authornailyk-fr <nailyk_git@nailyk.fr>2017-05-06 17:14:57 +0200
committernailyk-fr <nailyk_git@nailyk.fr>2017-05-10 11:18:02 +0000
commitaa884cbd87daf8f19d72da7cecdbdc601e6aabd3 (patch)
tree437d9ca94d29097750cf337a82a9d33c9f1a352a
parent5da01ebea7bd3f4344b8eb0f887ac1e9927644cd (diff)
shinano-common: sepolicy: Rework credmgr init
* The credmgrd init script had some mistakes. Adjust the policies according to the new changes. Change-Id: I6e865f756225a1d8decdbc1833123dced27e75de
-rw-r--r--rootdir/init.camera.rc4
-rw-r--r--sepolicy/audioserver.te3
-rw-r--r--sepolicy/credmgrd.te10
-rw-r--r--sepolicy/file_contexts1
-rw-r--r--sepolicy/vold.te3
5 files changed, 13 insertions, 8 deletions
diff --git a/rootdir/init.camera.rc b/rootdir/init.camera.rc
index 8e139e9..09c1322 100644
--- a/rootdir/init.camera.rc
+++ b/rootdir/init.camera.rc
@@ -98,6 +98,10 @@ on post-fs-data
setprop init.taimport.ready true
# taimport ready, use this as trigger for multi-cdf-symlinker
+ # create credmgrinit log file
+ touch /cache/credmgr.log
+ restorecon -R /cache/credmgr.log
+
service taimport /system/bin/taimport
class late_start
user root
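Review bot: `touch` is, as far as I can tell, not an Android init builtin, so the new line inside `on post-fs-data` would be rejected when init parses the file and /cache/credmgr.log would never be pre-created or relabeled; `write /cache/credmgr.log ""` (init's write opens with O_CREAT) followed by `restorecon /cache/credmgr.log` would do the job, and `-R` is meaningless on a regular file (older init versions treat it as a path). This matters for labeling, because the file_contexts entry this commit adds (`/cache/credmgr.log u:object_r:credmgrd_data_file:s0`) is applied only by restorecon; if credmgrd ends up creating the file itself, it inherits the directory's cache_file type, which is presumably why the broad `cache_file:file` rule had to be added in credmgrd.te. The `on post-fs-data` block starts outside the hunk.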
diff --git a/sepolicy/audioserver.te b/sepolicy/audioserver.te
new file mode 100644
index 0000000..67f2692
--- /dev/null
+++ b/sepolicy/audioserver.te
@@ -0,0 +1,3 @@
+allow audioserver tad_socket:sock_file write;
+allow audioserver tad:unix_stream_socket connectto;
+
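Review bot: The two new audioserver → tad grants (`tad_socket:sock_file write`, `tad:unix_stream_socket connectto`) are not explained by the commit message, which only mentions the credmgr init rework, and the new file carries no comment. A one-line header such as `# audioserver needs tad for <reason>` would tell the next reviewer why an audio process gets a socket to tad and make the rule easier to audit later. The file also ends with a stray blank line, while the other .te hunks in this commit are removing such lines.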
diff --git a/sepolicy/credmgrd.te b/sepolicy/credmgrd.te
index 662b76d..5383834 100644
--- a/sepolicy/credmgrd.te
+++ b/sepolicy/credmgrd.te
@@ -3,6 +3,7 @@ type credmgrd, domain;
type credmgrd_exec, exec_type, file_type;
type credmgrd_data_file, file_type;
type credmgrd_socket, file_type;
+type credmgrd_prop, property_type;
init_daemon_domain(credmgrd);
#credmgrd self
@@ -14,7 +15,6 @@ allow credmgrd cache_file:dir { remove_name write };
allow credmgrd credmgrd_data_file:dir { add_name open read remove_name write };
allow credmgrd credmgrd_data_file:file { create getattr lock open read setattr unlink write };
-
#credmgdr tad
allow credmgrd tad:unix_stream_socket connectto;
allow credmgrd tad_block_device:blk_file { read write ioctl open };
@@ -50,7 +50,6 @@ allow credmgrd iddd_file:sock_file write;
allow credmgrd iddd_file:unix_stream_socket connectto;
allow credmgrd iddd_file:unix_dgram_socket sendto;
-
#/mnt/idd is tmpfs
allow credmgrd tmpfs:dir search;
allow credmgrd tmpfs:lnk_file read;
@@ -58,13 +57,12 @@ allow credmgrd tmpfs:lnk_file read;
#credmgrd ion
allow credmgrd ion_device:chr_file { ioctl open read };
-
#============= credmgr init script ==============
allow credmgrd cache_file:dir { add_name search };
+allow credmgrd cache_file:file { create getattr open read unlink write };
allow credmgrd credmgrd_data_file:dir { add_name getattr relabelto reparent rename rmdir search };
allow credmgrd credmgrd_data_file:file { append getattr open read unlink write };
allow credmgrd credmgrd_prop:property_service set;
-allow credmgrd init:unix_stream_socket connectto;
allow credmgrd property_socket:sock_file write;
allow credmgrd shell_exec:file { getattr read };
allow credmgrd system_file:file execute_no_trans;
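Review bot: `allow credmgrd cache_file:file { create getattr open read unlink write };` grants credmgrd write and unlink on every file labeled cache_file under /cache, not just its own log; the rule is only needed because a file credmgrd creates in /cache inherits the parent's cache_file type. A name-based `type_transition credmgrd cache_file:file credmgrd_data_file "credmgr.log";` (available since policy version 25; confirm the device kernel) would label the log credmgrd_data_file at creation, after which this rule could shrink to `create` — or go away entirely if init pre-creates the file — and the existing credmgrd_data_file:file rules would cover the I/O. Removing the duplicate `init:unix_stream_socket connectto` here is fine, since the same rule survives at the end of the file.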
@@ -74,9 +72,5 @@ allow credmgrd system_data_file:dir { add_name create relabelfrom remove_name se
#TODO: wrong labeled on dest socket?
allow credmgrd init:unix_stream_socket connectto;
-#TODO: remove
allow credmgrd toolbox_exec:file { execute execute_no_trans getattr open read };
-type credmgr, domain;
-type credmgr_exec, exec_type, file_type;
-init_daemon_domain(credmgr);
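Review bot: The surviving `#TODO: wrong labeled on dest socket?` comment is misleading: together with `credmgrd_prop:property_service set` and `property_socket:sock_file write` earlier in the file, `allow credmgrd init:unix_stream_socket connectto;` is exactly what the AOSP macro `set_prop(credmgrd, credmgrd_prop)` expands to (via unix_socket_connect), because the property socket is owned by init. Replacing the three hand-written rules with that macro and deleting the TODO would document the intent. Dropping `#TODO: remove` while keeping `toolbox_exec:file { execute execute_no_trans getattr open read }` also leaves credmgrd executing toolbox in its own domain with no record of why; if the init script still depends on it, a one-line comment naming that script would preserve the reason the TODO was closed.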
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index 7c5353b..d817851 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -41,6 +41,7 @@
/dev/socket/credmgr u:object_r:credmgrd_socket:s0
/data/credmgr(/.*)? u:object_r:credmgrd_data_file:s0
/cache/CredentialManagerData u:object_r:credmgrd_data_file:s0
+/cache/credmgr.log u:object_r:credmgrd_data_file:s0
/ta(/.*)? -- u:object_r:ta_data_file:s0
#cam_socket
diff --git a/sepolicy/vold.te b/sepolicy/vold.te
index e5b776e..dc3885b 100644
--- a/sepolicy/vold.te
+++ b/sepolicy/vold.te
@@ -1,6 +1,9 @@
allow vold diag_data_file:dir { read open ioctl };
allow vold tee_prop:file { getattr open read };
allow vold firmware_file:file { getattr open read };
+allow vold iddd_file:dir { open read };
+allow vold tee_device:unix_stream_socket connectto;
+allow vold tee_device:sock_file write;
allow vold iddd_file:dir read;
allow vold tee_device:unix_stream_socket connectto;
allow vold tee_device:sock_file write;
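Review bot: The three added lines duplicate rules that already follow them: `allow vold tee_device:unix_stream_socket connectto;` and `allow vold tee_device:sock_file write;` now appear twice verbatim, and `allow vold iddd_file:dir { open read };` is a superset of the existing `allow vold iddd_file:dir read;`. The policy compiler merges duplicates silently, so nothing breaks, but the file should keep a single copy: change the existing line to `allow vold iddd_file:dir { open read };` and drop the three inserted lines.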