* commit '289fe68b3ecbc05395d78bfe77fb15bc9512a571': Confine healthd, but leave it permissive for now.
commit
4cafcfd294
2 changed files with 10 additions and 2 deletions
11
healthd.te
11
healthd.te
|
@ -4,8 +4,15 @@ type healthd, domain;
|
|||
type healthd_exec, exec_type, file_type;
|
||||
|
||||
init_daemon_domain(healthd)
|
||||
unconfined_domain(healthd)
|
||||
allow healthd rootfs:file entrypoint;
|
||||
allow healthd rootfs:file { read entrypoint };
|
||||
write_klog(healthd)
|
||||
|
||||
allow healthd self:capability { net_admin mknod };
|
||||
allow healthd self:capability2 block_suspend;
|
||||
allow healthd self:netlink_kobject_uevent_socket create_socket_perms;
|
||||
binder_use(healthd)
|
||||
binder_call(healthd, system_server)
|
||||
|
||||
# Workaround for 0x10 / block_suspend capability2 denials.
|
||||
# Requires a kernel patch to fix properly.
|
||||
permissive healthd;
|
||||
|
|
|
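Review bot: `permissive healthd;` at the end of this hunk means none of the allow rules above it are enforced, so a missing or overly broad rule only shows up as an audit log entry; the two-line comment gives the block_suspend cause but no condition for removing the line. I would extend that comment with something like `# TODO: remove 'permissive healthd' once the kernel patch mentioned above is available; review healthd avc denials before switching to enforcing.` Separately, `allow healthd self:capability { net_admin mknod };` grants two broad capabilities with no comment. A line above it naming the healthd operation that needs each one (presumably the uevent netlink socket and device node creation, to be confirmed) would let a later reviewer trim them. The page does not mark which lines are added or removed, so this assumes the capability, netlink and binder rules are on the new side and `unconfined_domain(healthd)` is the line being dropped.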
@ -89,6 +89,7 @@ tmpfs_domain(system_server)
|
|||
binder_use(system_server)
|
||||
binder_call(system_server, binderservicedomain)
|
||||
binder_call(system_server, appdomain)
|
||||
binder_call(system_server, healthd)
|
||||
binder_service(system_server)
|
||||
|
||||
# Read /proc/pid files for Binder clients.
|
||||
|
|