am bd7da3eb: am 9d87c647: Allow init to execute /sbin/slideshow

* commit 'bd7da3eb': Allow init to execute /sbin/slideshow

am bd7da3eb: am 9d87c647: Allow init to execute /sbin/slideshow
3efd41df · Sami Tolvanen · Android Git Automerger · ca77ce09 · bd7da3eb · 3efd41df
Commit 3efd41df authored 10 years ago by Sami Tolvanen Committed by Android Git Automerger 10 years ago
--- a/domain.te
+++ b/domain.te
@@ -180,7 +180,7 @@ neverallow { domain -init -recovery } unlabeled:dir_file_class_set create;
 neverallow { domain -debuggerd -vold -dumpstate -system_server } self:capability sys_ptrace;
 # Limit device node creation to these whitelisted domains.
-neverallow { domain -kernel -init -recovery -ueventd -watchdogd -healthd -vold -uncrypt } self:capability mknod;
+neverallow { domain -kernel -init -recovery -ueventd -watchdogd -healthd -vold -uncrypt -slideshow } self:capability mknod;
 # Limit raw I/O to these whitelisted domains.
 neverallow { domain -kernel -init -recovery -ueventd -watchdogd -healthd -vold -uncrypt -tee } self:capability sys_rawio;

--- a/init.te
+++ b/init.te
@@ -140,6 +140,7 @@ allow init sysfs_type:file w_file_perms;
 # Transitions to seclabel processes in init.rc
 domain_trans(init, rootfs, adbd)
 domain_trans(init, rootfs, healthd)
+domain_trans(init, rootfs, slideshow)
 recovery_only(`
  domain_trans(init, rootfs, recovery)
 ')

--- a/slideshow.te
+++ b/slideshow.te
+# slideshow seclabel is specified in init.rc since
+# it lives in the rootfs and has no unique file type.
+type slideshow, domain;
+write_klog(slideshow)
+allow slideshow device:dir r_dir_perms;
+allow slideshow self:capability { mknod sys_tty_config };
+allow slideshow graphics_device:dir r_dir_perms;
+allow slideshow graphics_device:chr_file rw_file_perms;
+allow slideshow input_device:dir r_dir_perms;
+allow slideshow input_device:chr_file r_file_perms;
+allow slideshow tty_device:chr_file rw_file_perms;