; Domain declaration for Droidspaces container runtime.
; Declares the process type droidspacesd and adds it to the `domain` attribute.
(type droidspacesd)
(typeattributeset domain (droidspacesd))
; SECURITY: typepermissive puts this single domain into permissive mode.
; Accesses made BY droidspacesd that policy does not allow are logged as AVC
; denials but are not blocked, so the runtime is effectively unconfined by
; SELinux. No allow rule in this file has droidspacesd as its source; the
; rules here only grant other domains (init, kernel, servicemanager,
; system_server) access, and this statement does not relax enforcement for them.
; NOTE(review): treat this as a bring-up setting - collect the logged denials,
; write targeted allow rules for droidspacesd, then drop this statement.
(typepermissive droidspacesd)
; Exec type declaration for /vendor/bin/droidspaces
; Label the binary as droidspacesd_exec via file_contexts in your vendor partition.
; This file only declares the type; nothing here assigns the label, so the
; rules that target droidspacesd_exec have no effect until that file_contexts
; entry exists.
(type droidspacesd_exec)
; Attribute membership for the new type: executable, file, and system file.
; NOTE(review): the binary is described as living under /vendor, yet the type
; joins system_file_type rather than vendor_file_type - confirm this is
; intended, since other policy written against these attributes will treat the
; binary as a system file.
(typeattributeset exec_type (droidspacesd_exec))
(typeattributeset file_type (droidspacesd_exec))
(typeattributeset system_file_type (droidspacesd_exec))
; seclabel in the service definition handles the domain transition directly,
; so no typetransition rule is needed here.
; (The service definition itself is not part of this file.)
; Allow init to read and execute the binary directly at /vendor/bin/droidspaces
; which is labeled droidspacesd_exec - no symlink, no nosuid complications
(allow init droidspacesd_exec (file (read getattr open execute map)))
; Allow the domain transition into droidspacesd
; NOTE(review): no `entrypoint` permission for droidspacesd on
; droidspacesd_exec appears in this file; presumably the exec succeeds only
; because droidspacesd is permissive - confirm, and add that rule before the
; domain is ever made enforcing.
(allow init droidspacesd (process (transition)))
; Allow init to run droidspaces_autoboot script
; SECURITY: the three permissions below relax the usual clean-up performed at
; a domain transition:
;   noatsecure - AT_SECURE is not set for the new process, so the dynamic
;                linker does not enter secure-execution mode and LD_*-style
;                environment variables are not sanitised
;   rlimitinh  - resource limits are inherited from init instead of being reset
;   siginh     - signal state is inherited from init instead of being reset
; NOTE(review): confirm that each one is actually required by the autoboot
; script and drop any that is not.
(allow init droidspacesd (process (noatsecure rlimitinh siginh)))
; NOTE(review): same source, target and class as the first init rule in this
; group, with a subset of its permissions - this rule appears to be redundant.
(allow init droidspacesd_exec (file (execute getattr open read)))
; Allow kernel to create and manage loop device nodes.
; Fixes: rootfs.img mounting failures - the kernel needs to create /dev/loop* block
; devices dynamically before droidspacesd can attach the rootfs image to them
; NOTE(review): the rule is not limited to loop devices; it covers every
; blk_file that carries the generic `device` label.
(allow kernel device (blk_file (create setattr getattr unlink)))
; Let the kernel domain use file descriptors that were opened by droidspacesd.
(allow kernel droidspacesd (fd (use)))
; Allow kernel to read and write container data files.
; Fixes: rootfs.img open/read failures
; SECURITY: the targets are whole types, not individual files. Every file
; labeled system_data_file or vold_data_file becomes readable and writable by
; the kernel domain, not only rootfs.img.
; NOTE(review): giving the container images a dedicated type via file_contexts
; would let these two rules be narrowed to that type.
(allow kernel system_data_file (file (read write open getattr)))
(allow kernel vold_data_file (file (read write open getattr)))
; Allow kernel to create character devices in /dev
; As with the block-device rule, this applies to any chr_file labeled `device`.
; NOTE(review): no failure is recorded as the reason for this rule - confirm
; which device node needs it.
(allow kernel device (chr_file (create setattr)))
; Allow servicemanager to inspect and call into droidspacesd over binder.
; Fixes: dumpsys failures in DNS resolution
; Only the servicemanager -> droidspacesd direction is granted here.
; NOTE(review): no rule in this file lets droidspacesd call servicemanager;
; presumably that direction relies on droidspacesd being permissive - confirm.
(allow servicemanager droidspacesd (binder (call transfer)))
; The dir/file/process rules below have the domain type itself as target.
; Presumably they cover droidspacesd's /proc/<pid> entries and process
; attributes so servicemanager can identify the caller - TODO confirm.
(allow servicemanager droidspacesd (dir (search)))
(allow servicemanager droidspacesd (file (read getattr open)))
(allow servicemanager droidspacesd (process (getattr)))
; Allow system_server to call into droidspacesd over binder and pass file descriptors.
; Fixes: dumpsys failures in DNS resolution
; binder call/transfer: system_server may invoke droidspacesd and hand binder
; references to it.
(allow system_server droidspacesd (binder (call transfer)))
; fd use: system_server may use file descriptors opened by droidspacesd.
(allow system_server droidspacesd (fd (use)))
; fifo_file write: system_server may write to pipes labeled droidspacesd.
; NOTE(review): presumably the pipe that carries dumpsys output - confirm.
(allow system_server droidspacesd (fifo_file (write)))