authorAlex Vakulenko <avakulenko@google.com>2015-12-29 16:13:29 -0800
committerAlex Vakulenko <avakulenko@google.com>2016-01-07 16:11:09 -0800
commitbfc956c8810c0fc736cc4286a2041092a2134088 (patch)
treed5ef9da952a537d02e04a03a15d946f488aade9f
parentc73b9919d3723e8c18574f13fad95211c53b3d19 (diff)
Add SELinux policies to allow processes to talk to weaved over binder
Created the rules needed to allow Brillo daemons to talk to weaved over binder, and to allow weaved to send command notifications back to those daemons.

BUG: 23782171
Change-Id: I9f02b9d396d6b7484bda4bc0a81852d31ecf0bff
-rw-r--r--sepolicy/metrics_collector.te3
-rw-r--r--sepolicy/service.te1
-rw-r--r--sepolicy/service_contexts1
-rw-r--r--sepolicy/te_macros9
-rw-r--r--sepolicy/update_engine.te3
-rw-r--r--sepolicy/weave.te2
6 files changed, 19 insertions, 0 deletions
diff --git a/sepolicy/metrics_collector.te b/sepolicy/metrics_collector.te
index 8eb8eab..8dc481b 100644
--- a/sepolicy/metrics_collector.te
+++ b/sepolicy/metrics_collector.te
@@ -19,6 +19,9 @@ allow metrics_collector metrics_data_file:file create_file_perms;
# metrics_collector adds metricscollectorservice binder interface.
allow metrics_collector metricscollectorservice:service_manager { add find };
+# Allow metrics_collector to talk to weaved over binder.
+allow_weave_service(metrics_collector)
+
# Rules for the metrics_collector daemon.
allow metrics_collector metrics_collector_data_file:dir rw_dir_perms;
allow metrics_collector metrics_collector_data_file:file create_file_perms;
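Review bot: The comment added above `allow_weave_service(metrics_collector)` describes only half of what the macro grants: per the te_macros hunk in this same commit, `allow_weave_service` also emits `binder_call(weaved, $1)`, so weaved gains the right to call into metrics_collector, not just the reverse. A reader auditing metrics_collector.te alone would not see that from the one-line comment; suggest `# Allow metrics_collector and weaved to call each other over binder (weaved pushes command notifications).` The same wording applies to the identical comment added in the update_engine.te hunk.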
diff --git a/sepolicy/service.te b/sepolicy/service.te
index bc8df5e..82fd0c5 100644
--- a/sepolicy/service.te
+++ b/sepolicy/service.te
@@ -1,2 +1,3 @@
type metricsd_service, service_manager_type;
type metricscollectorservice, service_manager_type;
+type weave_service, service_manager_type;
diff --git a/sepolicy/service_contexts b/sepolicy/service_contexts
index 1786e66..bc1f1cd 100644
--- a/sepolicy/service_contexts
+++ b/sepolicy/service_contexts
@@ -1,2 +1,3 @@
android.brillo.metrics.IMetricsd u:object_r:metricsd_service:s0
android.brillo.metrics.IMetricsCollectorService u:object_r:metricscollectorservice:s0
+weave_service u:object_r:weave_service:s0
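Review bot: The new key `weave_service` does not follow the naming form of the two existing entries, which use the fully-qualified interface descriptor (`android.brillo.metrics.IMetricsd`, `android.brillo.metrics.IMetricsCollectorService`). service_contexts keys are matched against the name the daemon registers with servicemanager, so if weaved registers under a descriptor-style name rather than the literal string `weave_service`, the service would not receive the `weave_service` label and the `add find` rules granted on that type elsewhere in this commit would never apply. I cannot see weaved's registration call from here, so this is worth confirming against the daemon source; if the literal name is intentional, a one-line comment noting that it matches weaved's addService() name would make the deviation from the neighbouring entries deliberate rather than accidental.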
diff --git a/sepolicy/te_macros b/sepolicy/te_macros
index f71588e..2489cc5 100644
--- a/sepolicy/te_macros
+++ b/sepolicy/te_macros
@@ -60,3 +60,12 @@ allow $1 webservd:fd use;
allow $1 webservd:fifo_file rw_file_perms;
allow $1 webservd_data_file:file r_file_perms;
')
+
+#####################################
+# allow_weave_service(domain)
+# Allow a domain and weaved to communicate with each other over binder.
+define(`allow_weave_service', `
+allow $1 weave_service:service_manager find;
+binder_call($1, weaved)
+binder_call(weaved, $1)
+')
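Review bot: `allow_weave_service` grants `find` on the weave_service type and a bidirectional `binder_call`, but it does not grant the caller domain any access to servicemanager itself, so a domain that has not already been given `binder_use` would still be unable to look the service up; the macro comment should state that precondition so future users do not assume the macro is self-contained. Suggest extending the header to `# Allow a domain and weaved to communicate with each other over binder. The domain must already have binder_use(); this macro only adds the service_manager find plus call rights in both directions.` It is also worth noting in the comment that the reverse `binder_call(weaved, $1)` is there so weaved can deliver command notifications, since a reader otherwise sees a two-way grant for what the macro name suggests is a one-way client relationship; that reverse grant is broader than a pure client macro and every domain adopting it inherits it.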
diff --git a/sepolicy/update_engine.te b/sepolicy/update_engine.te
index cadbe98..1b0f012 100644
--- a/sepolicy/update_engine.te
+++ b/sepolicy/update_engine.te
@@ -18,3 +18,6 @@ r_dir_file(update_engine, os_release_file);
# Allow crash_reporter access to core dump files.
allow_crash_reporter(update_engine)
+
+# Allow update_engine to talk to weaved over binder.
+allow_weave_service(update_engine)
diff --git a/sepolicy/weave.te b/sepolicy/weave.te
index 96c1270..52f2af8 100644
--- a/sepolicy/weave.te
+++ b/sepolicy/weave.te
@@ -13,6 +13,8 @@ allow_crash_reporter(weaved)
# Allow setting weave properties.
set_prop(weaved, weave_prop)
+allow weaved weave_service:service_manager { add find };
+
allow weaved weaved_data_file:dir w_dir_perms;
allow weaved weaved_data_file:file create_file_perms;