Diffstat (limited to 'te_macros')
-rw-r--r--te_macros39
1 files changed, 20 insertions, 19 deletions
diff --git a/te_macros b/te_macros
index fae0e3a..70b1883 100644
--- a/te_macros
+++ b/te_macros
@@ -118,12 +118,32 @@ typeattribute $1 bluetoothdomain;
# unix_socket_connect(clientdomain, socket, serverdomain)
# Allow a local socket connection from clientdomain via
# socket to serverdomain.
+#
+# Note: If you see denial records that distill to the
+# following allow rules:
+# allow clientdomain property_socket:sock_file write;
+# allow clientdomain init:unix_stream_socket connectto;
+# allow clientdomain something_prop:property_service set;
+#
+# This sequence is indicative of attempting to set a property.
+# use set_prop(sourcedomain, targetproperty)
+#
define(`unix_socket_connect', `
allow $1 $2_socket:sock_file write;
allow $1 $3:unix_stream_socket connectto;
')
#####################################
+# set_prop(sourcedomain, targetproperty)
+# Allows source domain to set the
+# targetproperty.
+#
+define(`set_prop', `
+unix_socket_connect($1, property, init)
+allow $1 $2:property_service set;
+')
+
+#####################################
# unix_socket_send(clientdomain, socket, serverdomain)
# Allow a local socket send from clientdomain via
# socket to serverdomain.
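Review bot: The header comment on `set_prop` should say what the macro expands to and how narrow `targetproperty` is expected to be, because `$2` is placed verbatim into `allow $1 $2:property_service set;`. As written, a caller that passes an attribute rather than a single property type would get `set` on every type carrying that attribute, and every caller also receives `property_socket:sock_file write` and `init:unix_stream_socket connectto` through `unix_socket_connect($1, property, init)`. I would add `# targetproperty should be the one property type the domain needs, not an attribute.` and `# Also grants the property_socket write and init connectto access needed to reach the property service.` to that comment. In the note added above `unix_socket_connect`, `# use set_prop(sourcedomain, targetproperty)` would read more clearly as `# Use set_prop(sourcedomain, targetproperty) instead.`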
@@ -255,17 +275,6 @@ allow $1 kernel:system syslog_read;
')
#####################################
-# write_klog(domain)
-# Ability to write to kernel log via
-# klog_write()
-# See system/core/libcutil/klog.c
-define(`write_klog', `
-type_transition $1 device:chr_file klog_device "__kmsg__";
-allow $1 klog_device:chr_file { create open write unlink };
-allow $1 device:dir { write add_name remove_name };
-')
-
-#####################################
# create_pty(domain)
# Allow domain to create and use a pty, isolated from any other domain ptys.
define(`create_pty', `
@@ -338,14 +347,6 @@ define(`use_keystore', `
')
###########################################
-# service_manager_local_audit_domain(domain)
-# Has its own auditallow rule on service_manager
-# and should be excluded from the domain.te auditallow.
-define(`service_manager_local_audit_domain', `
- typeattribute $1 service_manager_local_audit;
-')
-
-###########################################
# use_drmservice(domain)
# Ability to use DrmService which requires
# DrmService to call getpidcon.