am 9d87c647: Allow init to execute /sbin/slideshow

* commit '9d87c647afdc478245579090eae1ca2d1ae8d341': Allow init to execute /sbin/slideshow
2015-02-27 17:04:44 +00:00 · 2015-02-27 17:04:44 +00:00 · bd7da3eb5f
commit bd7da3eb5f
parent cd31111d5e 9d87c647af
3 changed files with 15 additions and 1 deletions
--- a/domain.te
+++ b/domain.te
@ -180,7 +180,7 @@ neverallow { domain -init -recovery } unlabeled:dir_file_class_set create;
 neverallow { domain -debuggerd -vold -dumpstate -system_server } self:capability sys_ptrace;

 # Limit device node creation to these whitelisted domains.
-neverallow { domain -kernel -init -recovery -ueventd -watchdogd -healthd -vold -uncrypt } self:capability mknod;
+neverallow { domain -kernel -init -recovery -ueventd -watchdogd -healthd -vold -uncrypt -slideshow } self:capability mknod;

 # Limit raw I/O to these whitelisted domains.
 neverallow { domain -kernel -init -recovery -ueventd -watchdogd -healthd -vold -uncrypt -tee } self:capability sys_rawio;
--- a/init.te
+++ b/init.te
@ -140,6 +140,7 @@ allow init sysfs_type:file w_file_perms;
 # Transitions to seclabel processes in init.rc
 domain_trans(init, rootfs, adbd)
 domain_trans(init, rootfs, healthd)
+domain_trans(init, rootfs, slideshow)
 recovery_only(`
  domain_trans(init, rootfs, recovery)
 ')
--- a/slideshow.te
+++ b/slideshow.te
@ -0,0 +1,13 @@
+# slideshow seclabel is specified in init.rc since
+# it lives in the rootfs and has no unique file type.
+type slideshow, domain;
+
+write_klog(slideshow)
+allow slideshow device:dir r_dir_perms;
+allow slideshow self:capability { mknod sys_tty_config };
+allow slideshow graphics_device:dir r_dir_perms;
+allow slideshow graphics_device:chr_file rw_file_perms;
+allow slideshow input_device:dir r_dir_perms;
+allow slideshow input_device:chr_file r_file_perms;
+allow slideshow tty_device:chr_file rw_file_perms;
+