287 files changed, 177798 insertions, 0 deletions
diff --git a/sepolicy/system_control.te b/sepolicy/system_control.te new file mode 100644 index 0000000..86715dc --- a/dev/null +++ b/sepolicy/system_control.te @@ -0,0 +1,105 @@ +type system_control, domain; +type system_control_exec, exec_type, vendor_file_type, file_type; + +init_daemon_domain(system_control) + +allow system_control vndbinder_device:chr_file { read write open ioctl }; +allow system_control vndservicemanager:binder { call transfer }; +#allow system_control default_android_vndservice:service_manager { add }; + +allow system_control hwservicemanager:binder { call transfer }; +allow system_control { systemcontrol_hwservice hidl_base_hwservice }:hwservice_manager { add }; + +allow system_control self:capability dac_override; + +allow system_control sysfs:file rw_file_perms; +allow system_control sysfs_devices_system_cpu:file rw_file_perms; + +allow system_control system_control:netlink_kobject_uevent_socket { create setopt bind read shutdown }; +allow system_control self:capability { net_admin }; + + +#unix_socket_connect(system_control, vold, vold); +#unix_socket_connect(system_control, property, init); + +# Property Service write +set_prop(system_control, system_prop) +set_prop(system_control, dhcp_prop) +set_prop(system_control, net_radio_prop) +set_prop(system_control, system_radio_prop) +set_prop(system_control, debug_prop) +set_prop(system_control, powerctl_prop) + +get_prop(system_control, tv_config_prop) +get_prop(system_control, bcmdl_prop) +get_prop(system_control, safemode_prop) +get_prop(system_control, mmc_prop) +get_prop(system_control, device_logging_prop) + +set_prop(system_control, media_prop) +get_prop(system_control, media_prop) +get_prop(system_control, aml_display_prop) +set_prop(system_control, uboot_prop) +get_prop(system_control, uboot_prop) +set_prop(system_control, tv_prop) +get_prop(system_control, tv_prop) + +get_prop(system_control, wifi_prop) +set_prop(system_control, boottime_prop) +get_prop(system_control, boottime_prop) + +#get_prop(system_control, firstboot_prop) +#get_prop(system_control, serialno_prop) +set_prop(system_control, overlay_prop) +get_prop(system_control, overlay_prop) +set_prop(system_control, net_dns_prop) +get_prop(system_control, net_dns_prop) +set_prop(system_control, logpersistd_logging_prop) +get_prop(system_control, logpersistd_logging_prop) +set_prop(system_control, hwservicemanager_prop) +get_prop(system_control, hwservicemanager_prop) +set_prop(system_control, dumpstate_options_prop) +get_prop(system_control, dumpstate_options_prop) +set_prop(system_control, bluetooth_prop) +get_prop(system_control, bluetooth_prop) + +set_prop(system_control, persistent_properties_ready_prop) +get_prop(system_control, persistent_properties_ready_prop) + +# ctl interface +set_prop(system_control, ctl_default_prop) +set_prop(system_control, ctl_dhcp_pan_prop) +set_prop(system_control, ctl_bugreport_prop) + +allow system_control block_device:dir r_dir_perms; + +allow system_control sysfs_audio_cap:file {open getattr read}; +allow system_control sysfs_video:file rw_file_perms; +allow system_control app_data_file:file rw_file_perms; +#allow system_control system_control_service:service_manager add; +#allow system_control permission_service:service_manager find; +#allow system_control surfaceflinger_service:service_manager find; +# Allow system_control to read /proc/pid for all processes +r_dir_file(system_control, domain) +r_dir_file(system_control, binderservicedomain) +r_dir_file(system_control, appdomain) +r_dir_file(system_control, platform_app) + + +allow system_control appdomain:dir { getattr search }; +allow system_control appdomain:file { r_file_perms }; +allow system_control platform_app:dir { search }; + +allow system_control param_tv_file:dir { search read write open add_name remove_name rmdir }; +allow system_control param_tv_file:file { create open read write setattr getattr lock unlink }; + +#allow system_control shell_exec:file { execute_no_trans execute open read getattr }; +allow system_control sysfs_digital_codec:file { read write }; +#allow system_control system_file:file execute_no_trans; + +allow system_control env_device:blk_file { getattr read open write }; +allow system_control self:capability sys_nice; + +allow system_control system_app:binder { call }; +allow system_control droidvold_hwservice:hwservice_manager { find }; +allow system_control droidvold:binder { call };
\ No newline at end of file |