5637099a25
As has already been done for untrusted_app, isolated_app, and bluetooth, make all the other domains used for app processes confined while making them permissive until sufficient testing has been done. Change-Id: If55fe7af196636c49d10fc18be2f44669e2626c5 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
24 lines
604 B
Text
24 lines
604 B
Text
# phone subsystem
|
|
type radio, domain;
|
|
permissive radio;
|
|
app_domain(radio)
|
|
net_domain(radio)
|
|
bluetooth_domain(radio)
|
|
|
|
# Talks to init via the property socket.
|
|
unix_socket_connect(radio, property, init)
|
|
|
|
# Talks to rild via the rild socket.
|
|
unix_socket_connect(radio, rild, rild)
|
|
|
|
# Data file accesses.
|
|
allow radio radio_data_file:dir create_dir_perms;
|
|
allow radio radio_data_file:notdevfile_class_set create_file_perms;
|
|
|
|
allow radio alarm_device:chr_file rw_file_perms;
|
|
|
|
# Property service
|
|
allow radio radio_prop:property_service set;
|
|
|
|
# ctl interface
|
|
allow radio ctl_rildaemon_prop:property_service set;
|