From 9d87c647afdc478245579090eae1ca2d1ae8d341 Mon Sep 17 00:00:00 2001
From: Sami Tolvanen <samitolvanen@google.com>
Date: Wed, 18 Feb 2015 13:59:38 +0000
Subject: [PATCH] Allow init to execute /sbin/slideshow
Add rules to allow /sbin/slideshow to access framebuffer and input devices at early stages of boot, and rules to allow init to execute the program (from init.rc using exec). Needed by changes from I58c79a7f3ac747eec0d73a10f018d3d8ade9df7d
Change-Id: I1d5018feb7025853f0bf81651f497fef8c3a6ab0
---
 domain.te | 2 +-
 init.te | 1 +
 slideshow.te | 13 +++++++++++++
 3 files changed, 15 insertions(+), 1 deletion(-)
 create mode 100644 slideshow.te
diff --git a/domain.te b/domain.te
index bc5523798..d835ee940 100644
--- a/domain.te
+++ b/domain.te
@@ -180,7 +180,7 @@ neverallow { domain -init -recovery } unlabeled:dir_file_class_set create;
 neverallow { domain -debuggerd -vold -dumpstate -system_server } self:capability sys_ptrace;
 # Limit device node creation to these whitelisted domains.
-neverallow { domain -kernel -init -recovery -ueventd -watchdogd -healthd -vold -uncrypt } self:capability mknod;
+neverallow { domain -kernel -init -recovery -ueventd -watchdogd -healthd -vold -uncrypt -slideshow } self:capability mknod;
 # Limit raw I/O to these whitelisted domains.
 neverallow { domain -kernel -init -recovery -ueventd -watchdogd -healthd -vold -uncrypt -tee } self:capability sys_rawio;
diff --git a/init.te b/init.te
index 8b0ab422d..14e9f8065 100644
--- a/init.te
+++ b/init.te
@@ -140,6 +140,7 @@ allow init sysfs_type:file w_file_perms;
 # Transitions to seclabel processes in init.rc
 domain_trans(init, rootfs, adbd)
 domain_trans(init, rootfs, healthd)
+domain_trans(init, rootfs, slideshow)
 recovery_only(`
 domain_trans(init, rootfs, recovery)
 ')
diff --git a/slideshow.te b/slideshow.te
new file mode 100644
index 000000000..1a22fb55c
--- /dev/null
+++ b/slideshow.te
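Review bot: The `-slideshow` exception added to the mknod neverallow in domain.te lets one more domain create device nodes, and neither this hunk nor the new slideshow.te says why. The matching rule there, `allow slideshow self:capability { mknod sys_tty_config };`, has no comment; the need presumably comes from `write_klog(slideshow)`, but that is inferred and should be confirmed by the author. A comment above the allow rule such as `# mknod: needed for <purpose, to be stated by the author>; see the mknod neverallow in domain.te` would keep the whitelist auditable. If the capability turns out not to be required, dropping it from slideshow.te would let this neverallow stay unchanged.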
@@ -0,0 +1,13 @@
+# slideshow seclabel is specified in init.rc since
+# it lives in the rootfs and has no unique file type.
+type slideshow, domain;
+
+write_klog(slideshow)
+allow slideshow device:dir r_dir_perms;
+allow slideshow self:capability { mknod sys_tty_config };
+allow slideshow graphics_device:dir r_dir_perms;
+allow slideshow graphics_device:chr_file rw_file_perms;
+allow slideshow input_device:dir r_dir_perms;
+allow slideshow input_device:chr_file r_file_perms;
+allow slideshow tty_device:chr_file rw_file_perms;
+
-- GitLab
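Review bot: The allow rules in the new slideshow.te carry no comments tying each grant to what the program does, which makes later least-privilege review harder for a domain that runs early in boot. The commit message names framebuffer and input access, so the grouping could be made explicit with `# Draw to the framebuffer.` above the two graphics_device rules and `# Read input events.` above the two input_device rules. The `tty_device:chr_file rw_file_perms` rule and the `sys_tty_config` capability are not explained in the message; a one-line comment stating why each is needed would show whether read-write tty access is required or read-only would do.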