Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / 50c5d731e0aa4098aac293e4024b213b5c445b99^1..50c5d731e0aa4098aac293e4024b213b5c445b99 / .
commit50c5d731e0aa4098aac293e4024b213b5c445b99[log] [tgz]
authorTreehugger Robot <treehugger-gerrit@google.com>Mon Jan 06 16:09:45 2020 +0000
committerGerrit Code Review <noreply-gerritcodereview@google.com>Mon Jan 06 16:09:45 2020 +0000
tree28903b75e6b54e628a9714e2dffd47c4d55667c8
parent5357e7672a5af307c341c0b72367433c89568d34 [diff]
parent004539ef7c22f0e0dd29d176452e18b8829944f4 [diff]
Merge "Add sepolicy for binderfs"
diff --git a/private/compat/29.0/29.0.ignore.cil b/private/compat/29.0/29.0.ignore.cil
index fe622bb..3e3e1bf 100644
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil

@@ -12,6 +12,9 @@
     auth_service
     ashmem_libcutils_device
     blob_store_service
+    binderfs
+    binderfs_logs
+    binderfs_logs_proc
     boringssl_self_test
     charger_prop
     cold_boot_done_prop

diff --git a/private/genfs_contexts b/private/genfs_contexts
index 5b956da..07c44ca 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts

@@ -290,9 +290,15 @@
 
 genfscon debugfs /kcov								 u:object_r:debugfs_kcov:s0
 
+genfscon binder /binder u:object_r:binder_device:s0
+genfscon binder /hwbinder u:object_r:hwbinder_device:s0
+genfscon binder /vndbinder u:object_r:vndbinder_device:s0
+genfscon binder /binder_logs u:object_r:binderfs_logs:s0
+genfscon binder /binder_logs/proc u:object_r:binderfs_logs_proc:s0
 
 genfscon inotifyfs / u:object_r:inotify:s0
 genfscon vfat / u:object_r:vfat:s0
+genfscon binder / u:object_r:binderfs:s0
 genfscon exfat / u:object_r:exfat:s0
 genfscon debugfs / u:object_r:debugfs:s0
 genfscon fuse / u:object_r:fuse:s0

diff --git a/public/domain.te b/public/domain.te
index 4ae6c9a..88093f9 100644
--- a/public/domain.te
+++ b/public/domain.te

@@ -80,6 +80,10 @@
 # /dev/binder can be accessed by ... everyone! :)
 allow { domain -hwservicemanager -vndservicemanager } binder_device:chr_file rw_file_perms;
 
+# /dev/binderfs needs to be accessed by everyone too!
+allow domain binderfs:dir { getattr search };
+allow domain binderfs_logs_proc:dir search;
+
 allow { domain -servicemanager -vndservicemanager -isolated_app } hwbinder_device:chr_file rw_file_perms;
 allow domain ptmx_device:chr_file rw_file_perms;
 allow domain random_device:chr_file rw_file_perms;

diff --git a/public/file.te b/public/file.te
index 73ac226..9573ad0 100644
--- a/public/file.te
+++ b/public/file.te

@@ -4,6 +4,9 @@
 type sockfs, fs_type;
 type rootfs, fs_type;
 type proc, fs_type, proc_type;
+type binderfs, fs_type;
+type binderfs_logs, fs_type;
+type binderfs_logs_proc, fs_type;
 # Security-sensitive proc nodes that should not be writable to most.
 type proc_security, fs_type, proc_type;
 type proc_drop_caches, fs_type, proc_type;