author | nailyk-fr <nailyk_git@nailyk.fr> | 2017-05-06 17:14:57 +0200 |
---|---|---|
committer | nailyk-fr <nailyk_git@nailyk.fr> | 2017-05-10 11:18:02 +0000 |
commit | aa884cbd87daf8f19d72da7cecdbdc601e6aabd3 (patch) | |
tree | 437d9ca94d29097750cf337a82a9d33c9f1a352a | |
parent | 5da01ebea7bd3f4344b8eb0f887ac1e9927644cd (diff) |
shinano-common: sepolicy: Rework credmgr init
* The credmgrd init script had some mistakes. Adjust the
sepolicy rules to match the corrected script.
Change-Id: I6e865f756225a1d8decdbc1833123dced27e75de
-rw-r--r-- | rootdir/init.camera.rc | 4 | ||||
-rw-r--r-- | sepolicy/audioserver.te | 3 | ||||
-rw-r--r-- | sepolicy/credmgrd.te | 10 | ||||
-rw-r--r-- | sepolicy/file_contexts | 1 | ||||
-rw-r--r-- | sepolicy/vold.te | 3 |
5 files changed, 13 insertions, 8 deletions
diff --git a/rootdir/init.camera.rc b/rootdir/init.camera.rc index 8e139e9..09c1322 100644 --- a/rootdir/init.camera.rc +++ b/rootdir/init.camera.rc @@ -98,6 +98,10 @@ on post-fs-data setprop init.taimport.ready true # taimport ready, use this as trigger for multi-cdf-symlinker + # create credmgrinit log file + touch /cache/credmgr.log + restorecon -R /cache/credmgr.log + service taimport /system/bin/taimport class late_start user root diff --git a/sepolicy/audioserver.te b/sepolicy/audioserver.te new file mode 100644 index 0000000..67f2692 --- /dev/null +++ b/sepolicy/audioserver.te @@ -0,0 +1,3 @@ +allow audioserver tad_socket:sock_file write; +allow audioserver tad:unix_stream_socket connectto; + diff --git a/sepolicy/credmgrd.te b/sepolicy/credmgrd.te index 662b76d..5383834 100644 --- a/sepolicy/credmgrd.te +++ b/sepolicy/credmgrd.te @@ -3,6 +3,7 @@ type credmgrd, domain; type credmgrd_exec, exec_type, file_type; type credmgrd_data_file, file_type; type credmgrd_socket, file_type; +type credmgrd_prop, property_type; init_daemon_domain(credmgrd); #credmgrd self @@ -14,7 +15,6 @@ allow credmgrd cache_file:dir { remove_name write }; allow credmgrd credmgrd_data_file:dir { add_name open read remove_name write }; allow credmgrd credmgrd_data_file:file { create getattr lock open read setattr unlink write }; - #credmgdr tad allow credmgrd tad:unix_stream_socket connectto; allow credmgrd tad_block_device:blk_file { read write ioctl open }; @@ -50,7 +50,6 @@ allow credmgrd iddd_file:sock_file write; allow credmgrd iddd_file:unix_stream_socket connectto; allow credmgrd iddd_file:unix_dgram_socket sendto; - #/mnt/idd is tmpfs allow credmgrd tmpfs:dir search; allow credmgrd tmpfs:lnk_file read; 
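Review bot: As far as I can tell `touch` is not an Android init builtin, so the new `touch /cache/credmgr.log` line in `on post-fs-data` is likely rejected as an unknown command and the log file is never pre-created; the following `restorecon -R` is also suspect, since init's recursive form is `restorecon_recursive` (or `--recursive` on N) and recursion is meaningless for a regular file anyway. If the goal is to create the file with the right label using init's own builtins, `write /cache/credmgr.log ""` followed by `restorecon /cache/credmgr.log` should do it (the file_contexts entry handles the label once the file exists). Worth confirming against the init log after boot rather than assuming the rules in credmgrd.te were what fixed the script.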
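Review bot: The two new audioserver rules are unrelated to the credmgr init rework in the commit message and give audioserver, a domain every app can reach over binder, a direct connect to the TA daemon socket, which widens what a compromised audioserver can drive in the TEE path. A one-line comment naming the feature that needs it, for example `# audioserver -> tad: <feature>, from avc denial <...>`, and ideally a separate commit, would make the grant reviewable on its own. The trailing blank line at the end of the new file can also be dropped.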
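Review bot: `type credmgrd_prop, property_type;` is declared here and `set` on it is granted further down, but nothing in this commit maps a property prefix to the type (the diffstat shows no property_contexts change), so unless that mapping already exists in the tree the rule is dead and the script's setprop is still denied under whatever label the property really carries. If it is missing, add a line such as `credmgr. u:object_r:credmgrd_prop:s0` to property_contexts in the same change; if it exists, a short comment next to the type naming the prefix would save the next reader the search. The credmgrd.te declarations continue past this hunk.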
@@ -58,13 +57,12 @@ allow credmgrd tmpfs:lnk_file read; #credmgrd ion allow credmgrd ion_device:chr_file { ioctl open read }; - #============= credmgr init script ============== allow credmgrd cache_file:dir { add_name search }; +allow credmgrd cache_file:file { create getattr open read unlink write }; allow credmgrd credmgrd_data_file:dir { add_name getattr relabelto reparent rename rmdir search }; allow credmgrd credmgrd_data_file:file { append getattr open read unlink write }; allow credmgrd credmgrd_prop:property_service set; -allow credmgrd init:unix_stream_socket connectto; allow credmgrd property_socket:sock_file write; allow credmgrd shell_exec:file { getattr read }; allow credmgrd system_file:file execute_no_trans; @@ -74,9 +72,5 @@ allow credmgrd system_data_file:dir { add_name create relabelfrom remove_name se #TODO: wrong labeled on dest socket? allow credmgrd init:unix_stream_socket connectto; -#TODO: remove allow credmgrd toolbox_exec:file { execute execute_no_trans getattr open read }; -type credmgr, domain; -type credmgr_exec, exec_type, file_type; -init_daemon_domain(credmgr); diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts index 7c5353b..d817851 100644 --- a/sepolicy/file_contexts +++ b/sepolicy/file_contexts @@ -41,6 +41,7 @@ /dev/socket/credmgr u:object_r:credmgrd_socket:s0 /data/credmgr(/.*)? u:object_r:credmgrd_data_file:s0 /cache/CredentialManagerData u:object_r:credmgrd_data_file:s0 +/cache/credmgr.log u:object_r:credmgrd_data_file:s0 /ta(/.*)? -- u:object_r:ta_data_file:s0 #cam_socket diff --git a/sepolicy/vold.te b/sepolicy/vold.te index e5b776e..dc3885b 100644 --- a/sepolicy/vold.te +++ b/sepolicy/vold.te 
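Review bot: The new `allow credmgrd cache_file:file { create getattr open read unlink write }` lets the daemon create, rewrite and delete any file that carries the generic cache_file label, not only its own log, and `unlink` in particular is more than a log file needs. The reason it is needed is apparently that the script recreates /cache/credmgr.log itself, and a fresh file created in /cache inherits cache_file regardless of the file_contexts entry; the narrower fix is a type transition, `file_type_auto_trans(credmgrd, cache_file, credmgrd_data_file)`, so files credmgrd creates there land on credmgrd_data_file (which it already has full rights on) and this cache_file:file rule can be reduced to whatever the audit log still shows. This hunk is in the middle of the credmgrd init-script section, which continues below.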
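Review bot: The `#TODO: remove` is deleted while `allow credmgrd toolbox_exec:file { execute execute_no_trans getattr open read }` stays, so if that TODO referred to the toolbox rule rather than to the dead `credmgr` domain removed below it, a grant marked as temporary silently becomes permanent without a word on why the init script must run toolbox applets inside the credmgrd domain; either keep the TODO or replace it with the reason. The other kept TODO, `#TODO: wrong labeled on dest socket?`, can be resolved instead: `init:unix_stream_socket connectto` together with `property_socket:sock_file write` is exactly the property-service connect that `set_prop(credmgrd, credmgrd_prop)` expands to, so those two rules plus the `credmgrd_prop:property_service set` line earlier in the file can be collapsed into that one macro and the TODO dropped.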
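Review bot: The dot in the new `/cache/credmgr.log` entry is an unescaped regex metacharacter, so the pattern also labels a file like `/cache/credmgrXlog` as credmgrd_data_file; file_contexts entries conventionally escape it, `/cache/credmgr\.log u:object_r:credmgrd_data_file:s0`. It is harmless today, but since credmgrd is being given create and unlink rights in /cache it is worth keeping the labeling exact.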
@@ -1,6 +1,9 @@ allow vold diag_data_file:dir { read open ioctl }; allow vold tee_prop:file { getattr open read }; allow vold firmware_file:file { getattr open read }; +allow vold iddd_file:dir { open read }; +allow vold tee_device:unix_stream_socket connectto; +allow vold tee_device:sock_file write; allow vold iddd_file:dir read; allow vold tee_device:unix_stream_socket connectto; allow vold tee_device:sock_file write; |
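Review bot: The three added lines duplicate the three context lines directly below them: `allow vold tee_device:unix_stream_socket connectto;` and `allow vold tee_device:sock_file write;` are repeated verbatim, and `allow vold iddd_file:dir { open read }` overlaps the existing `allow vold iddd_file:dir read;`. checkpolicy accepts duplicate rules, so this is a tidiness issue rather than a functional one, but the intended change looks like a single edit of the existing line to `allow vold iddd_file:dir { open read };` with the two exact duplicates dropped. If the extra rules came from a mechanical denial-to-allow pass, the denial that motivated `open` would be worth citing in a comment.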