7c34e83fcd
This attribute is being actively removed from policy. Since
attributes are not being versioned, partners must not be able to
access and use this attribute. Move it from private and verify in
the logs that rild and tee are not using these permissions.
Bug: 38316109
Test: build and boot Marlin
Test: Verify that rild and tee are not being granted any of these
permissions.
Merged-In: I31beeb5bdf3885195310b086c1af3432dc6a349b
Change-Id: I31beeb5bdf3885195310b086c1af3432dc6a349b
(cherry picked from commit 76aab82cb3)
39 lines
1.1 KiB
Text
39 lines
1.1 KiB
Text
# uncrypt
|
|
type uncrypt, domain, mlstrustedsubject;
|
|
type uncrypt_exec, exec_type, file_type;
|
|
|
|
allow uncrypt self:capability dac_override;
|
|
|
|
# Read OTA zip file from /data/data/com.google.android.gsf/app_download
|
|
r_dir_file(uncrypt, app_data_file)
|
|
|
|
userdebug_or_eng(`
|
|
# For debugging, allow /data/local/tmp access
|
|
r_dir_file(uncrypt, shell_data_file)
|
|
')
|
|
|
|
# Read /cache/recovery/command
|
|
# Read /cache/recovery/uncrypt_file
|
|
allow uncrypt cache_file:dir search;
|
|
allow uncrypt cache_recovery_file:dir rw_dir_perms;
|
|
allow uncrypt cache_recovery_file:file create_file_perms;
|
|
|
|
# Read OTA zip file at /data/ota_package/.
|
|
allow uncrypt ota_package_file:dir r_dir_perms;
|
|
allow uncrypt ota_package_file:file r_file_perms;
|
|
|
|
# Write to /dev/socket/uncrypt
|
|
unix_socket_connect(uncrypt, uncrypt, uncrypt)
|
|
|
|
# Set a property to reboot the device.
|
|
set_prop(uncrypt, powerctl_prop)
|
|
|
|
# Raw writes to block device
|
|
allow uncrypt self:capability sys_rawio;
|
|
allow uncrypt misc_block_device:blk_file w_file_perms;
|
|
allow uncrypt block_device:dir r_dir_perms;
|
|
|
|
# Access userdata block device.
|
|
allow uncrypt userdata_block_device:blk_file w_file_perms;
|
|
|
|
r_dir_file(uncrypt, rootfs)
|