domain: Create a dummy domain for qc's rmt and let it access /dev/mem

Old (pre-L) binaries will fail hard if unable to access mem. Create a domain that rmt_storage can use to get those perms
TeslaOS · Nov 6, 2014 · ef41902 · ef41902
1 parent 73a2b73
commit ef41902
Showing 1 changed file with 4 additions and 3 deletions.
diff --git a/domain.te b/domain.te
@@ -176,8 +176,9 @@ neverallow { domain -debuggerd -vold -dumpstate -system_server } self:capability
 # Limit device node creation to these whitelisted domains.
 neverallow { domain -kernel -init -recovery -ueventd -watchdogd -healthd -vold -uncrypt } self:capability mknod;
 
+attribute rmt_placeholder;
 # Limit raw I/O to these whitelisted domains.
-neverallow { domain -kernel -init -recovery -ueventd -watchdogd -healthd -vold -uncrypt -tee } self:capability sys_rawio;
+neverallow { domain -kernel -init -recovery -ueventd -watchdogd -healthd -vold -uncrypt -tee -rmt_placeholder } self:capability sys_rawio;
 
 # No process can map low memory (< CONFIG_LSM_MMAP_MIN_ADDR).
 neverallow domain self:memprotect mmap_zero;
@@ -233,8 +234,8 @@ neverallow { domain -init -system_server -ueventd -unconfineddomain } hw_random_
 neverallow domain { file_type -exec_type }:file entrypoint;
 
 # Ensure that nothing in userspace can access /dev/mem or /dev/kmem
-neverallow { domain -kernel -ueventd -init } kmem_device:chr_file *;
-neverallow domain kmem_device:chr_file ~{ create relabelto unlink setattr };
+neverallow { domain -rmt_placeholder -kernel -ueventd -init } kmem_device:chr_file *;
+neverallow { domain -rmt_placeholder } kmem_device:chr_file ~{ create relabelto unlink setattr };
 
 # Only init should be able to configure kernel usermodehelpers or
 # security-sensitive proc settings.