6b0bd4e1a1
Include coredomain in initial definition of boringssl_self_test rather than adding it later. This addresses an outstanding review comment from http://r.android.com/1110523 Test: Treehugger Bug: 137267623 Change-Id: I4e8d4e2e76b1c3a9b5a1f806e43e885b51cb7a60
20 lines
807 B
Text
20 lines
807 B
Text
type boringssl_self_test, domain, coredomain;
|
|
type boringssl_self_test_exec, system_file_type, exec_type, file_type;
|
|
type boringssl_self_test_marker, file_type;
|
|
|
|
# switch to boringssl_self_test security domain when running boringssl_self_test_exec from init.
|
|
init_daemon_domain(boringssl_self_test)
|
|
|
|
# Allow boringssl_self_test binaries to create/check for the existence of boringssl_self_test_marker
|
|
# files.
|
|
allow boringssl_self_test boringssl_self_test_marker:file create_file_perms;
|
|
allow boringssl_self_test boringssl_self_test_marker:dir ra_dir_perms;
|
|
|
|
# No other process should be able to create these files because their existence causes the
|
|
# boringssl self test to be skipped.
|
|
neverallow {
|
|
domain
|
|
-boringssl_self_test
|
|
-init
|
|
-vendor_init
|
|
} boringssl_self_test_marker:file no_rw_file_perms;
|