Add directory read permissions to certain domains.

am: 49e35884 Change-Id: Ib96dbc7f6467e55d595426242c59b9551e9ae75f

Add directory read permissions to certain domains.
am: 49e35884 Change-Id: Ib96dbc7f6467e55d595426242c59b9551e9ae75f
d9bd9e69 · Nick Kralevich · android-build-merger · 3f77c683 · 49e35884 · d9bd9e69
Commit d9bd9e69 authored 8 years ago by Nick Kralevich Committed by android-build-merger 8 years ago
--- a/public/domain_deprecated.te
+++ b/public/domain_deprecated.te
@@ -27,6 +27,7 @@ allow domain_deprecated system_file:file r_file_perms;
 auditallow {
  domain_deprecated
  -appdomain
+  -fingerprintd
  -init
  -installd
  -rild

--- a/public/fingerprintd.te
+++ b/public/fingerprintd.te
@@ -3,6 +3,9 @@ type fingerprintd_exec, exec_type, file_type;

 binder_use(fingerprintd)

+# Scan through /system/lib64/hw looking for installed HALs
+allow fingerprintd system_file:dir r_dir_perms;
+
 # need to find KeyStore and add self
 allow fingerprintd fingerprintd_service:service_manager { add find };


--- a/public/gatekeeperd.te
+++ b/public/gatekeeperd.te
@@ -10,6 +10,9 @@ allow gatekeeperd ion_device:chr_file r_file_perms;
 # need to find KeyStore and add self
 allow gatekeeperd gatekeeper_service:service_manager { add find };

+# Scan through /system/lib64/hw looking for installed HALs
+allow gatekeeperd system_file:dir r_dir_perms;
+
 # Need to add auth tokens to KeyStore
 use_keystore(gatekeeperd)
 allow gatekeeperd keystore:keystore_key { add_auth };

--- a/public/hwservicemanager.te
+++ b/public/hwservicemanager.te
@@ -13,6 +13,9 @@ allow hwservicemanager { domain -init }:binder transfer;

 set_prop(hwservicemanager, hwservicemanager_prop)

+# Scan through /system/lib64/hw looking for installed HALs
+allow hwservicemanager system_file:dir r_dir_perms;
+
 # TODO once hwservicemanager checks whether HALs are
 # allowed to register a certain service, add policy here
 # for allowing to check SELinux permissions.