| # Copyright (c) 2019, The Linux Foundation. All rights reserved. |
| # |
| # Redistribution and use in source and binary forms, with or without |
| # modification, are permitted provided that the following conditions are |
| # met: |
| # * Redistributions of source code must retain the above copyright |
| # notice, this list of conditions and the following disclaimer. |
| # * Redistributions in binary form must reproduce the above |
| # copyright notice, this list of conditions and the following |
| # disclaimer in the documentation and/or other materials provided |
| # with the distribution. |
| # * Neither the name of The Linux Foundation nor the names of its |
| # contributors may be used to endorse or promote products derived |
| # from this software without specific prior written permission. |
| # |
| # THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED |
| # WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF |
| # MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT |
| # ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS |
| # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR |
| # CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF |
| # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR |
| # BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, |
| # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE |
| # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN |
| # IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
| |
| # rfs_access - rfs_access daemon |
| type rfs_access, domain; |
| type rfs_access_exec, exec_type, vendor_file_type, file_type; |
| init_daemon_domain(rfs_access) |
| |
| #The files created by rfs_access process in the /data folder will have type rfs_file |
| type_transition rfs_access vendor_data_file:dir rfs_shared_hlos_file "hlos_rfs"; |
| |
| type_transition rfs_access mnt_vendor_file:{ dir file } persist_rfs_file; |
| type_transition rfs_access mnt_vendor_file:dir persist_rfs_shared_hlos_file "hlos_rfs"; |
| |
| allow rfs_access { |
| #To read the uio char device |
| uio_device |
| #To read the smem log char device |
| smem_log_device |
| }:chr_file rw_file_perms; |
| |
| #For QMI sockets and IPCR Sockets |
| allow rfs_access self:{ socket qipcrtr_socket } create_socket_perms_no_ioctl; |
| |
| #For Wakelocks |
| wakelock_use(rfs_access) |
| |
| #To create the folders in /persist |
| allow rfs_access mnt_vendor_file:dir create_dir_perms; |
| |
| allow rfs_access persist_rfs_file:dir create_dir_perms; |
| allow rfs_access persist_rfs_file:file create_file_perms; |
| allow rfs_access persist_rfs_shared_hlos_file:dir create_dir_perms; |
| allow rfs_access persist_rfs_shared_hlos_file:file create_file_perms; |
| |
| # RFS vendor data |
| allow rfs_access rfs_file:dir create_dir_perms; |
| allow rfs_access rfs_file:file create_file_perms; |
| allow rfs_access rfs_shared_hlos_file:dir create_dir_perms; |
| allow rfs_access rfs_shared_hlos_file:file create_file_perms; |
| |
| # For ramdump entries in /data/vendor/tombstones. |
| allow rfs_access vendor_tombstone_data_file:dir create_dir_perms; |
| allow rfs_access vendor_tombstone_data_file:file create_file_perms; |
| |
| #For firmware entries in /firmware to read NHLOS.bin files ( only perms to read and get attributes). |
| r_dir_file(rfs_access, firmware_file) |
| |
| #For dropping permisions from root and wakelock |
| allow rfs_access self:capability { |
| setuid |
| setgid |
| setpcap |
| net_bind_service |
| }; |
| |
| # RFS UID and GIDs were changed and moved from old values to new ones OEM range. |
| # The below permissions are required to recursively update the folder ownership |
| # to the new values in the OEM range. |
| |
| allow rfs_access self:capability { chown }; |
| |
| #For access to the kmsg device |
| allow rfs_access kmsg_device:chr_file w_file_perms; |