#============= sensorhubd ==============
# SELinux type-enforcement rules for the sensorhubd daemon: declares the
# process domain and its executable type, then grants the file accesses listed
# below. No rule in this block allows sensorhubd to execute anything.
type sensorhubd, domain;
type sensorhubd_exec, exec_type, file_type;
# init_daemon_domain is defined outside this file; in AOSP's te_macros it sets
# up the automatic transition from init into this domain when init executes a
# sensorhubd_exec file.
init_daemon_domain(sensorhubd)
# Read-only access to configuration and EFS data (directory search + file read).
allow sensorhubd config_file:dir search;
allow sensorhubd config_file:file r_file_perms;
allow sensorhubd efs_file:dir search;
allow sensorhubd efs_file:file r_file_perms;
# Factory data is readable and writable, but only the directory search needed
# to reach existing files is granted.
allow sensorhubd factory_file:dir search;
allow sensorhubd factory_file:file rw_file_perms;
# Sensor sysfs nodes: list/traverse the directories, read and write the
# attribute files, and follow the symlinks between them.
allow sensorhubd sensor_sysfs_file:dir {read open search};
allow sensorhubd sensor_sysfs_file:file rw_file_perms;
allow sensorhubd sensor_sysfs_file:lnk_file r_file_perms;
allow sensorhubd sysfs_coretemp:file rw_file_perms;
# NOTE(review): dac_override lets the daemon bypass Unix owner/mode checks on
# every object the rules here already allow. It usually points at a file
# owner/mode mismatch; identify which path needs it and fix ownership or the
# daemon's uid/gid so this capability can be dropped. TODO confirm.
allow sensorhubd self:capability dac_override;
# Note: sensorhubd tries to exec a script to update the firmware, we
# specifically do not allow that since we don't ship the script
# anyway.
# Note: sensorhubd executes pidof sensorhubd | wc -w > /data/pids
# (wtf??) and we also specifically let that be disallowed.
# You can ignore:
# allow sensorhubd shell_exec:file { read execute open execute_no_trans };
# (The rule above is deliberately left commented out; do not paste it back in
# from audit2allow output, since it would let the daemon run shell commands
# in its own domain.)
# NOTE(review): create_file_perms is the file-class permission set, applied
# here to class dir. In AOSP's global_macros it carries create/rename/setattr/
# unlink plus file read-write, but not add_name, remove_name or search, which
# the dir-class sets (rw_dir_perms / create_dir_perms) provide. Confirm what
# the daemon actually needs. system_data_file is also the generic /data label,
# so a dedicated type for the daemon's own directory would scope this tighter.
allow sensorhubd system_data_file:dir create_file_perms;
# sensorhubd_debug_file is not declared in this block; presumably it is
# declared and labelled elsewhere in the policy. Verify that it has a
# file_contexts entry.
allow sensorhubd sensorhubd_debug_file:file rw_file_perms;