platform_system_sepolicy/public/rild.te
dcashman cc39f63773 Split general policy into public and private components.
Divide policy into public and private components.  This is the first
step in splitting the policy creation for platform and non-platform
policies.  The policy in the public directory will be exported for use
in non-platform policy creation.  Backwards compatibility with it will
be achieved by converting the exported policy into attribute-based
policy when included as part of the non-platform policy and a mapping
file will be maintained to be included with the platform policy that
maps exported attributes of previous versions to the current platform
version.

Eventually we would like to create a clear interface between the
platform and non-platform device components so that the exported policy,
and the need for attributes, is minimal.  For now, almost all types and
avrules are left in public.

Test: Tested by building policy and running on device.

Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c
2016-10-06 13:09:06 -07:00


# rild - radio interface layer daemon
#
# Domain for the RIL daemon that talks to the radio/modem hardware.  Rules are
# grouped below by the resource they grant access to.  Macros such as
# net_domain, set_prop, wakelock_use and r_dir_file expand to rules defined in
# the shared macro files, so their exact grants are not visible in this file.
type rild, domain, domain_deprecated;
# NOTE(review): domain_deprecated is a legacy attribute whose (broad) rules are
# defined elsewhere; while it is attached, rild's effective policy is wider than
# the rules listed here.
type rild_exec, exec_type, file_type;
# Network access; the netdomain rules come from the net_domain() expansion.
net_domain(rild)
# Extended-permission rule: ioctl on rild's own UDP sockets is limited to the
# commands in the priv_sock_ioctls set instead of being allowed wholesale.
allowxperm rild self:udp_socket ioctl priv_sock_ioctls;
# Write routing/link configuration messages over its own netlink route socket.
allow rild self:netlink_route_socket nlmsg_write;
# Allows rild to trigger kernel module auto-loading (request_module).
allow rild kernel:system module_request;
# rild keeps capabilities beyond an ordinary daemon: identity changes
# (setpcap/setgid/setuid) plus network configuration (net_admin) and raw
# sockets (net_raw).  Any addition here widens what a compromised rild can do.
allow rild self:capability { setpcap setgid setuid net_admin net_raw };
# Device nodes: alarm and radio devices read/write, radio block devices read-only,
# and search on the mtd device directory.
allow rild alarm_device:chr_file rw_file_perms;
allow rild cgroup:dir create_dir_perms;
allow rild cgroup:{ file lnk_file } r_file_perms;
allow rild radio_device:chr_file rw_file_perms;
allow rild radio_device:blk_file r_file_perms;
allow rild mtd_device:dir search;
# Persistent EFS storage: full create/write access to efs_file, read-only access
# to the Bluetooth EFS area.
allow rild efs_file:dir create_dir_perms;
allow rild efs_file:file create_file_perms;
# rild may execute the shell binary.
allow rild shell_exec:file rx_file_perms;
allow rild bluetooth_efs_file:file r_file_perms;
allow rild bluetooth_efs_file:dir r_dir_perms;
# Radio data files are the only writable data location besides efs_file;
# sdcard_type (all sdcard filesystems) and system_data_file are read-only.
allow rild radio_data_file:dir rw_dir_perms;
allow rild radio_data_file:file create_file_perms;
allow rild sdcard_type:dir r_dir_perms;
allow rild system_data_file:dir r_dir_perms;
allow rild system_data_file:file r_file_perms;
allow rild system_file:file x_file_perms;
# property service
# rild may set radio, net_radio and system_radio properties.  The auditallow
# lines do not deny anything: they log each granted 'set' on the latter two
# types, presumably to learn whether those two set_prop grants are still needed.
set_prop(rild, radio_prop)
set_prop(rild, net_radio_prop)
set_prop(rild, system_radio_prop)
auditallow rild net_radio_prop:property_service set;
auditallow rild system_radio_prop:property_service set;
# Serial/tty access to the modem.
allow rild tty_device:chr_file rw_file_perms;
# Allow rild to create and use netlink sockets.
# create_socket_perms_no_ioctl deliberately leaves out ioctl on these sockets.
allow rild self:netlink_socket create_socket_perms_no_ioctl;
allow rild self:netlink_generic_socket create_socket_perms_no_ioctl;
allow rild self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
# Access to wake locks
wakelock_use(rild)
# Read-only traversal of proc, sysfs and the system partition (r_dir_file
# expands to dir/file read rules).
r_dir_file(rild, proc)
r_dir_file(rild, sysfs_type)
r_dir_file(rild, system_file)
# granting the ioctl permission for rild should be device specific
# Generic sockets get the no-ioctl permission set here; the ioctl permission,
# and the allowxperm command list restricting it, are expected to be added in
# device policy rather than in this shared file.
allow rild self:socket create_socket_perms_no_ioctl;