5e37271df8
system_file_type is a new attribute used to identify files which exist on the /system partition. It's useful for allow rules in init, which are based off of a blacklist of writable files. Additionally, it's useful for constructing neverallow rules to prevent regressions. Additionally, add commented out tests which enforce that all files on the /system partition have the system_file_type attribute. These tests will be uncommented in a future change after all the device-specific policies are cleaned up. Test: Device boots and no obvious problems. Change-Id: Id9bae6625f042594c8eba74ca712abb09702c1e5
42 lines
1.2 KiB
Text
42 lines
1.2 KiB
Text
# bootanimation oneshot service
|
|
type bootanim, domain;
|
|
type bootanim_exec, system_file_type, exec_type, file_type;
|
|
|
|
hal_client_domain(bootanim, hal_configstore)
|
|
hal_client_domain(bootanim, hal_graphics_allocator)
|
|
hal_client_domain(bootanim, hal_graphics_composer)
|
|
|
|
binder_use(bootanim)
|
|
binder_call(bootanim, surfaceflinger)
|
|
binder_call(bootanim, audioserver)
|
|
|
|
hwbinder_use(bootanim)
|
|
|
|
allow bootanim gpu_device:chr_file rw_file_perms;
|
|
|
|
# /oem access
|
|
allow bootanim oemfs:dir search;
|
|
allow bootanim oemfs:file r_file_perms;
|
|
|
|
allow bootanim audio_device:dir r_dir_perms;
|
|
allow bootanim audio_device:chr_file rw_file_perms;
|
|
|
|
allow bootanim audioserver_service:service_manager find;
|
|
allow bootanim surfaceflinger_service:service_manager find;
|
|
|
|
# Allow access to ion memory allocation device
|
|
allow bootanim ion_device:chr_file rw_file_perms;
|
|
allow bootanim hal_graphics_allocator:fd use;
|
|
|
|
# Fences
|
|
allow bootanim hal_graphics_composer:fd use;
|
|
|
|
# Read access to pseudo filesystems.
|
|
allow bootanim proc_meminfo:file r_file_perms;
|
|
|
|
# System file accesses.
|
|
allow bootanim system_file:dir r_dir_perms;
|
|
|
|
# Read ro.boot.bootreason b/30654343
|
|
get_prop(bootanim, bootloader_boot_reason_prop)
|
|
|