Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / affa6f323cc82a8f1d378cb7f229aa427ed0d947^! / .
commitaffa6f323cc82a8f1d378cb7f229aa427ed0d947[log] [tgz]
authorKiyoung Kim <kiyoungkim@google.com>Mon Jul 08 19:02:05 2019 +0900
committerKiyoung Kim <kiyoungkim@google.com>Fri Jul 12 12:32:19 2019 +0900
tree98cb073e1890f568bc14fd92eb0c8c30ca70ff7c
parent31056ae11df558601ab788bcdab6751d02eba282 [diff]
Add linker config generator and output file to sepolicy

Sepolicy for linkerconfig generator and ld.config.txt file from
generator

Bug: 135004088
Test: m -j & tested from device
Change-Id: I2ea7653a33996dde67a84a2e7a0efa660886434a

diff --git a/private/domain.te b/private/domain.te
index d2d0209..670e353 100644
--- a/private/domain.te
+++ b/private/domain.te

@@ -82,6 +82,9 @@
   allow domain su:key search;
 ')
 
+# Allow access to linkerconfig file
+allow domain linkerconfig_file:file r_file_perms;
+
 # Limit ability to ptrace or read sensitive /proc/pid files of processes
 # with other UIDs to these whitelisted domains.
 neverallow {

diff --git a/private/file.te b/private/file.te
index a856792..26b58f4 100644
--- a/private/file.te
+++ b/private/file.te

@@ -20,3 +20,6 @@
 # /data/misc_[ce|de]/rollback : Used by installd to store snapshots
 # of application data.
 type rollback_data_file, file_type, data_file_type, core_data_file_type;
+
+# /dev/linkerconfig(/.*)?
+type linkerconfig_file, file_type;

diff --git a/private/file_contexts b/private/file_contexts
index 8150fa6..6924f54 100644
--- a/private/file_contexts
+++ b/private/file_contexts

@@ -99,6 +99,7 @@
 /dev/iio:device[0-9]+   u:object_r:iio_device:s0
 /dev/ion		u:object_r:ion_device:s0
 /dev/keychord   u:object_r:keychord_device:s0
+/dev/linkerconfig(/.*)? u:object_r:linkerconfig_file:s0
 /dev/loop-control	u:object_r:loop_control_device:s0
 /dev/modem.*		u:object_r:radio_device:s0
 /dev/mtp_usb		u:object_r:mtp_device:s0
@@ -261,6 +262,7 @@
 /system/bin/healthd     u:object_r:healthd_exec:s0
 /system/bin/clatd	u:object_r:clatd_exec:s0
 /system/bin/linker(64)? u:object_r:system_linker_exec:s0
+/system/bin/linkerconfig u:object_r:linkerconfig_exec:s0
 /system/bin/bootstrap/linker(64)? u:object_r:system_linker_exec:s0
 /system/bin/llkd        u:object_r:llkd_exec:s0
 /system/bin/lmkd        u:object_r:lmkd_exec:s0

diff --git a/private/linkerconfig.te b/private/linkerconfig.te
new file mode 100644
index 0000000..8acd734
--- /dev/null
+++ b/private/linkerconfig.te

@@ -0,0 +1,10 @@
+type linkerconfig, domain, coredomain;
+type linkerconfig_exec, exec_type, file_type, system_file_type;
+
+init_daemon_domain(linkerconfig)
+
+## Read and write linkerconfig subdirectory.
+allow linkerconfig linkerconfig_file:dir rw_dir_perms;
+allow linkerconfig linkerconfig_file:file create_file_perms;
+
+neverallow { domain -init -linkerconfig } linkerconfig_exec:file no_x_file_perms;