# credmgrd: domain and file-type declarations.
#   credmgrd            process domain (member of the "domain" attribute)
#   credmgrd_exec       executable type, used as the entry point for the
#                       init transition below
#   credmgrd_data_file  file type used by the data-file rules in this file
#   credmgrd_socket     file type that no rule in this file references
#                       NOTE(review): confirm it is assigned somewhere
#                       (file_contexts / init.rc socket entry); otherwise it is
#                       unused and peers have no sock_file rule to reach it.
type credmgrd, domain; 
type credmgrd_exec, exec_type, file_type;
type credmgrd_data_file, file_type;
type credmgrd_socket, file_type;
# AOSP macro: when init executes a file labelled credmgrd_exec, the new process
# runs in the credmgrd domain.
init_daemon_domain(credmgrd); 

# credmgrd: rules on its own objects, plus its private data files.
# Uses the generic "socket" class rather than a specific family.
# NOTE(review): confirm which socket family the daemon really creates and
# narrow the class accordingly.
allow credmgrd self:socket create_socket_perms;
allow credmgrd self:file rw_file_perms;
# NOTE(review): rw_file_perms is the file-oriented permission macro, applied
# here to the dir class. If directory access is intended, the dir macros
# (r_dir_perms / rw_dir_perms) are the conventional choice. Confirm the need.
allow credmgrd self:dir rw_file_perms;
allow credmgrd self:fifo_file rw_file_perms;
# Read/modify existing private data files (no execute, no append-only split).
allow credmgrd credmgrd_data_file:file { getattr lock open read setattr write };
# Not a "self" rule: allows removing entries from directories labelled
# cache_file. Further cache_file rules appear later in this file.
allow credmgrd cache_file:dir { remove_name write };
# Create and delete entries inside the private data directory.
allow credmgrd credmgrd_data_file:dir { add_name open read remove_name write };
# Same target and class as the file rule three lines up; the two rules together
# give create/unlink plus read/write on credmgrd_data_file files.
allow credmgrd credmgrd_data_file:file { create unlink };


# credmgrd -> tad
# Raw read/write/ioctl on the block device labelled tad_block_device. Access at
# the block layer is not mediated by any filesystem permissions, so every code
# path that can run in the credmgrd domain can modify the device contents.
# NOTE(review): confirm that write is required, not just read.
allow credmgrd tad_block_device:blk_file { read write ioctl open };
# NOTE(review): the next two rules name tad_socket (used below as the sock_file
# label) as the target of a socket-class permission. sendto/connectto are
# checked against the label of the peer socket, which normally carries the peer
# process domain (tad, see the rule after them), so these may never match.
# Check the audit log and drop them if unused.
allow credmgrd tad_socket:unix_dgram_socket sendto;
allow credmgrd tad_socket:unix_stream_socket connectto;
# Connect to a stream socket owned by the tad domain, and write to its socket
# node. This pair is what AOSP's unix_socket_connect() macro normally emits.
allow credmgrd tad:unix_stream_socket connectto;
allow credmgrd tad_socket:sock_file write;

# credmgrd -> camera server
# NOTE(review): class here is "file", not "sock_file". A Unix socket node would
# be sock_file, so confirm what object labelled camera_socket is opened as a
# regular file.
allow credmgrd camera_socket:file { read write getattr open };
# NOTE(review): both rules name the camera_socket type as the target of a
# socket-class permission; the peer check normally uses the server's process
# domain. Verify these rules are exercised.
allow credmgrd camera_socket:unix_stream_socket sendto;
allow credmgrd camera_socket:unix_stream_socket connectto;

# mediaserver -> credmgrd
# The source domain of this rule is mediaserver, not credmgrd: it lets
# mediaserver connect to a stream socket owned by credmgrd, which widens the
# set of domains that can reach the daemon. No sock_file rule for mediaserver
# is visible in this file.
# NOTE(review): confirm where that access is granted.
allow mediaserver credmgrd:unix_stream_socket connectto;

# credmgrd -> mm-qcamerad
# The target is a process domain with class "file": this covers files carrying
# the mm-qcamerad label (presumably that process's /proc entries; confirm).
# NOTE(review): write access to another domain's files is unusual; check
# whether it is needed at all.
allow credmgrd mm-qcamerad:file { read write getattr open };
allow credmgrd mm-qcamerad:unix_stream_socket sendto;
allow credmgrd mm-qcamerad:unix_stream_socket connectto;

# credmgrd -> TEE (qseecomd)
# Read/write on the character device labelled tee_device. The section header
# ties this to qseecomd / the trusted execution environment, so this rule
# places credmgrd among the domains that can talk to that interface.
allow credmgrd tee_device:chr_file rw_file_perms;

# credmgrd -> suntrold
# Traverse the directory that holds the socket node.
allow credmgrd suntrold_sock_socket:dir search;
# NOTE(review): socket-class permissions against the socket *file* type; the
# peer check normally uses the server's domain (suntrold, last rule of this
# section). Verify these two are needed.
allow credmgrd suntrold_sock_socket:unix_dgram_socket sendto;
allow credmgrd suntrold_sock_socket:unix_stream_socket connectto;
# Socket node write + connect to the suntrold domain: the usual client pair.
allow credmgrd suntrold_sock_socket:sock_file write;
allow credmgrd suntrold:unix_stream_socket connectto;

# credmgrd -> iddd
# Datagram send to a socket owned by the iddd domain.
allow credmgrd iddd:unix_dgram_socket sendto;
# Traverse the iddd_file directory and write to the socket node in it.
allow credmgrd iddd_file:dir search;
allow credmgrd iddd_file:sock_file write;
# NOTE(review): iddd_file is used above as a directory / sock_file label; as
# the target of socket-class permissions these rules may never match.
allow credmgrd iddd_file:unix_stream_socket connectto;
allow credmgrd iddd_file:unix_dgram_socket sendto;


# /mnt/idd is tmpfs
# These rules are written against the generic tmpfs type, so they apply to
# every directory and symlink labelled tmpfs, not only /mnt/idd.
# NOTE(review): a dedicated type for /mnt/idd would scope this to the one mount.
allow credmgrd tmpfs:dir search;
allow credmgrd tmpfs:lnk_file read;

# credmgrd -> ION: open/read/ioctl on the ion_device character device
# (no write permission is granted).
allow credmgrd ion_device:chr_file { ioctl open read };

# credmgrd files
# The "=====" banner below is in the format audit2allow emits, which suggests
# the rules after it were generated from logged denials (confirm).
#============= credmgrd ==============
# Traverse directories labelled cache_file.
allow credmgrd cache_file:dir search;

#============= credmgr init script ==============
# Every rule in this section has credmgrd as its source, so the permissions are
# held by the long-running daemon domain itself, not only by a one-shot script.
# NOTE(review): if they exist for a setup/migration script (as the header
# suggests), running that script in its own short-lived domain would keep
# shell execution, property setting and /data relabeling out of the daemon.

# Create, read, write and delete files in cache_file directories.
allow credmgrd cache_file:dir add_name;
allow credmgrd cache_file:file { create getattr open read unlink write };
# Stat, traverse and rename within the private data directory.
allow credmgrd credmgrd_data_file:dir { getattr rename search };
# Pseudo-terminal access on the generic devpts type.
# NOTE(review): presumably left over from running the script from an
# interactive shell; confirm the daemon needs a pty.
allow credmgrd devpts:chr_file { getattr ioctl open read write };
# Property-service client path: connect to init's socket, write to the
# property socket node, and set properties of type system_prop (see the
# property_service rule below). system_prop is a generic type, so this is not
# limited to properties owned by this daemon.
# NOTE(review): a dedicated property type would narrow it.
allow credmgrd init:unix_stream_socket connectto;
allow credmgrd property_socket:sock_file write;
# Shell binary: getattr/read only, no execute permission granted here.
allow credmgrd shell_exec:file { getattr read };
# Add/remove entries in directories carrying the generic system_data_file
# label, i.e. shared /data directories rather than the daemon's own type.
allow credmgrd system_data_file:dir { add_name remove_name write };
# execute_no_trans: run system_file binaries without leaving the credmgrd
# domain, so the child keeps every permission listed in this file.
allow credmgrd system_file:file execute_no_trans;
allow credmgrd system_prop:property_service set;
# toolbox is likewise executed inside the credmgrd domain (no transition).
allow credmgrd toolbox_exec:file { execute execute_no_trans getattr open read };
# Relabeling: with relabelfrom on system_data_file (last rule) and relabelto
# here, the domain can turn a generically labelled /data directory into
# credmgrd_data_file; it can also move and remove such directories.
# NOTE(review): this looks like a one-time data migration; confirm, and remove
# it once no device still needs it.
allow credmgrd credmgrd_data_file:dir { relabelto reparent rmdir };
# Create directories with the generic system_data_file label, change their
# attributes, and relabel them away from that type.
allow credmgrd system_data_file:dir { create relabelfrom setattr };