| # rfs_access - rfs_access daemon |
| type rfs_access, domain, domain_deprecated; |
| type rfs_access_exec, exec_type, file_type; |
| init_daemon_domain(rfs_access) |
| |
| #The files created by rfs_access process in the /data folder will have type rfs_file |
| type_transition rfs_access system_data_file:{ dir file } rfs_file; |
| type_transition rfs_access system_data_file:dir rfs_shared_hlos_file "hlos_rfs"; |
| |
| #The files created by rfs_access process in the /persist folder will have type rfs_file |
| type_transition rfs_access persist_file:{ dir file } rfs_file; |
| type_transition rfs_access persist_file:dir rfs_shared_hlos_file "hlos_rfs"; |
| |
| allow rfs_access { |
| #To read the uio char device |
| uio_device |
| #To read the smem log char device |
| smem_log_device |
| }:chr_file rw_file_perms; |
| |
| #For QMI sockets and IPCR Sockets |
| allow rfs_access self:socket create_socket_perms; |
| |
| #For Wakelocks |
| wakelock_use(rfs_access) |
| |
| #To create the folders in /data |
| allow rfs_access system_data_file:dir create_dir_perms; |
| |
| #To create the folders in /persist |
| allow rfs_access persist_file:dir create_dir_perms; |
| |
| #For system folder entries |
| r_dir_file(rfs_access, rfs_system_file) |
| allow rfs_access rfs_system_file:lnk_file r_file_perms; |
| |
| #For data folder entries |
| allow rfs_access rfs_file:dir create_dir_perms; |
| allow rfs_access rfs_file:file create_file_perms; |
| |
| allow rfs_access rfs_shared_hlos_file:dir create_dir_perms; |
| allow rfs_access rfs_shared_hlos_file:file create_file_perms; |
| |
| #For ramdump entries in /data/tombstones. |
| allow rfs_access tombstone_data_file:dir create_dir_perms; |
| allow rfs_access tombstone_data_file:file create_file_perms; |
| |
| #For firmware entries in /firmware to read NHLOS.bin files ( only perms to read and get attributes). |
| r_dir_file(rfs_access, firmware_file) |
| |
| #For dropping permisions from root and wakelock |
| allow rfs_access self:capability { |
| setuid |
| setgid |
| setpcap |
| net_raw |
| }; |
| |
| # RFS UID and GIDs were changed and moved from old values to new ones OEM range. |
| # The below permissions are required to recursively update the folder ownership |
| # to the new values in the OEM range. |
| |
| allow rfs_access self:capability { dac_read_search chown dac_override }; |
| |
| #Prevent other domains from accessing RFS data files. |
| neverallow { domain -rfs_access -kernel -recovery -init userdebug_or_eng(`-su') -qti_init_shell } rfs_file:dir create_dir_perms; |
| neverallow { domain -rfs_access -kernel -recovery -init userdebug_or_eng(`-su') -qti_init_shell } rfs_file:file create_file_perms; |