am 357842b1: Merge "Revert "Allow all domains access to /dev/qemu_trace.""

* commit '357842b109db31c85aebb8d1c9f70885fe1cb07c': Revert "Allow all domains access to /dev/qemu_trace."
2014-06-16 17:57:56 +00:00 · 2014-06-16 17:57:56 +00:00 · 8dea5006c5
commit 8dea5006c5
parent cd978db20e 357842b109
21 changed files with 28 additions and 4 deletions
--- a/target/board/generic/BoardConfig.mk
+++ b/target/board/generic/BoardConfig.mk
@ -77,13 +77,17 @@ TARGET_USERIMAGES_SPARSE_EXT_DISABLED := true

 BOARD_SEPOLICY_DIRS += build/target/board/generic/sepolicy
 BOARD_SEPOLICY_UNION += \
+        adbd.te \
+        app.te \
        bootanim.te \
        device.te \
        domain.te \
        file.te \
        file_contexts \
+        mediaserver.te \
        qemud.te \
        rild.te \
        shell.te \
        surfaceflinger.te \
-        system_server.te
+        system_server.te \
+        zygote.te
--- a/target/board/generic/sepolicy/adbd.te
+++ b/target/board/generic/sepolicy/adbd.te
@ -0,0 +1 @@
+allow adbd qemu_device:chr_file rw_file_perms;
--- a/target/board/generic/sepolicy/app.te
+++ b/target/board/generic/sepolicy/app.te
@ -0,0 +1 @@
+allow appdomain qemu_device:chr_file rw_file_perms;
--- a/target/board/generic/sepolicy/bootanim.te
+++ b/target/board/generic/sepolicy/bootanim.te
@ -1,2 +1,3 @@
 allow bootanim self:process execmem;
 allow bootanim ashmem_device:chr_file execute;
+allow bootanim qemu_device:chr_file rw_file_perms;
--- a/target/board/generic/sepolicy/domain.te
+++ b/target/board/generic/sepolicy/domain.te
@ -1,3 +1,2 @@
 # For /sys/qemu_trace files in the emulator.
 allow domain sysfs_writable:file rw_file_perms;
-allow domain qemu_device:chr_file rw_file_perms;
--- a/target/board/generic/sepolicy/mediaserver.te
+++ b/target/board/generic/sepolicy/mediaserver.te
@ -0,0 +1 @@
+allow mediaserver qemu_device:chr_file rw_file_perms;
--- a/target/board/generic/sepolicy/rild.te
+++ b/target/board/generic/sepolicy/rild.te
@ -1 +1,2 @@
+allow rild qemu_device:chr_file rw_file_perms;
 unix_socket_connect(rild, qemud, qemud)
--- a/target/board/generic/sepolicy/surfaceflinger.te
+++ b/target/board/generic/sepolicy/surfaceflinger.te
@ -1,2 +1,3 @@
 allow surfaceflinger self:process execmem;
 allow surfaceflinger ashmem_device:chr_file execute;
+allow surfaceflinger qemu_device:chr_file rw_file_perms;
--- a/target/board/generic/sepolicy/system_server.te
+++ b/target/board/generic/sepolicy/system_server.te
@ -1 +1,2 @@
 unix_socket_connect(system_server, qemud, qemud)
+allow system_server qemu_device:chr_file rw_file_perms;
--- a/target/board/generic/sepolicy/zygote.te
+++ b/target/board/generic/sepolicy/zygote.te
@ -0,0 +1 @@
+allow zygote qemu_device:chr_file rw_file_perms;
--- a/target/board/generic_mips/BoardConfig.mk
+++ b/target/board/generic_mips/BoardConfig.mk
@ -59,11 +59,13 @@ TARGET_USERIMAGES_SPARSE_EXT_DISABLED := true

 BOARD_SEPOLICY_DIRS += build/target/board/generic/sepolicy
 BOARD_SEPOLICY_UNION += \
+        adbd.te \
        bootanim.te \
        device.te \
        domain.te \
        file.te \
        file_contexts \
+        mediaserver.te \
        qemud.te \
        rild.te \
        shell.te \
--- a/target/board/generic_x86/BoardConfig.mk
+++ b/target/board/generic_x86/BoardConfig.mk
@ -44,6 +44,8 @@ TARGET_USERIMAGES_SPARSE_EXT_DISABLED := true

 BOARD_SEPOLICY_DIRS += build/target/board/generic_x86/sepolicy
 BOARD_SEPOLICY_UNION += \
+        app.te \
+        adbd.te \
        bootanim.te \
        device.te \
        domain.te \
@ -51,8 +53,10 @@ BOARD_SEPOLICY_UNION += \
        file_contexts \
        healthd.te \
        installd.te \
+        mediaserver.te \
        qemud.te \
        rild.te \
        shell.te \
        surfaceflinger.te \
-        system_server.te
+        system_server.te \
+        zygote.te
--- a/target/board/generic_x86/sepolicy/adbd.te
+++ b/target/board/generic_x86/sepolicy/adbd.te
@ -0,0 +1 @@
+allow adbd qemu_device:chr_file rw_file_perms;
--- a/target/board/generic_x86/sepolicy/app.te
+++ b/target/board/generic_x86/sepolicy/app.te
@ -0,0 +1 @@
+allow appdomain qemu_device:chr_file rw_file_perms;
--- a/target/board/generic_x86/sepolicy/bootanim.te
+++ b/target/board/generic_x86/sepolicy/bootanim.te
@ -0,0 +1 @@
+allow bootanim qemu_device:chr_file rw_file_perms;
--- a/target/board/generic_x86/sepolicy/domain.te
+++ b/target/board/generic_x86/sepolicy/domain.te
@ -1,4 +1,3 @@
 # For /sys/qemu_trace files in the emulator.
 allow domain sysfs_writable:file rw_file_perms;
 allow domain cpuctl_device:dir search;
-allow domain qemu_device:chr_file rw_file_perms;
--- a/target/board/generic_x86/sepolicy/mediaserver.te
+++ b/target/board/generic_x86/sepolicy/mediaserver.te
@ -0,0 +1 @@
+allow mediaserver qemu_device:chr_file rw_file_perms;
--- a/target/board/generic_x86/sepolicy/rild.te
+++ b/target/board/generic_x86/sepolicy/rild.te
@ -1 +1,2 @@
+allow rild qemu_device:chr_file rw_file_perms;
 unix_socket_connect(rild, qemud, qemud)
--- a/target/board/generic_x86/sepolicy/surfaceflinger.te
+++ b/target/board/generic_x86/sepolicy/surfaceflinger.te
@ -0,0 +1 @@
+allow surfaceflinger qemu_device:chr_file rw_file_perms;
--- a/target/board/generic_x86/sepolicy/system_server.te
+++ b/target/board/generic_x86/sepolicy/system_server.te
@ -1,2 +1,3 @@
 allow system_server self:process execmem;
 unix_socket_connect(system_server, qemud, qemud)
+allow system_server qemu_device:chr_file rw_file_perms;
--- a/target/board/generic_x86/sepolicy/zygote.te
+++ b/target/board/generic_x86/sepolicy/zygote.te
@ -1,2 +1,3 @@
 allow zygote self:process execmem;
 allow zygote self:capability sys_nice;
+allow zygote qemu_device:chr_file rw_file_perms;
				`@ -0,0 +1 @@`
				`allow adbd qemu_device:chr_file rw_file_perms;`
				`@ -0,0 +1 @@`
				`allow appdomain qemu_device:chr_file rw_file_perms;`
				`@ -0,0 +1 @@`
				`allow mediaserver qemu_device:chr_file rw_file_perms;`
				`@ -0,0 +1 @@`
				`allow zygote qemu_device:chr_file rw_file_perms;`
				`@ -0,0 +1 @@`
				`allow bootanim qemu_device:chr_file rw_file_perms;`
				`@ -0,0 +1 @@`
				`allow surfaceflinger qemu_device:chr_file rw_file_perms;`