From 1c0e1cde7bdacf544453cf32a8c2a1727e278824 Mon Sep 17 00:00:00 2001
From: Stephen Smalley
Date: Wed, 26 Feb 2014 08:49:39 -0500
Subject: [PATCH] Add policy for MIPS emulator, fix x86 policy.

The qemud and /dev/qemu_pipe policy bits copied to generic and generic_x86 by I620d4aef84a5d4565abb1695db54ce1653612bce are required for generic_mips as well. In testing, we further saw other denials for generic_mips that correspond exactly to what is already allowed in the generic sepolicy, so just inherit the sepolicy files from generic for now. We could do likewise for the generic_x86 sepolicy for the files that are identical with generic if desired, but that is not done by this change. The generic_x86 sepolicy was missing a rule for /sys/qemu_trace moved to the generic sepolicy by the prior change, so fix that omission. The generic*64 variants will need something similar, either by inheriting from one of the existing sepolicy directories as in the MIPS case or by forking their own copies as in the x86 case.

Change-Id: Iec7c8825734a3f96f7db8ae1d10dce1f30b22bdf
Signed-off-by: Stephen Smalley
---
 target/board/generic_mips/BoardConfig.mk | 14 ++++++++++++++
 target/board/generic_x86/sepolicy/domain.te | 2 ++
 2 files changed, 16 insertions(+)

diff --git a/target/board/generic_mips/BoardConfig.mk b/target/board/generic_mips/BoardConfig.mk
index e16374bfc5..85bf7d77dd 100644
--- a/target/board/generic_mips/BoardConfig.mk
+++ b/target/board/generic_mips/BoardConfig.mk
@@ -56,3 +56,17 @@ BOARD_CACHEIMAGE_PARTITION_SIZE := 69206016
 BOARD_CACHEIMAGE_FILE_SYSTEM_TYPE := ext4
 BOARD_FLASH_BLOCK_SIZE := 512
 TARGET_USERIMAGES_SPARSE_EXT_DISABLED := true
+
+BOARD_SEPOLICY_DIRS += build/target/board/generic/sepolicy
+BOARD_SEPOLICY_UNION += \
+ adbd.te \
+ bootanim.te \
+ device.te \
+ domain.te \
+ file.te \
+ file_contexts \
+ mediaserver.te \
+ qemud.te \
+ rild.te \
+ surfaceflinger.te \
+ system_server.te
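Review bot: The BOARD_SEPOLICY_UNION list added at the end of the hunk enumerates the files under build/target/board/generic/sepolicy by hand, and nothing in BoardConfig.mk records why generic_mips pulls in that directory or that the list must track its contents. A short comment above `BOARD_SEPOLICY_DIRS += build/target/board/generic/sepolicy` would carry the commit message's rationale into the file, e.g. `# The MIPS emulator needs the same qemud / qemu_pipe policy as generic, so reuse its sepolicy files; keep this list in sync with that directory.` As far as I recall, the sepolicy build rejects a file that exists in a BOARD_SEPOLICY_DIRS directory but is listed in neither BOARD_SEPOLICY_UNION nor BOARD_SEPOLICY_REPLACE, so a file added to generic later would fail the mips build rather than silently widen its policy; worth confirming against the sepolicy README before relying on it.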
diff --git a/target/board/generic_x86/sepolicy/domain.te b/target/board/generic_x86/sepolicy/domain.te
index 0bc8d871ff..c17950d9fb 100644
--- a/target/board/generic_x86/sepolicy/domain.te
+++ b/target/board/generic_x86/sepolicy/domain.te
@@ -1 +1,3 @@
+# For /sys/qemu_trace files in the emulator.
+allow domain sysfs_writable:file rw_file_perms;
 allow domain cpuctl_device:dir search;
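Review bot: The comment on the new `allow domain sysfs_writable:file rw_file_perms;` line names /sys/qemu_trace, but the rule is keyed on the `domain` attribute and the `sysfs_writable` type, so every process domain gains read/write on every sysfs node carrying that label, not only the trace files; the comment should say that so the next reader does not take it as a narrow grant, e.g. `# /sys/qemu_trace in the emulator. NOTE: this gives every domain rw on any node labelled sysfs_writable, so keep that label limited to the qemu_trace entries in file_contexts.` The grant itself matches what the commit says generic already allows, so the real scope control is the label assignment in file_contexts rather than this line. This also leaves generic_x86 carrying a hand-maintained copy of generic's domain.te; the commit message itself notes the inheritance used for generic_mips could apply here too.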