;; Complementary CIL file for compatibility between ToT policy and 29.0 vendors.
;; It is compiled along with the other normal policy files on 29.0 vendors.
;;

;; vendordomain: every process domain that is not a coredomain, i.e. the
;; vendor-side domains this compat file exists for.
(typeattribute vendordomain)
(typeattributeset vendordomain ((and (domain) ((not (coredomain))))))
;; Compat relaxation: any vendor domain may perform privileged netlink route
;; reads (nlmsg_readpriv) on its own netlink_route_socket. This is granted to
;; the whole attribute rather than to specific domains, so it should stay
;; confined to this compat file.
(allow vendordomain self (netlink_route_socket (nlmsg_readpriv)))

;; mlsvendorcompat: vendor app domains (members of both appdomain and
;; vendordomain). The attribute itself is not declared in this file.
;; NOTE(review): the name suggests an MLS-related carve-out for app data
;; access; the rationale is not stated here -- confirm against the change
;; that introduced it.
(typeattributeset mlsvendorcompat (and appdomain vendordomain))
;; Direct access to app and priv-app data for those vendor app domains.
;; The dir set includes create/rename/rmdir and watch; the file set also
;; grants append, map and unlink. No relabel permissions are included.
(allow mlsvendorcompat app_data_file (dir (ioctl read write create getattr setattr lock rename open watch watch_reads add_name remove_name reparent search rmdir)))
(allow mlsvendorcompat app_data_file (file (ioctl read write create getattr setattr lock append map unlink rename open watch watch_reads)))
(allow mlsvendorcompat privapp_data_file (dir (ioctl read write create getattr setattr lock rename open watch watch_reads add_name remove_name reparent search rmdir)))
(allow mlsvendorcompat privapp_data_file (file (ioctl read write create getattr setattr lock append map unlink rename open watch watch_reads)))

;; Permissions for devices (older than S) where the debugfs restriction does
;; not apply.
;; debugfs_file_type: debugfs types that also label files (debugfs_type AND
;; file_type); debugfs_fs_type: debugfs types that also label filesystems
;; (debugfs_type AND fs_type).
(typeattribute debugfs_file_type)
(typeattributeset debugfs_file_type (and debugfs_type file_type))
(typeattribute debugfs_fs_type)
(typeattributeset debugfs_fs_type (and debugfs_type fs_type))

;; dumpstate: read-only file access (no write/create/unlink) to the generic
;; debugfs label and to the mmc and wakeup_sources debugfs types.
(allow dumpstate debugfs (file (ioctl read getattr lock map open watch watch_reads)))
(allow dumpstate debugfs_mmc (file (ioctl read getattr lock map open watch watch_reads)))
(allow dumpstate debugfs_wakeup_sources (file (ioctl read getattr lock map open watch watch_reads)))
;; Every granted access under the generic debugfs label is audit-logged, so
;; remaining dumpstate use of debugfs stays visible in the audit log. The
;; auditallow covers only debugfs, not debugfs_mmc or debugfs_wakeup_sources.
(auditallow dumpstate debugfs (file (ioctl read getattr lock map open watch watch_reads)))

;; init: relabel debugfs nodes from the generic debugfs label (relabelfrom)
;; to a more specific debugfs_type label (relabelto) for dir, file and symlink.
(allow init debugfs (dir (getattr relabelfrom)))
(allow init debugfs (file (getattr relabelfrom)))
(allow init debugfs (lnk_file (getattr relabelfrom)))
;; init: read-write access to debugfs files, including create and unlink.
(allow init debugfs_file_type (file (create getattr open read write setattr relabelfrom unlink map)))
;; init: mount/remount/unmount and relabel debugfs filesystems.
(allow init debugfs_fs_type (filesystem (mount remount unmount getattr relabelfrom associate quotamod quotaget watch)))
(allow init debugfs_type (dir (getattr relabelto)))
(allow init debugfs_type (file (getattr relabelto)))
(allow init debugfs_type (lnk_file (getattr relabelto)))

;; system_server: read-only access to the wakeup_sources debugfs files.
(allow system_server debugfs_wakeup_sources (file (ioctl read getattr lock map open watch watch_reads)))

;; vendor_init: the same read-write debugfs file set as init above, plus
;; open/read/setattr/map on files carrying a debugfs_fs_type label.
(allow vendor_init debugfs_file_type (file (create getattr open read write setattr relabelfrom unlink map)))
(allow vendor_init debugfs_fs_type (file (open read setattr map)))