mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2024-12-16 19:34:34 -05:00
9a6c3f99ed
- No patches were found with incorrect authorship/From: lines - The older AndroidHardening patch repos are no longer available to verify CID. - New GrapheneOS patches do not include a CID. - *Signature_Spoofing.patch CID could not be found. - Fixed CID of *Harden_Sig_Spoofing.patch to match 14.1 - Fixed CID of *LGE_Fixes.patch to match 14.1 - Fixed CID of *Harden.patch to match 14.1 - Added edit note to *Harden.patch - Fixed CID of *PREREQ_Handle_All_Modes.patch to match 14.1 - Fixed CID of *More_Preferred_Network_Modes.patch to match 14.1 - Fixed CID of *AES256.patch to match 14.1 - Fixed CID of *0001-OTA_Keys.patch to match 18.1 - Fixed CID of *Camera_Fix.patch to match 15.1 - Fixed CID of *Connectivity.patch to match 14.1 - Fixed CID of *Fix_Calling.patch to match 14.1 - Fixed CID of *Remove_Analytics.patch to match 14.1 - Fixed CID of Unused-*.patch/audio_extn to match original Signed-off-by: Tad <tad@spotco.us>
36 lines
1.3 KiB
Diff
36 lines
1.3 KiB
Diff
From b75779de1c7fd9f624d0523a8ff9020b91f918ed Mon Sep 17 00:00:00 2001
|
|
From: Tad <tad@spotco.us>
|
|
Date: Thu, 12 Apr 2018 08:05:32 -0400
|
|
Subject: [PATCH] Fix -user builds for many LGE devices
|
|
|
|
Change-Id: I3649cf211a356c57e129fbda1f5184a4bebc85af
|
|
---
|
|
public/domain.te | 4 ++++
|
|
1 file changed, 4 insertions(+)
|
|
|
|
diff --git a/public/domain.te b/public/domain.te
|
|
index 8640baaa..4b5b0bc6 100644
|
|
--- a/public/domain.te
|
|
+++ b/public/domain.te
|
|
@@ -486,6 +486,9 @@ neverallow { domain -recovery -update_engine } system_block_device:blk_file writ
|
|
# No domains other than install_recovery or recovery can write to recovery.
|
|
neverallow { domain -install_recovery -recovery } recovery_block_device:blk_file write;
|
|
|
|
+# Select devices have policies prevented by the following neverallow
|
|
+attribute misc_block_device_exception;
|
|
+
|
|
# No domains other than a select few can access the misc_block_device. This
|
|
# block device is reserved for OTA use.
|
|
# Do not assert this rule on userdebug/eng builds, due to some devices using
|
|
@@ -500,6 +503,7 @@ neverallow {
|
|
-vold
|
|
-recovery
|
|
-ueventd
|
|
+ -misc_block_device_exception
|
|
} misc_block_device:blk_file { append link relabelfrom rename write open read ioctl lock };
|
|
|
|
# Only (hw|vnd|)servicemanager should be able to register with binder as the context manager
|
|
--
|
|
2.17.0
|
|
|