DivestOS/Patches/LineageOS-16.0/android_system_sepolicy/0001-LGE_Fixes.patch
Tad 9a6c3f99ed Verify authorship and Change-Id of all contained patches
- No patches were found with incorrect authorship/From: lines
- The older AndroidHardening patch repos are no longer available to verify CID.
- New GrapheneOS patches do not include a CID.
- *Signature_Spoofing.patch CID could not be found.
- Fixed CID of *Harden_Sig_Spoofing.patch to match 14.1
- Fixed CID of *LGE_Fixes.patch to match 14.1
- Fixed CID of *Harden.patch to match 14.1
- Added edit note to *Harden.patch
- Fixed CID of *PREREQ_Handle_All_Modes.patch to match 14.1
- Fixed CID of *More_Preferred_Network_Modes.patch to match 14.1
- Fixed CID of *AES256.patch to match 14.1
- Fixed CID of *0001-OTA_Keys.patch to match 18.1
- Fixed CID of *Camera_Fix.patch to match 15.1
- Fixed CID of *Connectivity.patch to match 14.1
- Fixed CID of *Fix_Calling.patch to match 14.1
- Fixed CID of *Remove_Analytics.patch to match 14.1
- Fixed CID of Unused-*.patch/audio_extn to match original

Signed-off-by: Tad <tad@spotco.us>
2022-03-05 13:13:30 -05:00

36 lines
1.3 KiB
Diff

From 3d7d3ace3a1cb5a4e31b3fe335128de56049d419 Mon Sep 17 00:00:00 2001
From: Tad <tad@spotco.us>
Date: Thu, 12 Apr 2018 08:05:32 -0400
Subject: [PATCH] Fix -user builds for many LGE devices
Change-Id: I3649cf211a356c57e129fbda1f5184a4bebc85af
---
public/domain.te | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/public/domain.te b/public/domain.te
index 883048fb..d0a9def1 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -597,6 +597,9 @@ neverallow { domain -recovery -update_engine } system_block_device:blk_file { wr
# No domains other than install_recovery or recovery can write to recovery.
neverallow { domain -install_recovery -recovery } recovery_block_device:blk_file { write append };
+# Select devices have policies prevented by the following neverallow
+attribute misc_block_device_exception;
+
# No domains other than a select few can access the misc_block_device. This
# block device is reserved for OTA use.
# Do not assert this rule on userdebug/eng builds, due to some devices using
@@ -612,6 +615,7 @@ neverallow {
-vold
-recovery
-ueventd
+ -misc_block_device_exception
} misc_block_device:blk_file { append link relabelfrom rename write open read ioctl lock };
# Only (hw|vnd|)servicemanager should be able to register with binder as the context manager
--
2.20.1