diff options
| author | Stephen Smalley <sds@tycho.nsa.gov> | 2014-02-25 13:37:06 -0500 |
|---|---|---|
| committer | Stephen Smalley <sds@tycho.nsa.gov> | 2014-02-25 13:49:57 -0500 |
| commit | 768ff518f03a0d0cb181d7a5b7f7aff0038ccd78 (patch) | |
| tree | 6fb633e83cec8d64fbb85fd752978b58fb182c78 /target | |
| parent | 0e0c48796d9d0ebe415b1ccc9f67ae95f9c716c9 (diff) | |
| download | build-768ff518f03a0d0cb181d7a5b7f7aff0038ccd78.zip build-768ff518f03a0d0cb181d7a5b7f7aff0038ccd78.tar.gz build-768ff518f03a0d0cb181d7a5b7f7aff0038ccd78.tar.bz2 | |
Move qemud and /dev/qemu policy bits to emulator-specific sepolicy.
Change-Id: I620d4aef84a5d4565abb1695db54ce1653612bce
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Diffstat (limited to 'target')
| -rw-r--r-- | target/board/generic/BoardConfig.mk | 10 | ||||
| -rw-r--r-- | target/board/generic/sepolicy/adbd.te | 1 | ||||
| -rw-r--r-- | target/board/generic/sepolicy/device.te | 1 | ||||
| -rw-r--r-- | target/board/generic/sepolicy/file.te | 1 | ||||
| -rw-r--r-- | target/board/generic/sepolicy/file_contexts | 4 | ||||
| -rw-r--r-- | target/board/generic/sepolicy/mediaserver.te | 1 | ||||
| -rw-r--r-- | target/board/generic/sepolicy/qemud.te | 6 | ||||
| -rw-r--r-- | target/board/generic/sepolicy/rild.te | 2 | ||||
| -rw-r--r-- | target/board/generic/sepolicy/system_server.te | 2 | ||||
| -rw-r--r-- | target/board/generic_x86/BoardConfig.mk | 7 | ||||
| -rw-r--r-- | target/board/generic_x86/sepolicy/adbd.te | 1 | ||||
| -rw-r--r-- | target/board/generic_x86/sepolicy/device.te | 1 | ||||
| -rw-r--r-- | target/board/generic_x86/sepolicy/file.te | 1 | ||||
| -rw-r--r-- | target/board/generic_x86/sepolicy/file_contexts | 4 | ||||
| -rw-r--r-- | target/board/generic_x86/sepolicy/mediaserver.te | 1 | ||||
| -rw-r--r-- | target/board/generic_x86/sepolicy/qemud.te | 6 | ||||
| -rw-r--r-- | target/board/generic_x86/sepolicy/rild.te | 2 | ||||
| -rw-r--r-- | target/board/generic_x86/sepolicy/system_server.te | 2 |
18 files changed, 52 insertions, 1 deletions
diff --git a/target/board/generic/BoardConfig.mk b/target/board/generic/BoardConfig.mk index e0ad23a..53a5512 100644 --- a/target/board/generic/BoardConfig.mk +++ b/target/board/generic/BoardConfig.mk @@ -77,6 +77,14 @@ TARGET_USERIMAGES_SPARSE_EXT_DISABLED := true BOARD_SEPOLICY_DIRS += build/target/board/generic/sepolicy BOARD_SEPOLICY_UNION += \ + adbd.te \ bootanim.te \ + device.te \ domain.te \ - surfaceflinger.te + file.te \ + file_contexts \ + mediaserver.te \ + qemud.te \ + rild.te \ + surfaceflinger.te \ + system_server.te diff --git a/target/board/generic/sepolicy/adbd.te b/target/board/generic/sepolicy/adbd.te new file mode 100644 index 0000000..f65cfb3 --- /dev/null +++ b/target/board/generic/sepolicy/adbd.te @@ -0,0 +1 @@ +allow adbd qemu_device:chr_file rw_file_perms; diff --git a/target/board/generic/sepolicy/device.te b/target/board/generic/sepolicy/device.te new file mode 100644 index 0000000..e4af13c --- /dev/null +++ b/target/board/generic/sepolicy/device.te @@ -0,0 +1 @@ +type qemu_device, dev_type; diff --git a/target/board/generic/sepolicy/file.te b/target/board/generic/sepolicy/file.te new file mode 100644 index 0000000..6fad80a --- /dev/null +++ b/target/board/generic/sepolicy/file.te @@ -0,0 +1 @@ +type qemud_socket, file_type; diff --git a/target/board/generic/sepolicy/file_contexts b/target/board/generic/sepolicy/file_contexts new file mode 100644 index 0000000..f204cde --- /dev/null +++ b/target/board/generic/sepolicy/file_contexts @@ -0,0 +1,4 @@ +/dev/qemu_.* u:object_r:qemu_device:s0 +/dev/socket/qemud u:object_r:qemud_socket:s0 +/system/bin/qemud u:object_r:qemud_exec:s0 +/sys/qemu_trace(/.*)? -- u:object_r:sysfs_writable:s0 diff --git a/target/board/generic/sepolicy/mediaserver.te b/target/board/generic/sepolicy/mediaserver.te new file mode 100644 index 0000000..90b8cf8 --- /dev/null +++ b/target/board/generic/sepolicy/mediaserver.te @@ -0,0 +1 @@ +allow mediaserver qemu_device:chr_file rw_file_perms; diff --git a/target/board/generic/sepolicy/qemud.te b/target/board/generic/sepolicy/qemud.te new file mode 100644 index 0000000..4ff02ec --- /dev/null +++ b/target/board/generic/sepolicy/qemud.te @@ -0,0 +1,6 @@ +# qemu support daemon +type qemud, domain; +type qemud_exec, exec_type, file_type; + +init_daemon_domain(qemud) +unconfined_domain(qemud) diff --git a/target/board/generic/sepolicy/rild.te b/target/board/generic/sepolicy/rild.te new file mode 100644 index 0000000..5de171a --- /dev/null +++ b/target/board/generic/sepolicy/rild.te @@ -0,0 +1,2 @@ +allow rild qemu_device:chr_file rw_file_perms; +unix_socket_connect(rild, qemud, qemud) diff --git a/target/board/generic/sepolicy/system_server.te b/target/board/generic/sepolicy/system_server.te new file mode 100644 index 0000000..ef4ce4a --- /dev/null +++ b/target/board/generic/sepolicy/system_server.te @@ -0,0 +1,2 @@ +unix_socket_connect(system_server, qemud, qemud) +allow system_server qemu_device:chr_file rw_file_perms; diff --git a/target/board/generic_x86/BoardConfig.mk b/target/board/generic_x86/BoardConfig.mk index 61c8cf5..5da767e 100644 --- a/target/board/generic_x86/BoardConfig.mk +++ b/target/board/generic_x86/BoardConfig.mk @@ -45,8 +45,15 @@ TARGET_USERIMAGES_SPARSE_EXT_DISABLED := true BOARD_SEPOLICY_DIRS += build/target/board/generic_x86/sepolicy BOARD_SEPOLICY_UNION += \ + adbd.te \ + device.te \ domain.te \ + file.te \ + file_contexts \ healthd.te \ installd.te \ + mediaserver.te \ + qemud.te \ + rild.te \ system_server.te \ zygote.te diff --git a/target/board/generic_x86/sepolicy/adbd.te b/target/board/generic_x86/sepolicy/adbd.te new file mode 100644 index 0000000..f65cfb3 --- /dev/null +++ b/target/board/generic_x86/sepolicy/adbd.te @@ -0,0 +1 @@ +allow adbd qemu_device:chr_file rw_file_perms; diff --git a/target/board/generic_x86/sepolicy/device.te b/target/board/generic_x86/sepolicy/device.te new file mode 100644 index 0000000..e4af13c --- /dev/null +++ b/target/board/generic_x86/sepolicy/device.te @@ -0,0 +1 @@ +type qemu_device, dev_type; diff --git a/target/board/generic_x86/sepolicy/file.te b/target/board/generic_x86/sepolicy/file.te new file mode 100644 index 0000000..6fad80a --- /dev/null +++ b/target/board/generic_x86/sepolicy/file.te @@ -0,0 +1 @@ +type qemud_socket, file_type; diff --git a/target/board/generic_x86/sepolicy/file_contexts b/target/board/generic_x86/sepolicy/file_contexts new file mode 100644 index 0000000..f204cde --- /dev/null +++ b/target/board/generic_x86/sepolicy/file_contexts @@ -0,0 +1,4 @@ +/dev/qemu_.* u:object_r:qemu_device:s0 +/dev/socket/qemud u:object_r:qemud_socket:s0 +/system/bin/qemud u:object_r:qemud_exec:s0 +/sys/qemu_trace(/.*)? -- u:object_r:sysfs_writable:s0 diff --git a/target/board/generic_x86/sepolicy/mediaserver.te b/target/board/generic_x86/sepolicy/mediaserver.te new file mode 100644 index 0000000..90b8cf8 --- /dev/null +++ b/target/board/generic_x86/sepolicy/mediaserver.te @@ -0,0 +1 @@ +allow mediaserver qemu_device:chr_file rw_file_perms; diff --git a/target/board/generic_x86/sepolicy/qemud.te b/target/board/generic_x86/sepolicy/qemud.te new file mode 100644 index 0000000..4ff02ec --- /dev/null +++ b/target/board/generic_x86/sepolicy/qemud.te @@ -0,0 +1,6 @@ +# qemu support daemon +type qemud, domain; +type qemud_exec, exec_type, file_type; + +init_daemon_domain(qemud) +unconfined_domain(qemud) diff --git a/target/board/generic_x86/sepolicy/rild.te b/target/board/generic_x86/sepolicy/rild.te new file mode 100644 index 0000000..5de171a --- /dev/null +++ b/target/board/generic_x86/sepolicy/rild.te @@ -0,0 +1,2 @@ +allow rild qemu_device:chr_file rw_file_perms; +unix_socket_connect(rild, qemud, qemud) diff --git a/target/board/generic_x86/sepolicy/system_server.te b/target/board/generic_x86/sepolicy/system_server.te index 5d98a14..9bfe5fe 100644 --- a/target/board/generic_x86/sepolicy/system_server.te +++ b/target/board/generic_x86/sepolicy/system_server.te @@ -1 +1,3 @@ allow system_server self:process execmem; +unix_socket_connect(system_server, qemud, qemud) +allow system_server qemu_device:chr_file rw_file_perms; |