Add restricted permissions to vendor_init

The core SEPolicy for vendor_init is being restricted to the proper Treble restrictions. Since this is a legacy device, it is tagged as a data_between_core_and_vendor_violators and the needed permissions are added to its device specific vendor_init.te Bug: 62875318 Test: boot walleye without audits Change-Id: I13aaa2278e71092d740216d3978dc720afafe8ea
2026-01-29 02:44:24 +00:00 · 2018-01-23 14:15:24 -08:00
parent 42921b4a54
commit a29b489370
3 changed files with 18 additions and 1 deletions
--- a/sepolicy/private/ramoops.te
+++ b/sepolicy/private/ramoops.te
@@ -1,5 +1,4 @@
 type ramoops, domain, coredomain;
-type ramoops_data_file, file_type, data_file_type, core_data_file_type;
 type ramoops_exec, exec_type, file_type;

 init_daemon_domain(ramoops);
--- a/sepolicy/public/ramoops.te
+++ b/sepolicy/public/ramoops.te
@@ -0,0 +1 @@
+type ramoops_data_file, file_type, data_file_type, core_data_file_type;
--- a/sepolicy/vendor/vendor_init.te
+++ b/sepolicy/vendor/vendor_init.te
@@ -1,3 +1,20 @@
+typeattribute vendor_init data_between_core_and_vendor_violators;
+
+allow vendor_init {
+  dhcp_data_file
+  elabel_data_file
+  media_rw_data_file
+  ramoops_data_file
+  system_data_file
+  tombstone_data_file
+  unencrypted_data_file
+  wifi_data_file
+}:dir { create search getattr open read setattr ioctl write add_name remove_name rmdir relabelfrom };
+
+allow vendor_init {
+  unencrypted_data_file
+}:file { create getattr open read write setattr relabelfrom unlink };
+
 allow vendor_init debugfs_clk:file w_file_perms;
 dontaudit vendor_init kernel:system module_request;
				`@@ -0,0 +1 @@`
				`type ramoops_data_file, file_type, data_file_type, core_data_file_type;`