Merge "Move qemud and /dev/qemu policy bits to emulator-specific sepolicy."
This commit is contained in:
Nick Kralevich
Gerrit Code Review
@@ -77,6 +77,14 @@ TARGET_USERIMAGES_SPARSE_EXT_DISABLED := true
|
|||||||
|
|
||||||
BOARD_SEPOLICY_DIRS += build/target/board/generic/sepolicy
|
BOARD_SEPOLICY_DIRS += build/target/board/generic/sepolicy
|
||||||
BOARD_SEPOLICY_UNION += \
|
BOARD_SEPOLICY_UNION += \
|
||||||
|
adbd.te \
|
||||||
bootanim.te \
|
bootanim.te \
|
||||||
|
device.te \
|
||||||
domain.te \
|
domain.te \
|
||||||
surfaceflinger.te
|
file.te \
|
||||||
|
file_contexts \
|
||||||
|
mediaserver.te \
|
||||||
|
qemud.te \
|
||||||
|
rild.te \
|
||||||
|
surfaceflinger.te \
|
||||||
|
system_server.te
|
||||||
|
|||||||
1
target/board/generic/sepolicy/adbd.te
Normal file
1
target/board/generic/sepolicy/adbd.te
Normal file
@@ -0,0 +1 @@
|
|||||||
|
allow adbd qemu_device:chr_file rw_file_perms;
|
||||||
1
target/board/generic/sepolicy/device.te
Normal file
1
target/board/generic/sepolicy/device.te
Normal file
@@ -0,0 +1 @@
|
|||||||
|
type qemu_device, dev_type;
|
||||||
1
target/board/generic/sepolicy/file.te
Normal file
1
target/board/generic/sepolicy/file.te
Normal file
@@ -0,0 +1 @@
|
|||||||
|
type qemud_socket, file_type;
|
||||||
4
target/board/generic/sepolicy/file_contexts
Normal file
4
target/board/generic/sepolicy/file_contexts
Normal file
@@ -0,0 +1,4 @@
|
|||||||
|
/dev/qemu_.* u:object_r:qemu_device:s0
|
||||||
|
/dev/socket/qemud u:object_r:qemud_socket:s0
|
||||||
|
/system/bin/qemud u:object_r:qemud_exec:s0
|
||||||
|
/sys/qemu_trace(/.*)? -- u:object_r:sysfs_writable:s0
|
||||||
1
target/board/generic/sepolicy/mediaserver.te
Normal file
1
target/board/generic/sepolicy/mediaserver.te
Normal file
@@ -0,0 +1 @@
|
|||||||
|
allow mediaserver qemu_device:chr_file rw_file_perms;
|
||||||
6
target/board/generic/sepolicy/qemud.te
Normal file
6
target/board/generic/sepolicy/qemud.te
Normal file
@@ -0,0 +1,6 @@
|
|||||||
|
# qemu support daemon
|
||||||
|
type qemud, domain;
|
||||||
|
type qemud_exec, exec_type, file_type;
|
||||||
|
|
||||||
|
init_daemon_domain(qemud)
|
||||||
|
unconfined_domain(qemud)
|
||||||
2
target/board/generic/sepolicy/rild.te
Normal file
2
target/board/generic/sepolicy/rild.te
Normal file
@@ -0,0 +1,2 @@
|
|||||||
|
allow rild qemu_device:chr_file rw_file_perms;
|
||||||
|
unix_socket_connect(rild, qemud, qemud)
|
||||||
2
target/board/generic/sepolicy/system_server.te
Normal file
2
target/board/generic/sepolicy/system_server.te
Normal file
@@ -0,0 +1,2 @@
|
|||||||
|
unix_socket_connect(system_server, qemud, qemud)
|
||||||
|
allow system_server qemu_device:chr_file rw_file_perms;
|
||||||
@@ -45,8 +45,15 @@ TARGET_USERIMAGES_SPARSE_EXT_DISABLED := true
|
|||||||
|
|
||||||
BOARD_SEPOLICY_DIRS += build/target/board/generic_x86/sepolicy
|
BOARD_SEPOLICY_DIRS += build/target/board/generic_x86/sepolicy
|
||||||
BOARD_SEPOLICY_UNION += \
|
BOARD_SEPOLICY_UNION += \
|
||||||
|
adbd.te \
|
||||||
|
device.te \
|
||||||
domain.te \
|
domain.te \
|
||||||
|
file.te \
|
||||||
|
file_contexts \
|
||||||
healthd.te \
|
healthd.te \
|
||||||
installd.te \
|
installd.te \
|
||||||
|
mediaserver.te \
|
||||||
|
qemud.te \
|
||||||
|
rild.te \
|
||||||
system_server.te \
|
system_server.te \
|
||||||
zygote.te
|
zygote.te
|
||||||
|
|||||||
1
target/board/generic_x86/sepolicy/adbd.te
Normal file
1
target/board/generic_x86/sepolicy/adbd.te
Normal file
@@ -0,0 +1 @@
|
|||||||
|
allow adbd qemu_device:chr_file rw_file_perms;
|
||||||
1
target/board/generic_x86/sepolicy/device.te
Normal file
1
target/board/generic_x86/sepolicy/device.te
Normal file
@@ -0,0 +1 @@
|
|||||||
|
type qemu_device, dev_type;
|
||||||
1
target/board/generic_x86/sepolicy/file.te
Normal file
1
target/board/generic_x86/sepolicy/file.te
Normal file
@@ -0,0 +1 @@
|
|||||||
|
type qemud_socket, file_type;
|
||||||
4
target/board/generic_x86/sepolicy/file_contexts
Normal file
4
target/board/generic_x86/sepolicy/file_contexts
Normal file
@@ -0,0 +1,4 @@
|
|||||||
|
/dev/qemu_.* u:object_r:qemu_device:s0
|
||||||
|
/dev/socket/qemud u:object_r:qemud_socket:s0
|
||||||
|
/system/bin/qemud u:object_r:qemud_exec:s0
|
||||||
|
/sys/qemu_trace(/.*)? -- u:object_r:sysfs_writable:s0
|
||||||
1
target/board/generic_x86/sepolicy/mediaserver.te
Normal file
1
target/board/generic_x86/sepolicy/mediaserver.te
Normal file
@@ -0,0 +1 @@
|
|||||||
|
allow mediaserver qemu_device:chr_file rw_file_perms;
|
||||||
6
target/board/generic_x86/sepolicy/qemud.te
Normal file
6
target/board/generic_x86/sepolicy/qemud.te
Normal file
@@ -0,0 +1,6 @@
|
|||||||
|
# qemu support daemon
|
||||||
|
type qemud, domain;
|
||||||
|
type qemud_exec, exec_type, file_type;
|
||||||
|
|
||||||
|
init_daemon_domain(qemud)
|
||||||
|
unconfined_domain(qemud)
|
||||||
2
target/board/generic_x86/sepolicy/rild.te
Normal file
2
target/board/generic_x86/sepolicy/rild.te
Normal file
@@ -0,0 +1,2 @@
|
|||||||
|
allow rild qemu_device:chr_file rw_file_perms;
|
||||||
|
unix_socket_connect(rild, qemud, qemud)
|
||||||
@@ -1 +1,3 @@
|
|||||||
allow system_server self:process execmem;
|
allow system_server self:process execmem;
|
||||||
|
unix_socket_connect(system_server, qemud, qemud)
|
||||||
|
allow system_server qemu_device:chr_file rw_file_perms;
|
||||||
|
|||||||
Reference in New Issue
Block a user