3e8dbf01ef
app_domain was split up in commit:2e00e6373f
to enable compilation by hiding type_transition rules from public policy. These rules need to be hidden from public policy because they describe how objects are labeled, of which non-platform should be unaware. Instead of cutting apart the app_domain macro, which non-platform policy may rely on for implementing new app types, move all app_domain calls to private policy. (cherry-pick of commit:76035ea019
) Bug: 33428593 Test: bullhead and sailfish both boot. sediff shows no policy change. Change-Id: I4beead8ccc9b6e13c6348da98bb575756f539665
42 lines
1.3 KiB
Plaintext
42 lines
1.3 KiB
Plaintext
# phone subsystem
|
|
type radio, domain, domain_deprecated, mlstrustedsubject;
|
|
|
|
net_domain(radio)
|
|
bluetooth_domain(radio)
|
|
binder_service(radio)
|
|
|
|
# Talks to rild via the rild socket.
|
|
unix_socket_connect(radio, rild, rild)
|
|
|
|
# Data file accesses.
|
|
allow radio radio_data_file:dir create_dir_perms;
|
|
allow radio radio_data_file:notdevfile_class_set create_file_perms;
|
|
|
|
allow radio alarm_device:chr_file rw_file_perms;
|
|
|
|
allow radio net_data_file:dir search;
|
|
allow radio net_data_file:file r_file_perms;
|
|
|
|
# Property service
|
|
set_prop(radio, radio_prop)
|
|
set_prop(radio, system_radio_prop)
|
|
set_prop(radio, net_radio_prop)
|
|
auditallow radio net_radio_prop:property_service set;
|
|
auditallow radio system_radio_prop:property_service set;
|
|
|
|
# ctl interface
|
|
set_prop(radio, ctl_rildaemon_prop)
|
|
|
|
allow radio audioserver_service:service_manager find;
|
|
allow radio cameraserver_service:service_manager find;
|
|
allow radio drmserver_service:service_manager find;
|
|
allow radio mediaserver_service:service_manager find;
|
|
allow radio nfc_service:service_manager find;
|
|
allow radio radio_service:service_manager { add find };
|
|
allow radio surfaceflinger_service:service_manager find;
|
|
allow radio app_api_service:service_manager find;
|
|
allow radio system_api_service:service_manager find;
|
|
|
|
# Allow access to hwservicemanager for binderized hal
|
|
binder_call(radio, hwservicemanager)
|
|
binder_call(radio, rild) |