a7c04dcd74
Prune down unconfined so it doesn't allow process access to all other domains. Use domain_trans() for transitions to seclabeled domains. Change-Id: I8e88a49e588b6b911e1f7172279455838a06091d
9 lines
420 B
Text
9 lines
420 B
Text
# watchdogd seclabel is specified in init.<board>.rc
|
|
type watchdogd, domain;
|
|
allow watchdogd self:capability mknod;
|
|
allow watchdogd device:dir { add_name write remove_name };
|
|
allow watchdogd watchdog_device:chr_file rw_file_perms;
|
|
# because of /dev/__kmsg__ and /dev/__null__
|
|
write_klog(watchdogd)
|
|
type_transition watchdogd device:chr_file null_device "__null__";
|
|
allow watchdogd null_device:chr_file { create unlink };
|