287 files changed, 177798 insertions, 0 deletions
diff --git a/sepolicy/system_server.te b/sepolicy/system_server.te new file mode 100644 index 0000000..4c58d4f --- a/dev/null +++ b/sepolicy/system_server.te @@ -0,0 +1,49 @@ +#allow system_server fuse:dir search; +# +#allow system_server mediaserver:process {signal sigkill}; +#allow system_server { system_app_data_file media_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:dir { getattr read search }; +# +#allow system_server self:capability sys_module; +# +#allow system_server { system_control_service tvserver_service hdmi_cec_service }:service_manager find; +# +#allow system_server storage_stub_file:dir { getattr read open }; +# +#allow system_server debugfs:dir { getattr read open }; +#allow system_server debugfs:file r_file_perms; +# +#allow system_server system_app:fifo_file { read write getattr }; +# +#allow system_server param_tv_file:dir { search }; +# +#set_prop(system_server, uboot_prop) +#get_prop(system_server, uboot_prop) +# +#allow system_server { system_app platform_app untrusted_app priv_app }:file { write }; +#allow system_server uhid_device:chr_file {write open ioctl}; +#allow system_server dvb_device:chr_file rw_file_perms; +# + +typeattribute system_server mlstrustedsubject; + +allow system_server vendor_file:file { getattr read open execute }; +allow system_server vendor_framework_file:dir { search getattr }; +allow system_server vendor_framework_file:file { read getattr open }; + +get_prop(system_server, media_prop) + +# For writing to /proc/<tid>/timerslack_ns (XXX - this is probably wrong) +allow system_server priv_app:file write; +allow system_server untrusted_app:file write; +allow system_server untrusted_app_25:file write; +allow system_server platform_app:file write; +allow system_server system_app:file write; +allow system_server isolated_app:file write; +allow system_server bluetooth:file write; + +allow system_server audioserver:file write; + +allow system_server socket_device:sock_file { write }; +allow system_server hidraw_device:chr_file {open read write ioctl}; +allow system_server audio_prop:property_service { set }; +allow system_server uhid_device:chr_file { write open ioctl }; |