author | Stephen Smalley <sds@tycho.nsa.gov> | 2014-02-26 08:49:39 -0500 |
---|---|---|
committer | Stephen Smalley <sds@tycho.nsa.gov> | 2014-02-26 09:12:55 -0500 |
commit | 1c0e1cde7bdacf544453cf32a8c2a1727e278824 (patch) | |
tree | 6f0efe87b930e39f3cbacf93c339c43da1170d5b /target/board | |
parent | 66331624b5422a608607a9924f174ba533573032 (diff) | |
Add policy for MIPS emulator, fix x86 policy.
The qemud and /dev/qemu_pipe policy bits copied to generic
and generic_x86 by I620d4aef84a5d4565abb1695db54ce1653612bce
are required for generic_mips as well. In testing, we
further saw other denials for generic_mips that correspond
exactly to what is already allowed in the generic sepolicy, so
just inherit the sepolicy files from generic for now.
We could do likewise for the generic_x86 sepolicy for the files that are
identical with generic if desired, but that is not done by this change.
The generic_x86 sepolicy was missing a rule for /sys/qemu_trace
moved to the generic sepolicy by the prior change, so fix that omission.
The generic*64 variants will need something similar, either by inheriting
from one of the existing sepolicy directories as in the MIPS
case or by forking their own copies as in the x86 case.
Change-Id: Iec7c8825734a3f96f7db8ae1d10dce1f30b22bdf
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Diffstat (limited to 'target/board')
-rw-r--r-- | target/board/generic_mips/BoardConfig.mk | 14 | ||||
-rw-r--r-- | target/board/generic_x86/sepolicy/domain.te | 2 |
2 files changed, 16 insertions, 0 deletions
diff --git a/target/board/generic_mips/BoardConfig.mk b/target/board/generic_mips/BoardConfig.mk
index e16374b..85bf7d7 100644
--- a/target/board/generic_mips/BoardConfig.mk
+++ b/target/board/generic_mips/BoardConfig.mk
@@ -56,3 +56,17 @@ BOARD_CACHEIMAGE_PARTITION_SIZE := 69206016
 BOARD_CACHEIMAGE_FILE_SYSTEM_TYPE := ext4
 BOARD_FLASH_BLOCK_SIZE := 512
 TARGET_USERIMAGES_SPARSE_EXT_DISABLED := true
+
+BOARD_SEPOLICY_DIRS += build/target/board/generic/sepolicy
+BOARD_SEPOLICY_UNION += \
+ adbd.te \
+ bootanim.te \
+ device.te \
+ domain.te \
+ file.te \
+ file_contexts \
+ mediaserver.te \
+ qemud.te \
+ rild.te \
+ surfaceflinger.te \
+ system_server.te
diff --git a/target/board/generic_x86/sepolicy/domain.te b/target/board/generic_x86/sepolicy/domain.te
index 0bc8d87..c17950d 100644
--- a/target/board/generic_x86/sepolicy/domain.te
+++ b/target/board/generic_x86/sepolicy/domain.te
@@ -1 +1,3 @@
+# For /sys/qemu_trace files in the emulator.
+allow domain sysfs_writable:file rw_file_perms;
 allow domain cpuctl_device:dir search;
 |
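Review bot: The file names under `BOARD_SEPOLICY_UNION` are a hand-maintained copy of what lives in build/target/board/generic/sepolicy, and nothing in the added lines says so. If a policy file is later added to that directory, generic_mips would presumably not pick it up unless it is also listed here, so the two emulator policies can drift without a build error. I would add a comment above the block, for example `# Emulator policy is inherited from generic; every file added to generic/sepolicy must also be listed here.` The commit message notes that the generic*64 variants need the same treatment, so the comment would also help whoever copies this block.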
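Review bot: The added `allow domain sysfs_writable:file rw_file_perms;` gives every domain read/write access to every file labelled sysfs_writable, but the comment names only /sys/qemu_trace. Which paths carry that type is decided in file_contexts, which is outside this hunk, so the real scope of the grant cannot be read from here. The comment should state that the rule is domain-wide and emulator-only, for example `# Emulator only: lets all domains write /sys/qemu_trace (sysfs_writable); do not copy into device policy.` If only a few domains actually write the trace files, narrowing the source from `domain` to those types would be the least-privilege form, but that needs confirming against the denials seen in testing.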