sepolicy/policy/chromeos/cros_cryptohomed.te - mirrors/cros/chromiumos/platform2 - Git at Google

 type cros_cryptohomed, chromeos_domain, domain;

 permissive cros_cryptohomed;

 domain_auto_trans(cros_init_scripts, cros_cryptohomed_exec, cros_cryptohomed);

 allow domain cros_cryptohomed:key search;

 log_writer(cros_cryptohomed);
 uma_writer(cros_cryptohomed);

 filetrans_pattern(cros_cryptohomed, cros_home, cros_home_shadow, dir, ".shadow");
 filetrans_pattern(cros_cryptohomed, cros_home_shadow, cros_home_shadow_low_entropy_creds, dir, "low_entropy_creds");
 filetrans_pattern(cros_cryptohomed, cros_home_shadow, cros_home_shadow_uid, dir);
 filetrans_pattern(cros_cryptohomed, cros_home_shadow_uid, cros_home_shadow_uid_root, dir, "root");
 filetrans_pattern(cros_cryptohomed, cros_home_shadow_uid, cros_home_shadow_uid_user, dir, "user");
 filetrans_pattern(cros_cryptohomed, cros_home_shadow_uid_user, cros_downloads_file, dir, "Downloads");
 filetrans_pattern(cros_cryptohomed, cros_home_shadow_uid_user, cros_downloads_file, dir, "MyFiles");
 filetrans_pattern(cros_cryptohomed, cros_home_shadow_uid_root, cros_home_shadow_uid_root_chaps, dir, "chaps");
 filetrans_pattern(cros_cryptohomed, cros_home_shadow_uid_root, cros_home_shadow_uid_root_usb_bouncer, dir, "usb_bouncer");
 filetrans_pattern(cros_cryptohomed, cros_home_shadow_uid_root, cros_home_shadow_uid_root_authpolicyd, dir, "authpolicyd");

 # Ephemeral mount should have the same treatment as normal mount.
 filetrans_pattern({cros_init_scripts cros_cryptohomed}, cros_run, cros_run_cryptohome, dir, "cryptohome");
 filetrans_pattern({cros_init_scripts cros_cryptohomed}, cros_run_cryptohome, cros_ephemeral_mount, dir, "ephemeral_mount");

 # Note that this transition is currently ineffective as the ephemeral mount is a new filesystem.
 # Setting the new ephemeral mount to cros_home_shadow_uid is done by cryptohome at the moment.
 filetrans_pattern({cros_init_scripts cros_cryptohomed}, cros_ephemeral_mount, cros_home_shadow_uid, dir);

 dev_only(
 auditallow domain cros_home_shadow_uid_root:dir create;
 auditallow domain cros_home_shadow_uid_user:dir create;
 )
	type cros_cryptohomed, chromeos_domain, domain;

	permissive cros_cryptohomed;

	domain_auto_trans(cros_init_scripts, cros_cryptohomed_exec, cros_cryptohomed);

	allow domain cros_cryptohomed:key search;

	log_writer(cros_cryptohomed);
	uma_writer(cros_cryptohomed);

	filetrans_pattern(cros_cryptohomed, cros_home, cros_home_shadow, dir, ".shadow");
	filetrans_pattern(cros_cryptohomed, cros_home_shadow, cros_home_shadow_low_entropy_creds, dir, "low_entropy_creds");
	filetrans_pattern(cros_cryptohomed, cros_home_shadow, cros_home_shadow_uid, dir);
	filetrans_pattern(cros_cryptohomed, cros_home_shadow_uid, cros_home_shadow_uid_root, dir, "root");
	filetrans_pattern(cros_cryptohomed, cros_home_shadow_uid, cros_home_shadow_uid_user, dir, "user");
	filetrans_pattern(cros_cryptohomed, cros_home_shadow_uid_user, cros_downloads_file, dir, "Downloads");
	filetrans_pattern(cros_cryptohomed, cros_home_shadow_uid_user, cros_downloads_file, dir, "MyFiles");
	filetrans_pattern(cros_cryptohomed, cros_home_shadow_uid_root, cros_home_shadow_uid_root_chaps, dir, "chaps");
	filetrans_pattern(cros_cryptohomed, cros_home_shadow_uid_root, cros_home_shadow_uid_root_usb_bouncer, dir, "usb_bouncer");
	filetrans_pattern(cros_cryptohomed, cros_home_shadow_uid_root, cros_home_shadow_uid_root_authpolicyd, dir, "authpolicyd");

	# Ephemeral mount should have the same treatment as normal mount.
	filetrans_pattern({cros_init_scripts cros_cryptohomed}, cros_run, cros_run_cryptohome, dir, "cryptohome");
	filetrans_pattern({cros_init_scripts cros_cryptohomed}, cros_run_cryptohome, cros_ephemeral_mount, dir, "ephemeral_mount");

	# Note that this transition is currently ineffective as the ephemeral mount is a new filesystem.
	# Setting the new ephemeral mount to cros_home_shadow_uid is done by cryptohome at the moment.
	filetrans_pattern({cros_init_scripts cros_cryptohomed}, cros_ephemeral_mount, cros_home_shadow_uid, dir);

	dev_only(
	auditallow domain cros_home_shadow_uid_root:dir create;
	auditallow domain cros_home_shadow_uid_user:dir create;
	)