Move SELinux diag_device policy to userdebug/eng.
Also just remove all specific domain access and instead allow diag_device access for all domains on the userdebug/user builds. Change-Id: I2dc79eb47e05290902af2dfd61a361336ebc8bca Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
parent
62d77eeceb
commit
ba571057fa
|
@ -113,6 +113,7 @@ BOARD_SEPOLICY_UNION += \
|
||||||
camera.te \
|
camera.te \
|
||||||
conn_init.te \
|
conn_init.te \
|
||||||
device.te \
|
device.te \
|
||||||
|
domain.te \
|
||||||
file.te \
|
file.te \
|
||||||
file_contexts \
|
file_contexts \
|
||||||
irsc_util.te \
|
irsc_util.te \
|
||||||
|
|
|
@ -8,9 +8,6 @@ init_daemon_domain(bridge)
|
||||||
# Uevent for usb connection
|
# Uevent for usb connection
|
||||||
allow bridge self:netlink_kobject_uevent_socket { create bind read };
|
allow bridge self:netlink_kobject_uevent_socket { create bind read };
|
||||||
|
|
||||||
# Allow logging diagnostic items to /dev/diag
|
|
||||||
allow bridge diag_device:chr_file rw_file_perms;
|
|
||||||
|
|
||||||
# Talk to qmuxd (qmux_radio)
|
# Talk to qmuxd (qmux_radio)
|
||||||
qmux_socket(bridge)
|
qmux_socket(bridge)
|
||||||
|
|
||||||
|
|
|
@ -0,0 +1,3 @@
|
||||||
|
userdebug_or_eng(`
|
||||||
|
allow domain diag_device:chr_file rw_file_perms;
|
||||||
|
')
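Review bot: The new rule `allow domain diag_device:chr_file rw_file_perms;` gives every domain read/write on the diag node on userdebug/eng builds, which is wider than the per-daemon rules this commit removes and, going by the `domain` attribute, would also cover app domains. If only platform daemons need it, a narrower source set such as `allow { domain -appdomain } diag_device:chr_file rw_file_perms;` keeps apps out while still avoiding per-domain rules. The removed rules for bridge, netmgrd, qmux, sensors and thermald were not wrapped in `userdebug_or_eng`, so on user builds those daemons presumably start logging denials on /dev/diag; it is worth confirming that this is intended. A comment above the rule, for example `# /dev/diag is a debug-only interface; no domain gets it on user builds.`, would record the intent, since the commit message says userdebug/user where the macro used is `userdebug_or_eng`.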
|
|
@ -20,9 +20,6 @@ allow netmgrd self:netlink_route_socket create_socket_perms;
|
||||||
# Talk to qmuxd (qmux_radio)
|
# Talk to qmuxd (qmux_radio)
|
||||||
qmux_socket(netmgrd)
|
qmux_socket(netmgrd)
|
||||||
|
|
||||||
# Allow logging diagnostic items (/dev/diag)
|
|
||||||
allow netmgrd diag_device:chr_file rw_file_perms;
|
|
||||||
|
|
||||||
# Tries to access /data/data_test/ with toolbox. The data_test
|
# Tries to access /data/data_test/ with toolbox. The data_test
|
||||||
# directory doesn't exist so deny access.
|
# directory doesn't exist so deny access.
|
||||||
dontaudit netmgrd shell_exec:file rx_file_perms;
|
dontaudit netmgrd shell_exec:file rx_file_perms;
|
||||||
|
|
|
@ -12,8 +12,5 @@ allow qmux qmuxd_socket:sock_file { create setattr getattr unlink };
|
||||||
# /dev/hsicctl* node access
|
# /dev/hsicctl* node access
|
||||||
allow qmux radio_device:chr_file rw_file_perms;
|
allow qmux radio_device:chr_file rw_file_perms;
|
||||||
|
|
||||||
# Allow logging diagnostic items
|
|
||||||
allow qmux diag_device:chr_file rw_file_perms;
|
|
||||||
|
|
||||||
# wake lock access
|
# wake lock access
|
||||||
allow qmux sysfs_wake_lock:file { open append };
|
allow qmux sysfs_wake_lock:file { open append };
|
||||||
|
|
|
@ -1,5 +1 @@
|
||||||
userdebug_or_eng(`
|
|
||||||
allow rild diag_device:chr_file rw_file_perms;
|
|
||||||
')
|
|
||||||
|
|
||||||
qmux_socket(rild)
|
qmux_socket(rild)
|
||||||
|
|
|
@ -14,9 +14,6 @@ dontaudit sensors self:capability fsetid;
|
||||||
# Access /data/misc/sensors/debug and /data/system/sensors/settings
|
# Access /data/misc/sensors/debug and /data/system/sensors/settings
|
||||||
allow sensors self:capability { dac_read_search dac_override };
|
allow sensors self:capability { dac_read_search dac_override };
|
||||||
|
|
||||||
# Log diagnostic items (/dev/diag)
|
|
||||||
allow sensors diag_device:chr_file rw_file_perms;
|
|
||||||
|
|
||||||
# Create /data/app/sensor_ctl_socket (Might want to change location).
|
# Create /data/app/sensor_ctl_socket (Might want to change location).
|
||||||
type_transition sensors apk_data_file:sock_file sensors_socket "sensor_ctl_socket";
|
type_transition sensors apk_data_file:sock_file sensors_socket "sensor_ctl_socket";
|
||||||
allow sensors sensors_socket:sock_file create_file_perms;
|
allow sensors sensors_socket:sock_file create_file_perms;
|
||||||
|
|
|
@ -14,8 +14,8 @@ allow thermald self:capability net_admin;
|
||||||
# Talk to qmuxd (/dev/socket/qmux_radio)
|
# Talk to qmuxd (/dev/socket/qmux_radio)
|
||||||
qmux_socket(thermald)
|
qmux_socket(thermald)
|
||||||
|
|
||||||
# Access shared logger (/dev/smem_log) and diagnostic logger (/dev/diag)
|
# Access shared logger (/dev/smem_log)
|
||||||
allow thermald { shared_log_device diag_device }:chr_file rw_file_perms;
|
allow thermald shared_log_device:chr_file rw_file_perms;
|
||||||
|
|
||||||
# Access /sys/devices/system/cpu/
|
# Access /sys/devices/system/cpu/
|
||||||
allow thermald sysfs_devices_system_cpu:file rw_file_perms;
|
allow thermald sysfs_devices_system_cpu:file rw_file_perms;
|
||||||
|
|