      1 # gpsd - GPS daemon
        # Type-enforcement policy for the gpsd domain: declares the process and
        # executable types, grants access to the GPS data directory, socket,
        # device node and some sysfs files, and pins the capability set with
        # neverallow assertions at the end of the file.
      2 type gpsd, domain;
      3 type gpsd_exec, exec_type, file_type;
      4 
        # init_daemon_domain() and net_domain() are macros defined outside this
        # file. By AOSP convention the first sets up the init -> gpsd domain
        # transition when gpsd_exec is executed and the second grants network
        # socket access -- confirm against te_macros for this tree.
      5 init_daemon_domain(gpsd)
      6 net_domain(gpsd)
        # Read/write the GPS data directory and create non-device objects in it.
      7 allow gpsd gps_data_file:dir rw_dir_perms;
      8 allow gpsd gps_data_file:notdevfile_class_set create_file_perms;
      9 # Socket is created by the daemon, not by init, and under /data/gps,
     10 # not under /dev/socket.
        # The type_transition labels any sock_file gpsd creates in a
        # gps_data_file directory as gps_socket. With a dedicated type, clients
        # can be granted access to the socket alone instead of to everything
        # labelled gps_data_file.
     11 type_transition gpsd gps_data_file:sock_file gps_socket;
     12 allow gpsd gps_socket:sock_file create_file_perms;
     13 # XXX Label sysfs files with a specific type?
        # NOTE(review): this grants read/write on every file carrying the generic
        # sysfs label, not only the nodes gpsd uses. Least privilege would give
        # those nodes their own type in the file/genfs contexts and allow only
        # that type here; which nodes gpsd touches is not visible in this file.
     14 allow gpsd sysfs:file rw_file_perms;
     15 
     16 # TODO: added to match above sysfs rule. Remove me?
        # NOTE(review): write access to USB sysfs files. Nothing in this file
        # shows that gpsd needs it; check audit logs for denials on a build
        # without this rule before keeping or dropping it.
     17 allow gpsd sysfs_usb:file w_file_perms;
     18 
        # Read/write the GPS character device.
     19 allow gpsd gps_device:chr_file rw_file_perms;
     20 
     21 # Execute the shell or system commands.
        # No domain transition for these executables is declared in this file.
        # rx_file_perms is defined elsewhere; in AOSP it includes
        # execute_no_trans, so the shell and tools would run inside the gpsd
        # domain with every permission granted above -- confirm. That makes the
        # breadth of the sysfs and network rules matter for spawned commands too.
     22 allow gpsd shell_exec:file rx_file_perms;
     23 allow gpsd system_file:file rx_file_perms;
     24 allow gpsd toolbox_exec:file rx_file_perms;
     25 
     26 ###
     27 ### neverallow
     28 ###
     29 
     30 # gpsd can never have capabilities other than block_suspend
        # neverallow rules grant nothing; they are assertions that make the
        # policy build fail if any allow rule (here or in another file) matches.
        # The first forbids every permission in class capability; the second
        # forbids every capability2 permission except block_suspend. No allow
        # rule for block_suspend appears in this file, so it is only left
        # possible here, not granted.
     31 neverallow gpsd self:capability *;
     32 neverallow gpsd self:capability2 ~block_suspend;
     33