| # cbd.te |
| |
| type cbd, domain; |
| type cbd_exec, exec_type, vendor_file_type, file_type; |
| |
| allow cbd self:capability setuid; |
| |
| # cbd is started by init, type transit from init domain to cbd domain |
| init_daemon_domain(cbd) |
| |
| # /dev/block/ |
| allow cbd block_device:dir search; |
| |
| # /data/vendor/log |
| allow cbd log_vendor_data_file:dir search; |
| |
| # /data/vendor/log/cbd |
| allow cbd log_cbd_vendor_data_file:dir create_dir_perms; |
| allow cbd log_cbd_vendor_data_file:file create_file_perms; |
| |
| # /dev/block/platform/.+/by-name/radio |
| allow cbd radio_block_device:blk_file r_file_perms; |
| |
| # /dev/kmsg |
| allow cbd kmsg_device:chr_file rw_file_perms; |
| |
| # /dev/umts_* |
| allow cbd vendor_radio_device:chr_file rw_file_perms; |
| |
| # /mnt/vendor/ |
| allow cbd mnt_vendor_file:dir search; |
| |
| # /mnt/vendor/efs/ |
| allow cbd efs_file:dir r_dir_perms; |
| |
| # /mnt/vendor/efs/factory.prop |
| allow cbd efs_file:file r_file_perms; |
| |
| # /mnt/vendor/efs/nv_data.bin |
| allow cbd bin_nv_data_efs_file:file r_file_perms; |
| |
| # /proc/cmdline |
| allow cbd proc_cmdline:file r_file_perms; |
| |
| # /sys/power/wake_unlock |
| allow cbd sysfs_wake_lock:file rw_file_perms; |
| |
| # /sys/devices/platform/10000.mif_pdata/sim/ |
| allow cbd sysfs_sim:dir r_dir_perms; |
| allow cbd sysfs_sim:file r_file_perms; |
| |
| # /sys/devices/platform/10000.mif_pdata/sim/ds_detect |
| allow cbd sysfs_sim_writable:file rw_file_perms; |
| |
| # kernel log |
| allow cbd kernel:system syslog_read; |
| |
| # vendor.cbd. |
| set_prop(cbd, vendor_cbd_prop) |
| |
| # FIXME: Can we be more specific? |
| allow cbd vendor_shell_exec:file execute_no_trans; |
| # FIXME END |