70 lines
2.5 KiB
Text
70 lines
2.5 KiB
Text
# rfs_access - rfs_access daemon
|
|
type rfs_access, domain, domain_deprecated;
|
|
type rfs_access_exec, exec_type, file_type;
|
|
init_daemon_domain(rfs_access)
|
|
|
|
#The files created by rfs_access process in the /data folder will have type rfs_file
|
|
type_transition rfs_access system_data_file:{ dir file } rfs_file;
|
|
type_transition rfs_access system_data_file:dir rfs_shared_hlos_file "hlos_rfs";
|
|
|
|
#The files created by rfs_access process in the /persist folder will have type rfs_file
|
|
type_transition rfs_access persist_file:{ dir file } rfs_file;
|
|
type_transition rfs_access persist_file:dir rfs_shared_hlos_file "hlos_rfs";
|
|
|
|
allow rfs_access {
|
|
#To read the uio char device
|
|
uio_device
|
|
#To read the smem log char device
|
|
smem_log_device
|
|
}:chr_file rw_file_perms;
|
|
|
|
#For QMI sockets and IPCR Sockets
|
|
allow rfs_access self:socket create_socket_perms;
|
|
|
|
#For Wakelocks
|
|
wakelock_use(rfs_access)
|
|
|
|
#To create the folders in /data
|
|
allow rfs_access system_data_file:dir create_dir_perms;
|
|
|
|
#To create the folders in /persist
|
|
allow rfs_access persist_file:dir create_dir_perms;
|
|
|
|
#For system folder entries
|
|
r_dir_file(rfs_access, rfs_system_file)
|
|
allow rfs_access rfs_system_file:lnk_file r_file_perms;
|
|
|
|
#For data folder entries
|
|
allow rfs_access rfs_file:dir create_dir_perms;
|
|
allow rfs_access rfs_file:file create_file_perms;
|
|
|
|
allow rfs_access rfs_shared_hlos_file:dir create_dir_perms;
|
|
allow rfs_access rfs_shared_hlos_file:file create_file_perms;
|
|
|
|
#For ramdump entries in /data/tombstones.
|
|
allow rfs_access tombstone_data_file:dir create_dir_perms;
|
|
allow rfs_access tombstone_data_file:file create_file_perms;
|
|
|
|
#For firmware entries in /firmware to read NHLOS.bin files ( only perms to read and get attributes).
|
|
r_dir_file(rfs_access, firmware_file)
|
|
|
|
#For dropping permisions from root and wakelock
|
|
allow rfs_access self:capability {
|
|
setuid
|
|
setgid
|
|
setpcap
|
|
net_bind_service
|
|
};
|
|
|
|
# RFS UID and GIDs were changed and moved from old values to new ones OEM range.
|
|
# The below permissions are required to recursively update the folder ownership
|
|
# to the new values in the OEM range.
|
|
|
|
allow rfs_access self:capability { dac_read_search chown dac_override };
|
|
|
|
#For access to the kmsg device
|
|
allow rfs_access kmsg_device:chr_file w_file_perms;
|
|
|
|
#Prevent other domains from accessing RFS data files.
|
|
neverallow { domain -rfs_access -kernel -recovery -init userdebug_or_eng(`-su') -qti_init_shell } rfs_file:dir create_dir_perms;
|
|
neverallow { domain -rfs_access -kernel -recovery -init userdebug_or_eng(`-su') -qti_init_shell } rfs_file:file create_file_perms;
|