blob: 280718995c696e6f69d976d506661320d8787f83
# SELinux type-enforcement policy for the imageserver daemon domain.
# Declares the domain and its executable type, then grants the access the
# daemon needs. Several grants below are broad (execmem, DAC bypass
# capabilities, MLS exemption, shell execution) and are marked NOTE(review)
# so they can be checked against what the daemon actually requires.
1 | type imageserver, domain; |
2 | type imageserver_exec, exec_type, file_type; |
3 | |
# mlstrustedsubject exempts this domain from the MLS constraints that
# otherwise separate subjects by level/category.
# NOTE(review): combined with the app_data_file and DAC capability rules
# below, this removes the category-based separation between this daemon and
# app private data. Confirm the exemption is required.
4 | typeattribute imageserver mlstrustedsubject; |
5 | |
# Started by init: transition into this domain when imageserver_exec runs.
6 | init_daemon_domain(imageserver) |
7 | |
# The daemon may read and execute the shell, and execute system_file
# binaries without a domain transition, so they run with imageserver's
# full permissions.
# NOTE(review): any command the daemon spawns inherits execmem, dac_override
# and the app data access granted below. Verify that no externally
# influenced input reaches a command line.
8 | allow imageserver shell_exec:file rx_file_perms; |
9 | allow imageserver system_file:file execute_no_trans; |
10 | |
# Register the daemon's own service with the service manager.
11 | allow imageserver imageserver_service:service_manager add; |
12 | |
# NOTE(review): init_daemon_domain() above normally grants entrypoint access
# to the exec type already; this rule looks redundant. Confirm.
13 | allow imageserver imageserver_exec:file { entrypoint read }; |
14 | |
# execmem permits anonymous memory that is executable (and writable memory
# made executable), i.e. it relaxes W^X for this process.
# NOTE(review): no reason for this is visible in this file. Keep it only if
# the daemon genuinely generates code at runtime.
15 | allow imageserver self:process execmem; |
16 | |
# Binder IPC: use binder, call into binder services and into any app domain,
# and act as a binder service itself.
17 | binder_use(imageserver); |
18 | binder_call(imageserver, binderservicedomain) |
19 | binder_call(imageserver, appdomain) |
20 | binder_service(imageserver) |
21 | |
# dac_override / dac_read_search bypass UNIX owner/group/mode checks on
# files and directory traversal.
# NOTE(review): with these capabilities, SELinux rules are the only remaining
# limit on what files the daemon can reach. Prefer running under a uid/gid
# that already has the needed access, and drop these if possible.
22 | allow imageserver self:capability dac_override; |
23 | allow imageserver self:capability dac_read_search; |
24 | |
# Disabled rule (left commented out by the author).
25 | #allow imageserver appdomain:file { r_file_perms }; |
# Read-only access to fuse-labeled directories and files.
26 | allow imageserver fuse:dir r_dir_perms; |
27 | allow imageserver fuse:file r_file_perms; |
# Read/write access to files labeled app_data_file. This covers every app's
# files of that type, not a single app. Only directory search is granted
# (line 31), so the daemon cannot list app directories, but it can open a
# known path.
# NOTE(review): together with mlstrustedsubject and dac_override this is
# effectively read/write to all app private data of this type. Passing open
# file descriptors over binder would avoid needing path-based access.
28 | allow imageserver app_data_file:file rw_file_perms; |
# Disabled rule (left commented out by the author).
29 | #allow imageserver system_file:file execmod; |
30 | |
31 | allow imageserver app_data_file:dir search; |
32 | |
# Look up system_control_service via the service manager.
33 | allow imageserver system_control_service:service_manager find; |
34 | |
# Traverse the storage mount points and follow their symlinks.
35 | allow imageserver { mnt_user_file storage_file }:dir { getattr search }; |
36 | allow imageserver { mnt_user_file storage_file }:lnk_file { getattr read }; |
# Look up permission_service via the service manager.
37 | allow imageserver permission_service:service_manager find; |
38 | |
# Read/write/ioctl on the picture_device character device.
# NOTE(review): ioctl is granted without restricting command numbers. If the
# policy version in use supports allowxperm, limit it to the commands the
# daemon issues.
39 | allow imageserver picture_device:chr_file { read write open ioctl }; |
# module_request lets this domain cause the kernel to request loading of a
# kernel module.
# NOTE(review): confirm which operation triggers this. Often it is better to
# load the needed module at boot than to grant this to a daemon.
40 | allow imageserver kernel:system module_request; |
41 | |
# Stat and traverse tmpfs directories (no file access is granted here).
42 | allow imageserver tmpfs:dir { getattr search }; |
43 |