Diffstat (limited to 'sepolicy')
-rw-r--r--sepolicy/audioserver.te3
-rw-r--r--sepolicy/credmgrd.te10
-rw-r--r--sepolicy/file_contexts1
-rw-r--r--sepolicy/vold.te3
4 files changed, 9 insertions, 8 deletions
diff --git a/sepolicy/audioserver.te b/sepolicy/audioserver.te
new file mode 100644
index 0000000..67f2692
--- /dev/null
+++ b/sepolicy/audioserver.te
@@ -0,0 +1,3 @@
+allow audioserver tad_socket:sock_file write;
+allow audioserver tad:unix_stream_socket connectto;
+
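Review bot: The new audioserver.te lets audioserver write to `tad_socket` and connect to the `tad` domain, but nothing in the file says which audio component needs the tad daemon or why. Every domain that can reach tad adds to that daemon's exposure, so the justification belongs next to the rule. I would add a header comment such as `# audioserver tad: <component and reason this access is required>` above the two rules. The trailing empty `+` line at the end of the file can also be dropped.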
diff --git a/sepolicy/credmgrd.te b/sepolicy/credmgrd.te
index 662b76d..5383834 100644
--- a/sepolicy/credmgrd.te
+++ b/sepolicy/credmgrd.te
@@ -3,6 +3,7 @@ type credmgrd, domain;
type credmgrd_exec, exec_type, file_type;
type credmgrd_data_file, file_type;
type credmgrd_socket, file_type;
+type credmgrd_prop, property_type;
init_daemon_domain(credmgrd);
#credmgrd self
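Review bot: `type credmgrd_prop, property_type;` is declared here, but the diffstat for this commit shows no property_contexts change. Unless an entry elsewhere already maps a property name to `credmgrd_prop`, the existing `allow credmgrd credmgrd_prop:property_service set;` has no property to apply to, and credmgrd's properties would keep whatever label they get by default. Please confirm the mapping exists. A short comment on the declaration naming the property prefix it is meant for would also help.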
@@ -14,7 +15,6 @@ allow credmgrd cache_file:dir { remove_name write };
allow credmgrd credmgrd_data_file:dir { add_name open read remove_name write };
allow credmgrd credmgrd_data_file:file { create getattr lock open read setattr unlink write };
-
#credmgdr tad
allow credmgrd tad:unix_stream_socket connectto;
allow credmgrd tad_block_device:blk_file { read write ioctl open };
@@ -50,7 +50,6 @@ allow credmgrd iddd_file:sock_file write;
allow credmgrd iddd_file:unix_stream_socket connectto;
allow credmgrd iddd_file:unix_dgram_socket sendto;
-
#/mnt/idd is tmpfs
allow credmgrd tmpfs:dir search;
allow credmgrd tmpfs:lnk_file read;
@@ -58,13 +57,12 @@ allow credmgrd tmpfs:lnk_file read;
#credmgrd ion
allow credmgrd ion_device:chr_file { ioctl open read };
-
#============= credmgr init script ==============
allow credmgrd cache_file:dir { add_name search };
+allow credmgrd cache_file:file { create getattr open read unlink write };
allow credmgrd credmgrd_data_file:dir { add_name getattr relabelto reparent rename rmdir search };
allow credmgrd credmgrd_data_file:file { append getattr open read unlink write };
allow credmgrd credmgrd_prop:property_service set;
-allow credmgrd init:unix_stream_socket connectto;
allow credmgrd property_socket:sock_file write;
allow credmgrd shell_exec:file { getattr read };
allow credmgrd system_file:file execute_no_trans;
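Review bot: The added `allow credmgrd cache_file:file { create getattr open read unlink write };` lets credmgrd create, modify and unlink any file labelled `cache_file`, which is much wider than the single `/cache/credmgr.log` that this commit labels in file_contexts. A file credmgrd creates under /cache inherits `cache_file` unless a type transition says otherwise, and the file_contexts entry only applies on a restorecon. The rule therefore looks like a workaround for a missing transition, though that is inferred from this commit alone. Consider `file_type_auto_trans(credmgrd, cache_file, credmgrd_data_file)` instead, so the log is created with the private type and the grant on `cache_file:file` can be removed. The rest of credmgrd.te is outside this hunk, so such a transition may already exist elsewhere.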
@@ -74,9 +72,5 @@ allow credmgrd system_data_file:dir { add_name create relabelfrom remove_name se
#TODO: wrong labeled on dest socket?
allow credmgrd init:unix_stream_socket connectto;
-#TODO: remove
allow credmgrd toolbox_exec:file { execute execute_no_trans getattr open read };
-type credmgr, domain;
-type credmgr_exec, exec_type, file_type;
-init_daemon_domain(credmgr);
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index 7c5353b..d817851 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -41,6 +41,7 @@
/dev/socket/credmgr u:object_r:credmgrd_socket:s0
/data/credmgr(/.*)? u:object_r:credmgrd_data_file:s0
/cache/CredentialManagerData u:object_r:credmgrd_data_file:s0
+/cache/credmgr.log u:object_r:credmgrd_data_file:s0
/ta(/.*)? -- u:object_r:ta_data_file:s0
#cam_socket
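Review bot: The new entry `/cache/credmgr.log` leaves the dot unescaped, and file_contexts paths are regular expressions, so it also matches names such as `/cache/credmgrXlog`. It should be written `/cache/credmgr\.log u:object_r:credmgrd_data_file:s0`. Separately, the log is given the same type as the credential store (`credmgrd_data_file`), so any domain later allowed to read the log for debugging would also be able to read the credential data. A dedicated log type would keep the two apart.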
diff --git a/sepolicy/vold.te b/sepolicy/vold.te
index e5b776e..dc3885b 100644
--- a/sepolicy/vold.te
+++ b/sepolicy/vold.te
@@ -1,6 +1,9 @@
allow vold diag_data_file:dir { read open ioctl };
allow vold tee_prop:file { getattr open read };
allow vold firmware_file:file { getattr open read };
+allow vold iddd_file:dir { open read };
+allow vold tee_device:unix_stream_socket connectto;
+allow vold tee_device:sock_file write;
allow vold iddd_file:dir read;
allow vold tee_device:unix_stream_socket connectto;
allow vold tee_device:sock_file write;
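Review bot: Two of the three added rules, `allow vold tee_device:unix_stream_socket connectto;` and `allow vold tee_device:sock_file write;`, duplicate the existing rules that follow them in this hunk. The third, `allow vold iddd_file:dir { open read };`, is a superset of the existing `allow vold iddd_file:dir read;`. The only new permission is `open` on `iddd_file:dir`. I would drop the three added lines and change the existing rule to `allow vold iddd_file:dir { open read };`, so each grant appears once and later audits of vold's access do not have to reconcile duplicates.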