| ##################################### |
| # brillo_domain(domain) |
| # Allow a base set of permissions common across Brillo daemons. |
| define(`brillo_domain', ` |
| init_daemon_domain($1) |
| # Allow using binder and performing IPC to system services. |
| binder_use($1) |
| binder_service($1) |
| # Allow connections to dbus_daemon. |
| unix_socket_connect($1, dbus_daemon, dbus_daemon) |
| |
| # Allow access to files in /proc. |
| # Fixes denials like: |
| # avc: denied { read } for pid=1267 comm="peripheralman" name="misc" dev="proc" |
| # ino=4026531967 scontext=u:r:peripheralman:s0 |
| # tcontext=u:object_r:proc:s0 tclass=file permissive=0 |
| allow $1 proc:file r_file_perms; |
| |
| # Cut down on spam. |
| dontaudit $1 kernel:system module_request; |
| ') |
| |
| ##################################### |
| # allow_crash_reporter(domain) |
| # Allow crash_reporter to access crashes for a domain. |
| define(`allow_crash_reporter', ` |
| r_dir_file(crash_reporter, $1) |
| allow crash_reporter $1_exec:file r_file_perms; |
| ') |
| |
| ##################################### |
| # allow_power_management(domain) |
| # Allow a domain to control power management. |
| define(`allow_power_management', ` |
| allow $1 power_service:service_manager find; |
| binder_call($1, nativepowerman); |
| ') |
| |
| ##################################### |
| # bidi_binder_call(domain, otherdomain) |
| # Allow either domain to call the other over binder. |
| define(`bidi_binder_call', ` |
| binder_call($1, $2); |
| binder_call($2, $1); |
| ') |
| |
| ##################################### |
| # allow_metrics_reporting(domain) |
| # Allow a domain to log metrics using libmetrics. |
| define(`allow_metrics_reporting', ` |
| typeattribute $1 metrics_reporting; |
| ') |
| |
| ##################################### |
| # allow_metrics_event_reporting(domain) |
| # Allow a domain to report events using libmetricscollectorservice. |
| define(`allow_metrics_event_reporting', ` |
| typeattribute $1 metrics_event_reporting; |
| ') |
| |
| ##################################### |
| # allow_call_weave(domain) |
| # Allow a domain and weaved to communicate with each other over binder. |
| define(`allow_call_weave', ` |
| typeattribute $1 weave_client; |
| ') |
| |
| ##################################### |
| # allow_call_update_engine(domain) |
| # Allow a domain and update_engine to communicate with each other over binder. |
| define(`allow_call_update_engine', ` |
| typeattribute $1 update_engine_client; |
| ') |
| |
| ##################################### |
| # allow_call_webservd(domain) |
| # Allow a domain and webservd to communicate with each other over binder. |
| define(`allow_call_webservd', ` |
| typeattribute $1 webservd_client; |
| ') |
| |
| ##################################### |
| # allow_call_firewalld(domain) |
| # Allow a domain and firewalld to communicate with each other over binder. |
| define(`allow_call_firewalld', ` |
| typeattribute $1 firewalld_client; |
| ') |
| |
| ##################################### |
| # allow_call_shill(domain) |
| # Allow a domain and shill to communicate with each other over binder. |
| define(`allow_call_shill', ` |
| typeattribute $1 shill_client; |
| ') |
| |
| ##################################### |
| # allow_call_trunksd(domain) |
| # Allow a domain and trunksd to communicate with each other over binder. |
| define(`allow_call_trunksd', ` |
| typeattribute $1 trunks_client; |
| ') |