common/rfs_access.te


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70

# rfs_access - rfs_access daemon
type rfs_access, domain, domain_deprecated;
type rfs_access_exec, exec_type, file_type;
init_daemon_domain(rfs_access)

#The files created by rfs_access process in the /data folder will have type rfs_file
type_transition rfs_access system_data_file:{ dir file } rfs_file;
type_transition rfs_access system_data_file:dir rfs_shared_hlos_file "hlos_rfs";

#The files created by rfs_access process in the /persist folder will have type rfs_file
type_transition rfs_access persist_file:{ dir file } rfs_file;
type_transition rfs_access persist_file:dir rfs_shared_hlos_file "hlos_rfs";

allow rfs_access {
    #To read the uio char device
    uio_device
    #To read the smem log char device
    smem_log_device
}:chr_file rw_file_perms;

#For QMI sockets and IPCR Sockets
allow rfs_access self:socket create_socket_perms;

#For Wakelocks
wakelock_use(rfs_access)

#To create the folders in /data
allow rfs_access system_data_file:dir create_dir_perms;

#To create the folders in /persist
allow rfs_access persist_file:dir create_dir_perms;

#For system folder entries
r_dir_file(rfs_access, rfs_system_file)
allow rfs_access rfs_system_file:lnk_file r_file_perms;

#For data folder entries
allow rfs_access rfs_file:dir create_dir_perms;
allow rfs_access rfs_file:file create_file_perms;

allow rfs_access rfs_shared_hlos_file:dir create_dir_perms;
allow rfs_access rfs_shared_hlos_file:file create_file_perms;

#For ramdump entries in /data/tombstones.
allow rfs_access tombstone_data_file:dir create_dir_perms;
allow rfs_access tombstone_data_file:file create_file_perms;

#For firmware entries in /firmware to read NHLOS.bin files ( only perms to read and get attributes).
r_dir_file(rfs_access, firmware_file)

#For dropping permisions from root and wakelock
allow rfs_access self:capability {
    setuid
    setgid
    setpcap
    net_bind_service
};

# RFS UID and GIDs were changed and moved from old values to new ones OEM range.
# The below permissions are required to recursively update the folder ownership
# to the new values in the OEM range.

allow rfs_access self:capability { dac_read_search chown dac_override };

#For access to the kmsg device
allow rfs_access kmsg_device:chr_file w_file_perms;

#Prevent other domains from accessing RFS data files.
neverallow { domain -rfs_access -kernel -recovery -init userdebug_or_eng(`-su') -qti_init_shell } rfs_file:dir create_dir_perms;
neverallow { domain -rfs_access -kernel -recovery -init userdebug_or_eng(`-su') -qti_init_shell } rfs_file:file create_file_perms;