watchdog security policy.

Initial policy for software watchdog daemon which is started by init. Change-Id: I042a5b1698bf53ce2e50ea06851c374e5123ee2c Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>

watchdog security policy.
Initial policy for software watchdog daemon which is started by init. Change-Id: I042a5b1698bf53ce2e50ea06851c374e5123ee2c Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
bac9992e · rpcraig · Gerrit Code Review · 1f5939a9 · bac9992e · bac9992e
Commit bac9992e authored 12 years ago by rpcraig Committed by Gerrit Code Review 11 years ago
--- a/device.te
+++ b/device.te
@@ -41,6 +41,7 @@ type fuse_device, dev_type;
 type ion_device, dev_type;
 type gps_device, dev_type;
 type qtaguid_device, dev_type;
+type watchdog_device, dev_type;

 # All devices have a uart for the hci
 # attach service. The uart dev node

--- a/file_contexts
+++ b/file_contexts
@@ -104,6 +104,7 @@
 /dev/urandom		u:object_r:urandom_device:s0
 /dev/vcs[0-9a-z]*	u:object_r:vcs_device:s0
 /dev/video[0-9]*	u:object_r:video_device:s0
+/dev/watchdog		u:object_r:watchdog_device:s0
 /dev/xt_qtaguid	u:object_r:qtaguid_device:s0
 /dev/zero		u:object_r:zero_device:s0
 #############################

--- a/watchdogd.te
+++ b/watchdogd.te
+# watchdogd seclabel is specified in init.<board>.rc
+type watchdogd, domain;
+allow watchdogd rootfs:file { entrypoint r_file_perms };
+allow watchdogd self:capability mknod;
+allow watchdogd device:dir { add_name write remove_name };
+allow watchdogd watchdog_device:chr_file rw_file_perms;
+# because of /dev/__kmsg__ and /dev/__null__
+allow watchdogd device:chr_file create_file_perms;