author | Ajay Dudani <adudani@codeaurora.org> | 2015-04-12 07:25:30 -0700 |
---|---|---|
committer | Ajay Dudani <adudani@codeaurora.org> | 2015-04-12 07:27:04 -0700 |
commit | 0711c1faa010df33da523f311e0eb9f779e4e56e (patch) | |
tree | 79c055471c274e632ffa8190e771971418ee876e | |
parent | 5d655600d7307ee00f5b00437c30ae75881c99e7 (diff) | |
Revert "Switch over to qti_init_shell"
This reverts commit 7a8ed167d1fdf3b59e6ab8dc1176e7e17c84e17e.
Change-Id: I28c78cb03828841b06bd6bc11e730dcd19e89712
-rw-r--r-- | common/init_shell.te | 34 | ||||
-rw-r--r-- | common/rfs_access.te | 4 | ||||
-rwxr-xr-x | test/init_shell.te | 5 |
3 files changed, 17 insertions, 26 deletions
diff --git a/common/init_shell.te b/common/init_shell.te
index 0ed537be..34b8f897 100644
--- a/common/init_shell.te
+++ b/common/init_shell.te
@@ -1,39 +1,29 @@
-# Restricted domain for shell processes spawned by init.
-# Normally these are shell commands or scripts invoked via sh
-# from an init*.rc file. No service should ever run in this domain.
-type qti_init_shell, domain;
-domain_auto_trans(init, shell_exec, qti_init_shell)
-
-# Run helpers from / or /system without changing domain.
-#allow qti_init_shell rootfs:file execute_no_trans;
-#allow qti_init_shell system_file:file execute_no_trans;
-
 #for accessing fmradio device node
-allow qti_init_shell fm_radio_device:chr_file { open read ioctl };
+allow init_shell fm_radio_device:chr_file { open read ioctl };
 # for insmod of iris ko , this is needed .
-allow qti_init_shell self:capability sys_module;
+allow init_shell self:capability sys_module;
 #for property starting with hw
-allow qti_init_shell system_prop:property_service set ;
+allow init_shell system_prop:property_service set ;
 #for access to set BT property
-allow qti_init_shell bluetooth_prop:property_service set;
+allow init_shell bluetooth_prop:property_service set;
-#most of the default properties are set by qti_init_shell
-#allow qti_init_shell default_prop:property_service set;
+#most of the default properties are set by init_shell
+allow init_shell default_prop:property_service set;
-#allow qti_init_shell shell_exec:file execute_no_trans;
+allow init_shell shell_exec:file execute_no_trans;
 #Needed in order to set properties while going in/out of debug mode.
-#allow qti_init_shell ctl_default_prop:property_service set;
+allow init_shell ctl_default_prop:property_service set;
-allow qti_init_shell efs_boot_dev:blk_file r_file_perms;
+allow init_shell efs_boot_dev:blk_file r_file_perms;
 #perfd
-#allow qti_init_shell ctl_default_prop:property_service set;
+allow init_shell ctl_default_prop:property_service set;
-allow qti_init_shell ctl_rildaemon_prop:property_service set;
+allow init_shell ctl_rildaemon_prop:property_service set;
 #for access to UICC property
-allow qti_init_shell uicc_prop:property_service set;
+allow init_shell uicc_prop:property_service set;
diff --git a/common/rfs_access.te b/common/rfs_access.te
index 9ad79954..b7ab3cca 100644
--- a/common/rfs_access.te
+++ b/common/rfs_access.te
@@ -44,5 +44,5 @@ allow rfs_access firmware_file:file r_file_perms;
 allow rfs_access self:capability { setuid setgid setpcap net_raw };
 #Prevent other domains from accessing RFS data files.
-neverallow { domain -rfs_access -kernel -recovery -init userdebug_or_eng(`-su') -qti_init_shell } rfs_data_file:dir create_dir_perms;
-neverallow { domain -rfs_access -kernel -recovery -init userdebug_or_eng(`-su') -qti_init_shell } rfs_data_file:file create_file_perms;
+neverallow { domain -rfs_access -kernel -recovery -init userdebug_or_eng(`-su') -init_shell } rfs_data_file:dir create_dir_perms;
+neverallow { domain -rfs_access -kernel -recovery -init userdebug_or_eng(`-su') -init_shell } rfs_data_file:file create_file_perms;
diff --git a/test/init_shell.te b/test/init_shell.te
index 7a48c8ba..4a477176 100755
--- a/test/init_shell.te
+++ b/test/init_shell.te
@@ -1,4 +1,5 @@
 userdebug_or_eng(`
- allow qti_init_shell fuse:dir create_dir_perms;
- allow qti_init_shell fuse:file create_file_perms;
+ domain_auto_trans(init_shell, su_exec, su)
+ allow init_shell fuse:dir create_dir_perms;
+ allow init_shell fuse:file create_file_perms;
 ') |
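Review bot: Beyond renaming the domain back, the new side of common/init_shell.te turns four previously commented-out rules into live grants: `allow init_shell default_prop:property_service set;`, `allow init_shell shell_exec:file execute_no_trans;` and `allow init_shell ctl_default_prop:property_service set;`, the last of which appears twice (under the debug-mode comment and again under `#perfd`). `default_prop` and `ctl_default_prop` are the catch-all property types, so any script running in init_shell can now set unlabelled properties and control services that have no dedicated ctl property, in a domain that also holds `self:capability sys_module`. I would drop the duplicate rule and, where the calling scripts are known, replace the catch-all grants with rules on specific property types, as the `ctl_rildaemon_prop` and `uicc_prop` rules already do. The commit message gives no reason for the revert; one line saying what broke under qti_init_shell would help whoever retries the split. The `type init_shell` declaration is no longer in this file, so it is presumably supplied by the base policy.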
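Review bot: The two `neverallow` lines in common/rfs_access.te exempt `init_shell` from the RFS data-file restriction, yet no hunk in this commit shows an `allow init_shell rfs_data_file:...` rule that would need the exemption. If no such rule exists elsewhere in the policy, removing `-init_shell` from both sets keeps the guard as tight as the comment above it claims. Otherwise a comment such as `# init_shell: <script name> creates the RFS directories at boot` (placeholder, name the real script) would record why a general shell domain is on the exception list. The rest of rfs_access.te lies outside the hunk.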
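Review bot: `domain_auto_trans(init_shell, su_exec, su)` in test/init_shell.te is new relative to the qti_init_shell version and has no comment, although it makes every execution of su from an init-launched script enter the `su` domain. It sits inside `userdebug_or_eng(...)`, so it should compile out of user builds, but that macro is the only thing containing it. I would add a comment above it, for example `# debug builds only: init scripts may run su; keep inside userdebug_or_eng`. It is also worth confirming that test/ is not pulled into user-build policy by the makefiles, which this commit does not show.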