Skip to content
Snippets Groups Projects
Commit dc0c51ea authored by Alex Deymo's avatar Alex Deymo Committed by android-build-merger
Browse files

Move boot_control HAL permissions to an attribute.

am: 0f8d9261

* commit '0f8d9261':
  Move boot_control HAL permissions to an attribute.

Change-Id: Id6f6814acb1fc48489e893cbd407972afb8ea220
parents b2af6f26 0f8d9261
No related branches found
No related tags found
No related merge requests found
...@@ -100,3 +100,8 @@ attribute bluetoothdomain; ...@@ -100,3 +100,8 @@ attribute bluetoothdomain;
# All domains used for binder service domains. # All domains used for binder service domains.
attribute binderservicedomain; attribute binderservicedomain;
# All domains that access the boot_control HAL. The permissions the HAL
# requires are specific to the implementation provided in each device, but
# common daemons need to be aware of those when calling into the HAL.
attribute boot_control_hal;
# Allow read/write bootctrl block device, if one is defined.
allow boot_control_hal bootctrl_block_device:blk_file rw_file_perms;
# Domain for update_engine daemon. # Domain for update_engine daemon.
type update_engine, domain, domain_deprecated; # update_engine uses the boot_control_hal.
type update_engine, domain, domain_deprecated, boot_control_hal;
type update_engine_exec, exec_type, file_type; type update_engine_exec, exec_type, file_type;
type update_engine_data_file, file_type, data_file_type; type update_engine_data_file, file_type, data_file_type;
...@@ -55,6 +56,3 @@ allow update_engine update_engine_service:service_manager { add }; ...@@ -55,6 +56,3 @@ allow update_engine update_engine_service:service_manager { add };
# Allow update_engine to call the callback function provided by priv_app. # Allow update_engine to call the callback function provided by priv_app.
binder_call(update_engine, priv_app) binder_call(update_engine, priv_app)
# Allow read/write bootctrl block device.
allow update_engine bootctrl_block_device:blk_file rw_file_perms;
# update_verifier # update_verifier
type update_verifier, domain; # update_verifier uses the boot_control_hal.
type update_verifier, domain, boot_control_hal;
type update_verifier_exec, exec_type, file_type; type update_verifier_exec, exec_type, file_type;
init_daemon_domain(update_verifier) init_daemon_domain(update_verifier)
# Raw writes to bootctrl block device
allow update_verifier bootctrl_block_device:blk_file rw_file_perms;
# TODO: Add rules to allow update_verifier to read system_block_device. # TODO: Add rules to allow update_verifier to read system_block_device.
0% Loading or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment