author | Vishal Mahaveer <vishalm@ti.com> | 2017-04-27 13:18:06 -0400 |
---|---|---|
committer | Vishal Mahaveer <vishalm@ti.com> | 2017-04-27 14:37:49 -0400 |
commit | aee844f77a2bb0354a78111f8e45a644f99f1d5b (patch) | |
tree | 1ba91efb6230b8d067f4c25c0e38103928f0c5d3 | |
parent | 86ef7cc803ef9b425a4ee9a2c6d81edb7b1b9cbd (diff) | |
download | jacinto6evm-aee844f77a2bb0354a78111f8e45a644f99f1d5b.tar.gz |
jacinto6evm: sepolicy: update rules for N
- Allow pvrinit to access sysfs
- Add configfs rules that are not covered in core policies
- allow mediacodec to access rpmsg device
Change-Id: Ib6e046955adaa4e58b1c76e953bb8c8eacbf85f1
Signed-off-by: Vishal Mahaveer <vishalm@ti.com>
-rw-r--r-- | sepolicy/init-cpuset-sh.te | 2 | ||||
-rw-r--r-- | sepolicy/init.te | 3 | ||||
-rw-r--r-- | sepolicy/mediacodec.te | 1 | ||||
-rw-r--r-- | sepolicy/pvr.te | 3 |
4 files changed, 8 insertions, 1 deletions
diff --git a/sepolicy/init-cpuset-sh.te b/sepolicy/init-cpuset-sh.te
index 4547c45..2216660 100644
--- a/sepolicy/init-cpuset-sh.te
+++ b/sepolicy/init-cpuset-sh.te
@@ -4,4 +4,4 @@ type init-cpuset-sh_exec, exec_type, file_type;
 init_daemon_domain(init-cpuset-sh)
 allow init-cpuset-sh system_file:file execute_no_trans;
-allow init-cpuset-sh shell_exec:file read;
+allow init-cpuset-sh shell_exec:file { read getattr };
diff --git a/sepolicy/init.te b/sepolicy/init.te
index 554ddb2..06da5fe 100644
--- a/sepolicy/init.te
+++ b/sepolicy/init.te
@@ -4,3 +4,6 @@ allow init self:capability sys_module;
 allow init tmpfs:lnk_file create_file_perms;
 # Allow module insertion
 allow init system_file:system module_load;
+# Configfs
+allow init configfs:file write;
+allow init configfs:lnk_file { create unlink } ;
diff --git a/sepolicy/mediacodec.te b/sepolicy/mediacodec.te
new file mode 100644
index 0000000..290055e
--- /dev/null
+++ b/sepolicy/mediacodec.te
@@ -0,0 +1 @@
+allow mediacodec rpmsg_device:chr_file { rw_file_perms };
diff --git a/sepolicy/pvr.te b/sepolicy/pvr.te
index 1e9cfa8..747ee36 100644
--- a/sepolicy/pvr.te
+++ b/sepolicy/pvr.te
@@ -10,3 +10,6 @@ allow pvr gpu_device:chr_file rw_file_perms;
 # allow graphics driver initialization
 allow pvr self:capability sys_module;
 allow pvr system_file:system module_load;
+
+# allow reading /sys/devices/soc0/machine
+allow pvr sysfs:file { r_file_perms }; |
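Review bot: The `# Configfs` comment added in sepolicy/init.te does not say which init action needs these permissions, so a later reader cannot tell whether `write` on `configfs:file` and `create`/`unlink` on `configfs:lnk_file` are still required. Because `configfs` is the generic type, the two rules apply to every configfs node that carries it rather than to one subsystem; a comment such as `# init.rc configures <subsystem> through configfs: writes attributes, links/unlinks functions` would record the intent (the subsystem is not visible in this hunk, presumably USB gadget setup, to be confirmed). The stray space in `{ create unlink } ;` is also worth dropping so the line matches the other rules.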
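Review bot: sepolicy/mediacodec.te is created with a single rule and no comment, and that rule gives mediacodec, a domain that processes untrusted media, read/write access to every character device labelled `rpmsg_device`. A one-line comment naming the consumer would help, e.g. `# hardware codec path talks to the remote processor over rpmsg` (inferred from the commit message, to be confirmed). `rw_file_perms` also carries `ioctl`; if the driver's ioctl commands are known, an `allowxperm` rule could restrict them where the platform policy supports it, and if the driver uses none the permission set could be narrowed. The braces around the lone macro are redundant: `allow mediacodec rpmsg_device:chr_file rw_file_perms;`.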
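Review bot: The rule added in sepolicy/pvr.te is wider than its comment: the comment names one node, /sys/devices/soc0/machine, but `allow pvr sysfs:file { r_file_perms };` lets pvr read every file that keeps the default `sysfs` label. Labelling that node with a dedicated type in file_contexts and granting `r_file_perms` on that type only would match the stated intent; the type declaration and context entry would be new and are not part of this change. If the broad grant is kept, the comment should say so, e.g. `# pvrinit reads /sys/devices/soc0/machine; the node carries the generic sysfs label`.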