authorNikhilesh Reddy <reddyn@codeaurora.org>2014-08-29 11:49:14 -0700
committerAvijit Kanti Das <avijitnsec@codeaurora.org>2014-10-22 12:59:07 -0700
commit7851fba9fcf9b224bfba1e32cd3e8539ba58bf72 (patch)
tree8103da98decf302fdc45810fe48cdcdd38abf5f0 /common/rfs_access.te
parent808ae2fff73e081862330eb6fb249b644cf145cb (diff)
SEAndroid: Add policy rules for rfs_access daemon
rfs_access is started as a service by the init process. This change moves rfs_access into its own domain and adds the policy rules needed to run it as a confined domain.

Change-Id: I1009fa600a587d4a9fdf53cc306f157b34b51908
Diffstat (limited to 'common/rfs_access.te')
-rw-r--r--common/rfs_access.te40
1 files changed, 40 insertions, 0 deletions
diff --git a/common/rfs_access.te b/common/rfs_access.te
new file mode 100644
index 00000000..129ffa3b
--- /dev/null
+++ b/common/rfs_access.te
@@ -0,0 +1,40 @@
+# rfs_access - rfs_access daemon
+type rfs_access, domain;
+type rfs_access_exec, exec_type, file_type;
+init_daemon_domain(rfs_access)
+
+#The files created by rfs_access process in the /data folder will have type rfs_data_file
+type_transition rfs_access system_data_file:{ dir file } rfs_data_file;
+
+#To read the uio char device
+allow rfs_access uio_device:chr_file { read write open };
+
+#For QMI sockets
+allow rfs_access self:socket { create_socket_perms };
+
+#For Wakelocks
+allow rfs_access self:capability2 block_suspend;
+allow rfs_access sysfs_wake_lock:file { open write append };
+
+#To create the /data/rfs
+allow rfs_access system_data_file:dir { write add_name };
+
+#For system folder entries
+allow rfs_access rfs_system_file:dir search;
+allow rfs_access rfs_system_file:lnk_file read;
+
+#For data folder entries
+allow rfs_access rfs_data_file:dir { write search create add_name };
+allow rfs_access rfs_data_file:file { open read write create append getattr };
+
+#For ramdump entries in /data/tombstones.
+allow rfs_access tombstone_data_file:dir { write search create add_name };
+allow rfs_access tombstone_data_file:file { open read write create append getattr };
+
+#For firmware entries in /firmware to read NHLOS.bin files ( only perms to read and get attributes).
+allow rfs_access firmware_file:dir { search };
+allow rfs_access firmware_file:file { open read getattr };
+
+#Prevent other domains from accessing RFS data files.
+neverallow { domain -rfs_access -kernel -recovery -init userdebug_or_eng(`-su') -init_shell } rfs_data_file:dir { write search create add_name };
+neverallow { domain -rfs_access -kernel -recovery -init userdebug_or_eng(`-su') -init_shell } rfs_data_file:file { open read write create append getattr };
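Review bot: The grant `allow rfs_access system_data_file:dir { write add_name };`, together with the unnamed `type_transition` on `system_data_file`, lets the daemon add entries to every directory carrying that label, not only the one where /data/rfs is created. If the directory can be created and labelled before the daemon starts (for instance by init, with an `rfs_data_file` entry in file_contexts, neither of which is visible in this file), both lines could be dropped. The two `neverallow` rules at the end name only the permissions rfs_access itself received, so a later rule granting another domain `unlink`, `rename` or `setattr` on `rfs_data_file` would still pass the check; listing those permissions there as well would match the comment above the rules. The ramdump files created under `tombstone_data_file` keep that shared label and get no equivalent protection, which deserves a comment if it is intended.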