On 06/24/2014 01:00 AM, Dinesh Garg wrote:
> Would it be safe to provide "allow test block_device:dir search" rule? I
> wanted my daemon to have access to just ssd_device. Is there a way to
> restrict to ssd_device?

That is safe; it only allows the test domain to search directories under /dev/block (which is required to look up files under it), not to open any other block device files under it other than the block device file that you explicitly labeled with ssd_device.

So your rules are:

    allow test block_device:dir search;
    allow test ssd_device:blk_file { read write getattr open ioctl };

If your test domain tries to open another block device, you should get a denial because you do not allow test block_device:blk_file anywhere.

_______________________________________________
Seandroid-list mailing list
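
The policy pieces discussed in this reply, put together as an added example that is not part of the original message. It assumes the `test` domain is declared elsewhere, that `ssd_device` is declared with the AOSP `dev_type` attribute, and it uses a placeholder device path in the file_contexts comment; the `neverallow` line is an addition that turns the expected denial into a build-time check.

```selinux
# device.te: declare a dedicated type for the one block device node.
# dev_type is the AOSP attribute carried by device node types (assumption:
# ssd_device is declared this way in your tree).
type ssd_device, dev_type;

# file_contexts (a separate file, shown here as a comment).
# The path is a placeholder; substitute the node your daemon uses.
#   /dev/block/<ssd-node>    u:object_r:ssd_device:s0

# test.te: rules from the thread.
# Directory search on /dev/block is needed to resolve the path to the node.
allow test block_device:dir search;

# Access is granted only on the blk_file class of the dedicated type.
allow test ssd_device:blk_file { read write getattr open ioctl };

# Added assertion (not in the original thread): fail the policy build if a
# later rule ever grants test access to generically labeled block devices.
neverallow test block_device:blk_file *;
```

After rebuilding the policy and relabeling, `ls -Z` on the device node should show the `ssd_device` type; any other node under /dev/block keeps its existing label and stays inaccessible to `test`.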