authorStephen Smalley <sds@tycho.nsa.gov>2014-02-26 08:49:39 -0500
committerStephen Smalley <sds@tycho.nsa.gov>2014-02-26 09:12:55 -0500
commit1c0e1cde7bdacf544453cf32a8c2a1727e278824 (patch)
tree6f0efe87b930e39f3cbacf93c339c43da1170d5b /target/board
parent66331624b5422a608607a9924f174ba533573032 (diff)
Add policy for MIPS emulator, fix x86 policy.
The qemud and /dev/qemu_pipe policy bits copied to generic and generic_x86 by I620d4aef84a5d4565abb1695db54ce1653612bce are required for generic_mips as well. In testing, we further saw other denials for generic_mips that correspond exactly to what is already allowed in the generic sepolicy, so just inherit the sepolicy files from generic for now. We could do likewise for the generic_x86 sepolicy for the files that are identical with generic if desired, but that is not done by this change. The generic_x86 sepolicy was missing a rule for /sys/qemu_trace moved to the generic sepolicy by the prior change, so fix that omission. The generic*64 variants will need something similar, either by inheriting from one of the existing sepolicy directories as in the MIPS case or by forking their own copies as in the x86 case. Change-Id: Iec7c8825734a3f96f7db8ae1d10dce1f30b22bdf Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Diffstat (limited to 'target/board')
-rw-r--r--target/board/generic_mips/BoardConfig.mk14
-rw-r--r--target/board/generic_x86/sepolicy/domain.te2
2 files changed, 16 insertions, 0 deletions
diff --git a/target/board/generic_mips/BoardConfig.mk b/target/board/generic_mips/BoardConfig.mk
index e16374b..85bf7d7 100644
--- a/target/board/generic_mips/BoardConfig.mk
+++ b/target/board/generic_mips/BoardConfig.mk
@@ -56,3 +56,17 @@ BOARD_CACHEIMAGE_PARTITION_SIZE := 69206016
BOARD_CACHEIMAGE_FILE_SYSTEM_TYPE := ext4
BOARD_FLASH_BLOCK_SIZE := 512
TARGET_USERIMAGES_SPARSE_EXT_DISABLED := true
+
+BOARD_SEPOLICY_DIRS += build/target/board/generic/sepolicy
+BOARD_SEPOLICY_UNION += \
+ adbd.te \
+ bootanim.te \
+ device.te \
+ domain.te \
+ file.te \
+ file_contexts \
+ mediaserver.te \
+ qemud.te \
+ rild.te \
+ surfaceflinger.te \
+ system_server.te
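Review bot: The `BOARD_SEPOLICY_UNION` list added here names each inherited policy file individually, so a file added later under build/target/board/generic/sepolicy will not reach generic_mips unless this list is edited too. The result would be a MIPS emulator image running with a policy that has silently drifted from the one it is meant to inherit. Nothing in the hunk tells a maintainer that the list mirrors the generic directory. I would add a comment above the block such as `# Inherit the generic emulator sepolicy; keep this list in sync with build/target/board/generic/sepolicy.`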
diff --git a/target/board/generic_x86/sepolicy/domain.te b/target/board/generic_x86/sepolicy/domain.te
index 0bc8d87..c17950d 100644
--- a/target/board/generic_x86/sepolicy/domain.te
+++ b/target/board/generic_x86/sepolicy/domain.te
@@ -1 +1,3 @@
+# For /sys/qemu_trace files in the emulator.
+allow domain sysfs_writable:file rw_file_perms;
allow domain cpuctl_device:dir search;
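Review bot: The added `allow domain sysfs_writable:file rw_file_perms;` is granted to the `domain` attribute, so every process domain in the generic_x86 image gets read/write on any file labelled sysfs_writable, not only on /sys/qemu_trace. Which paths carry that label is decided in file_contexts, which this diff does not touch for generic_x86, so the effective scope of the rule cannot be checked from the hunk. I would have the comment state the constraint, e.g. `# Emulator only: all domains get rw here, so sysfs_writable must label nothing but /sys/qemu_trace.` It is also worth confirming that the x86 file_contexts has the matching entry.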