_untrusted should never have sys_admin permissions. If it requires sys_admin
# permissions, that is a code mistake that needs to be fixed, not a permission that
# should be granted. Same with setgid and setuid.
neverallow fsck_untrusted self:global_capability_class_set { setgid setuid sys_admin };
neverallow fsck_untrusted self:global_capability_class_set { setgid setuid };

###
### dontaudit rules
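Review bot: The commit title says "Allow fsck_untrusted to be sys_admin", but the only change in this hunk is dropping sys_admin from the neverallow on self:global_capability_class_set; neither of the two changed files adds an allow rule. Removing the assertion grants nothing by itself; it only removes the build-time check that would reject a grant made anywhere else in the policy. Please point to the allow rule this is meant to unblock, and consider whether the need can be met without weakening the assertion in public policy, since after this change any later rule giving fsck_untrusted sys_admin will compile without complaint.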