This repository was archived by the owner on Nov 24, 2024. It is now read-only.

Commit ca39e00

committed
[valor] [sepolicy] [config]: bring back SEPolicy, integrate it with Android.mk
1 parent 006b29c commit ca39e00


2 files changed

+72
-0
lines changed


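--- a/Android.mk
+++ b/Android.mk
@@ -29,6 +29,8 @@ LOCAL_C_INCLUDES := \
 $(LOCAL_PATH) \
 $(LOCAL_PATH)/src/valord
 
+LOCAL_SEPOLICY_DIRS := $(LOCAL_PATH)/sepolicy
+
 LOCAL_MODULE := valord
 LOCAL_CFLAGS := -O1 -g -W -Wall # TODO: Pre-release: Change to -O2 -W -Wall
 LOCAL_SHARED_LIBRARIES := liblog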
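Review bot: `LOCAL_SEPOLICY_DIRS` at new line 32 does not look like a variable the AOSP build system reads, so this assignment may have no effect and `sepolicy/valord.te` may never be compiled into the device policy. Policy directories are normally registered from the board or device configuration, e.g. `BOARD_SEPOLICY_DIRS += <path-to-valord>/sepolicy` (`BOARD_VENDOR_SEPOLICY_DIRS` on newer releases). If the policy is silently skipped, valord would presumably not get its own domain, and none of the restrictions in the new .te file would apply. The module definition begins and continues outside this hunk, so a consumer of the variable elsewhere in the tree cannot be ruled out from here; a comment naming that consumer would settle it.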

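--- a/sepolicy/valord.te
+++ b/sepolicy/valord.te
@@ -0,0 +1,70 @@
+type valord, domain;
+type valor_db, file_type, system_file_type;
+type valord_exec, exec_type, file_type, system_file_type;
+
+typeattribute valord app_monitor;
+
+init_daemon_domain(valord)
+domain_auto_trans(init, valord_exec, valord)
+r_dir_file(valord, proc)
+
+allow valord appdomain:process sigkill;
+allow valord appdomain:file open;
+allow valord appdomain:file getattr;
+allow valord appdomain:file read;
+allow valord appdomain:dir open;
+allow valord appdomain:dir getattr;
+allow valord appdomain:dir search;
+allow valord valor_db:file open;
+allow valord valor_db:file read;
+allow valord valor_db:file getattr;
+allow valord proc:dir open;
+allow valord proc:dir getattr;
+allow valord proc:dir search;
+allow valord self:global_capability_class_set sys_ptrace;
+allow valord domain:process getattr;
+allow valord kernel:file read;
+allow valord init:file read;
+allow valord kernel:dir search;
+allow valord kernel:lnk_file read;
+allow valord init:dir open;
+allow valord init:dir search;
+allow valord init:dir getattr;
+allow valord init:file open;
+allow valord init:file read;
+allow valord init:file getattr;
+allow valord init:lnk_file read;
+allow valord init_exec:file read;
+allow valord domain:dir open;
+allow valord domain:dir search;
+allow valord domain:dir r_dir_perms;
+allow valord domain:file r_file_perms;
+allow valord domain:lnk_file read;
+allow valord domain:lnk_file r_file_perms;
+allow valord untrusted_app:dir r_dir_perms;
+allow valord untrusted_app:dir open;
+allow valord untrusted_app:dir search;
+allow valord untrusted_app:dir getattr;
+allow valord untrusted_app:dir r_dir_perms;
+allow valord untrusted_app:file open;
+allow valord untrusted_app:file read;
+allow valord untrusted_app:file r_file_perms;
+allow valord untrusted_app:process getattr;
+allow valord untrusted_app:lnk_file read;
+allow valord untrusted_app:lnk_file open;
+allow valord untrusted_app:lnk_file r_file_perms;
+allow valord untrusted_app:lnk_file getattr;
+allow valord self:global_capability_class_set dac_override;
+allow valord self:global_capability_class_set dac_read_search;
+allow valord app_data_file:file open;
+allow valord app_data_file:file read;
+allow valord app_data_file:file getattr;
+allow valord app_data_file:dir open;
+allow valord app_data_file:dir getattr;
+allow valord app_data_file:dir search;
+allow valord untrusted_app_27:dir open;
+allow valord untrusted_app_27:dir search;
+allow valord untrusted_app_27:dir getattr;
+allow valord untrusted_app_27:file open;
+allow valord untrusted_app_27:file read;
+allow valord untrusted_app_27:file getattr;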
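Review bot: The capability grants at new-file lines 24, 57 and 58 (`sys_ptrace`, `dac_override`, `dac_read_search`) are wider than the rest of the file needs. Every file and directory rule here is read-only (open/read/getattr/search), so `dac_read_search` should be enough and `allow valord self:global_capability_class_set dac_override;` can likely be dropped. Together with `sigkill` on all of `appdomain` and read access to `app_data_file`, a flaw in valord would expose every app's private data, so each of these grants should carry a comment naming the denial it answers. AOSP's base policy is likely to have neverallow assertions covering some of these capabilities and app-data access, so confirm the file builds against the target release. Separately, many rules are redundant and hide the real grant surface: `init_daemon_domain(valord)` already performs the `domain_auto_trans` on line 8, `r_dir_file(valord, proc)` covers lines 21-23, and the `domain:dir r_dir_perms` / `domain:file r_file_perms` / `domain:lnk_file r_file_perms` rules on lines 40-43 already include the per-type `init`, `untrusted_app` and `untrusted_app_27` rules.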
