# SELinux policy for mdm_helper, the daemon that powers on and boots the
# external modem (mdm) and runs kickstart (ks) to transfer images and sync EFS.

# mdm_helper is the process domain; mdm_helper_exec labels its executable.
type mdm_helper, domain;
type mdm_helper_exec, exec_type, file_type;
# Transition from init into mdm_helper when init executes mdm_helper_exec.
init_daemon_domain(mdm_helper);

# kickstart (ks) needs the block_suspend capability.
allow mdm_helper self:capability2 block_suspend;

# Power on the peripheral.
allow mdm_helper ssr_device:chr_file { open read };

# Control the mdm through the esoc device.
allow mdm_helper esoc_device:chr_file { open read write ioctl };
allow mdm_helper esoc_device:dir { open search };

# Detect presence of the hsic bridge and transfer images over it.
allow mdm_helper ksbridgehsic_device:chr_file { getattr open read write ioctl };

# Detect efs sync; kickstart runs the efs sync server on this device.
allow mdm_helper efsbridgehsic_device:chr_file { getattr open read write ioctl };

# Communication with the HSIC driver.
allow mdm_helper sysfs_hsic:dir { open read search };
allow mdm_helper sysfs_hsic:file { open read write };

# libmdmdetect reads these to figure out the system configuration.
allow mdm_helper sysfs_esoc:dir { open read search };
allow mdm_helper sysfs_esoc:lnk_file read;

# libmdmdetect reads these for subsystem information and subsystem state.
allow mdm_helper sysfs_ssr:dir { open read search };
allow mdm_helper sysfs_ssr:lnk_file { open read };

# Running kickstart.
# execute_no_trans means the executed program stays in the mdm_helper domain,
# so the shell and any system_file binary started here run with every
# permission granted in this file.
# NOTE(review): if kickstart has its own file type, a dedicated domain with a
# transition would keep the shell out of this domain - confirm feasibility.
allow mdm_helper shell:fd use;
allow mdm_helper shell_exec:file { open read execute execute_no_trans };
allow mdm_helper system_file:file execute_no_trans;
allow mdm_helper mdm_helper_exec:file execute_no_trans;

# Inform the hsic driver that the mdm has booted up.
# NOTE(review): this targets the generic sysfs type, so write access covers
# every sysfs file that has no more specific label, not only the hsic node.
# A dedicated type for that node would let this rule be narrowed.
allow mdm_helper sysfs:file { getattr open read write };

# ks accesses the efs sync partitions (raw read/write on the block node).
allow mdm_helper efs_boot_dev:blk_file { getattr open read write };
# NOTE(review): write on block_device:dir goes beyond looking up an existing
# node - confirm it is actually required.
allow mdm_helper block_device:dir { getattr search write };

# ks needs to acquire the wake lock.
allow mdm_helper sysfs_wake_lock:file { open append };

# Read-only access to the firmware partition.
allow mdm_helper firmware_file:dir search;
allow mdm_helper firmware_file:file { getattr open read };

# Collecting ramdumps: create and write dump files and directories under the
# tombstone data type.
# NOTE(review): the dumps share the tombstone_data_file label, so any domain
# allowed to read that type can read them - confirm that is intended.
allow mdm_helper tombstone_data_file:file { create getattr open read write };
allow mdm_helper tombstone_data_file:dir { create getattr open read write search add_name };