diff options
| author | Stephen Smalley <sds@tycho.nsa.gov> | 2014-02-25 13:37:06 -0500 |
|---|---|---|
| committer | Stephen Smalley <sds@tycho.nsa.gov> | 2014-02-25 13:49:57 -0500 |
| commit | 768ff518f03a0d0cb181d7a5b7f7aff0038ccd78 (patch) | |
| tree | 6fb633e83cec8d64fbb85fd752978b58fb182c78 /target/board/generic/sepolicy | |
| parent | 0e0c48796d9d0ebe415b1ccc9f67ae95f9c716c9 (diff) | |
| download | build-768ff518f03a0d0cb181d7a5b7f7aff0038ccd78.zip build-768ff518f03a0d0cb181d7a5b7f7aff0038ccd78.tar.gz build-768ff518f03a0d0cb181d7a5b7f7aff0038ccd78.tar.bz2 | |
Move qemud and /dev/qemu policy bits to emulator-specific sepolicy.
Change-Id: I620d4aef84a5d4565abb1695db54ce1653612bce
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Diffstat (limited to 'target/board/generic/sepolicy')
| -rw-r--r-- | target/board/generic/sepolicy/adbd.te | 1 | ||||
| -rw-r--r-- | target/board/generic/sepolicy/device.te | 1 | ||||
| -rw-r--r-- | target/board/generic/sepolicy/file.te | 1 | ||||
| -rw-r--r-- | target/board/generic/sepolicy/file_contexts | 4 | ||||
| -rw-r--r-- | target/board/generic/sepolicy/mediaserver.te | 1 | ||||
| -rw-r--r-- | target/board/generic/sepolicy/qemud.te | 6 | ||||
| -rw-r--r-- | target/board/generic/sepolicy/rild.te | 2 | ||||
| -rw-r--r-- | target/board/generic/sepolicy/system_server.te | 2 |
8 files changed, 18 insertions, 0 deletions
diff --git a/target/board/generic/sepolicy/adbd.te b/target/board/generic/sepolicy/adbd.te new file mode 100644 index 0000000..f65cfb3 --- /dev/null +++ b/target/board/generic/sepolicy/adbd.te @@ -0,0 +1 @@ +allow adbd qemu_device:chr_file rw_file_perms; diff --git a/target/board/generic/sepolicy/device.te b/target/board/generic/sepolicy/device.te new file mode 100644 index 0000000..e4af13c --- /dev/null +++ b/target/board/generic/sepolicy/device.te @@ -0,0 +1 @@ +type qemu_device, dev_type; diff --git a/target/board/generic/sepolicy/file.te b/target/board/generic/sepolicy/file.te new file mode 100644 index 0000000..6fad80a --- /dev/null +++ b/target/board/generic/sepolicy/file.te @@ -0,0 +1 @@ +type qemud_socket, file_type; diff --git a/target/board/generic/sepolicy/file_contexts b/target/board/generic/sepolicy/file_contexts new file mode 100644 index 0000000..f204cde --- /dev/null +++ b/target/board/generic/sepolicy/file_contexts @@ -0,0 +1,4 @@ +/dev/qemu_.* u:object_r:qemu_device:s0 +/dev/socket/qemud u:object_r:qemud_socket:s0 +/system/bin/qemud u:object_r:qemud_exec:s0 +/sys/qemu_trace(/.*)? -- u:object_r:sysfs_writable:s0 diff --git a/target/board/generic/sepolicy/mediaserver.te b/target/board/generic/sepolicy/mediaserver.te new file mode 100644 index 0000000..90b8cf8 --- /dev/null +++ b/target/board/generic/sepolicy/mediaserver.te @@ -0,0 +1 @@ +allow mediaserver qemu_device:chr_file rw_file_perms; diff --git a/target/board/generic/sepolicy/qemud.te b/target/board/generic/sepolicy/qemud.te new file mode 100644 index 0000000..4ff02ec --- /dev/null +++ b/target/board/generic/sepolicy/qemud.te @@ -0,0 +1,6 @@ +# qemu support daemon +type qemud, domain; +type qemud_exec, exec_type, file_type; + +init_daemon_domain(qemud) +unconfined_domain(qemud) diff --git a/target/board/generic/sepolicy/rild.te b/target/board/generic/sepolicy/rild.te new file mode 100644 index 0000000..5de171a --- /dev/null +++ b/target/board/generic/sepolicy/rild.te @@ -0,0 +1,2 @@ +allow rild qemu_device:chr_file rw_file_perms; +unix_socket_connect(rild, qemud, qemud) diff --git a/target/board/generic/sepolicy/system_server.te b/target/board/generic/sepolicy/system_server.te new file mode 100644 index 0000000..ef4ce4a --- /dev/null +++ b/target/board/generic/sepolicy/system_server.te @@ -0,0 +1,2 @@ +unix_socket_connect(system_server, qemud, qemud) +allow system_server qemu_device:chr_file rw_file_perms; |