authornailyk-fr <nailyk_git@nailyk.fr>2017-02-04 21:05:51 +0100
committernailyk-fr <nailyk_git@nailyk.fr>2017-02-21 20:13:22 +0100
commit67ab8dadec98b22862fcb9f68d944649d6c176ab (patch)
tree8011d03d86c6319ec9f74b78ae145af97517c352 /sepolicy
parent40f4a8d2bc4b231de451985a9d04156b43214e53 (diff)
shinano-common: sepolicies: Rework for new vendors
Change-Id: Id559336a2e89951c1c17f7e9bce5b0c23ce162b9
Diffstat (limited to 'sepolicy')
-rw-r--r--sepolicy/idd.te2
-rw-r--r--sepolicy/workarounds.te64
2 files changed, 66 insertions, 0 deletions
diff --git a/sepolicy/idd.te b/sepolicy/idd.te
index e9f6a0d..218bc0c 100644
--- a/sepolicy/idd.te
+++ b/sepolicy/idd.te
@@ -10,4 +10,6 @@ allow iddd iddd_file:dir rw_file_perms;
type_transition iddd system_data_file:file iddd_file;
+type credmgr, domain;
type credmgr_exec, exec_type, file_type;
+init_daemon_domain(credmgr);
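Review bot: The new `credmgr` domain is declared in idd.te while every rule that grants it access lives in workarounds.te; a domain whose type, exec type and allow rules are split across two unrelated files is hard to audit, and the usual layout is one `credmgr.te` holding `type credmgr, domain;`, `type credmgr_exec, exec_type, file_type;` and `init_daemon_domain(credmgr);` together with its rules. `init_daemon_domain(credmgr)` only takes effect if the binary is labelled `credmgr_exec` in file_contexts, which this commit does not touch; if that entry is not already present the daemon will keep running in the `init` domain and the new rules are dead policy, so it is worth confirming. A one-line comment above the declaration naming the binary the type labels (`# credmgr: Sony credential manager daemon, labelled via file_contexts`) would make the intent obvious to the next reader.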
diff --git a/sepolicy/workarounds.te b/sepolicy/workarounds.te
new file mode 100644
index 0000000..1a776d3
--- /dev/null
+++ b/sepolicy/workarounds.te
@@ -0,0 +1,64 @@
+#============= credmgr ==============
+allow credmgr iddd:unix_dgram_socket sendto;
+allow credmgr iddd_file:sock_file write;
+allow credmgr secd_data_file:file { write getattr setattr read lock open };
+allow credmgr self:capability dac_override;
+allow credmgr socket_device:sock_file write;
+allow credmgr suntrold:unix_stream_socket connectto;
+allow credmgr tad:unix_stream_socket connectto;
+allow credmgr tad_socket:sock_file write;
+allow credmgr tee_device:chr_file { read write open ioctl };
+
+#============= iddd ==============
+allow iddd default_prop:property_service set;
+allow iddd iddd_file:dir { remove_name search add_name };
+allow iddd iddd_file:file { rename create };
+allow iddd init:unix_stream_socket connectto;
+allow iddd property_socket:sock_file write;
+allow iddd iddd_file:file unlink;
+allow iddd iddd_file:sock_file { write create unlink setattr };
+allow iddd logd:unix_stream_socket connectto;
+allow iddd logdr_socket:sock_file write;
+allow iddd self:netlink_socket { write bind create };
+allow iddd system_file:file execute_no_trans;
+
+#============= mediaserver ==============
+allow mediaserver credmgr:unix_stream_socket connectto;
+allow mediaserver socket_device:sock_file write;
+
+#============= suntrold ==============
+allow suntrold self:capability dac_override;
+allow suntrold socket_device:dir add_name;
+allow suntrold socket_device:sock_file { create setattr };
+allow suntrold tad:unix_stream_socket connectto;
+allow suntrold tad_socket:sock_file write;
+allow suntrold tee_device:chr_file { read write ioctl open };
+
+#============= system_server ==============
+allow system_server ta_data_file:file { read open };
+
+#============= ta_qmi ==============
+allow ta_qmi self:capability { setuid setgid };
+
+#============= tad ==============
+allow tad block_device:blk_file { read write ioctl open };
+allow tad iddd:unix_dgram_socket sendto;
+allow tad iddd_file:sock_file write;
+
+#============= thermanager ==============
+allow thermanager sysfs_battery_supply:dir search;
+allow thermanager sysfs_battery_supply:file { read write open };
+
+
+
+
+#============= init ==============
+allow init block_device:blk_file setattr;
+allow init debugfs:dir mounton;
+allow init self:socket { read bind create write ioctl };
+allow init smem_log_device:chr_file { write ioctl };
+allow init socket_device:sock_file { create unlink setattr };
+
+#============= taimport ==============
+allow taimport ta_data_file:file unlink;
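Review bot: `allow tad block_device:blk_file { read write ioctl open };` grants tad raw read/write on the generic `block_device` type, which in AOSP policy is the catch-all label for every partition that has no more specific type, so this is effectively write access to any unlabelled block device rather than to the trim-area partition tad presumably needs; declare a dedicated type and label the partition with it, e.g. `type ta_block_device, dev_type;` plus `allow tad ta_block_device:blk_file rw_file_perms;`, with the matching file_contexts entry (not shown in this diff). The file reads as audit2allow output pasted verbatim — the `#============= domain ==============` headers, the split `iddd iddd_file:file` rules — and several of the denials it silences deserve a fix at the source instead: `credmgr self:capability dac_override` and `suntrold self:capability dac_override` bypass all DAC checks and are normally resolved by correcting ownership/mode of the files involved, while `iddd default_prop:property_service set` lets iddd set any property that lacks its own label and should be narrowed to a dedicated property type via `set_prop()`. `iddd system_file:file execute_no_trans` (running system binaries without a domain transition) and `init self:socket { read bind create write ioctl }` likewise widen the domains more than a workaround file should; at minimum each of these rules needs a comment stating which denial it silences so they can be revisited when the vendor blobs change.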
+