| type minijail, cros_miscdomain, chromeos_domain, domain, minijail_domain, mlstrustedobject; |
| |
| permissive minijail; |
| |
| |
| r_dir_file(minijail_domain, cros_network_conf_file); |
| r_dir_file(minijail_domain, cros_passwd_file); |
| |
| #TODO(fqj): init boot-update-firmware.conf didn't enter minijail. |
| domain_auto_trans(cros_init, cros_minijail_exec, minijail); |
| domain_auto_trans(cros_init_scripts, cros_minijail_exec, minijail); |
| |
| minijail_static_uses_tmpfile(minijail, minijail); |
| minijail_mounts(minijail, , cros_minijail_minijail_tmp_file, cros_var_log); |
| minijail_mountdev(minijail, cros_minijail_minijail_tmp_file); |
| minijail_seccomp(minijail); |
| minijail_netns_new(minijail); |
| minijail_chroot(minijail); |
| minijail_rlimit(minijail); |
| log_writer(minijail); |
| use_init_fd(minijail); |
| |
| allow minijail cros_init_scripts:fifo_file { write ioctl }; |
| |
| # For monitoring purpose. |
| domain_auto_trans({ chromeos_domain -cros_debugd -minijail_executor_domain}, cros_minijail_exec, minijail); |
| auditallow { |
| chromeos_domain |
| -minijail |
| -minijail_executor_domain |
| -cros_init |
| -cros_init_scripts |
| -cros_init_shill |
| -cros_debugd |
| } cros_minijail_exec:file execute; |
| |
| auditallow minijail tmpfs:dir create_file_perms; |
