dd053a9b89
Introduce separate types for the userdata and cache block devices so that we can assign them and allow access to them in device-specific policy without allowing access to any other block device (e.g. system). These types will only be used if assigned to device node paths in the device-specific file_contexts configuration. Otherwise, this change will have no impact - the userdata and cache block devices will continue to default to block_device type. To avoid breakage when these new types are assigned to the userdata block device, allow access by vold and uncrypt, but auditallow these accesses to confirm that these are required. Change-Id: I99d24f06506f51ebf1d186d9c393b3cad60e98d7 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
34 lines
1 KiB
Text
34 lines
1 KiB
Text
# uncrypt
|
|
type uncrypt, domain;
|
|
type uncrypt_exec, exec_type, file_type;
|
|
|
|
init_daemon_domain(uncrypt)
|
|
|
|
allow uncrypt self:capability dac_override;
|
|
|
|
# Read OTA zip file from /data/data/com.google.android.gsf/app_download
|
|
r_dir_file(uncrypt, app_data_file)
|
|
|
|
userdebug_or_eng(`
|
|
# For debugging, allow /data/local/tmp access
|
|
r_dir_file(uncrypt, shell_data_file)
|
|
')
|
|
|
|
# Create tmp file /cache/recovery/command.tmp
|
|
# Read /cache/recovery/command
|
|
# Rename /cache/recovery/command.tmp to /cache/recovery/command
|
|
allow uncrypt cache_file:dir rw_dir_perms;
|
|
allow uncrypt cache_file:file create_file_perms;
|
|
|
|
# Set a property to reboot the device.
|
|
unix_socket_connect(uncrypt, property, init)
|
|
allow uncrypt powerctl_prop:property_service set;
|
|
|
|
# Raw writes to block device
|
|
allow uncrypt self:capability sys_rawio;
|
|
allow uncrypt block_device:blk_file w_file_perms;
|
|
allow uncrypt block_device:dir r_dir_perms;
|
|
|
|
# Access userdata block device.
|
|
allow uncrypt userdata_block_device:blk_file rw_file_perms;
|
|
auditallow uncrypt userdata_block_device:blk_file rw_file_perms;
|