author | Yongqin Liu <yongqin.liu@linaro.org> | 2015-10-22 14:35:33 +0100 |
---|---|---|
committer | Yongqin Liu <yongqin.liu@linaro.org> | 2015-10-22 14:38:02 +0100 |
commit | 7ac0af23eb99825cee0e79f30f201c78063efe8a (patch) | |
tree | 1659f563499fd7c6fb480f096a50ce2fdaf4d25c | |
parent | bca322e6a71240259a9f95a5125b202237edd84d (diff) | |
sepolicy: add policies for scripts started in init for TC2
Marshmallow enforces stricter SELinux checks, so the rules added here
are needed.
Add the linaro and linaro_exec domain for such scripts.
Change-Id: I073e7ea37a541e5376962702f2f2ad39e67a5259
Signed-off-by: Yongqin Liu <yongqin.liu@linaro.org>
-rw-r--r-- | sepolicy/file_contexts | 1 | ||||
-rw-r--r-- | sepolicy/init.te | 4 | ||||
-rw-r--r-- | sepolicy/linaro.te | 9 |
3 files changed, 14 insertions, 0 deletions
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index 19ea0d4..9de3217 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -6,3 +6,4 @@
 /dev/mali u:object_r:gpu_device:s0
 /dev/dri/card0 u:object_r:gpu_device:s0
 /dev/hci_tty u:object_r:hci_attach_dev:s0
+/system/bin/faketsd u:object_r:linaro_exec:s0
diff --git a/sepolicy/init.te b/sepolicy/init.te
index 5bb167a..0b93bc1 100644
--- a/sepolicy/init.te
+++ b/sepolicy/init.te
@@ -1,6 +1,7 @@
 userdebug_or_eng(`
 allow init su:process { transition dyntransition rlimitinh siginh };
 ')
+
 allow init self:capability { sys_module };
 allow init self:tcp_socket create;
 allow init gatord:process { transition rlimitinh siginh };
@@ -9,3 +10,6 @@ allow init kernel:system module_request;
 allow init tmpfs:lnk_file create_file_perms;
 allow init cache_file:dir mounton;
 allow init storage_file:dir mounton;
+allow init debugfs:dir mounton;
+domain_trans(init, rootfs, linaro)
+domain_trans(init, linaro_exec, linaro)
diff --git a/sepolicy/linaro.te b/sepolicy/linaro.te
new file mode 100644
index 0000000..7ed01fa
--- /dev/null
+++ b/sepolicy/linaro.te
@@ -0,0 +1,9 @@
+type linaro, domain, mlstrustedsubject;
+type linaro_exec, exec_type, file_type;
+
+allow linaro sysfs:file write;
+allow linaro proc:file write;
+allow linaro system_file:file execute_no_trans;
+allow linaro shell_exec:file rx_file_perms;
+
+permissive linaro; |
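Review bot: In the second hunk of sepolicy/init.te, `domain_trans(init, rootfs, linaro)` accepts any file carrying the generic rootfs label as an entry point into the linaro domain, not only the TC2 init scripts the commit message describes. Because linaro.te in this same commit marks that domain permissive, anything init is told to run there executes without enforcement. Giving the scripts the dedicated linaro_exec label, as the file_contexts hunk does for /system/bin/faketsd, and keeping only `domain_trans(init, linaro_exec, linaro)` would bound the entry points to named files. If some scripts have to stay on the ramdisk, a comment above the rootfs rule listing them would make the exception reviewable. `allow init debugfs:dir mounton;` also arrives without a comment saying which mount requires it.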
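Review bot: In sepolicy/linaro.te, `permissive linaro;` is unconditional, so the domain is unenforced on every build variant, and the `mlstrustedsubject` attribute on the type additionally exempts it from MLS constraints. The four allow rules therefore record intent but restrict nothing. Wrapping the permissive statement in the userdebug_or_eng() macro that init.te already uses would keep the permissive domain out of user builds. `allow linaro sysfs:file write;` and `allow linaro proc:file write;` target the generic sysfs and proc types; once the denials have been collected, dedicated types for the specific nodes the scripts write would be narrower. The new file also has no header comment naming the scripts that are meant to run in this domain.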