From 611c2d70a06107d22dfee4f3b1eaf29224b64b33 Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep
Date: Tue, 21 Nov 2017 13:17:09 -0800
Subject: [PATCH] Move hal_bootctl rules to hal_bootctl_default

This more clearly attributes the permissions to the actual domain and prevents a build breakage when building recovery due to a userdebug-only neverallow exemption for hal_bootctl.

Bug: 69566734
Test: build user build
Change-Id: I5ed3c04b3709ac7b00234402788f5f1ae88e6f61
---
sepolicy/vendor/hal_bootctl.te | 31 --------------------------
sepolicy/vendor/hal_bootctl_default.te | 31 ++++++++++++++++++++++++++
2 files changed, 31 insertions(+), 31 deletions(-)
delete mode 100644 sepolicy/vendor/hal_bootctl.te
create mode 100644 sepolicy/vendor/hal_bootctl_default.te

diff --git a/sepolicy/vendor/hal_bootctl.te b/sepolicy/vendor/hal_bootctl.te
deleted file mode 100644
index bdb9e124..00000000
--- a/sepolicy/vendor/hal_bootctl.te
+++ /dev/null
@@ -1,31 +0,0 @@
-# These are the permissions required to use the boot_control HAL implemented
-# here: hardware/qcom/bootctrl/boot_control.c
-
-# Getting and setting GPT attributes for the bootloader iterates over all the
-# partition names in the block_device directory /dev/block/.../by-name
-allow hal_bootctl block_device:dir r_dir_perms;
-
-# Edit the attributes stored in the GPT.
-allow hal_bootctl gpt_block_device:blk_file rw_file_perms;
-allow hal_bootctl ab_block_device:blk_file getattr;
-allow hal_bootctl boot_block_device:blk_file rw_file_perms;
-allow hal_bootctl modem_block_device:blk_file getattr;
-allow hal_bootctl system_block_device:blk_file getattr;
-allow hal_bootctl misc_block_device:blk_file rw_file_perms;
-
-# Access /dev/sgN devices (generic SCSI) to write the
-# A/B slot selection for the XBL partition. Allow also to issue a
-# UFS_IOCTL_QUERY ioctl.
-allow hal_bootctl sg_device:chr_file rw_file_perms;
-allow hal_bootctl self:capability sys_admin;
-allow hal_bootctl tmpfs:lnk_file r_file_perms;
-
-# Read the sysfs to lookup what /dev/sgN device
-# corresponds to the XBL partitions.
-allow hal_bootctl sysfs:dir r_dir_perms;
-
-# Write to the XBL devices.
-allow hal_bootctl xbl_block_device:blk_file rw_file_perms;
-
-# Expose a socket for brokered boot message access for hal_oemlock.
-allow hal_bootctl hal_bootctl_socket:sock_file create_file_perms;
diff --git a/sepolicy/vendor/hal_bootctl_default.te b/sepolicy/vendor/hal_bootctl_default.te
new file mode 100644
index 00000000..09a00891
--- /dev/null
+++ b/sepolicy/vendor/hal_bootctl_default.te
@@ -0,0 +1,31 @@
+# These are the permissions required to use the boot_control HAL implemented
+# here: hardware/qcom/bootctrl/boot_control.c
+
+# Getting and setting GPT attributes for the bootloader iterates over all the
+# partition names in the block_device directory /dev/block/.../by-name
+allow hal_bootctl_default block_device:dir r_dir_perms;
+
+# Edit the attributes stored in the GPT.
+allow hal_bootctl_default gpt_block_device:blk_file rw_file_perms;
+allow hal_bootctl_default ab_block_device:blk_file getattr;
+allow hal_bootctl_default boot_block_device:blk_file rw_file_perms;
+allow hal_bootctl_default modem_block_device:blk_file getattr;
+allow hal_bootctl_default system_block_device:blk_file getattr;
+allow hal_bootctl_default misc_block_device:blk_file rw_file_perms;
+
+# Access /dev/sgN devices (generic SCSI) to write the
+# A/B slot selection for the XBL partition. Allow also to issue a
+# UFS_IOCTL_QUERY ioctl.
+allow hal_bootctl_default sg_device:chr_file rw_file_perms;
+allow hal_bootctl_default self:capability sys_admin;
+allow hal_bootctl_default tmpfs:lnk_file r_file_perms;
+
+# Read the sysfs to lookup what /dev/sgN device
+# corresponds to the XBL partitions.
+allow hal_bootctl_default sysfs:dir r_dir_perms;
+
+# Write to the XBL devices.
+allow hal_bootctl_default xbl_block_device:blk_file rw_file_perms;
+
+# Expose a socket for brokered boot message access for hal_oemlock.
+allow hal_bootctl_default hal_bootctl_socket:sock_file create_file_perms;
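Review bot: The rule `allow hal_bootctl_default sg_device:chr_file rw_file_perms;` grants the ioctl permission with no command filter visible in this file, although the comment above it names only UFS_IOCTL_QUERY as the ioctl that is needed. If the target kernel and policy version support extended permissions, consider pairing it with `allowxperm hal_bootctl_default sg_device:chr_file ioctl { <placeholder: ioctl commands boot_control.c issues> };` so the domain is limited to the ioctl commands it actually uses on /dev/sgN. The neighbouring `allow hal_bootctl_default self:capability sys_admin;` has no stated reason of its own; a comment such as `# sys_admin: needed for <operation>; confirm against boot_control.c` would let a later reviewer judge whether the capability can be dropped. Since the commit was only build-tested, it is worth confirming on a device that no other domain carrying the hal_bootctl attribute relied on the removed attribute-level rules.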