blob: 3bdb2cf26fef022e9e12d42f1f93e433da3ee93e (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
|
type asus_config, domain;
type asus_config_exec, exec_type, file_type;
init_daemon_domain(asus_config)
set_prop(asus_config, audio_prop)
set_prop(asus_config, asus_prop)
set_prop(asus_config, config_prop)
set_prop(asus_config, radio_prop)
set_prop(asus_config, ctl_default_prop)
set_prop(asus_config, ctl_rildaemon_prop)
allow asus_config config_file:dir search;
allow asus_config config_file:file rw_file_perms;
allow asus_config bluetooth_efs_file:dir r_dir_perms;
allow asus_config bluetooth_efs_file:file { rw_file_perms setattr };
allow asus_config device:dir write;
allow asus_config efs_file:dir { r_dir_perms setattr };
allow asus_config efs_file:file { r_file_perms setattr };
allow asus_config factory_file:dir { mounton r_dir_perms setattr };
allow asus_config factory_file:file { r_file_perms setattr };
#allow asus_config labeledfs:filesystem { mount };
allow asus_config proc:file { r_file_perms };
allow asus_config rootfs:dir { mounton r_dir_perms };
allow asus_config rootfs:file { mounton r_file_perms };
allow asus_config rootfs:lnk_file r_file_perms;
allow asus_config sysfs:dir r_dir_perms;
allow asus_config sysfs:file rw_file_perms;
allow asus_config wifi_config_file:dir r_dir_perms;
allow asus_config wifi_config_file:file { rw_file_perms setattr };
# allow it to mount /local_cfg
allow asus_config self:capability sys_admin;
# Customize does all sorts of config by running system() and until we
# either reverse it or asus makes it saner, we can't do much about this:
allow asus_config shell_exec:file { read execute open execute_no_trans getattr };
allow asus_config self:capability { fowner fsetid chown dac_override };
allow asus_config toolbox_exec:file rx_file_perms;
# --------------------------
# Some denials that we allow
# --------------------------
# why is "customize" ueventd using __kmsg__ when it should just create
# and use /dev/kmsg instead?
# Looks like we have to kill their logging because mknod isn't allowed
# in anything except a few very restricted contexts.
#allow asus_config self:capability { mknod dac_override };
#type_transition asus_config device:chr_file klog_device "__kmsg__";
#allow asus_config klog_device:chr_file { create open write unlink };
# writes to /sys/class/android_usb/android0/iSerial which we don't need
# and therefore have a failure to write sysfs:fs
|
