需求
MTK
Android 11
需要为内置的APP打开读写/sys与/proc的权限
实现
修改文件如下
device/mediatek/sepolicy/basic/neverallows/non_plat/neverallows.te
device/mediatek/sepolicy/basic/neverallows/plat_public/neverallows.te
system/sepolicy/prebuilts/api/30.0/private/coredomain.te
system/sepolicy/prebuilts/api/30.0/private/system_app.te
system/sepolicy/private/coredomain.te
system/sepolicy/private/system_app.te
注意
- 目录名中的 30.0 随 Android 版本而变化,Android 11 对应 30.0。
- coredomain.te 和 system_app.te 各有两份(system/sepolicy/private 与 system/sepolicy/prebuilts/api/30.0/private),两份必须同步修改,只改其中一份编译会出错。
diff --git a/device/mediatek/sepolicy/basic/neverallows/non_plat/neverallows.te b/device/mediatek/sepolicy/basic/neverallows/non_plat/neverallows.te
index 56cd694293..f09095ebae 100644
--- a/device/mediatek/sepolicy/basic/neverallows/non_plat/neverallows.te
+++ b/device/mediatek/sepolicy/basic/neverallows/non_plat/neverallows.te
@@ -37,6 +37,7 @@ full_treble_only(`
vendor_init
vold
sprd_validationtools_app
+ system_app
} sysfs:file *;
neverallow {
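Review bot: Adding `system_app` to the domain list of this `sysfs:file *` neverallow lifts the build-time guard for the whole `system_app` domain, i.e. every platform-signed app running as the system UID, not only the one built-in app the page wants to enable. The same applies to the `proc:file *` hunk that follows and to both hunks in plat_public/neverallows.te. A narrower approach leaves the neverallow untouched and gives the needed nodes their own type, for example `type sysfs_myapp, fs_type, sysfs_type;`, `genfscon sysfs <NODE_PATH_PLACEHOLDER> u:object_r:sysfs_myapp:s0` and `allow system_app sysfs_myapp:file rw_file_perms;` (type name and path are placeholders). The neverallow statement opens above the hunk, so how this list is applied cannot be confirmed from the visible lines.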
@@ -92,6 +93,7 @@ full_treble_only(`
vendor_init
vold
sprd_validationtools_app
+ system_app
} proc:file *;
neverallow {
diff --git a/device/mediatek/sepolicy/basic/neverallows/plat_public/neverallows.te b/device/mediatek/sepolicy/basic/neverallows/plat_public/neverallows.te
index 218569c9ac..ab699ce20a 100644
--- a/device/mediatek/sepolicy/basic/neverallows/plat_public/neverallows.te
+++ b/device/mediatek/sepolicy/basic/neverallows/plat_public/neverallows.te
@@ -15,6 +15,7 @@ full_treble_only(`
-init
-ueventd
-vold
+ -system_app
} sysfs:file *;
neverallow {
@@ -66,6 +67,7 @@ full_treble_only(`
-init
-system_server
-vold
+ -system_app
} proc:file *;
neverallow {
diff --git a/system/sepolicy/prebuilts/api/30.0/private/coredomain.te b/system/sepolicy/prebuilts/api/30.0/private/coredomain.te
index ab731f1228..cd9dcbfab0 100644
--- a/system/sepolicy/prebuilts/api/30.0/private/coredomain.te
+++ b/system/sepolicy/prebuilts/api/30.0/private/coredomain.te
@@ -100,6 +100,7 @@ full_treble_only(`
coredomain
-init
-vold
+ -system_app
} proc:file no_rw_file_perms;
# /sys
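Review bot: Excluding `-system_app` from the `proc:file no_rw_file_perms` neverallow in the frozen `prebuilts/api/30.0` copy alters the platform compatibility baseline rather than a vendor policy file, and neither the hunk nor the page records why. Neverallow rules from system/sepolicy are also checked by CTS, so a build carrying this change will likely fail those tests; that consequence should be stated next to the change. If the exemption stays, a comment above the added line such as `# Vendor exception: system_app needs rw on <NODE_PLACEHOLDER>; deviates from AOSP neverallow` would record the reason and the scope. The neverallow block begins outside the hunk.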
@@ -108,6 +109,7 @@ full_treble_only(`
-init
-ueventd
-vold
+ -system_app
diff --git a/device/mediatek/sepolicy/basic/neverallows/non_plat/neverallows.te b/device/mediatek/sepolicy/basic/neverallows/non_plat/neverallows.te
index 56cd694293..f09095ebae 100644
--- a/device/mediatek/sepolicy/basic/neverallows/non_plat/neverallows.te
+++ b/device/mediatek/sepolicy/basic/neverallows/non_plat/neverallows.te
@@ -37,6 +37,7 @@ full_treble_only(`
vendor_init
vold
sprd_validationtools_app
+ system_app
} sysfs:file *;
neverallow {
@@ -92,6 +93,7 @@ full_treble_only(`
vendor_init
vold
sprd_validationtools_app
+ system_app
} proc:file *;
neverallow {
diff --git a/device/mediatek/sepolicy/basic/neverallows/plat_public/neverallows.te b/device/mediatek/sepolicy/basic/neverallows/plat_public/neverallows.te
index 218569c9ac..ab699ce20a 100644
--- a/device/mediatek/sepolicy/basic/neverallows/plat_public/neverallows.te
+++ b/device/mediatek/sepolicy/basic/neverallows/plat_public/neverallows.te
@@ -15,6 +15,7 @@ full_treble_only(`
-init
-ueventd
-vold
+ -system_app
} sysfs:file *;
neverallow {
@@ -66,6 +67,7 @@ full_treble_only(`
-init
-system_server
-vold
+ -system_app
} proc:file *;
neverallow {
diff --git a/system/sepolicy/prebuilts/api/30.0/private/coredomain.te b/system/sepolicy/prebuilts/api/30.0/private/coredomain.te
index ab731f1228..cd9dcbfab0 100644
--- a/system/sepolicy/prebuilts/api/30.0/private/coredomain.te
+++ b/system/sepolicy/prebuilts/api/30.0/private/coredomain.te
@@ -100,6 +100,7 @@ full_treble_only(`
coredomain
-init
-vold
+ -system_app
作者:帅得不敢出门