authorVishal Bhoj <vishal.bhoj@linaro.org>2015-10-23 18:10:21 +0100
committerDmitry Shmidt <dimitrysh@google.com>2015-11-09 11:06:27 -0800
commite72c920c9e47d61a7a91310ef712cdf3af71fcad (patch)
tree5d65120433322234a8e0037d65d30da509e3a33c /sepolicy
parent5fd7639a9b8763b0444853915588d5e6b6c47dba (diff)
Initial Hikey device configuration
Signed-off-by: Vishal Bhoj <vishal.bhoj@linaro.org> Change-Id: I2697a8e4aec4991826f7351fd7f41eba324a6869
Diffstat (limited to 'sepolicy')
-rw-r--r--sepolicy/debuggerd.te1
-rw-r--r--sepolicy/dex2oat.te1
-rw-r--r--sepolicy/drmserver.te1
-rw-r--r--sepolicy/file.te1
-rw-r--r--sepolicy/file_contexts8
-rw-r--r--sepolicy/gatord.te3
-rw-r--r--sepolicy/genfs_contexts1
-rw-r--r--sepolicy/init.te7
-rw-r--r--sepolicy/kernel.te1
-rw-r--r--sepolicy/logd.te2
-rw-r--r--sepolicy/mediaserver.te1
-rw-r--r--sepolicy/netd.te5
-rw-r--r--sepolicy/shell.te16
-rw-r--r--sepolicy/surfaceflinger.te3
-rw-r--r--sepolicy/zygote.te1
15 files changed, 52 insertions, 0 deletions
diff --git a/sepolicy/debuggerd.te b/sepolicy/debuggerd.te
new file mode 100644
index 00000000..308d1b14
--- /dev/null
+++ b/sepolicy/debuggerd.te
@@ -0,0 +1 @@
+allow debuggerd kernel:system module_request;
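Review bot: `module_request` on `kernel:system` is granted here with no comment saying which module the domain causes the kernel to autoload, and the same one-line rule is repeated in dex2oat.te, drmserver.te, init.te, netd.te, shell.te and zygote.te. A denial of this kind usually means the kernel tried to autoload a module for something the process touched (inferred; no audit log is on the page), so granting it to seven domains, zygote and shell among them, widens who can trigger module loading instead of fixing the cause. Consider building the needed driver or protocol into the kernel, or, if the load is not needed, using `dontaudit debuggerd kernel:system module_request;`. If the allow stays, put a comment such as `# kernel autoloads <module> when debuggerd opens <resource>` above each rule.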
diff --git a/sepolicy/dex2oat.te b/sepolicy/dex2oat.te
new file mode 100644
index 00000000..c6e8e737
--- /dev/null
+++ b/sepolicy/dex2oat.te
@@ -0,0 +1 @@
+allow dex2oat kernel:system module_request;
diff --git a/sepolicy/drmserver.te b/sepolicy/drmserver.te
new file mode 100644
index 00000000..b98b158c
--- /dev/null
+++ b/sepolicy/drmserver.te
@@ -0,0 +1 @@
+allow drmserver kernel:system module_request;
diff --git a/sepolicy/file.te b/sepolicy/file.te
new file mode 100644
index 00000000..45c51171
--- /dev/null
+++ b/sepolicy/file.te
@@ -0,0 +1 @@
+type configfs, fs_type;
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
new file mode 100644
index 00000000..19ea0d4a
--- /dev/null
+++ b/sepolicy/file_contexts
@@ -0,0 +1,8 @@
+/data/linaro-android-kernel-test(/.*)? u:object_r:shell_data_file:s0
+/data/linaro-android-userspace-test(/.*)? u:object_r:shell_data_file:s0
+/data/nativebenchmark(/.*)? u:object_r:shell_data_file:s0
+/dev/ttyAMA0 u:object_r:console_device:s0
+/dev/ttyAMA3 u:object_r:console_device:s0
+/dev/mali u:object_r:gpu_device:s0
+/dev/dri/card0 u:object_r:gpu_device:s0
+/dev/hci_tty u:object_r:hci_attach_dev:s0
diff --git a/sepolicy/gatord.te b/sepolicy/gatord.te
new file mode 100644
index 00000000..2943a9b3
--- /dev/null
+++ b/sepolicy/gatord.te
@@ -0,0 +1,3 @@
+type gatord, domain, mlstrustedsubject;
+
+permissive gatord;
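Review bot: `permissive gatord;` is unconditional, so on a user build every access made from the gatord domain is only logged and never denied, and the type also carries `mlstrustedsubject`. The file has no allow rules, exec type or domain-transition macro, which suggests the policy for this profiler daemon was never developed past the permissive stage. Wrap the line in the `userdebug_or_eng` macro that init.te in this commit already uses, so the domain is permissive on debug builds only. Drop `mlstrustedsubject` unless an MLS denial shows it is needed.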
diff --git a/sepolicy/genfs_contexts b/sepolicy/genfs_contexts
new file mode 100644
index 00000000..50c7cd7b
--- /dev/null
+++ b/sepolicy/genfs_contexts
@@ -0,0 +1 @@
+genfscon configfs / u:object_r:configfs:s0
diff --git a/sepolicy/init.te b/sepolicy/init.te
new file mode 100644
index 00000000..a8cca763
--- /dev/null
+++ b/sepolicy/init.te
@@ -0,0 +1,7 @@
+userdebug_or_eng(`
+ allow init su:process { transition dyntransition rlimitinh siginh };
+')
+allow init self:capability { sys_module };
+allow init self:tcp_socket create;
+allow init gatord:process { transition rlimitinh siginh };
+allow init kernel:system module_request;
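Review bot: Only the `su` transition sits inside `userdebug_or_eng`; `allow init self:capability { sys_module };`, `allow init self:tcp_socket create;` and the `gatord` transition also apply to user builds, and none of them has a comment. If init must load modules for board bring-up, name the init.rc lines that need it, for example `# init.rc insmods <driver>.ko at boot`. The tcp_socket and gatord rules look profiling-related (inferred from the gatord name) and would fit inside the existing debug-only block.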
diff --git a/sepolicy/kernel.te b/sepolicy/kernel.te
new file mode 100644
index 00000000..9be9fd43
--- /dev/null
+++ b/sepolicy/kernel.te
@@ -0,0 +1 @@
+allow kernel shell_data_file:file { read write };
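Review bot: `allow kernel shell_data_file:file { read write };` lets the kernel domain read and write files that the adb shell can create and modify, and the hunk gives no reason for it. file_contexts in this commit labels the Linaro test directories under /data as `shell_data_file`, so the rule is presumably for kernel-side access to test files (inferred). A dedicated type for those directories would stop the rule from covering every shell-owned file. At minimum add a comment such as `# <what the kernel opens>: needed by the Linaro kernel tests`.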
diff --git a/sepolicy/logd.te b/sepolicy/logd.te
new file mode 100644
index 00000000..a99d8bd1
--- /dev/null
+++ b/sepolicy/logd.te
@@ -0,0 +1,2 @@
+allow logd property_socket:sock_file write;
+allow logd init:unix_stream_socket connectto;
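Review bot: These two rules give logd only the socket half of setting a property; no `property_service set` permission for logd appears in this commit, so unless the base policy already grants one, init would still refuse the request. Either the rule naming the property type is missing, or the two lines merely silence a denial and can be dropped. If logd does need to set a property, name it in a comment and grant `set` on that property type only.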
diff --git a/sepolicy/mediaserver.te b/sepolicy/mediaserver.te
new file mode 100644
index 00000000..72acfbb5
--- /dev/null
+++ b/sepolicy/mediaserver.te
@@ -0,0 +1 @@
+allow mediaserver debug_prop:property_service set;
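Review bot: `allow mediaserver debug_prop:property_service set;` has no comment and is not limited to debug builds; the same rule appears in netd.te and surfaceflinger.te. mediaserver parses untrusted media, so on a user build this lets a compromised media process change properties labelled `debug_prop` that other processes may read. Wrap the three rules in `userdebug_or_eng`, or give the one property that is actually needed its own type and grant `set` on that.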
diff --git a/sepolicy/netd.te b/sepolicy/netd.te
new file mode 100644
index 00000000..42717f54
--- /dev/null
+++ b/sepolicy/netd.te
@@ -0,0 +1,5 @@
+allow netd usermodehelper:file r_file_perms;
+allow netd debug_prop:property_service set;
+allow netd kernel:system module_request;
+allow netd gatord:fd use;
+allow netd gatord:tcp_socket rw_socket_perms;
diff --git a/sepolicy/shell.te b/sepolicy/shell.te
new file mode 100644
index 00000000..f62b97aa
--- /dev/null
+++ b/sepolicy/shell.te
@@ -0,0 +1,16 @@
+allow shell serial_device:chr_file rw_file_perms;
+
+# allow to use ndc command to enable dns work
+allow shell netd_socket:sock_file write;
+
+# hack for running netcfg eth0 dhcp/ifconfig/ping on console session
+allow shell self:packet_socket create_socket_perms;
+allow shell system_prop:property_service set;
+
+# hack for running start adbd/stop adbd on console session
+allow shell ctl_default_prop:property_service set;
+
+# hack for reading the mkshrc file after lava modified
+allow shell unlabeled:file r_file_perms;
+
+allow shell kernel:system module_request;
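Review bot: The rules under the `# hack` comments are unconditional, so on a user build the shell domain may set `system_prop` properties, start and stop services through `ctl_default_prop`, use packet sockets and read any `unlabeled` file. The comments tie them to a console session and to LAVA, which are test-lab needs; wrapping them in the `userdebug_or_eng` macro used in init.te keeps them out of user builds. For the mkshrc case, relabelling the file after LAVA modifies it (for example with restorecon) fixes the cause instead of granting `unlabeled:file r_file_perms`.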
diff --git a/sepolicy/surfaceflinger.te b/sepolicy/surfaceflinger.te
new file mode 100644
index 00000000..1d54ead9
--- /dev/null
+++ b/sepolicy/surfaceflinger.te
@@ -0,0 +1,3 @@
+allow surfaceflinger self:process execmem;
+allow surfaceflinger debug_prop:property_service set;
+allow surfaceflinger ashmem_device:chr_file execute;
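Review bot: `allow surfaceflinger self:process execmem;` and `allow surfaceflinger ashmem_device:chr_file execute;` let surfaceflinger map writable memory as executable, and the hunk does not say what needs it. These rules remove a W^X barrier in a privileged graphics process, which weakens the containment of any memory-corruption bug there. If the GPU userspace driver requires them (inferred from the `/dev/mali` entry in file_contexts), record that in a comment such as `# <driver library> needs executable mappings; remove once the driver is fixed`, and check whether both rules are needed.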
diff --git a/sepolicy/zygote.te b/sepolicy/zygote.te
new file mode 100644
index 00000000..04fc7d33
--- /dev/null
+++ b/sepolicy/zygote.te
@@ -0,0 +1 @@
+allow zygote kernel:system module_request;