aa376831e8
Denials seen on hammerhead but seem
appropriate for general policy.
<5>[ 8.339347] type=1400 audit(3731546.390:17): avc: denied { ioctl } for pid=314 comm="rild" path="socket:[7996]" dev="sockfs" ino=7996 scontext=u:r:rild:s0 tcontext=u:r:rild:s0 tclass=socket
<5>[ 8.339065] type=1400 audit(3731546.390:16): avc: denied { create } for pid=314 comm="rild" scontext=u:r:rild:s0 tcontext=u:r:rild:s0 tclass=socket
<5>[ 11.232121] type=1400 audit(3731549.289:22): avc: denied { read } for pid=620 comm="rild" scontext=u:r:rild:s0 tcontext=u:r:rild:s0 tclass=socket
Change-Id: Ieaca5360afbb44d5da21c7c24bdd5e7c5758f0a2
49 lines
1.7 KiB
Text
49 lines
1.7 KiB
Text
# rild - radio interface layer daemon
|
|
type rild, domain;
|
|
permissive rild;
|
|
type rild_exec, exec_type, file_type;
|
|
|
|
init_daemon_domain(rild)
|
|
net_domain(rild)
|
|
allow rild self:netlink_route_socket { setopt write };
|
|
allow rild kernel:system module_request;
|
|
unix_socket_connect(rild, property, init)
|
|
unix_socket_connect(rild, qemud, qemud)
|
|
allow rild self:capability { setuid net_admin net_raw };
|
|
allow rild alarm_device:chr_file rw_file_perms;
|
|
allow rild cgroup:dir create_dir_perms;
|
|
allow rild radio_device:chr_file rw_file_perms;
|
|
allow rild radio_device:blk_file r_file_perms;
|
|
allow rild qemu_device:chr_file rw_file_perms;
|
|
allow rild mtd_device:dir search;
|
|
allow rild efs_file:dir create_dir_perms;
|
|
allow rild efs_file:file create_file_perms;
|
|
allow rild shell_exec:file rx_file_perms;
|
|
allow rild bluetooth_efs_file:file r_file_perms;
|
|
allow rild bluetooth_efs_file:dir r_dir_perms;
|
|
allow rild radio_data_file:dir rw_dir_perms;
|
|
allow rild radio_data_file:file create_file_perms;
|
|
allow rild sdcard_type:dir r_dir_perms;
|
|
allow rild system_data_file:dir create_dir_perms;
|
|
allow rild system_data_file:file create_file_perms;
|
|
allow rild system_file:file x_file_perms;
|
|
dontaudit rild self:capability sys_admin;
|
|
|
|
# property service
|
|
allow rild rild_prop:property_service set;
|
|
allow rild radio_prop:property_service set;
|
|
|
|
# Read/Write to uart driver (for GPS)
|
|
allow rild gps_device:chr_file rw_file_perms;
|
|
|
|
allow rild tty_device:chr_file rw_file_perms;
|
|
|
|
# Allow rild to create, bind, read, write to itself through a netlink socket
|
|
allow rild self:netlink_socket { create bind read write };
|
|
|
|
allow rild self:netlink_kobject_uevent_socket { bind create getopt read setopt };
|
|
|
|
# Access to wake locks
|
|
allow rild sysfs_wake_lock:file rw_file_perms;
|
|
|
|
allow rild self:socket create_socket_perms;
|