| Pierre-Hugues Husson | 40ae104 | 2017-12-19 13:08:26 +0100 | [diff] [blame] | 1 | type phhsu_daemon, domain; |
| 2 | type phhsu_exec, exec_type, file_type; |
| 3 | |
| 4 | typeattribute phhsu_daemon coredomain; |
| 5 | permissive phhsu_daemon; |
| 6 | |
| 7 | tmpfs_domain(phhsu_daemon); |
| 8 | domain_auto_trans(init, phhsu_exec, phhsu_daemon); |
| 9 | file_type_auto_trans(phhsu_daemon, device, phhsu_daemon); |
| 10 | |
| 11 | allow { appdomain shell } phhsu_daemon:unix_stream_socket { connectto write read }; |
| 12 | allow { appdomain shell } phhsu_daemon:sock_file { write read }; |
| 13 | allow { appdomain shell } phhsu_exec:file { getattr read open execute execute_no_trans }; |
| 14 | |
| 15 | create_pty(shell) |
| 16 | allowxperm shell devpts:chr_file ioctl TCSETSF; |
| Pierre-Hugues Husson | 2623dc5 | 2018-08-07 12:49:42 +0200 | [diff] [blame] | 17 | #allowxperm untrusted_app untrusted_app_devpts:chr_file ioctl TCSETSF; |
| Pierre-Hugues Husson | 40ae104 | 2017-12-19 13:08:26 +0100 | [diff] [blame] | 18 | |
| 19 | allow servicemanager phhsu_daemon:dir { search read }; |
| 20 | allow servicemanager phhsu_daemon:file { open read }; |
| 21 | allow servicemanager phhsu_daemon:process { getattr }; |
| 22 | allow servicemanager phhsu_daemon:binder { call transfer }; |
| 23 | |
| 24 | typeattribute phhsu_daemon mlstrustedobject; |
| 25 | typeattribute phhsu_daemon mlstrustedsubject; |
| 26 | |
| 27 | allow shell su_exec:file getattr; |
| 28 | typeattribute su mlstrustedsubject; |
| 29 | |
| 30 | allow phhsu_daemon { system_api_service app_api_service system_server_service }:service_manager find; |
| 31 | |
| Pierre-Hugues Husson | e5bf6a5 | 2018-05-19 13:39:22 +0200 | [diff] [blame] | 32 | allow system_server phhsu_daemon:fifo_file { read write }; |
| Pierre-Hugues Husson | 40ae104 | 2017-12-19 13:08:26 +0100 | [diff] [blame] | 33 | allow system_server phhsu_daemon:fd use; |
| Pierre-Hugues Husson | b91085d | 2017-12-21 23:20:52 +0100 | [diff] [blame] | 34 | allow system_server phhsu_daemon:binder { call transfer }; |
| 35 | allow system_server shell_devpts:chr_file { read write }; |
| Pierre-Hugues Husson | 40ae104 | 2017-12-19 13:08:26 +0100 | [diff] [blame] | 36 | |
| 37 | # Add su to various domains |
| Pierre-Hugues Husson | dbfa3c7 | 2018-05-01 22:03:36 +0200 | [diff] [blame] | 38 | net_domain(phhsu_daemon) |
| Pierre-Hugues Husson | 40ae104 | 2017-12-19 13:08:26 +0100 | [diff] [blame] | 39 | |
| Pierre-Hugues Husson | dbfa3c7 | 2018-05-01 22:03:36 +0200 | [diff] [blame] | 40 | hwbinder_use(phhsu_daemon) |
| Pierre-Hugues Husson | 40ae104 | 2017-12-19 13:08:26 +0100 | [diff] [blame] | 41 | |
| 42 | allow phhsu_daemon toolbox_exec:file { read open execute_no_trans }; |
| Pierre-Hugues Husson | 2623dc5 | 2018-08-07 12:49:42 +0200 | [diff] [blame] | 43 | #allow phhsu_daemon untrusted_app_devpts:chr_file { getattr }; |
| Pierre-Hugues Husson | 40ae104 | 2017-12-19 13:08:26 +0100 | [diff] [blame] | 44 | allow phhsu_daemon zygote_exec:file { execute read open execute_no_trans getattr }; |
| 45 | |
| Pierre-Hugues Husson | 2623dc5 | 2018-08-07 12:49:42 +0200 | [diff] [blame] | 46 | #allow phhsu_daemon phhsu_daemon:capability { setuid setgid dac_override chown}; |
| Pierre-Hugues Husson | 40ae104 | 2017-12-19 13:08:26 +0100 | [diff] [blame] | 47 | |
| 48 | allow appdomain phhsu_daemon:dir { search }; |