author | Jeff Vander Stoep <jeffv@google.com> | 2017-11-10 16:46:49 +0000 |
---|---|---|
committer | android-build-merger <android-build-merger@google.com> | 2017-11-10 16:46:49 +0000 |
commit | f93b03683acf08e1e954472b7ef1178c72b8c8ab (patch) | |
tree | 77e9c979c856ffe6b3d53fcdb01c4591b62e8b54 | |
parent | d382d4e7f32cd6c72ca3c8f24db346ab87e02763 (diff) | |
parent | e90a5e2713629717522a99de9a83c98e2c05f306 (diff) | |
download | bullhead-f93b03683acf08e1e954472b7ef1178c72b8c8ab.tar.gz |
Move platform/vendor data violations to device policy
am: e90a5e2713
Change-Id: I5a29fd4a7b415ea24a09ce24117284e21f6c9cfa
-rw-r--r-- | sepolicy/hal_drm.te | 3 | ||||
-rw-r--r-- | sepolicy/hal_fingerprint.te | 4 | ||||
-rw-r--r-- | sepolicy/hal_nfc.te | 3 | ||||
-rw-r--r-- | sepolicy/hal_wifi_supplicant.te | 6 | ||||
-rw-r--r-- | sepolicy/hostapd.te | 9 |
5 files changed, 25 insertions, 0 deletions
diff --git a/sepolicy/hal_drm.te b/sepolicy/hal_drm.te
new file mode 100644
index 0000000..1bbb734
--- /dev/null
+++ b/sepolicy/hal_drm.te
@@ -0,0 +1,3 @@
+# Allow access to app_data and media_data_files
+allow hal_drm media_data_file:dir create_dir_perms;
+allow hal_drm media_data_file:file create_file_perms;
diff --git a/sepolicy/hal_fingerprint.te b/sepolicy/hal_fingerprint.te
index a339bc7..dfb641e 100644
--- a/sepolicy/hal_fingerprint.te
+++ b/sepolicy/hal_fingerprint.te
@@ -17,3 +17,7 @@ allow hal_fingerprint persist_file:dir search;
 
 # allow access to sysfs files
 r_dir_file(hal_fingerprint, sysfs_type)
+
+# allow HAL module to read/write dir contents and read/write/unlink files
+allow hal_fingerprint fingerprintd_data_file:file create_file_perms;
+allow hal_fingerprint fingerprintd_data_file:dir rw_dir_perms;
diff --git a/sepolicy/hal_nfc.te b/sepolicy/hal_nfc.te
new file mode 100644
index 0000000..664eaa9
--- /dev/null
+++ b/sepolicy/hal_nfc.te
@@ -0,0 +1,3 @@
+# Data file accesses.
+allow hal_nfc nfc_data_file:dir create_dir_perms;
+allow hal_nfc nfc_data_file:{ file lnk_file fifo_file } create_file_perms;
diff --git a/sepolicy/hal_wifi_supplicant.te b/sepolicy/hal_wifi_supplicant.te
new file mode 100644
index 0000000..b1f24d8
--- /dev/null
+++ b/sepolicy/hal_wifi_supplicant.te
@@ -0,0 +1,6 @@
+allow hal_wifi_supplicant wifi_data_file:dir create_dir_perms;
+allow hal_wifi_supplicant wifi_data_file:file create_file_perms;
+
+# Create a socket for receiving info from wpa
+allow hal_wifi_supplicant wpa_socket:dir create_dir_perms;
+allow hal_wifi_supplicant wpa_socket:sock_file create_file_perms;
diff --git a/sepolicy/hostapd.te b/sepolicy/hostapd.te
new file mode 100644
index 0000000..15064a0
--- /dev/null
+++ b/sepolicy/hostapd.te
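Review bot: The comment on the first added line of hal_drm.te mentions app_data, but both rules grant access only to `media_data_file`, so the comment overstates what the policy allows and could mislead a later audit. I would reword it to `# Allow hal_drm to create and manage files and directories labeled media_data_file`. The commit title calls these rules platform/vendor data violations, yet nothing in this file (or in hal_nfc.te, hal_wifi_supplicant.te and hostapd.te) marks them as such. A short marker such as `# TODO(<bug-id>): platform/vendor data violation, remove when data moves to a vendor-owned type` would keep them from being read as permanent grants.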
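Review bot: The last rule in hal_nfc.te gives `create_file_perms` on `lnk_file` and `fifo_file` as well as regular files, and the only comment is "Data file accesses.", which does not say why the HAL needs to create symlinks or FIFOs under nfc_data_file. If the rule was carried over unchanged from the platform policy that may be intentional, but the need is not visible from this hunk. I would either narrow it to `allow hal_nfc nfc_data_file:file create_file_perms;` after confirming that no denials appear, or add a comment naming the component that creates the symlink and the FIFO.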
@@ -0,0 +1,9 @@
+# hostapd can read and write WiFi related data and configuration.
+# For example, the entropy file is periodically updated.
+allow hostapd wifi_data_file:file rw_file_perms;
+r_dir_file(hostapd, wifi_data_file)
+
+# hostapd wants to create the directory holding its control socket.
+allow hostapd hostapd_socket:dir create_dir_perms;
+# hostapd needs to create, bind to, read, and write its control socket.
+allow hostapd hostapd_socket:sock_file create_file_perms; |
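Review bot: `allow hostapd wifi_data_file:file rw_file_perms;` gives hostapd write access to every file labeled wifi_data_file, the same type under which hal_wifi_supplicant.te in this commit lets the supplicant create files, while the comment justifies it only by the entropy file. If the entropy file is the only thing hostapd writes, a dedicated type for it would keep a compromised hostapd from modifying other Wi-Fi configuration. That is a larger change than this move, so at minimum I would extend the comment with `# NOTE: shares wifi_data_file with hal_wifi_supplicant; write access covers all files of that type`.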