diff options
author | Nikhilesh Reddy <reddyn@codeaurora.org> | 2014-12-03 18:44:07 -0800 |
---|---|---|
committer | Nikhilesh Reddy <reddyn@codeaurora.org> | 2014-12-05 15:04:58 -0800 |
commit | 3e49ef18a5ba02f12ff02754b73156ff00f6ff6a (patch) | |
tree | 3a43ca28cd0354cd9e802175c508db319f2afd46 /common/rfs_access.te | |
parent | 6ecb77aaa07546f1afefad806478d0c7d6f78099 (diff) | |
download | android_device_qcom_sepolicy-3e49ef18a5ba02f12ff02754b73156ff00f6ff6a.tar.gz android_device_qcom_sepolicy-3e49ef18a5ba02f12ff02754b73156ff00f6ff6a.tar.bz2 android_device_qcom_sepolicy-3e49ef18a5ba02f12ff02754b73156ff00f6ff6a.zip |
sepolicy: Update the sepolicy for RFS and RMTS
Update the sepolicy for RFS and RMTS to include all new
permissions required and add the tftp_server to the RFS
domain.
Change-Id: I1dc0c062ef21cf9eca1f365291ec7ff5733c7c8e
Diffstat (limited to 'common/rfs_access.te')
-rw-r--r-- | common/rfs_access.te | 43 |
1 files changed, 24 insertions, 19 deletions
diff --git a/common/rfs_access.te b/common/rfs_access.te index ec946c27..e4dc3a55 100644 --- a/common/rfs_access.te +++ b/common/rfs_access.te @@ -5,39 +5,44 @@ init_daemon_domain(rfs_access) #The files created by rfs_access process in the /data folder will have type rfs_data_file type_transition rfs_access system_data_file:{ dir file } rfs_data_file; +type_transition rfs_access system_data_file:dir rfs_shared_hlos_file "hlos_rfs"; #To read the uio char device -allow rfs_access uio_device:chr_file { read write open }; +allow rfs_access uio_device:chr_file rw_file_perms; -#For QMI sockets -allow rfs_access self:socket { create_socket_perms }; +#For QMI sockets and IPCR Sockets +allow rfs_access self:socket create_socket_perms; +allow rfs_access smem_log_device:chr_file rw_file_perms; #For Wakelocks allow rfs_access self:capability2 block_suspend; -allow rfs_access sysfs_wake_lock:file { open write append }; +allow rfs_access sysfs_wake_lock:file w_file_perms; -#To create the /data/rfs -allow rfs_access system_data_file:dir { write add_name }; +#To create the folders in /data +allow rfs_access system_data_file:dir create_dir_perms; #For system folder entries -allow rfs_access rfs_system_file:dir search; -allow rfs_access rfs_system_file:lnk_file read; +allow rfs_access rfs_system_file:dir r_dir_perms; +allow rfs_access rfs_system_file:lnk_file r_file_perms; #For data folder entries -allow rfs_access rfs_data_file:dir { write search create add_name }; -allow rfs_access rfs_data_file:file { open read write create append getattr }; +allow rfs_access rfs_data_file:dir create_dir_perms; +allow rfs_access rfs_data_file:file create_file_perms; + +allow rfs_access rfs_shared_hlos_file:dir create_dir_perms; +allow rfs_access rfs_shared_hlos_file:file create_file_perms; #For ramdump entries in /data/tombstones. -allow rfs_access tombstone_data_file:dir { write search create add_name }; -allow rfs_access tombstone_data_file:file { open read write create append getattr }; +allow rfs_access tombstone_data_file:dir create_dir_perms; +allow rfs_access tombstone_data_file:file create_file_perms; #For firmware entries in /firmware to read NHLOS.bin files ( only perms to read and get attributes). -allow rfs_access firmware_file:dir { search }; -allow rfs_access firmware_file:file { open read getattr }; +allow rfs_access firmware_file:dir r_dir_perms; +allow rfs_access firmware_file:file r_file_perms; -#Prevent other domains from accessing RFS data files. -neverallow { domain -rfs_access -kernel -recovery -init userdebug_or_eng(`-su') -init_shell } rfs_data_file:dir { write search create add_name }; -neverallow { domain -rfs_access -kernel -recovery -init userdebug_or_eng(`-su') -init_shell } rfs_data_file:file { open read write create append getattr }; +#For dropping permisions from root and wakelock +allow rfs_access self:capability { setuid setgid setpcap net_raw }; -allow rfs_access self:capability { setuid setpcap net_raw }; -allow rfs_access smem_log_device:chr_file rw_file_perms; +#Prevent other domains from accessing RFS data files. +neverallow { domain -rfs_access -kernel -recovery -init userdebug_or_eng(`-su') -init_shell } rfs_data_file:dir create_dir_perms; +neverallow { domain -rfs_access -kernel -recovery -init userdebug_or_eng(`-su') -init_shell } rfs_data_file:file create_file_perms; |