Move watchdogd out of init and into its own domain
Bug: 73660730
Test: watchdogd still runs
Change-Id: I31697c7c6fa2f7009731ff48c659af051838e42f
diff --git a/private/compat/26.0/26.0.cil b/private/compat/26.0/26.0.cil
index c8b7a1f..085948a 100644
--- a/private/compat/26.0/26.0.cil
+++ b/private/compat/26.0/26.0.cil
@@ -279,7 +279,7 @@
(typeattributeset incident_data_file_26_0 (incident_data_file))
(typeattributeset incident_service_26_0 (incident_service))
(typeattributeset init_26_0 (init))
-(typeattributeset init_exec_26_0 (init_exec))
+(typeattributeset init_exec_26_0 (init_exec watchdogd_exec))
(typeattributeset inotify_26_0 (inotify))
(typeattributeset input_device_26_0 (input_device))
(typeattributeset inputflinger_26_0 (inputflinger))
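Review bot: Adding `watchdogd_exec` to `init_exec_26_0` on the changed line extends every rule that older vendor policy wrote against `init_exec_26_0` to the new watchdogd binary label, and nothing in the file records why. That is the usual mapping for a type split out of `init_exec`, but without a note a later cleanup could read it as over-broad. If the file's conventions allow comments, a short one such as `; watchdogd_exec was split out of init_exec` above the line would help. The same applies to the matching lines in the 27.0.cil and 28.0.cil hunks.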
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index f29703e..daeee95 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -156,6 +156,7 @@
wait_for_keymaster
wait_for_keymaster_exec
wait_for_keymaster_tmpfs
+ watchdogd_tmpfs
wpantund
wpantund_exec
wpantund_service
diff --git a/private/compat/27.0/27.0.cil b/private/compat/27.0/27.0.cil
index d0cb9b7..fcf4561 100644
--- a/private/compat/27.0/27.0.cil
+++ b/private/compat/27.0/27.0.cil
@@ -993,7 +993,7 @@
(typeattributeset incident_data_file_27_0 (incident_data_file))
(typeattributeset incident_service_27_0 (incident_service))
(typeattributeset init_27_0 (init))
-(typeattributeset init_exec_27_0 (init_exec))
+(typeattributeset init_exec_27_0 (init_exec watchdogd_exec))
(typeattributeset inotify_27_0 (inotify))
(typeattributeset input_device_27_0 (input_device))
(typeattributeset inputflinger_27_0 (inputflinger))
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index ad986fc..f99f9a7 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -131,6 +131,7 @@
wait_for_keymaster
wait_for_keymaster_exec
wait_for_keymaster_tmpfs
+ watchdogd_tmpfs
wm_trace_data_file
wpantund
wpantund_exec
diff --git a/private/compat/28.0/28.0.cil b/private/compat/28.0/28.0.cil
index a784b44..054cca2 100644
--- a/private/compat/28.0/28.0.cil
+++ b/private/compat/28.0/28.0.cil
@@ -1177,7 +1177,7 @@
(typeattributeset incident_helper_28_0 (incident_helper))
(typeattributeset incident_service_28_0 (incident_service))
(typeattributeset init_28_0 (init))
-(typeattributeset init_exec_28_0 (init_exec))
+(typeattributeset init_exec_28_0 (init_exec watchdogd_exec))
(typeattributeset inotify_28_0 (inotify))
(typeattributeset input_device_28_0 (input_device))
(typeattributeset inputflinger_28_0 (inputflinger))
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index 1c09df8..ad7faa3 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -13,4 +13,5 @@
timedetector_service
timezonedetector_service
uri_grants_service
- vrflinger_vsync_service))
+ vrflinger_vsync_service
+ watchdogd_tmpfs))
diff --git a/private/file_contexts b/private/file_contexts
index 9f3d817..e78c02f 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -296,6 +296,7 @@
/system/bin/statsd u:object_r:statsd_exec:s0
/system/bin/bpfloader u:object_r:bpfloader_exec:s0
/system/bin/wait_for_keymaster u:object_r:wait_for_keymaster_exec:s0
+/system/bin/watchdogd u:object_r:watchdogd_exec:s0
#############################
# Vendor files
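Review bot: Only `/system/bin/watchdogd` receives the `watchdogd_exec` label in this hunk, while the init.te hunk of the same commit removes `domain_trans(init, init_exec, watchdogd)`. A device that still starts watchdogd from the init binary itself (for example a symlink plus a `seclabel` line in a board rc file, which this diff does not show) would presumably be denied entry into the watchdogd domain, since `init_exec` is no longer an entrypoint for it. It is worth confirming that no such rc entries remain. A comment next to the new entry would record the path requirement, for example `# watchdogd is a standalone binary; init transitions on this label`.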
diff --git a/private/init.te b/private/init.te
index e9959d3..4cf6922 100644
--- a/private/init.te
+++ b/private/init.te
@@ -13,7 +13,6 @@
')
domain_trans(init, shell_exec, shell)
domain_trans(init, init_exec, ueventd)
-domain_trans(init, init_exec, watchdogd)
domain_trans(init, init_exec, vendor_init)
domain_trans(init, { rootfs toolbox_exec }, modprobe)
# case where logpersistd is actually logcat -f in logd context (nee: logcatd)
diff --git a/private/watchdogd.te b/private/watchdogd.te
index 36dd30f..91ece70 100644
--- a/private/watchdogd.te
+++ b/private/watchdogd.te
@@ -1 +1,3 @@
typeattribute watchdogd coredomain;
+
+init_daemon_domain(watchdogd)
diff --git a/public/watchdogd.te b/public/watchdogd.te
index 00292a9..d2718d8 100644
--- a/public/watchdogd.te
+++ b/public/watchdogd.te
@@ -1,4 +1,6 @@
# watchdogd seclabel is specified in init.<board>.rc
type watchdogd, domain;
+type watchdogd_exec, exec_type, file_type;
+
allow watchdogd watchdog_device:chr_file rw_file_perms;
allow watchdogd kmsg_device:chr_file rw_file_perms;
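Review bot: The context comment at the top of this hunk, `# watchdogd seclabel is specified in init.<board>.rc`, looks stale after this change. With `watchdogd_exec` declared here and `init_daemon_domain(watchdogd)` added in private/watchdogd.te, init transitions automatically when it executes a file labelled `watchdogd_exec`. Consider replacing the comment with `# watchdogd transitions from init automatically via watchdogd_exec (see private/watchdogd.te)`. Whether board rc files still carry a `seclabel` line is not visible in this diff.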