diff options
| author | Alex Klyubin <klyubin@google.com> | 2017-04-07 17:50:14 -0700 |
|---|---|---|
| committer | Cosme Domínguez Díaz <cosme.ddiaz@gmail.com> | 2018-03-23 22:45:33 +0100 |
| commit | e44dd6e62ca4c28d81a195f59eec1e1c3543c4ec (patch) | |
| tree | 00fe55ded6b889a5ff5ff77af757bd46b3738c5e | |
| parent | 9c54344745a9d4570f58098aeb8aff6e9bbb6460 (diff) | |
msm8996-common: Grant system_server access to idc and keylayot dirs
system_server is configured to access idc and keylayout files in
/vendor/usr/idc and /vendor/usr/keylayout. This explicitly grants this
access to system_server, instead of relying on overly broad access
granted by hal_client_domain(system_server, ...) macros which is no
longer going to grant this overly broad access soon.
Test: Modify hal_client_domain to no longer associate hal_x_client with
hal_x, observe that there are no violations form system_server
trying to read /vendor/usr/idc and /vendor/usr/keylayouts.
Bug: 37160141
Change-Id: I136df8713f2f9ff03096e5f6cf35e3e804733040
| -rw-r--r-- | sepolicy/file.te | 4 | ||||
| -rw-r--r-- | sepolicy/file_contexts | 4 | ||||
| -rw-r--r-- | sepolicy/system_server.te | 5 |
3 files changed, 13 insertions, 0 deletions
diff --git a/sepolicy/file.te b/sepolicy/file.te index 54cc974..0039865 100644 --- a/sepolicy/file.te +++ b/sepolicy/file.te @@ -4,3 +4,7 @@ type sysfs_fpc_irq, sysfs_type, fs_type; type sysfs_fpc_proximity, sysfs_type, fs_type; type sysfs_fpc_utouch_disable, fs_type, sysfs_type; type thermal_data_file, data_file_type, file_type; + +# /vendor +type idc_file, file_type, vendor_file_type; +type keylayout_file, file_type, vendor_file_type; diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts index b084443..3b549c0 100644 --- a/sepolicy/file_contexts +++ b/sepolicy/file_contexts @@ -34,3 +34,7 @@ # audio amplifier /dev/tfa9890 u:object_r:audio_device:s0 + +# Misc files on /vendor +/vendor/usr/idc(/.*)? u:object_r:idc_file:s0 +/vendor/usr/keylayout(/.*)? u:object_r:keylayout_file:s0 diff --git a/sepolicy/system_server.te b/sepolicy/system_server.te index ef21160..975336c 100644 --- a/sepolicy/system_server.te +++ b/sepolicy/system_server.te @@ -1,3 +1,8 @@ allow system_server alarm_boot_prop:file { read open getattr }; allow system_server persist_file:dir write; allow system_server sysfs_fpc_utouch_disable:file rw_file_perms; + +# /vendor/usr/keylayout +r_dir_file(system_server, idc_file) +# /vendor/usr/idc +r_dir_file(system_server, keylayout_file) |