From b6511a510d4802194e339f04a59d5d2b789196ed Mon Sep 17 00:00:00 2001
From: 5ec1cff
Date: Sun, 1 Dec 2024 16:39:44 +0800
Subject: [PATCH] Revert "Allow all domains to access tmpfs files"

This reverts commit da43ac89a07c7b13b4cf4ae1539c95363ecd1f9f.
---
 native/src/sepolicy/rules.rs | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/native/src/sepolicy/rules.rs b/native/src/sepolicy/rules.rs
index c8194fc7a..f34c315cb 100644
--- a/native/src/sepolicy/rules.rs
+++ b/native/src/sepolicy/rules.rs
@@ -101,8 +101,9 @@ impl SepolicyMagisk for sepolicy {
 "system_app", "priv_app", "untrusted_app", "untrusted_app_all"], [proc], ["unix_stream_socket"], ["connectto", "getopt"]);
- // For tmpfs overlay on 2SI. We allow all domains to access tmpfs files.
- allow(["domain"], ["tmpfs"], ["file"], all);
+ // Let selected domains access tmpfs files
+ // For tmpfs overlay on 2SI, Zygisk on lower Android versions and AVD scripts
+ allow(["init", "zygote", "shell"], ["tmpfs"], ["file"], all);
 // Allow magiskinit daemon to handle mock selinuxfs
 allow(["kernel"], ["tmpfs"], ["fifo_file"], ["write"]);
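Review bot: The added `allow(["init", "zygote", "shell"], ["tmpfs"], ["file"], all);` still passes `all` as the permission set, so each of the three domains keeps every `file` permission on `tmpfs`-labelled files, including write and execute-class ones, even if its use case needs far less. The new comment lists three use cases but does not say which domain serves which, so a later audit cannot tell which grant is safe to tighten or drop. If the order in the comment mirrors the order of the domains, a line such as `// init: tmpfs overlay on 2SI; zygote: Zygisk on lower Android versions; shell: AVD scripts` would record that, and one `allow` per domain with an explicit permission list in place of `all` would make each grant reviewable on its own. Since the reverted rule covered every domain, it is also worth checking the audit log on a 2SI device for new `tmpfs` file denials from domains outside this list. The enclosing function starts and ends outside the hunk.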