From 70d78900fd33ff066ddb7df56777972df1defb4b Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Mon, 3 Jan 2022 10:34:49 +0800
Subject: [PATCH] Grant init_citadel access

Test: boot to home under enforcing mode
Bug: 205655298
Bug: 205779736
Bug: 205904401
Change-Id: Ia7c1033240970122f3af79428bdb9012dcbc9d45
---
 dauntless/init_citadel.te | 10 ++++++++++
 tracking_denials/init_citadel.te | 12 ------------
 2 files changed, 10 insertions(+), 12 deletions(-)
 delete mode 100644 tracking_denials/init_citadel.te

diff --git a/dauntless/init_citadel.te b/dauntless/init_citadel.te
index 35a93bc7..2e986d08 100644
--- a/dauntless/init_citadel.te
+++ b/dauntless/init_citadel.te
@@ -2,4 +2,14 @@ type init_citadel, domain;
 type init_citadel_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(init_citadel)
+
+# Citadel communication must be via citadeld
+vndbinder_use(init_citadel)
+binder_call(init_citadel, citadeld)
 allow init_citadel citadeld_service:service_manager find;
+
+# Many standard utils are actually vendor_toolbox (like xxd)
+allow init_citadel vendor_toolbox_exec:file rx_file_perms;
+
+# init_citadel needs to invoke citadel_updater
+allow init_citadel citadel_updater:file rx_file_perms;
diff --git a/tracking_denials/init_citadel.te b/tracking_denials/init_citadel.te
deleted file mode 100644
index 587d4ea4..00000000
--- a/tracking_denials/init_citadel.te
+++ /dev/null
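Review bot: `allow init_citadel citadel_updater:file rx_file_perms;` executes the updater without a domain transition (this is the execute_no_trans denial the deleted tracking rule was silencing), so citadel_updater inherits the whole init_citadel permission set — binder to citadeld, vendor_toolbox execution — and, conversely, every permission the updater needs has to be granted to init_citadel. If citadel_updater already has, or is meant to get, its own domain elsewhere in the policy, `domain_auto_trans(init_citadel, citadel_updater, <updater_domain>)` keeps the two privilege sets apart; if running it in-domain is deliberate, the comment should say so: `# citadel_updater runs in the init_citadel domain (no domain transition), so anything it needs must be granted here`. The comment above vndbinder_use would also be clearer as the constraint it expresses, e.g. `# Citadel is reached only through citadeld over vndbinder; this domain gets no direct device access`, which holds as far as this file shows. Whether vndbinder_use itself covers the vndservicemanager binder call that the old tracking rule listed depends on the macro definition, which is not part of this patch, so it is worth confirming before relying on the tracking file's removal.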
@@ -1,12 +0,0 @@
-# b/205655298
-dontaudit init_citadel vndbinder_device:chr_file { ioctl };
-dontaudit init_citadel vndbinder_device:chr_file { map };
-dontaudit init_citadel vndbinder_device:chr_file { open };
-dontaudit init_citadel vndbinder_device:chr_file { read };
-dontaudit init_citadel vndbinder_device:chr_file { write };
-# b/205779736
-dontaudit init_citadel citadel_updater:file { execute_no_trans };
-dontaudit init_citadel vendor_toolbox_exec:file { execute_no_trans };
-# b/205904401
-dontaudit init_citadel citadeld:binder { call };
-dontaudit init_citadel vndservicemanager:binder { call };