
Anonymous committed bc7426f Merge

Merge "New sensors-config selinux policy."

  • Parent commits 62b7856, b5a701c


Files changed (2)

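--- a/init.grouper.rc
+++ b/init.grouper.rc
     chown bluetooth net_bt_stack /data/misc/bluetooth
 
     # sensors-config
-    mkdir /data/sensors 751 system system
-    mkdir /data/lightsensor 751 system system
+    mkdir /data/sensors 751
+    # /data/sensors was owned by system/system earlier.
+    # Force it to root/root if it already exists.
+    chown root root /data/sensors
+    mkdir /data/lightsensor 751
+    # /data/lightsensor was owned by system/system earlier.
+    # Force it to root/root if it already exists.
+    chown root root /data/lightsensor
     mkdir /data/calibration
     mkdir /data/amit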
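Review bot: The 751 mode kept on `mkdir /data/sensors 751` and `mkdir /data/lightsensor 751` was chosen when the directories were system:system; with the new root:root ownership the group `r-x` bits now belong to root, and any process running in the system group (presumably the sensor HAL that consumes these files — confirm) drops to the `--x` "other" bits, so it can still traverse by known path but can no longer list the directory. If those consumers need to enumerate, keep the group while moving the owner, e.g. `mkdir /data/sensors 751 root system` / `chown root system /data/sensors` (and likewise for /data/lightsensor); otherwise a comment recording that traverse-only access for non-root is intended would save the next reader the question. Note also that init's `chown` is not recursive, so files already present inside these directories keep their old system ownership; the companion policy change in this commit suggests the daemon re-chowns them itself, which is worth stating in the comment so nobody assumes this line fixes up existing contents.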
 

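--- a/sepolicy/sensors_config.te
+++ b/sepolicy/sensors_config.te
 type sensors_data_file, file_type, data_file_type;
 init_daemon_domain(sensors_config)
 file_type_auto_trans(sensors_config, system_data_file, sensors_data_file)
-unconfined_domain(sensors_config)
+
+# Execute toolbox commands
+allow sensors_config shell_exec:file rx_file_perms;
+allow sensors_config system_file:file execute_no_trans;
+
+# Mount /dev/block/platform/sdhci-tegra.3/by-name/PER
+allow sensors_config sensors_data_file:dir mounton;
+allow sensors_config sdcard_external:filesystem { mount unmount };
+allow sensors_config { sdcard_external block_device }:dir search;
+
+# Read from the mounted PER partition
+allow sensors_config sdcard_external:file r_file_perms;
+
+# Need to chmod and chown files (/data/lightsensor, /data/sensors)
+allow sensors_config self:capability { chown fowner };
+
+# Checked as a side effect on the chmod (don't allow)
+dontaudit sensors_config self:capability { fsetid };
+
+# Needed for mount/umount
+allow sensors_config self:capability sys_admin;
+
+# Tries to delete /data/calibration (don't allow)
+dontaudit sensors_config system_data_file:dir remove_name;
+dontaudit sensors_config self:capability dac_override;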
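Review bot: `allow sensors_config self:capability sys_admin;` grants far more than mount(2) — CAP_SYS_ADMIN is effectively root-equivalent for a large set of syscalls — and the same domain may run arbitrary toolbox binaries through `shell_exec` and `system_file execute_no_trans`, so the domain's real privilege is much wider than the per-rule comments suggest. Consider recording that in the comment, e.g. `# Needed for mount/umount. NOTE: CAP_SYS_ADMIN is far broader than mount; if PER only needs to be read at boot, mounting it from init.rc would let this rule go away.`, and confirm whether the unmount path is actually exercised. Separately, `{ sdcard_external block_device }:dir search` together with `sdcard_external:file r_file_perms` is enough to open files on the mounted partition by known path but not to list its directories (`read` on `dir` is not granted), so if the daemon enumerates the PER contents it will still be denied. The `filesystem { mount unmount }` check is made against the filesystem's label, not the block device, so this rule permits mounting any sdcard_external-labelled filesystem onto a `sensors_data_file` directory, not only the PER partition named in the comment. The `type sensors_config` declaration and any rules before it sit outside this hunk, so permissions granted earlier in the file are not visible here.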