Allow init to execute /sbin/slideshow
Add rules to allow /sbin/slideshow to access framebuffer and input
devices at early stages of boot, and rules to allow init to execute
the program (from init.rc using exec).
Needed by changes from
I58c79a7f3ac747eec0d73a10f018d3d8ade9df7d
Change-Id: I1d5018feb7025853f0bf81651f497fef8c3a6ab0
diff --git a/domain.te b/domain.te
index bc55237..d835ee9 100644
--- a/domain.te
+++ b/domain.te
@@ -180,7 +180,7 @@
neverallow { domain -debuggerd -vold -dumpstate -system_server } self:capability sys_ptrace;
# Limit device node creation to these whitelisted domains.
-neverallow { domain -kernel -init -recovery -ueventd -watchdogd -healthd -vold -uncrypt } self:capability mknod;
+neverallow { domain -kernel -init -recovery -ueventd -watchdogd -healthd -vold -uncrypt -slideshow } self:capability mknod;
# Limit raw I/O to these whitelisted domains.
neverallow { domain -kernel -init -recovery -ueventd -watchdogd -healthd -vold -uncrypt -tee } self:capability sys_rawio;
diff --git a/init.te b/init.te
index 8b0ab42..14e9f80 100644
--- a/init.te
+++ b/init.te
@@ -140,6 +140,7 @@
# Transitions to seclabel processes in init.rc
domain_trans(init, rootfs, adbd)
domain_trans(init, rootfs, healthd)
+domain_trans(init, rootfs, slideshow)
recovery_only(`
domain_trans(init, rootfs, recovery)
')
diff --git a/slideshow.te b/slideshow.te
new file mode 100644
index 0000000..1a22fb5
--- /dev/null
+++ b/slideshow.te
@@ -0,0 +1,13 @@
+# slideshow seclabel is specified in init.rc since
+# it lives in the rootfs and has no unique file type.
+type slideshow, domain;
+
+write_klog(slideshow)
+allow slideshow device:dir r_dir_perms;
+allow slideshow self:capability { mknod sys_tty_config };
+allow slideshow graphics_device:dir r_dir_perms;
+allow slideshow graphics_device:chr_file rw_file_perms;
+allow slideshow input_device:dir r_dir_perms;
+allow slideshow input_device:chr_file r_file_perms;
+allow slideshow tty_device:chr_file rw_file_perms;
+