init.te

      a80e4d72
      SELinux changes for Treble Loadable Kernel Module · a80e4d72
      Howard Chen authored
      This change extends the recovery mode modprobe sepolicy
      to support loadable kernel module in normal mode by using
      statement below in init.rc:
      
      exec u:r:modprobe:s0 -- /system/bin/modprobe \
          -d /vendor/lib/modules mod
      
      Bug: b/35653245
      Test: sailfish  with local built kernel and LKM enabled
      Change-Id: I827e2ce387c899db3e0e179da92e79c75d61f5ae
    vold.te 2.46 KiB
    # volume manager
    # Declares the vold process type (carrying the `domain` attribute) and
    # vold_exec, the type for its executable file.
    type vold, domain;
    type vold_exec, exec_type, file_type;
    
    # init_daemon_domain is a macro defined outside this file.
    # NOTE(review): presumably it sets up the init -> vold domain transition
    # when init executes a vold_exec file -- confirm against te_macros.
    init_daemon_domain(vold)
    
    # Core filesystem, device and capability permissions for vold.
    # The *_perms names used below are permission-set macros defined outside
    # this file; read each rule together with the macro definition.

    # NOTE(review): mlstrustedsubject is declared outside this file; by AOSP
    # convention it exempts the subject from MLS/MCS constraints -- confirm in
    # the mls policy before relying on category separation against vold.
    typeattribute vold mlstrustedsubject;
    allow vold system_file:file x_file_perms;
    # Directories and block-device nodes labelled block_device.
    allow vold block_device:dir create_dir_perms;
    allow vold block_device:blk_file create_file_perms;
    allow vold device:dir write;
    allow vold devpts:chr_file rw_file_perms;
    # Mount points and filesystem operations: rootfs, sdcard types, tmpfs.
    allow vold rootfs:dir mounton;
    allow vold sdcard_type:dir mounton;
    allow vold sdcard_type:filesystem { mount remount unmount };
    allow vold sdcard_type:dir create_dir_perms;
    allow vold sdcard_type:file create_file_perms;
    allow vold tmpfs:filesystem { mount unmount };
    allow vold tmpfs:dir create_dir_perms;
    allow vold tmpfs:dir mounton;
    # Capabilities vold may use on itself. dac_override and sys_admin are
    # broad: with dac_override, Unix file-mode checks no longer restrict vold,
    # so the type-enforcement rules in this policy are the remaining limit on
    # which objects it can reach.
    allow vold self:capability { net_admin dac_override mknod sys_admin chown fowner fsetid };
    # `*` grants every permission defined for this socket class.
    # NOTE(review): consider enumerating only the permissions vold uses.
    allow vold self:netlink_kobject_uevent_socket *;
    # Search app data directories and read/write files labelled app_data_file.
    # NOTE(review): this reaches application-private data; the file does not
    # say which vold feature needs it -- confirm it is still required.
    allow vold app_data_file:dir search;
    allow vold app_data_file:file rw_file_perms;
    # Loop and device-mapper device nodes.
    allow vold loop_device:blk_file rw_file_perms;
    allow vold dm_device:chr_file rw_file_perms;
    # For vold Process::killProcessesWithOpenFiles function.
    # The target here is the `domain` attribute, so these rules apply to every
    # type that carries it: vold may read the dirs, files and symlinks labelled
    # with any such type and may send signal/sigkill to those processes.
    # NOTE(review): presumably the dir/file/lnk_file objects are /proc/<pid>
    # entries -- confirm. There is no exclusion for init or other critical
    # domains in the rules shown here.
    allow vold domain:dir r_dir_perms;
    allow vold domain:{ file lnk_file } r_file_perms;
    allow vold domain:process { signal sigkill };
    # sys_ptrace and kill are capability checks on vold itself, in addition to
    # the capability set granted earlier in this file.
    # NOTE(review): sys_ptrace is wider than reading another process's open
    # files strictly suggests -- confirm it is needed.
    allow vold self:capability { sys_ptrace kill };
    
    # For blkid
    # Read and execute files labelled shell_exec.
    # NOTE(review): rx_file_perms is defined outside this file; if it includes
    # execute_no_trans (as in AOSP's global macros), the shell runs inside the
    # vold domain with all of vold's permissions rather than in a narrower
    # domain -- confirm, and prefer a dedicated domain for the helper.
    allow vold shell_exec:file rx_file_perms;
    
    # XXX Label sysfs files with a specific type?
    # As written, vold gets read/write on every file that carries the generic
    # sysfs label, not only the nodes it actually uses; a dedicated type for
    # those nodes would let this rule be narrowed.
    allow vold sysfs:file rw_file_perms;
    
    # write_klog is a macro defined outside this file.
    # NOTE(review): presumably it lets vold write to the kernel log -- confirm
    # against te_macros.
    write_klog(vold)
    
    # Log fsck results
    # vold may read/write the fscklogs directory and create files in it.
    allow vold fscklogs:dir rw_dir_perms;
    allow vold fscklogs:file create_file_perms;
    
    #
    # Rules to support encrypted fs support.
    #
    
    # Set property.
    # unix_socket_connect is a macro defined outside this file.
    # NOTE(review): presumably it allows vold to connect to init's property
    # socket -- confirm against te_macros. Which properties vold may actually
    # set is governed by separate property_service rules.
    unix_socket_connect(vold, property, init)
    
    # Unmount and mount the fs.
    allow vold labeledfs:filesystem { mount unmount remount };
    
    # Access /efs/userdata_footer.
    # XXX Split into a separate type?
    # As written, the rule covers every file labelled efs_file, not only the
    # footer named above.
    allow vold efs_file:file rw_file_perms;
    
    # Create and mount on /data/tmp_mnt.
    # The rule is on the system_data_file type as a whole, so it is not limited
    # to the tmp_mnt directory named above.
    allow vold system_data_file:dir { create rw_dir_perms mounton };
    
    # Set scheduling policy of kernel processes
    allow vold kernel:process setsched;
    
    # Property Service
    # vold may set properties labelled with these three types. The mapping from
    # property names to these types is defined outside this file.
    # NOTE(review): by AOSP convention powerctl_prop covers the shutdown/reboot
    # control property and ctl_default_prop covers ctl.* service control not
    # given a more specific type -- confirm in property_contexts; if so, the
    # last rule lets vold start or stop arbitrary init services.
    allow vold vold_prop:property_service set;
    allow vold powerctl_prop:property_service set;
    allow vold ctl_default_prop:property_service set;
    
    # ASEC
    # Create and manage files labelled asec_image_file; read/write their
    # directories.
    allow vold asec_image_file:file create_file_perms;
    allow vold asec_image_file:dir rw_dir_perms;
    # security_access_policy is a macro defined outside this file.
    # NOTE(review): its expansion is not visible here -- confirm what it grants
    # before treating this section as ASEC-only.
    security_access_policy(vold)
    # For asec_apk_file, files are readable but not writable; setattr is
    # granted on both files and directories.
    allow vold asec_apk_file:dir { rw_dir_perms setattr };
    allow vold asec_apk_file:file { r_file_perms setattr };
    
    # Handle wake locks (used for device encryption)
    # Read/write the files labelled sysfs_wake_lock, plus the block_suspend
    # capability (class capability2) on vold itself.
    allow vold sysfs_wake_lock:file rw_file_perms;
    allow vold self:capability2 block_suspend;