Diffstat (limited to 'prebuilts/api/32.0/private/lpdumpd.te')
-rw-r--r-- | prebuilts/api/32.0/private/lpdumpd.te | 37 |
1 files changed, 37 insertions, 0 deletions
diff --git a/prebuilts/api/32.0/private/lpdumpd.te b/prebuilts/api/32.0/private/lpdumpd.te
new file mode 100644
index 000000000..9f5f87ebd
--- /dev/null
+++ b/prebuilts/api/32.0/private/lpdumpd.te
@@ -0,0 +1,37 @@
+type lpdumpd, domain, coredomain;
+type lpdumpd_exec, system_file_type, exec_type, file_type;
+
+init_daemon_domain(lpdumpd)
+
+# Allow lpdumpd to register itself as a service.
+binder_use(lpdumpd)
+add_service(lpdumpd, lpdump_service)
+
+# Allow lpdumpd to find the super partition block device.
+allow lpdumpd block_device:dir r_dir_perms;
+
+# Allow lpdumpd to read super partition metadata.
+allow lpdumpd super_block_device_type:blk_file r_file_perms;
+
+# Allow lpdumpd to read fstab.
+allow lpdumpd sysfs_dt_firmware_android:dir r_dir_perms;
+allow lpdumpd sysfs_dt_firmware_android:file r_file_perms;
+read_fstab(lpdumpd)
+
+### Neverallow rules
+
+# Disallow other domains to get lpdump_service and call lpdumpd.
+neverallow {
+ domain
+ -dumpstate
+ -lpdumpd
+ -shell
+} lpdump_service:service_manager find;
+
+neverallow {
+ domain
+ -dumpstate
+ -lpdumpd
+ -shell
+ -servicemanager
+} lpdumpd:binder call; |
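Review bot: The two neverallow blocks at the end exempt `shell` alongside `dumpstate`, but the only comment (`# Disallow other domains to get lpdump_service and call lpdumpd.`) does not say why an interactive domain is an intended client of a daemon that reads `super_block_device_type:blk_file`, and the second block carries an extra `-servicemanager` with no explanation. I would document both, e.g. `# Intended clients: dumpstate and shell only.` above the first block and `# servicemanager is additionally exempt from the call rule; keep the client list in sync with the find rule above.` above the second. These rules only bound the policy; the allow rules that actually grant find/call to those domains are not in this file, so they need the same review. The path looks like a frozen API snapshot, so any wording change presumably belongs in the live policy this was copied from.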