device/amlogic-o.git - Unnamed repository; edit this file 'description' to name the repository.

1 type droidvold, domain;
2 type droidvold_exec, exec_type, vendor_file_type, file_type;
3
4 init_daemon_domain(droidvold)
5
6 # Read access to pseudo filesystems.
7 r_dir_file(droidvold, proc)
8 r_dir_file(droidvold, sysfs_type)
9
10
11 allow droidvold proc_meminfo:file r_file_perms;
12 allow droidvold self:capability { setgid setuid };
13
14 allow droidvold cpuctl_device:dir search;
15
16 allow droidvold device:dir { open read };
17 allow droidvold usb_device:dir { open read search };
18 allow droidvold system_data_file:fifo_file { open read write };
19
20 allow droidvold block_device:dir { create read write search add_name };
21
22 allow droidvold fuseblk:filesystem { mount unmount };
23
24 allow droidvold self:capability { net_admin dac_override sys_admin sys_rawio chown fowner fsetid };
25
26 allow droidvold tmpfs:dir create_dir_perms;
27 allow droidvold tmpfs:dir mounton;
28
29 allow droidvold kernel:system module_request;
30 allow droidvold mnt_media_rw_file:dir { r_dir_perms };
31 allow droidvold mnt_media_rw_stub_file:dir { r_dir_perms mounton };
32
33 allow droidvold droidvold:netlink_kobject_uevent_socket { create setopt bind read getopt };
34
35 allow droidvold rootfs:dir mounton;
36 allow droidvold rootfs:file { read open getattr };
37
38 allow droidvold { sysfs sysfs_zram sysfs_zram_uevent }:dir { open read search };
39 allow droidvold { sysfs sysfs_zram sysfs_zram_uevent }:file { write open read };
40
41 allow droidvold file_contexts_file:file r_file_perms;
42
43 allow proc_net proc:filesystem { associate };
44
45 allow droidvold self:process { setexec setfscreate };
46 allow droidvold sysfs:file { getattr };
47 # For sgdisk launched through popen()
48 # allow droidvold shell_exec:file rx_file_perms;
49
50 allow droidvold hwservicemanager_prop:file { open read getattr };
51
52 allow droidvold hwservicemanager:binder { call transfer };
53 allow droidvold { droidvold_hwservice  hidl_base_hwservice }:hwservice_manager { add };
54
55 allow droidvold system_app:binder { call transfer };
56
57 allow droidvold mnt_media_rw_file:dir { create_dir_perms mounton };
58 allow droidvold mnt_media_rw_file:file create_file_perms;
59
60 allow droidvold ntfs:filesystem { mount unmount};
61 allow droidvold exfat:filesystem { mount unmount};
62 allow droidvold vfat:filesystem { mount unmount};
63 allow droidvold { vfat exfat ntfs }:dir rw_dir_perms;
64
65 allow droidvold iso9660:filesystem { mount unmount};
66 allow droidvold hfsplus:filesystem { mount unmount};
67
68 # For vold Process::killProcessesWithOpenFiles function.
69 allow droidvold domain:dir r_dir_perms;
70 allow droidvold domain:{ file lnk_file } r_file_perms;
71 allow droidvold domain:process { signal sigkill };
72 allow droidvold self:capability { kill };
73
74 allow droidvold platform_app:file r_file_perms;
75 allow droidvold platform_app:dir { open read getattr search };
76 allow droidvold init:file r_file_perms;
77 allow droidvold init:dir { r_dir_perms search };
78
79 allow droidvold platform_app:lnk_file { open getattr read };
80 allow droidvold init:lnk_file { open getattr read };
81 allow droidvold untrusted_app:lnk_file { open getattr read };
82
83
84 # Allowed read-only access to droidvold block devices to extract UUID/label
85 allow droidvold vold_device:blk_file r_file_perms;
86 allow droidvold sda_block_device:dir search;
87 allow droidvold sda_block_device:blk_file r_file_perms;
88
89 allow droidvold fuse_device:chr_file r_file_perms;
90
91 allow droidvold devpts:chr_file rw_file_perms;
92
93 domain_auto_trans(droidvold, ntfs_3g_exec, ntfs_3g);
94
1	type droidvold, domain;
2	type droidvold_exec, exec_type, vendor_file_type, file_type;
3
4	init_daemon_domain(droidvold)
5
6	# Read access to pseudo filesystems.
7	r_dir_file(droidvold, proc)
8	r_dir_file(droidvold, sysfs_type)
9
10
11	allow droidvold proc_meminfo:file r_file_perms;
12	allow droidvold self:capability { setgid setuid };
13
14	allow droidvold cpuctl_device:dir search;
15
16	allow droidvold device:dir { open read };
17	allow droidvold usb_device:dir { open read search };
18	allow droidvold system_data_file:fifo_file { open read write };
19
20	allow droidvold block_device:dir { create read write search add_name };
21
22	allow droidvold fuseblk:filesystem { mount unmount };
23
24	allow droidvold self:capability { net_admin dac_override sys_admin sys_rawio chown fowner fsetid };
25
26	allow droidvold tmpfs:dir create_dir_perms;
27	allow droidvold tmpfs:dir mounton;
28
29	allow droidvold kernel:system module_request;
30	allow droidvold mnt_media_rw_file:dir { r_dir_perms };
31	allow droidvold mnt_media_rw_stub_file:dir { r_dir_perms mounton };
32
33	allow droidvold droidvold:netlink_kobject_uevent_socket { create setopt bind read getopt };
34
35	allow droidvold rootfs:dir mounton;
36	allow droidvold rootfs:file { read open getattr };
37
38	allow droidvold { sysfs sysfs_zram sysfs_zram_uevent }:dir { open read search };
39	allow droidvold { sysfs sysfs_zram sysfs_zram_uevent }:file { write open read };
40
41	allow droidvold file_contexts_file:file r_file_perms;
42
43	allow proc_net proc:filesystem { associate };
44
45	allow droidvold self:process { setexec setfscreate };
46	allow droidvold sysfs:file { getattr };
47	# For sgdisk launched through popen()
48	# allow droidvold shell_exec:file rx_file_perms;
49
50	allow droidvold hwservicemanager_prop:file { open read getattr };
51
52	allow droidvold hwservicemanager:binder { call transfer };
53	allow droidvold { droidvold_hwservice hidl_base_hwservice }:hwservice_manager { add };
54
55	allow droidvold system_app:binder { call transfer };
56
57	allow droidvold mnt_media_rw_file:dir { create_dir_perms mounton };
58	allow droidvold mnt_media_rw_file:file create_file_perms;
59
60	allow droidvold ntfs:filesystem { mount unmount};
61	allow droidvold exfat:filesystem { mount unmount};
62	allow droidvold vfat:filesystem { mount unmount};
63	allow droidvold { vfat exfat ntfs }:dir rw_dir_perms;
64
65	allow droidvold iso9660:filesystem { mount unmount};
66	allow droidvold hfsplus:filesystem { mount unmount};
67
68	# For vold Process::killProcessesWithOpenFiles function.
69	allow droidvold domain:dir r_dir_perms;
70	allow droidvold domain:{ file lnk_file } r_file_perms;
71	allow droidvold domain:process { signal sigkill };
72	allow droidvold self:capability { kill };
73
74	allow droidvold platform_app:file r_file_perms;
75	allow droidvold platform_app:dir { open read getattr search };
76	allow droidvold init:file r_file_perms;
77	allow droidvold init:dir { r_dir_perms search };
78
79	allow droidvold platform_app:lnk_file { open getattr read };
80	allow droidvold init:lnk_file { open getattr read };
81	allow droidvold untrusted_app:lnk_file { open getattr read };
82
83
84	# Allowed read-only access to droidvold block devices to extract UUID/label
85	allow droidvold vold_device:blk_file r_file_perms;
86	allow droidvold sda_block_device:dir search;
87	allow droidvold sda_block_device:blk_file r_file_perms;
88
89	allow droidvold fuse_device:chr_file r_file_perms;
90
91	allow droidvold devpts:chr_file rw_file_perms;
92
93	domain_auto_trans(droidvold, ntfs_3g_exec, ntfs_3g);
94