blob: 662b76dfd1b4055612fa14710cf3a4f1e6a18df0 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
|
#credmgrd define
type credmgrd, domain;
type credmgrd_exec, exec_type, file_type;
type credmgrd_data_file, file_type;
type credmgrd_socket, file_type;
init_daemon_domain(credmgrd);
#credmgrd self
allow credmgrd self:socket create_socket_perms;
allow credmgrd self:file rw_file_perms;
allow credmgrd self:dir rw_file_perms;
allow credmgrd self:fifo_file rw_file_perms;
allow credmgrd cache_file:dir { remove_name write };
allow credmgrd credmgrd_data_file:dir { add_name open read remove_name write };
allow credmgrd credmgrd_data_file:file { create getattr lock open read setattr unlink write };
#credmgdr tad
allow credmgrd tad:unix_stream_socket connectto;
allow credmgrd tad_block_device:blk_file { read write ioctl open };
allow credmgrd tad_socket:unix_dgram_socket sendto;
allow credmgrd tad_socket:unix_stream_socket connectto;
allow credmgrd tad_socket:sock_file write;
#credmgrd camera server
allow credmgrd camera_socket:file { read write getattr open };
allow credmgrd camera_socket:unix_stream_socket { connectto sendto };
#credmgrd mediaserver
allow mediaserver credmgrd:unix_stream_socket connectto;
#credmgrd mm-qcamera
allow credmgrd mm-qcamerad:file { read write getattr open };
allow credmgrd mm-qcamerad:unix_stream_socket { connectto sendto };
#credmgrd qseecomd tee
allow credmgrd tee_device:chr_file rw_file_perms;
#credmgrd suntrold
allow credmgrd suntrold:unix_stream_socket connectto;
allow credmgrd suntrold_sock_socket:dir search;
allow credmgrd suntrold_sock_socket:unix_dgram_socket sendto;
allow credmgrd suntrold_sock_socket:unix_stream_socket connectto;
allow credmgrd suntrold_sock_socket:sock_file write;
#credmgrd iddd
allow credmgrd iddd:unix_dgram_socket sendto;
allow credmgrd iddd_file:dir search;
allow credmgrd iddd_file:sock_file write;
allow credmgrd iddd_file:unix_stream_socket connectto;
allow credmgrd iddd_file:unix_dgram_socket sendto;
#/mnt/idd is tmpfs
allow credmgrd tmpfs:dir search;
allow credmgrd tmpfs:lnk_file read;
#credmgrd ion
allow credmgrd ion_device:chr_file { ioctl open read };
#============= credmgr init script ==============
allow credmgrd cache_file:dir { add_name search };
allow credmgrd credmgrd_data_file:dir { add_name getattr relabelto reparent rename rmdir search };
allow credmgrd credmgrd_data_file:file { append getattr open read unlink write };
allow credmgrd credmgrd_prop:property_service set;
allow credmgrd init:unix_stream_socket connectto;
allow credmgrd property_socket:sock_file write;
allow credmgrd shell_exec:file { getattr read };
allow credmgrd system_file:file execute_no_trans;
allow credmgrd system_prop:property_service set;
allow credmgrd system_data_file:dir { add_name create relabelfrom remove_name setattr write };
#TODO: wrong labeled on dest socket?
allow credmgrd init:unix_stream_socket connectto;
#TODO: remove
allow credmgrd toolbox_exec:file { execute execute_no_trans getattr open read };
type credmgr, domain;
type credmgr_exec, exec_type, file_type;
init_daemon_domain(credmgr);
|
