625a3526f1
A common source of mistakes when authoring sepolicy is properly setting up property sets. This is a 3 part step of: 1. Allowing the unix domain connection to the init/property service 2. Allowing write on the property_socket file 3. Allowing the set on class property_service The macro unix_socket_connect() handled 1 and 2, but could be confusing for first time policy authors. 3 had to be explicitly added. To correct this, we introduce a new macros: set_prop(sourcedomain, targetprop) This macro handles steps 1, 2 and 3. No difference in sediff is expected. Change-Id: I630ba0178439c935d08062892990d43a3cc1239e Signed-off-by: William Roberts <william.c.roberts@linux.intel.com>
32 lines
948 B
Text
32 lines
948 B
Text
# uncrypt
|
|
type uncrypt, domain, mlstrustedsubject;
|
|
type uncrypt_exec, exec_type, file_type;
|
|
|
|
init_daemon_domain(uncrypt)
|
|
|
|
allow uncrypt self:capability dac_override;
|
|
|
|
# Read OTA zip file from /data/data/com.google.android.gsf/app_download
|
|
r_dir_file(uncrypt, app_data_file)
|
|
|
|
userdebug_or_eng(`
|
|
# For debugging, allow /data/local/tmp access
|
|
r_dir_file(uncrypt, shell_data_file)
|
|
')
|
|
|
|
# Create tmp file /cache/recovery/command.tmp
|
|
# Read /cache/recovery/command
|
|
# Rename /cache/recovery/command.tmp to /cache/recovery/command
|
|
allow uncrypt cache_file:dir rw_dir_perms;
|
|
allow uncrypt cache_file:file create_file_perms;
|
|
|
|
# Set a property to reboot the device.
|
|
set_prop(uncrypt, powerctl_prop)
|
|
|
|
# Raw writes to block device
|
|
allow uncrypt self:capability sys_rawio;
|
|
allow uncrypt block_device:blk_file w_file_perms;
|
|
allow uncrypt block_device:dir r_dir_perms;
|
|
|
|
# Access userdata block device.
|
|
allow uncrypt userdata_block_device:blk_file w_file_perms;
|