commit 6522991b6dad2c0e0809a09547d9d89f550a00ca
author Kenny Root <kroot@google.com> Tue Jun 09 11:43:38 2020 -0700
committer Kenny Root <kroot@google.com> Wed Jul 08 09:53:28 2020 -0700
tree fa01172b519340fb509b18ee20089b79a9efbef5
parent b10592276b268fcb6c75a944bbdfe938c399afd5

Citadel: move rules to common directory

Move all the common Citadel rules to a directory where they can all be
changed simultaneously and avoid accidental version skew between the
devices.

Test: build affected devices locally
Bug: 143330574
Change-Id: I381b8dc1e0c814fd564a7a3aeeed0fe8759a65bf

citadel/init_citadel.te

diff --git a/citadel/init_citadel.te b/citadel/init_citadel.te
new file mode 100644
index 0000000..1459ef4
--- /dev/null
+++ b/citadel/init_citadel.te
@@ -0,0 +1,17 @@
+type init_citadel, domain;
+type init_citadel_exec, exec_type, vendor_file_type, file_type;
+type citadel_updater_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(init_citadel)
+
+# Citadel communication must be via citadeld
+vndbinder_use(init_citadel)
+binder_call(init_citadel, citadeld)
+allow init_citadel citadeld_service:service_manager find;
+
+# Many standard utils are actually vendor_toolbox (like xxd)
+allow init_citadel vendor_toolbox_exec:file rx_file_perms;
+
+# init_citadel needs to invoke citadel_updater
+allow init_citadel citadel_updater_exec:file rx_file_perms;
+allow init_citadel citadel_device:chr_file rw_file_perms;