The following walks through a policy fragment from AOSP to show how a type (domain), its object types, the labels on those objects and the allow rules that connect them are defined.
1. Defining the type (domain)
Definition of the hal_light_default type (hal_light itself is an attribute, see below):
type hal_light_default, domain;
hal_server_domain(hal_light_default, hal_light)
aosp/system/sepolicy/vendor/qcom/common/hal_light_default.te
The first line declares hal_light_default as a type and puts it in the domain attribute. The second line is an m4 macro; hal_server_domain is defined in system/sepolicy/public/te_macros as:
define(`hal_server_domain', `
typeattribute $1 halserverdomain;
typeattribute $1 $2_server;
typeattribute $1 $2;
')
With $1 = hal_light_default and $2 = hal_light it expands to three typeattribute statements, so hal_light_default becomes a member of the attributes halserverdomain, hal_light_server and hal_light. The allow rules in step 4 are written against the attribute hal_light, not against the type, so any type passed to hal_server_domain(..., hal_light) inherits them.
2. Defining the object types
aosp/device/google/crosshatch-sepolicy/vendor/qcom/common/file.te
type sysfs_graphics, sysfs_type, fs_type;
type sysfs_lights, sysfs_type, fs_type;
sysfs_type and fs_type are attributes, not types: listing them after the type name puts the new type into those attributes, so generic rules written against sysfs_type or fs_type also apply to sysfs_graphics and sysfs_lights.
3. Labeling the objects
sysfs is a pseudo-filesystem, so its nodes are labeled with genfscon entries in genfs_contexts rather than through file_contexts:
genfscon sysfs /devices/platform/soc/894000.i2c/i2c-3/3-0043/leds u:object_r:sysfs_leds:s0
genfscon sysfs /devices/platform/soc/894000.i2c/i2c-3/3-005a/leds u:object_r:sysfs_leds:s0
genfscon sysfs /devices/platform/soc/soc:qcom,dsi-display@51/backlight/panel0-backlight/vr_mode u:object_r:sysfs_lights:s0
Each entry is a path prefix: everything under the two leds directories gets the sysfs_leds label and the vr_mode node gets sysfs_lights; when several prefixes match, the longest one wins, and anything not covered falls back to the generic sysfs label. Note that sysfs_leds is not one of the types declared in step 2 (it comes from the platform policy), and the allow rules in step 4 grant hal_light nothing on it, so access to the leds nodes has to come from rules outside this fragment.
4. allow statements
device/google/crosshatch-sepolicy/vendor/qcom/common/hal_light.te
allow statements:
allow hal_light sysfs_graphics:dir search;
allow hal_light sysfs_graphics:file rw_file_perms;
allow hal_light sysfs_lights:dir search;
allow hal_light sysfs_lights:file rw_file_perms;
The form is allow <source> <target>:<class> <permissions>;. The source here is the attribute hal_light from step 1, the targets are the types from step 2, and rw_file_perms is a permission macro from system/sepolicy/public/global_macros that expands to the read and write permission set on the file class. dir search is the minimum needed to traverse to the files; nothing here allows listing those directories or creating files in them.
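The four steps together answer one question: may a process running as hal_light_default write the vr_mode node? The script below is an added example (not AOSP code) that resolves that question over the fragment above: it parses the type, typeattribute, genfscon and allow statements, expands the attributes that hal_server_domain adds, labels a sysfs path the way genfscon does (longest matching prefix wins) and then checks the rule base. It assumes three things the page does not show: the sysfs_leds type declaration, the catch-all `genfscon sysfs / u:object_r:sysfs:s0` entry, and a simplified expansion of rw_file_perms; all three are marked in the code.

```python
"""Toy resolver for the SELinux steps above (added example, not AOSP code).

Parses a few policy statements, expands attribute membership, labels a
sysfs path with genfscon semantics and answers an access query.
"""
import re
from collections import defaultdict

# Constructed fragment: the page's statements, with hal_server_domain()
# already expanded by hand (m4 does this in a real build), plus two
# assumed lines the page does not show: the sysfs_leds type and the
# catch-all "genfscon sysfs /" entry from the platform policy.
POLICY = """
type hal_light_default, domain;
typeattribute hal_light_default halserverdomain;
typeattribute hal_light_default hal_light_server;
typeattribute hal_light_default hal_light;
type sysfs_graphics, sysfs_type, fs_type;
type sysfs_lights, sysfs_type, fs_type;
type sysfs_leds, sysfs_type, fs_type;
genfscon sysfs / u:object_r:sysfs:s0
genfscon sysfs /devices/platform/soc/894000.i2c/i2c-3/3-0043/leds u:object_r:sysfs_leds:s0
genfscon sysfs /devices/platform/soc/894000.i2c/i2c-3/3-005a/leds u:object_r:sysfs_leds:s0
genfscon sysfs /devices/platform/soc/soc:qcom,dsi-display@51/backlight/panel0-backlight/vr_mode u:object_r:sysfs_lights:s0
allow hal_light sysfs_graphics:dir search;
allow hal_light sysfs_graphics:file rw_file_perms;
allow hal_light sysfs_lights:dir search;
allow hal_light sysfs_lights:file rw_file_perms;
"""

# Simplified stand-in for the global_macros definition (assumption).
PERM_MACROS = {
    "rw_file_perms": {"open", "read", "write", "append", "getattr", "ioctl", "lock", "map"},
}

TYPE_RE = re.compile(r"^type (\w+)(?:,\s*([\w\s,]+))?;$")
TYPEATTR_RE = re.compile(r"^typeattribute (\w+)\s+(\w+);$")
GENFS_RE = re.compile(r"^genfscon (\w+) (\S+) u:object_r:(\w+):s0$")
ALLOW_RE = re.compile(r"^allow (\w+) (\w+):(\w+) (.+);$")


def parse_policy(text):
    """Return (types, attrs, genfs, allows) for a tiny policy fragment."""
    types, attrs, genfs, allows = set(), defaultdict(set), [], []
    for line in text.strip().splitlines():
        line = line.strip()
        if m := TYPE_RE.match(line):
            name, attr_list = m.group(1), m.group(2) or ""
            types.add(name)
            for attr in (a.strip() for a in attr_list.split(",") if a.strip()):
                attrs[attr].add(name)          # "type X, a, b;" puts X into a and b
        elif m := TYPEATTR_RE.match(line):
            attrs[m.group(2)].add(m.group(1))  # what hal_server_domain() expands to
        elif m := GENFS_RE.match(line):
            genfs.append((m.group(1), m.group(2), m.group(3)))
        elif m := ALLOW_RE.match(line):
            perms = set()
            for tok in m.group(4).strip("{} ").split():
                perms |= PERM_MACROS.get(tok, {tok})   # expand permission macros
            allows.append((m.group(1), m.group(2), m.group(3), perms))
        elif line:
            raise ValueError(f"unsupported statement: {line}")
    return types, attrs, genfs, allows


def members(types, attrs, name):
    """Types denoted by `name`: the attribute's members, or the type itself."""
    return attrs[name] if name in attrs else ({name} if name in types else set())


def genfs_label(genfs, fs, path):
    """Label `path` on filesystem `fs`: the longest genfscon prefix wins."""
    best = None
    for g_fs, prefix, label in genfs:
        if g_fs == fs and path.startswith(prefix):
            if best is None or len(prefix) > len(best[0]):
                best = (prefix, label)
    return best[1] if best else None


def is_allowed(policy, src, tgt, cls, perm):
    """True if some allow rule covers (src, tgt, cls, perm) after attribute expansion."""
    types, attrs, _, allows = policy
    return any(
        src in members(types, attrs, s) and tgt in members(types, attrs, t)
        and cls == c and perm in perms
        for s, t, c, perms in allows
    )


def check_access(policy, domain, fs, path, cls, perm):
    """Label the object first, then consult the rule base; returns (label, allowed)."""
    label = genfs_label(policy[2], fs, path)
    return label, label is not None and is_allowed(policy, domain, label, cls, perm)


if __name__ == "__main__":
    pol = parse_policy(POLICY)
    vr = "/devices/platform/soc/soc:qcom,dsi-display@51/backlight/panel0-backlight/vr_mode"
    print(check_access(pol, "hal_light_default", "sysfs", vr, "file", "write"))
    led = "/devices/platform/soc/894000.i2c/i2c-3/3-0043/leds/red/brightness"
    print(check_access(pol, "hal_light_default", "sysfs", led, "file", "write"))
```

The vr_mode query resolves to the label sysfs_lights and is allowed because hal_light_default is a member of the hal_light attribute the rule names; the brightness node under the leds directory resolves to sysfs_leds and is refused by this fragment alone, which is the gap noted in step 3. On a real device the same two facts can be checked with ls -Z on the sysfs path and with sesearch -A -s hal_light_default -t sysfs_lights -c file against the device's compiled policy.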