Allow cppreopts to work with selinux
Bug: 29278988 Change-Id: I199572377a6b5c33116c718a545159ddcf50df30
parent
0989a53163
commit
d3edd6b577
8 changed files with 51 additions and 1 deletions
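--- a/cppreopts.te
+++ b/cppreopts.te
@@ -0,0 +1,28 @@
+# cppreopts
+#
+# This command copies preopted files from the system_b partition to the data
+# partition. This domain ensures that we are only copying into specific
+# directories.
+
+type cppreopts, domain, mlstrustedsubject;
+type cppreopts_exec, exec_type, file_type;
+
+# Technically not a daemon but we do want the transition from init domain to
+# cppreopts to occur.
+init_daemon_domain(cppreopts)
+
+domain_auto_trans(cppreopts, preopt2cachename_exec, preopt2cachename);
+
+# Allow cppreopts copy files into the dalvik-cache
+allow cppreopts dalvikcache_data_file:dir { add_name remove_name search write };
+allow cppreopts dalvikcache_data_file:file { create getattr open read rename write };
+
+# Allow cppreopts to execute itself using #!/system/bin/sh
+allow cppreopts shell_exec:file rx_file_perms;
+
+# Allow us to run find on /postinstall
+allow cppreopts system_file:dir { open read };
+
+# Allow running the cp command using cppreopts permissions. Needed so we can
+# write into dalvik-cache
+allow cppreopts toolbox_exec:file rx_file_perms;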
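Review bot: The file permissions granted on dalvikcache_data_file (`create getattr open read rename write`) include rename but not unlink, so if the copy step renames a temporary file over an existing cache entry the replacement will be denied, since replacing an existing target needs unlink on it; check the script's copy sequence and add `unlink` only if it is actually exercised. The `mlstrustedsubject` attribute on the cppreopts type carries no comment saying which MLS-constrained object the domain has to cross; either record the reason in one line or drop the attribute if dalvik-cache is all at s0. Style: `domain_auto_trans(cppreopts, preopt2cachename_exec, preopt2cachename);` ends in a semicolon while `init_daemon_domain(cppreopts)` two lines above does not; the macro calls in this file should agree.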
@ -378,6 +378,7 @@ neverallow {
|
|||
-zygote
|
||||
-installd
|
||||
-postinstall_dexopt
|
||||
-cppreopts
|
||||
-dex2oat
|
||||
} dalvikcache_data_file:file no_w_file_perms;
|
||||
|
||||
|
@ -386,6 +387,7 @@ neverallow {
|
|||
-init
|
||||
-installd
|
||||
-postinstall_dexopt
|
||||
-cppreopts
|
||||
-dex2oat
|
||||
-zygote
|
||||
} dalvikcache_data_file:dir no_w_dir_perms;
|
||||
|
|
|
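Review bot: Adding `-cppreopts` to the exemption list of the dalvikcache_data_file:file neverallow (and again in the following hunk for the dir neverallow) hands dalvik-cache write to a domain that, per cppreopts.te in this same change, also executes shell_exec and toolbox_exec, so the whole shell script and every toolbox command it runs inherit the write that this neverallow exists to confine. That is a wider grant than the other exempted domains, which are native binaries, and the hunk gives no comment explaining it. A one-line note beside the exemption would let the next reviewer judge it, e.g. `# cppreopts: shell script that populates dalvik-cache from the inactive slot, see cppreopts.te`. Both enclosing neverallow statements start outside their hunks.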
@ -203,6 +203,8 @@
|
|||
/system/bin/update_verifier u:object_r:update_verifier_exec:s0
|
||||
/system/bin/logwrapper u:object_r:system_file:s0
|
||||
/system/bin/vdc u:object_r:vdc_exec:s0
|
||||
/system/bin/cppreopts.sh u:object_r:cppreopts_exec:s0
|
||||
/system/bin/preopt2cachename u:object_r:preopt2cachename_exec:s0
|
||||
/system/bin/install-recovery.sh u:object_r:install_recovery_exec:s0
|
||||
/system/bin/dex2oat u:object_r:dex2oat_exec:s0
|
||||
# patchoat executable has (essentially) the same requirements as dex2oat.
|
||||
|
|
2
init.te
2
init.te
|
@ -44,7 +44,7 @@ allow init self:capability sys_admin;
|
|||
|
||||
# Create and mount on directories in /.
|
||||
allow init rootfs:dir create_dir_perms;
|
||||
allow init { rootfs cache_file cgroup storage_file system_data_file system_file }:dir mounton;
|
||||
allow init { rootfs cache_file cgroup storage_file system_data_file system_file postinstall_mnt_dir }:dir mounton;
|
||||
|
||||
# Mount on /dev/usb-ffs/adb.
|
||||
allow init device:dir mounton;
|
||||
|
|
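Review bot: `postinstall_mnt_dir` is appended to init's mounton list without a word on what gets mounted there, and the existing comment ("Create and mount on directories in /.") does not cover it; cppreopts.te in this change refers to running find on /postinstall, so presumably this is where the inactive slot's system image is mounted for cppreopts — confirm. A short why-comment on the changed line, e.g. `# /postinstall: mount point for the other slot's system image, read by cppreopts`, would tie the two files together. The type declaration for postinstall_mnt_dir is not part of this change and must exist elsewhere.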
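--- a/preopt2cachename.te
+++ b/preopt2cachename.te
@@ -0,0 +1,13 @@
+# preopt2cachename executable
+#
+# This executable translates names from the preopted versions the build system
+# creates to the names the runtime expects in the data directory.
+type preopt2cachename, domain;
+type preopt2cachename_exec, exec_type, file_type;
+
+# Allow write to stdout.
+allow preopt2cachename cppreopts:fd use;
+allow preopt2cachename cppreopts:fifo_file { getattr read write };
+
+# Allow write to logcat.
+allow preopt2cachename proc_net:file r_file_perms;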
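Review bot: The comment `# Allow write to logcat.` sits above a rule that grants read on proc_net:file, which is not what writing to the log socket needs and which exposes kernel network state to a name-translation helper; the access may have been added to silence a denial seen while logging, but the rule and the comment do not match. Re-check the denial that motivated it and either reword the comment to say what in /proc/net is read and why, or drop the rule if the denial came from a library path that can be tolerated with a dontaudit instead. The stdout rules above it look right for a child spawned by cppreopts via domain_auto_trans, since that macro does not grant fd or fifo_file access on its own — confirm against the macro definition.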
@ -31,6 +31,7 @@ type security_prop, property_type, core_property_type;
|
|||
type bluetooth_prop, property_type, core_property_type;
|
||||
type pan_result_prop, property_type, core_property_type;
|
||||
type powerctl_prop, property_type, core_property_type;
|
||||
type cppreopt_prop, property_type, core_property_type;
|
||||
type nfc_prop, property_type, core_property_type;
|
||||
type dalvik_prop, property_type, core_property_type;
|
||||
type config_prop, property_type, core_property_type;
|
||||
|
|
|
@ -21,6 +21,7 @@ ro.runtime. u:object_r:system_prop:s0
|
|||
hw. u:object_r:system_prop:s0
|
||||
ro.hw. u:object_r:system_prop:s0
|
||||
sys. u:object_r:system_prop:s0
|
||||
sys.cppreopt u:object_r:cppreopt_prop:s0
|
||||
sys.powerctl u:object_r:powerctl_prop:s0
|
||||
sys.usb.ffs. u:object_r:ffs_prop:s0
|
||||
service. u:object_r:system_prop:s0
|
||||
|
|
|
@ -347,6 +347,9 @@ userdebug_or_eng(`set_prop(system_server, wifi_log_prop)')
|
|||
set_prop(system_server, ctl_default_prop)
|
||||
set_prop(system_server, ctl_bugreport_prop)
|
||||
|
||||
# cppreopt property
|
||||
set_prop(system_server, cppreopt_prop)
|
||||
|
||||
# Create a socket for receiving info from wpa.
|
||||
type_transition system_server wifi_data_file:sock_file system_wpa_socket;
|
||||
type_transition system_server wpa_socket:sock_file system_wpa_socket;
|
||||
|
|
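Review bot: `set_prop(system_server, cppreopt_prop)` is introduced under the bare comment `# cppreopt property`, which says nothing about what setting sys.cppreopt does; given the rest of this change, presumably init triggers on it to start the cppreopts service, but nothing on the page confirms the consumer. Expand the comment so the grant can be audited later, e.g. `# sys.cppreopt: set by system_server to start the cppreopts service (see property_contexts, cppreopts.te)`. Note also that the property_contexts entry `sys.cppreopt` is a prefix key with no trailing dot, unlike `sys.usb.ffs.` below it, so any property name starting with that string gets the cppreopt_prop label — fine if only the exact name is ever set, worth a word if not.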