authorLuden <luden@ghostmail.com>2016-03-17 20:19:12 +0000
committerZiyan <jaraidaniel@gmail.com>2016-04-03 15:49:30 +0200
commit3977f65b1374e3365f69695771afe886165564d6 (patch)
treea146b3b6135fc94fa2f4e62b54ed677f9bce4d6f /sepolicy/recovery.te
parent3c60373689a44efea9a87b6cdac148530b02d775 (diff)
downloaddevice_samsung_tuna-3977f65b1374e3365f69695771afe886165564d6.zip
device_samsung_tuna-3977f65b1374e3365f69695771afe886165564d6.tar.gz
device_samsung_tuna-3977f65b1374e3365f69695771afe886165564d6.tar.bz2
Implemented SELinux rules for tuna.
Change-Id: I0c82e620532cf968341cc8c5d268aa0788ebb94f
Diffstat (limited to 'sepolicy/recovery.te')
-rw-r--r--sepolicy/recovery.te42
1 files changed, 42 insertions, 0 deletions
diff --git a/sepolicy/recovery.te b/sepolicy/recovery.te
new file mode 100644
index 0000000..dca6680
--- /dev/null
+++ b/sepolicy/recovery.te
@@ -0,0 +1,42 @@
+# recovery
+type recovery_exec, exec_type, file_type;
+
+# Instead of 'init_daemon_domain(recovery)' we're using
+# 'domain_auto_trans', which is the first part of 'init_daemon_domain'.
+# We cannot use 'init_daemon_domain' directly as it also results
+# in automatic transition from 'tmpfs' to 'recovery_tmpfs' which
+# is not accounted for by existing recovery.te rules and, moreover,
+# is forbidden by 'neverallow' that blocks execution of files not on
+# 'tmpfs'.
+domain_auto_trans(init, recovery_exec, recovery)
+
+# For running tunasetup
+allow recovery shell_exec:file read;
+
+# For tee_fs setprop
+allow recovery property_socket:sock_file write;
+allow recovery init:unix_stream_socket connectto;
+allow recovery tee_fs_prop:property_service set;
+
+# For creating or checking /tee
+allow recovery tee_block_device:blk_file { getattr open ioctl read write };
+allow recovery unlabeled:dir { add_name create getattr open read relabelfrom relabelto search setattr write };
+allow recovery block_device:dir { search };
+allow recovery recovery:capability { chown dac_override fowner sys_admin };
+allow recovery kmsg_device:chr_file { getattr ioctl open write };
+allow recovery tee_file:dir { getattr open read relabelto setattr };
+
+# For running mke2fs when creating tee
+allow recovery system_file:file execute_no_trans;
+
+# For remounting and relabeling /factory and /system
+allow recovery efs_block_device:blk_file { getattr open ioctl read write };
+allow recovery system_block_device:blk_file { open ioctl read };
+allow recovery labeledfs:filesystem { mount remount };
+allow recovery kernel:process setsched;
+allow recovery rootfs:dir mounton;
+allow recovery { efs_file radio_efs_file bluetooth_efs_file }:dir { getattr open read search setattr };
+allow recovery { efs_file radio_efs_file bluetooth_efs_file }:file { getattr open read relabelfrom relabelto setattr };
+
+# For rebooting in tunasetup
+allow recovery powerctl_prop:property_service set;
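Review bot: The `unlabeled:dir` rule under "For creating or checking /tee" grants `add_name`, `create`, `write` and both relabel permissions on every directory that lacks a valid label, not only /tee, so it is much wider than its comment suggests. If the goal is only to label a freshly created /tee, `relabelfrom` plus the read/search permissions on `unlabeled` may be enough, since `relabelto` is already granted on `tee_file:dir` a few lines below. The `relabelto` on `unlabeled` in particular looks like audit2allow residue and is worth checking against the actual denials. The capability rule on the line after `block_device:dir` would conventionally be written `allow recovery self:capability { chown dac_override fowner sys_admin };`. Because `dac_override` and `sys_admin` are broad, add a comment there naming the step that needs each, e.g. `# sys_admin: mount/remount of /factory and /system`, if that is indeed the reason.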