From aa884cbd87daf8f19d72da7cecdbdc601e6aabd3 Mon Sep 17 00:00:00 2001 From: nailyk-fr Date: Sat, 6 May 2017 17:14:57 +0200 Subject: shinano-common: sepolicy: Rework credmgr init * Credmgrdinit script had some mistakes. Adjust policies according to the new changes. Change-Id: I6e865f756225a1d8decdbc1833123dced27e75de --- sepolicy/audioserver.te | 3 +++ sepolicy/credmgrd.te | 10 ++-------- sepolicy/file_contexts | 1 + sepolicy/vold.te | 3 +++ 4 files changed, 9 insertions(+), 8 deletions(-) create mode 100644 sepolicy/audioserver.te (limited to 'sepolicy') diff --git a/sepolicy/audioserver.te b/sepolicy/audioserver.te new file mode 100644 index 0000000..67f2692 --- /dev/null +++ b/sepolicy/audioserver.te @@ -0,0 +1,3 @@ +allow audioserver tad_socket:sock_file write; +allow audioserver tad:unix_stream_socket connectto; + diff --git a/sepolicy/credmgrd.te b/sepolicy/credmgrd.te index 662b76d..5383834 100644 --- a/sepolicy/credmgrd.te +++ b/sepolicy/credmgrd.te @@ -3,6 +3,7 @@ type credmgrd, domain; type credmgrd_exec, exec_type, file_type; type credmgrd_data_file, file_type; type credmgrd_socket, file_type; +type credmgrd_prop, property_type; init_daemon_domain(credmgrd); #credmgrd self @@ -14,7 +15,6 @@ allow credmgrd cache_file:dir { remove_name write }; allow credmgrd credmgrd_data_file:dir { add_name open read remove_name write }; allow credmgrd credmgrd_data_file:file { create getattr lock open read setattr unlink write }; - #credmgdr tad allow credmgrd tad:unix_stream_socket connectto; allow credmgrd tad_block_device:blk_file { read write ioctl open }; @@ -50,7 +50,6 @@ allow credmgrd iddd_file:sock_file write; allow credmgrd iddd_file:unix_stream_socket connectto; allow credmgrd iddd_file:unix_dgram_socket sendto; - #/mnt/idd is tmpfs allow credmgrd tmpfs:dir search; allow credmgrd tmpfs:lnk_file read; 
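Review bot: The new audioserver.te lets a media-handling domain reach tad (`allow audioserver tad_socket:sock_file write;` and `allow audioserver tad:unix_stream_socket connectto;`), which has nothing to do with the credmgr init rework in the subject and is not mentioned in the message. tad looks like the daemon fronting the trim-area block device that credmgrd.te also touches (`tad_block_device:blk_file { read write ioctl open }`), so opening it to a domain that parses untrusted media widens what a media exploit can talk to; the denial that motivated the rule should be recorded above it, e.g. `# audioserver -> tad: <call path / avc denial being fixed>`. The two rules are exactly what `unix_socket_connect(audioserver, tad, tad)` expands to, so the macro would be the idiomatic single line. Landing this as its own commit would keep the policy history reviewable.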
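Review bot: `type credmgrd_prop, property_type;` declares the type, but nothing in this commit maps a property name to it, and the diff is limited to sepolicy/, so unless property_contexts already has an entry such as `credmgr. u:object_r:credmgrd_prop:s0`, the `credmgrd_prop:property_service set` rule further down the file can never match and the init script's property writes will still be denied under whatever label those properties actually carry (probably default_prop). Worth confirming or adding the property_contexts line in the same change, plus a short comment next to the type naming the property prefix it is meant to cover, e.g. `# properties set by the credmgr init script (see property_contexts)`.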
@@ -58,13 +57,12 @@ allow credmgrd tmpfs:lnk_file read; #credmgrd ion allow credmgrd ion_device:chr_file { ioctl open read }; - #============= credmgr init script ============== allow credmgrd cache_file:dir { add_name search }; +allow credmgrd cache_file:file { create getattr open read unlink write }; allow credmgrd credmgrd_data_file:dir { add_name getattr relabelto reparent rename rmdir search }; allow credmgrd credmgrd_data_file:file { append getattr open read unlink write }; allow credmgrd credmgrd_prop:property_service set; -allow credmgrd init:unix_stream_socket connectto; allow credmgrd property_socket:sock_file write; allow credmgrd shell_exec:file { getattr read }; allow credmgrd system_file:file execute_no_trans; @@ -74,9 +72,5 @@ allow credmgrd system_data_file:dir { add_name create relabelfrom remove_name se #TODO: wrong labeled on dest socket? allow credmgrd init:unix_stream_socket connectto; -#TODO: remove allow credmgrd toolbox_exec:file { execute execute_no_trans getattr open read }; -type credmgr, domain; -type credmgr_exec, exec_type, file_type; -init_daemon_domain(credmgr); diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts index 7c5353b..d817851 100644 --- a/sepolicy/file_contexts +++ b/sepolicy/file_contexts @@ -41,6 +41,7 @@ /dev/socket/credmgr u:object_r:credmgrd_socket:s0 /data/credmgr(/.*)? u:object_r:credmgrd_data_file:s0 /cache/CredentialManagerData u:object_r:credmgrd_data_file:s0 +/cache/credmgr.log u:object_r:credmgrd_data_file:s0 /ta(/.*)? -- u:object_r:ta_data_file:s0 #cam_socket diff --git a/sepolicy/vold.te b/sepolicy/vold.te index e5b776e..dc3885b 100644 --- a/sepolicy/vold.te +++ b/sepolicy/vold.te 
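Review bot: `allow credmgrd cache_file:file { create getattr open read unlink write };` gives credmgrd create/unlink/write over every file labeled cache_file, not only its own log; a file created by credmgrd under /cache inherits the directory's cache_file label, and the `/cache/credmgr.log` file_contexts entry added in this commit only relabels it when restorecon runs. The fix that matches the intent is a type transition, `type_transition credmgrd cache_file:file credmgrd_data_file;` (optionally with a trailing `"credmgr.log"` name), after which the credmgrd_data_file:file rules already in this section cover the log and the broad cache_file:file rule can go, or shrink to `getattr` if something probes existing cache files. The directory permissions needed to create and remove the file (`add_name search` here, `remove_name write` in the earlier hunk) are already present. I am inferring that credmgrd itself creates the log; if another process does, the transition belongs in that domain.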
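Review bot: The deleted `#TODO: remove` marker appears to have sat on the `allow credmgrd toolbox_exec:file { execute execute_no_trans getattr open read };` rule that survives below it, so the commit drops the reminder but keeps the behaviour: credmgrd still executes toolbox without a domain transition. If the init script genuinely needs toolbox, say so where the TODO was, e.g. `# init script shells out to toolbox; runs in credmgrd, no transition`; otherwise remove the rule together with the comment. The `#TODO: wrong labeled on dest socket?` line above the kept `init:unix_stream_socket connectto` has an answer: that rule plus `property_socket:sock_file write` and `credmgrd_prop:property_service set` are exactly what `set_prop(credmgrd, credmgrd_prop)` expands to, so the macro would replace all three and retire the TODO. I am reading the collapsed hunk as the comment and the toolbox rule being separate lines; if the whole line was one comment, disregard the first point.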
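Review bot: `/cache/credmgr.log u:object_r:credmgrd_data_file:s0` is a regular expression, so the unescaped dot matches any character; it should read `/cache/credmgr\.log u:object_r:credmgrd_data_file:s0`. Note also that a file_contexts entry only labels the file when restorecon is run over /cache; a log created at runtime by credmgrd will carry the parent directory's cache_file label unless credmgrd.te assigns credmgrd_data_file at creation with a type_transition.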
@@ -1,6 +1,9 @@
 allow vold diag_data_file:dir { read open ioctl };
 allow vold tee_prop:file { getattr open read };
 allow vold firmware_file:file { getattr open read };
+allow vold iddd_file:dir { open read };
+allow vold tee_device:unix_stream_socket connectto;
+allow vold tee_device:sock_file write;
 allow vold iddd_file:dir read;
 allow vold tee_device:unix_stream_socket connectto;
 allow vold tee_device:sock_file write;
-- cgit v1.2.3
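Review bot: The three added vold.te rules duplicate the three context lines directly below them — `tee_device:unix_stream_socket connectto` and `tee_device:sock_file write` are repeated verbatim, and `iddd_file:dir { open read }` is a superset of the existing `iddd_file:dir read`. Duplicate allow rules compile (checkpolicy merges them), but they obscure which rule is live and will mislead the next audit2allow pass. Keep a single `allow vold iddd_file:dir { open read };` in place of the old `read` line and drop the two repeated tee_device lines. The message does not say why vold now needs `open` on the iddd directory; a one-line comment naming the denial would help the next reader.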