author | Jeff Vander Stoep <jeffv@google.com> | 2018-01-30 13:54:42 -0800 |
---|---|---|
committer | Jeff Vander Stoep <jeffv@google.com> | 2018-01-30 13:54:42 -0800 |
commit | 21b2b203f447de27f8b0ca5d4cd7e1180b1ed648 (patch) | |
tree | 96baa06daafdc5748bd895bb0ac49b8c846d7e79 | |
parent | ef44fea5846fa8c70d4b7f604e7234d2dfcceeac (diff) | |
download | dragon-21b2b203f447de27f8b0ca5d4cd7e1180b1ed648.tar.gz |
Correctly label data typesandroid-p-preview-1
Data outside /data/vendor must have the core_data_file_type
attribute.
Test: build (this is a build time test)
Bug: 34980020
Change-Id: I7edb172242ad9edca14f2fde6c4fb1f8ee888ae7
-rw-r--r-- | sepolicy/crash_collector.te | 2 | ||||
-rw-r--r-- | sepolicy/dump_bq25892.te | 2 | ||||
-rw-r--r-- | sepolicy/file_contexts | 2 | ||||
-rw-r--r-- | sepolicy/tee.te | 5 | ||||
-rw-r--r-- | sepolicy/touch_fw_update.te | 2 |
5 files changed, 8 insertions, 5 deletions
diff --git a/sepolicy/crash_collector.te b/sepolicy/crash_collector.te
index 3aa612b..ac89e1c 100644
--- a/sepolicy/crash_collector.te
+++ b/sepolicy/crash_collector.te
@@ -1,6 +1,6 @@
 type crash_collector, domain, device_domain_deprecated;
 type crash_collector_exec, exec_type, file_type;
-type crash_reports_data_file, file_type, data_file_type;
+type crash_reports_data_file, file_type, data_file_type, core_data_file_type;
 # To start crash_collector via /proc/sys/core_pattern.
 domain_auto_trans(kernel, crash_collector_exec, crash_collector)
diff --git a/sepolicy/dump_bq25892.te b/sepolicy/dump_bq25892.te
index 286de95..6f397c7 100644
--- a/sepolicy/dump_bq25892.te
+++ b/sepolicy/dump_bq25892.te
@@ -2,7 +2,7 @@
 # which is used to debug information about the state of the charger chip
 type dump_bq25892, domain, device_domain_deprecated;
 type dump_bq25892_exec, exec_type, file_type;
-type fw_logs_data_file, file_type, data_file_type;
+type fw_logs_data_file, file_type, data_file_type, core_data_file_type;
 init_daemon_domain(dump_bq25892)
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index de95310..4b47ea2 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -62,7 +62,7 @@
 /dev/tlk_device u:object_r:tee_device:s0
 # secure os storage
-/data/ss(/.*)? u:object_r:tee_data_file:s0
+/data/ss(/.*)? u:object_r:dragon_tee_data_file:s0
 # tlk_daemon
 /vendor/bin/tlk_daemon u:object_r:tee_exec:s0
diff --git a/sepolicy/tee.te b/sepolicy/tee.te
index 6888483..5788c22 100644
--- a/sepolicy/tee.te
+++ b/sepolicy/tee.te
@@ -1,4 +1,7 @@
-allow tee tee_data_file:dir create_dir_perms;
+type dragon_tee_data_file, file_type, data_file_type, core_data_file_type;
+
+allow tee dragon_tee_data_file:dir create_dir_perms;
+allow tee dragon_tee_data_file:file create_file_perms;
 allow tee self:capability { setuid setgid sys_rawio };
 allow tee block_device:dir search;
 allow tee rpmb_block_device:blk_file rw_file_perms;
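Review bot: `crash_reports_data_file` gains `core_data_file_type` with no comment recording why, and the same holds for `fw_logs_data_file` in dump_bq25892.te and `touch_fw_update_log_file` in touch_fw_update.te. Going by the commit message, the attribute is required because these files live outside /data/vendor, but nothing next to the declarations says so, and a later cleanup could drop the attribute or move the data without updating it. A one-line comment above each declaration would help, for example `# Stored outside /data/vendor, so the type must carry core_data_file_type (b/34980020).` It is also worth confirming that no platform rule written against the attribute now reaches crash reports or firmware logs more broadly than intended; that cannot be judged from this diff.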
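Review bot: The new label on `/data/ss(/.*)?` only applies to files that are relabelled, so a device upgrading with an existing /data/ss keeps `tee_data_file` on those files until a restorecon covers that path. This commit also removes the `tee_data_file:dir` rule from tee.te, so tee could be denied access to its secure storage in that window unless a rule outside this diff still covers the old type. The init scripts are not part of this diff; confirm that /data/ss is recursively relabelled before tlk_daemon starts, and watch for `avc: denied` entries naming `tee_data_file` after an upgrade.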
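Review bot: `allow tee dragon_tee_data_file:file create_file_perms;` has no counterpart among the removed lines, which only granted `dir` permissions on `tee_data_file`. Either the file permission previously came from a rule outside this file (not visible here) or it is a new grant, and the commit message does not say which. The new type declaration also lacks a comment tying it to its path; something like `# tlk_daemon secure OS storage under /data/ss (see file_contexts)` above `type dragon_tee_data_file` would make the pairing with the file_contexts entry explicit. If tee only needs to read and write existing files, a narrower permission set than `create_file_perms` may be enough.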
diff --git a/sepolicy/touch_fw_update.te b/sepolicy/touch_fw_update.te
index 2f62e04..5f5d775 100644
--- a/sepolicy/touch_fw_update.te
+++ b/sepolicy/touch_fw_update.te
@@ -1,7 +1,7 @@
 # init runs /system/bin/touchfwup.sh
 type touch_fw_update, domain, device_domain_deprecated;
 type touch_fw_update_exec, exec_type, file_type;
-type touch_fw_update_log_file, file_type, data_file_type;
+type touch_fw_update_log_file, file_type, data_file_type, core_data_file_type;
 init_daemon_domain(touch_fw_update) |