4a478c47f4
Vendor and system components are only allowed to share files by
passing open FDs over HIDL. Ban all directory access and all file
accesses other than what can be applied to an open file:
stat/read/write/append.
This commit marks core data types as core_data_file_type and bans
access to non-core domains with an exemption for apps. A temporary
exemption is also granted to domains that currently rely on
access with TODOs and bug number for each exemption.
Bug: 34980020
Test: Build and boot Marlin. Make phone call, watch youtube video.
No new denials observed.
Change-Id: I320dd30f9f0a5bf2f9bb218776b4bccdb529b197
53 lines
1.9 KiB
Plaintext
53 lines
1.9 KiB
Plaintext
# rild - radio interface layer daemon
|
|
type rild, domain, domain_deprecated;
|
|
hal_server_domain(rild, hal_telephony)
|
|
|
|
net_domain(rild)
|
|
allowxperm rild self:udp_socket ioctl priv_sock_ioctls;
|
|
|
|
allow rild self:netlink_route_socket nlmsg_write;
|
|
allow rild kernel:system module_request;
|
|
allow rild self:capability { setpcap setgid setuid net_admin net_raw };
|
|
allow rild alarm_device:chr_file rw_file_perms;
|
|
allow rild cgroup:dir create_dir_perms;
|
|
allow rild cgroup:{ file lnk_file } r_file_perms;
|
|
allow rild radio_device:chr_file rw_file_perms;
|
|
allow rild radio_device:blk_file r_file_perms;
|
|
allow rild mtd_device:dir search;
|
|
allow rild efs_file:dir create_dir_perms;
|
|
allow rild efs_file:file create_file_perms;
|
|
allow rild shell_exec:file rx_file_perms;
|
|
allow rild bluetooth_efs_file:file r_file_perms;
|
|
allow rild bluetooth_efs_file:dir r_dir_perms;
|
|
# TODO (b/36601950) remove RILD's access to radio_data_file and
|
|
# system_data_file. Remove coredata_in_vendor_violators attribute.
|
|
typeattribute rild coredata_in_vendor_violators;
|
|
allow rild radio_data_file:dir rw_dir_perms;
|
|
allow rild radio_data_file:file create_file_perms;
|
|
allow rild sdcard_type:dir r_dir_perms;
|
|
allow rild system_data_file:dir r_dir_perms;
|
|
allow rild system_data_file:file r_file_perms;
|
|
allow rild system_file:file x_file_perms;
|
|
|
|
# property service
|
|
set_prop(rild, radio_prop)
|
|
|
|
allow rild tty_device:chr_file rw_file_perms;
|
|
|
|
# Allow rild to create and use netlink sockets.
|
|
allow rild self:netlink_socket create_socket_perms_no_ioctl;
|
|
allow rild self:netlink_generic_socket create_socket_perms_no_ioctl;
|
|
allow rild self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
|
|
|
|
# Access to wake locks
|
|
wakelock_use(rild)
|
|
|
|
r_dir_file(rild, proc)
|
|
r_dir_file(rild, proc_net)
|
|
r_dir_file(rild, sysfs_type)
|
|
r_dir_file(rild, system_file)
|
|
|
|
# granting the ioctl permission for rild should be device specific
|
|
allow rild self:socket create_socket_perms_no_ioctl;
|
|
|