author | Michael Bestas <mikeioannina@gmail.com> | 2017-02-04 17:22:37 +0200 |
---|---|---|
committer | Michael Bestas <mikeioannina@gmail.com> | 2017-02-04 17:22:37 +0200 |
commit | b07464afa7cd4edf8459c540e42480ee9f5846f1 (patch) | |
tree | 064bfe0d1471c003c617875ecf114cbba1324eb9 | |
parent | d9d06c2c5b83dd352d6158e547bda89fcc247649 (diff) | |
parent | 2e57b1e2db7737adb8a6692eda2d11056d944519 (diff) | |
Merge remote-tracking branch 'caf/LA.BR.1.2.9_rb1.11' into cm-14.1staging/cm-14.1-cafmerge
Change-Id: I57fd423a2baca4bd14376415abc38641485455bd
-rw-r--r-- | common/bluetooth.te | 5 | ||||
-rw-r--r-- | common/dataservice_app.te | 1 | ||||
-rw-r--r-- | common/device.te | 3 | ||||
-rw-r--r-- | common/file.te | 7 | ||||
-rw-r--r-- | common/file_contexts | 7 | ||||
-rw-r--r-- | common/init.te | 3 | ||||
-rw-r--r-- | common/init_shell.te | 7 | ||||
-rwxr-xr-x | common/mmi.te | 2 | ||||
-rw-r--r-- | common/nqnfcinfo.te | 39 | ||||
-rwxr-xr-x | common/property.te | 10 | ||||
-rwxr-xr-x | common/property_contexts | 7 | ||||
-rwxr-xr-x[-rw-r--r--] | common/qcomsysd.te | 3 | ||||
-rw-r--r-- | common/qseecomd.te | 3 | ||||
-rw-r--r-- | common/recovery.te | 6 | ||||
-rw-r--r-- | common/rfs_access.te | 1 | ||||
-rw-r--r-- | common/rmt_storage.te | 2 | ||||
-rw-r--r-- | common/system_server.te | 2 | ||||
-rw-r--r-- | common/thermal-engine.te | 3 | ||||
-rw-r--r-- | common/wcnss_filter.te | 4 | ||||
-rw-r--r-- | common/wcnss_service.te | 4 | ||||
-rw-r--r-- | common/wfdservice.te | 3 | ||||
-rw-r--r-- | msm8909/untrusted_app.te | 2 | ||||
-rw-r--r-- | msm8909/zygote.te | 1 | ||||
-rw-r--r-- | msm8937/untrusted_app.te | 2 | ||||
-rw-r--r-- | msm8952/mediaserver.te | 1 | ||||
-rw-r--r-- | msm8952/system_server.te | 5 | ||||
-rw-r--r-- | msm8953/untrusted_app.te | 2 | ||||
-rw-r--r-- | msm8992/file_contexts | 2 | ||||
-rw-r--r-- | msm8994/file_contexts | 2 | ||||
-rw-r--r-- | msm8998/app.te | 30 | ||||
-rw-r--r-- | msm8998/bootanim.te (renamed from msmcobalt/bootanim.te) | 0 | ||||
-rw-r--r-- | msm8998/device.te (renamed from msmcobalt/device.te) | 0 | ||||
-rw-r--r-- | msm8998/file.te (renamed from msmcobalt/file.te) | 6 | ||||
-rw-r--r-- | msm8998/file_contexts (renamed from msmcobalt/file_contexts) | 21 | ||||
-rw-r--r-- | msm8998/idmap.te (renamed from msmcobalt/idmap.te) | 0 | ||||
-rw-r--r-- | msm8998/init-qcom-fbe-sh.te | 36 | ||||
-rw-r--r-- | msm8998/init_shell.te (renamed from msmcobalt/init_shell.te) | 3 | ||||
-rw-r--r-- | msm8998/mm-qcamerad.te | 29 | ||||
-rw-r--r-- | msm8998/platform_app.te (renamed from msmcobalt/platform_app.te) | 0 | ||||
-rw-r--r-- | msm8998/priv_app.te (renamed from msmcobalt/priv_app.te) | 0 | ||||
-rw-r--r-- | msm8998/property.te (renamed from msmcobalt/untrusted_app.te) | 5 | ||||
-rw-r--r-- | msm8998/property_contexts | 28 | ||||
-rw-r--r-- | msm8998/qseecomd.te (renamed from msmcobalt/qseecomd.te) | 0 | ||||
-rw-r--r-- | msm8998/qti-logkit.te (renamed from msmcobalt/qti-logkit.te) | 0 | ||||
-rw-r--r-- | msm8998/qvop.te (renamed from msmcobalt/qvop.te) | 0 | ||||
-rw-r--r-- | msm8998/qvrd.te | 99 | ||||
-rw-r--r-- | msm8998/recovery.te (renamed from msmcobalt/recovery.te) | 0 | ||||
-rw-r--r-- | msm8998/ridl.te (renamed from msmcobalt/ridl.te) | 0 | ||||
-rw-r--r-- | msm8998/service.te (renamed from msmcobalt/service.te) | 0 | ||||
-rw-r--r-- | msm8998/service_contexts (renamed from msmcobalt/service_contexts) | 0 | ||||
-rw-r--r-- | msm8998/surfaceflinger.te (renamed from msmcobalt/surfaceflinger.te) | 0 | ||||
-rw-r--r-- | msm8998/system_app.te (renamed from msmcobalt/system_app.te) | 0 | ||||
-rw-r--r-- | msm8998/system_server.te (renamed from msmcobalt/system_server.te) | 0 | ||||
-rw-r--r-- | msm8998/untrusted_app.te | 32 | ||||
-rw-r--r-- | msm8998/zygote.te (renamed from msmcobalt/zygote.te) | 0 |
55 files changed, 411 insertions, 17 deletions
diff --git a/common/bluetooth.te b/common/bluetooth.te index ffe1ed90..eef36b8d 100644 --- a/common/bluetooth.te +++ b/common/bluetooth.te @@ -11,6 +11,10 @@ type btsnoop, bluetoothdomain, domain_deprecated; type btsnoop_exec, exec_type, file_type; domain_auto_trans(init, btsnoop_exec, bluetooth) +type bt_logger, bluetoothdomain; +type bt_logger_exec, exec_type, file_type; +domain_auto_trans(init, bt_logger_exec, bluetooth) + type btnvtool, bluetoothdomain, domain_deprecated; type btnvtool_exec, exec_type, file_type; domain_auto_trans(init, btnvtool_exec, bluetooth) @@ -37,6 +41,7 @@ allow bluetooth { serial_device #BT needes read and write on smd device node smd_device + bt_device }:chr_file rw_file_perms; #Access to persist_file diff --git a/common/dataservice_app.te b/common/dataservice_app.te index 36056c17..140f0363 100644 --- a/common/dataservice_app.te +++ b/common/dataservice_app.te @@ -33,6 +33,7 @@ net_domain(dataservice_app) allow dataservice_app { qtitetherservice_service dpmservice cne_service } :service_manager { add find } ; allow dataservice_app { app_api_service system_api_service audioserver_service radio_service } :service_manager find; +set_prop(dataservice_app, persist_dpm_prop) set_prop(dataservice_app, sys_usb_tethering_prop) diff --git a/common/device.te b/common/device.te index 362be377..22179749 100644 --- a/common/device.te +++ b/common/device.te @@ -138,3 +138,6 @@ type avtimer_device, dev_type; #define AT device type at_device, dev_type; + +#define Bluetooth device +type bt_device, dev_type; diff --git a/common/file.te b/common/file.te index 2d31a6d4..997d025d 100644 --- a/common/file.te +++ b/common/file.te 
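Review bot: The added `domain_auto_trans(init, bt_logger_exec, bluetooth)` in common/bluetooth.te runs the new logger binary in the full `bluetooth` domain, so the `bt_logger` type declared two lines above it is never entered and the logger holds every permission granted to the Bluetooth stack. This mirrors the existing btsnoop/btnvtool entries, but a logging helper is a natural candidate for its own confined domain with only the file and socket rules it needs. If sharing the domain is intentional, a comment such as `# bt_logger runs in the bluetooth domain; no separate policy` would make that explicit for the next reviewer.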
@@ -190,13 +190,11 @@ type ssr_ramdump_data_file, file_type, data_file_type; # Regionalization files type regionalization_file, file_type; +type regionalization_data_file, file_type, data_file_type; # /data/system/swap/swapfile - swapfile type swap_data_file, file_type, data_file_type; -# dynamic nv files -type dynamic_nv_data_file, file_type, data_file_type; - # wififtmd socket file type wififtmd_socket, file_type; @@ -206,3 +204,6 @@ type persist_time_file, file_type; # kgsl file type for sysfs access type sysfs_kgsl, sysfs_type, fs_type; + +# secure touch files +type sysfs_securetouch, fs_type, sysfs_type; diff --git a/common/file_contexts b/common/file_contexts index b0bb68b6..cd93c2f7 100644 --- a/common/file_contexts +++ b/common/file_contexts @@ -10,6 +10,7 @@ /dev/bhi u:object_r:bhi_device:s0 /dev/msm_.* u:object_r:audio_device:s0 /dev/i2c-6 u:object_r:audio_device:s0 +/dev/wcd_dsp0_control u:object_r:audio_device:s0 /dev/wcd-dsp-glink u:object_r:audio_device:s0 /dev/usf1 u:object_r:usf_device:s0 /dev/msm_dsps u:object_r:sensors_device:s0 @@ -25,6 +26,7 @@ /dev/qsee_ipc_irq_spss u:object_r:qsee_ipc_irq_spss_device:s0 /dev/seemplog u:object_r:seemplog_device:s0 /dev/radio0 u:object_r:fm_radio_device:s0 +/dev/btpower u:object_r:bt_device:s0 /dev/rtc0 u:object_r:rtc_device:s0 /dev/sdsprpc-smd u:object_r:dsp_device:s0 /dev/sensors u:object_r:sensors_device:s0 @@ -135,6 +137,7 @@ /system/bin/ATFWD-daemon u:object_r:atfwd_exec:s0 /system/bin/PktRspTest u:object_r:diag_exec:s0 /system/bin/audiod u:object_r:audiod_exec:s0 +/system/vendor/bin/nqnfcinfo u:object_r:nqnfcinfo_exec:s0 /system/bin/charger_monitor u:object_r:charger_monitor_exec:s0 /system/bin/hvdcp_opti u:object_r:hvdcp_exec:s0 /system/bin/cnd u:object_r:cnd_exec:s0 
@@ -231,6 +234,7 @@ /system/bin/sapd u:object_r:sapd_exec:s0 /system/bin/btnvtool u:object_r:btnvtool_exec:s0 /system/bin/btsnoop u:object_r:btsnoop_exec:s0 +/system/bin/bt_logger u:object_r:bt_logger_exec:s0 /system/bin/dun-server u:object_r:dun-server_exec:s0 /system/bin/wfdservice u:object_r:wfdservice_exec:s0 /system/bin/wcnss_filter u:object_r:wcnss_filter_exec:s0 @@ -344,10 +348,9 @@ /data/misc/qti-logkit/socket-privileged(/.*)? u:object_r:qti_logkit_priv_socket:s0 /data/misc/qti-logkit/socket-public(/.*)? u:object_r:qti_logkit_pub_socket:s0 /data/system/swap(/.*)? u:object_r:swap_data_file:s0 -/data/misc/wifi/nvbin(/.*)? u:object_r:dynamic_nv_data_file:s0 /data/misc/wifi/wigig_sockets(/.*)? u:object_r:wpa_socket:s0 /data/misc/wifi/wigig_sockets/wpa_ctrl.* u:object_r:system_wpa_socket:s0 - +/data/app-regional(/.*)? u:object_r:regionalization_data_file:s0 ################################### # persist files # diff --git a/common/init.te b/common/init.te index 6cde24b0..772e5fe4 100644 --- a/common/init.te +++ b/common/init.te @@ -31,3 +31,6 @@ allow init configfs:lnk_file create_file_perms; #Allow init to mount non-hlos partitions in A/B builds allow init firmware_file:dir { mounton }; allow init bt_firmware_file:dir { mounton }; + +#dontaudit non configfs usb denials +dontaudit init sysfs:dir write; diff --git a/common/init_shell.te b/common/init_shell.te index 487caf05..3962d296 100644 --- a/common/init_shell.te +++ b/common/init_shell.te @@ -96,6 +96,10 @@ allow qti_init_shell { sys_usb_configfs_prop #Needed for setting hwui properties in post_boot hwui_prop + #Needed for setting bservice in post_boot + bservice_prop + #Needed for setting Delayed Service Reschedule in post_boot + reschedule_service_prop graphics_vulkan_prop }:property_service set; 
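Review bot: The new `dontaudit init sysfs:dir write;` in common/init.te silences every write denial by init on any directory carrying the generic `sysfs` label, not only the non-configfs USB case named in the comment. Suppressed denials never reach the audit log, so a later policy regression or unexpected init behaviour against sysfs will not show up during bring-up or in field logs. Consider giving the USB sysfs directory its own type and scoping the rule to that type, or at least extend the comment to name the path that triggers the denial and why it is harmless.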
@@ -160,6 +164,9 @@ allow qti_init_shell kernel:key search; # To change owner of /sys/devices/virtual/hsicctl/hsicctl0/modem_wait to radio allow qti_init_shell sysfs_hsic_modem_wait:file { r_file_perms setattr }; +# To change owner/permissions of secure touch sysfs files +r_dir_file(qti_init_shell, sysfs_securetouch) + # core-ctl allow qti_init_shell cgroup:dir add_name; diff --git a/common/mmi.te b/common/mmi.te index 3fedc290..417f6009 100755 --- a/common/mmi.te +++ b/common/mmi.te @@ -61,6 +61,8 @@ allow mmi bluetooth_data_file:dir rw_dir_perms; allow mmi bluetooth_data_file:file create_file_perms; allow mmi bluetooth_prop:property_service set; allow mmi smd_device:chr_file rw_file_perms; +allow mmi persist_bluetooth_file:file r_file_perms; +allow mmi wcnss_filter:unix_stream_socket connectto; #GPS case allow mmi location_data_file:fifo_file create_file_perms; diff --git a/common/nqnfcinfo.te b/common/nqnfcinfo.te new file mode 100644 index 00000000..3efc94c3 --- /dev/null +++ b/common/nqnfcinfo.te 
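Review bot: The comment above `r_dir_file(qti_init_shell, sysfs_securetouch)` in common/init_shell.te says the rule is for changing owner/permissions, but `r_dir_file` grants read access only; chown/chmod needs `setattr`, as the neighbouring hsic rule shows with `{ r_file_perms setattr }`. Either the grant is incomplete, e.g. `allow qti_init_shell sysfs_securetouch:file { r_file_perms setattr };`, or the comment should say the access is read-only. The rest of init_shell.te lies outside this hunk, so `setattr` may be granted elsewhere; worth confirming before relying on it.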
@@ -0,0 +1,39 @@ +#Copyright (c) 2016, The Linux Foundation. All rights reserved. +# +#Redistribution and use in source and binary forms, with or without +#modification, are permitted provided that the following conditions are +#met: +# * Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# * Redistributions in binary form must reproduce the above +# copyright notice, this list of conditions and the following +# disclaimer in the documentation and/or other materials provided +# with the distribution. +# * Neither the name of The Linux Foundation nor the names of its +# contributors may be used to endorse or promote products derived +# from this software without specific prior written permission. +# +#THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED +#WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +#MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT +#ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS +#BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR +#CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +#SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR +#BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, +#WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE +#OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN +#IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +type nqnfcinfo, domain; +type nqnfcinfo_exec, exec_type, file_type; + +# Started by init +init_daemon_domain(nqnfcinfo) + +r_dir_file(nqnfcinfo, sysfs_socinfo); + +set_prop(nqnfcinfo, nfc_nq_prop); + +# Access device nodes inside /dev/nq-nci +allow nqnfcinfo nfc_device:chr_file rw_file_perms; diff --git a/common/property.te b/common/property.te index c3032b10..726d54b5 100755 --- a/common/property.te +++ b/common/property.te 
@@ -72,6 +72,8 @@ type sys_usb_configfs_prop, property_type; type sys_usb_tethering_prop, property_type; type coresight_prop, property_type, core_property_type; +type persist_dpm_prop, property_type, core_property_type; + type ctl_hbtp_prop, property_type; type alarm_boot_prop, property_type, core_property_type; @@ -92,6 +94,14 @@ type alarm_instance_prop, property_type, core_property_type; #HWUI property type hwui_prop, property_type, core_property_type; +#Bservice property +type bservice_prop, property_type, core_property_type; + +#Delayed Service Reschedule property +type reschedule_service_prop, property_type, core_property_type; + type graphics_vulkan_prop, property_type, core_property_type; #boot mode property type boot_mode_prop, property_type; +#properties for nfc +type nfc_nq_prop, property_type, core_property_type; diff --git a/common/property_contexts b/common/property_contexts index bbaf87b4..8520a256 100755 --- a/common/property_contexts +++ b/common/property_contexts @@ -68,6 +68,7 @@ qemu.hw.mainkeys u:object_r:qemu_hw_mainkeys_prop:s0 ro.dbg.coresight.cfg_file u:object_r:coresight_prop:s0 ctl.hbtp u:object_r:ctl_hbtp_prop:s0 sys.audio.init u:object_r:audio_prop:s0 +persist.dpm.feature u:object_r:persist_dpm_prop:s0 ro.alarm_boot u:object_r:alarm_boot_prop:s0 debug.sf.nobootanimation u:object_r:boot_animation_prop:s0 debug.gralloc. u:object_r:debug_gralloc_prop:s0 @@ -83,8 +84,14 @@ ro.alarm_handled u:object_r:alarm_handled_prop:s0 ro.alarm_instance u:object_r:alarm_instance_prop:s0 #HWUI Property ro.hwui.texture_cache_size u:object_r:hwui_prop:s0 +#Bservice Property +ro.sys.fw.bservice_ u:object_r:bservice_prop:s0 +#Delayed Service Restart Property +ro.am.reschedule_service u:object_r:reschedule_service_prop:s0 persist.graphics.vulkan.disable u:object_r:graphics_vulkan_prop:s0 #boot mode property sys.boot_mode u:object_r:boot_mode_prop:s0 # GPU ro.gpu.available_frequencies u:object_r:freq_prop:s0 +# NFC +sys.nfc.nq. u:object_r:nfc_nq_prop:s0 
diff --git a/common/qcomsysd.te b/common/qcomsysd.te index c1257cb8..d9edea1f 100644..100755 --- a/common/qcomsysd.te +++ b/common/qcomsysd.te @@ -21,9 +21,10 @@ allow qcomsysd sysfs_socinfo:file w_file_perms; allow qcomsysd self:capability { dac_override sys_boot }; use_per_mgr(qcomsysd); #allow qcomsysd access boot mode switch -allow qcomsysd boot_mode_prop:property_service set; +set_prop(qcomsysd, boot_mode_prop); #diag userdebug_or_eng(` diag_use(qcomsysd) + allow qcomsysd sysfs:file w_file_perms; ') diff --git a/common/qseecomd.te b/common/qseecomd.te index a2118202..8e2f8955 100644 --- a/common/qseecomd.te +++ b/common/qseecomd.te @@ -47,6 +47,9 @@ allow tee time_daemon:unix_stream_socket connectto; allow tee graphics_device:dir r_dir_perms; allow tee graphics_device:chr_file r_file_perms; +#allow tee access for secure touch to work +allow tee sysfs_securetouch:file rw_file_perms; + allow tee surfaceflinger_service : service_manager find; binder_call(tee, surfaceflinger) diff --git a/common/recovery.te b/common/recovery.te index 210c4050..c5b2c0ec 100644 --- a/common/recovery.te +++ b/common/recovery.te @@ -17,4 +17,10 @@ recovery_only(` allow recovery sg_device:chr_file rw_file_perms; allow recovery self:capability sys_rawio; allow recovery sg_device:chr_file ioctl; + # Enable adb on configfs devices + allow recovery configfs:file rw_file_perms; + allow recovery configfs:dir rw_dir_perms; + set_prop(recovery, ffs_prop); + get_prop(recovery, sys_usb_controller_prop); + get_prop(recovery, boot_mode_prop); ') diff --git a/common/rfs_access.te b/common/rfs_access.te index 318fffc1..629f9e46 100644 --- a/common/rfs_access.te +++ b/common/rfs_access.te @@ -54,7 +54,6 @@ allow rfs_access self:capability { setgid setpcap net_bind_service - net_raw }; # RFS UID and GIDs were changed and moved from old values to new ones OEM range. diff --git a/common/rmt_storage.te b/common/rmt_storage.te index f043becc..56f6f928 100644 --- a/common/rmt_storage.te 
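Review bot: `allow qcomsysd sysfs:file w_file_perms;` inside the `userdebug_or_eng` block of common/qcomsysd.te lets the daemon write to every file that still carries the generic `sysfs` label, and the context line above shows qcomsysd also holds `dac_override`, so DAC modes will not narrow that. The rule is confined to debug builds, but a dedicated type for the node(s) the diag path writes would keep the grant reviewable. At minimum add a comment naming the sysfs path that needs it, e.g. `# diag: write to <sysfs node>`.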
+++ b/common/rmt_storage.te @@ -17,9 +17,7 @@ allow rmt_storage self:capability { setuid setgid sys_admin - dac_override net_bind_service - net_raw setpcap }; diff --git a/common/system_server.te b/common/system_server.te index f77d8a71..d95864c3 100644 --- a/common/system_server.te +++ b/common/system_server.te @@ -87,6 +87,8 @@ allow system_server { graphics_device audio_device tee_device + #allow access to power control ANT chip + bt_device }:chr_file rw_file_perms; #For firmware diff --git a/common/thermal-engine.te b/common/thermal-engine.te index 33a0efed..734ef4a1 100644 --- a/common/thermal-engine.te +++ b/common/thermal-engine.te @@ -55,3 +55,6 @@ type_transition thermal-engine socket_device:sock_file thermal_socket; userdebug_or_eng(` diag_use(thermal-engine) ') + +# To get GPU frequencies +allow thermal-engine sysfs_kgsl:file r_file_perms; diff --git a/common/wcnss_filter.te b/common/wcnss_filter.te index 7d84a76e..41045f60 100644 --- a/common/wcnss_filter.te +++ b/common/wcnss_filter.te @@ -50,6 +50,10 @@ r_dir_file(wcnss_filter, bt_firmware_file) allow wcnss_filter bluetooth_data_file:dir create_dir_perms; allow wcnss_filter bluetooth_data_file:notdevfile_class_set create_file_perms; +allow wcnss_filter persist_bluetooth_file:dir r_dir_perms; +allow wcnss_filter persist_bluetooth_file:file r_file_perms; +allow wcnss_filter persist_file:dir r_dir_perms; + #diag userdebug_or_eng(` diag_use(wcnss_filter) diff --git a/common/wcnss_service.te b/common/wcnss_service.te index 3d9b44c1..2fc7b46c 100644 --- a/common/wcnss_service.te +++ b/common/wcnss_service.te 
@@ -41,9 +41,9 @@ allow wcnss_service fuse:dir create_dir_perms; allow wcnss_service fuse:file create_file_perms; allow wcnss_service vfat:dir create_dir_perms; allow wcnss_service vfat:file create_file_perms; + +# needed for wlan dynamic nv feature allow wcnss_service persist_file:file { rw_file_perms setattr }; -allow wcnss_service dynamic_nv_data_file:file r_file_perms; -allow wcnss_service dynamic_nv_data_file:dir r_dir_perms; # This is needed for ptt_socket app to write logs file collected to sdcard r_dir_file(wcnss_service, storage_file) diff --git a/common/wfdservice.te b/common/wfdservice.te index 276e2e15..1514e055 100644 --- a/common/wfdservice.te +++ b/common/wfdservice.te @@ -39,6 +39,9 @@ allow wfdservice audio_device:dir r_dir_perms; #Allow access to /dev/graphics/fb* for screen capture allow wfdservice graphics_device:chr_file rw_file_perms; +#Allow access to encoder for YUV statistics +allow wfdservice gpu_device:chr_file rw_file_perms; + #Allow communication with init over property server unix_socket_connect(wfdservice, property, init); diff --git a/msm8909/untrusted_app.te b/msm8909/untrusted_app.te index e8b029e1..ce926137 100644 --- a/msm8909/untrusted_app.te +++ b/msm8909/untrusted_app.te @@ -28,3 +28,5 @@ # for oemfs allow untrusted_app oemfs:lnk_file { read getattr }; +#for regionalization data file +allow untrusted_app regionalization_data_file:file r_file_perms; diff --git a/msm8909/zygote.te b/msm8909/zygote.te index 105a3279..07beff4c 100644 --- a/msm8909/zygote.te +++ b/msm8909/zygote.te @@ -29,3 +29,4 @@ allow zygote persist_file:dir r_dir_perms; allow zygote regionalization_file:dir r_dir_perms; allow zygote regionalization_file:file r_file_perms; +r_dir_file(zygote,oemfs); diff --git a/msm8937/untrusted_app.te b/msm8937/untrusted_app.te index e8b029e1..ce926137 100644 --- a/msm8937/untrusted_app.te +++ b/msm8937/untrusted_app.te 
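Review bot: `allow untrusted_app regionalization_data_file:file r_file_perms;` in msm8909/untrusted_app.te lets every third-party app read files labelled from `/data/app-regional(/.*)?` (see the common/file_contexts hunk), and the one-line comment does not say what those files contain. The same line is added in msm8937/untrusted_app.te and msm8953/untrusted_app.te. No matching `regionalization_data_file:dir` rule is visible in these hunks, so path-based access presumably depends on a rule outside them; worth confirming the grant is both sufficient and as narrow as intended. Suggest expanding the comment to state the content and that nothing user- or device-specific is stored there, e.g. `# read-only carrier/regional resources under /data/app-regional`.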
@@ -28,3 +28,5 @@ # for oemfs allow untrusted_app oemfs:lnk_file { read getattr }; +#for regionalization data file +allow untrusted_app regionalization_data_file:file r_file_perms; diff --git a/msm8952/mediaserver.te b/msm8952/mediaserver.te index 5bd54323..f642e817 100644 --- a/msm8952/mediaserver.te +++ b/msm8952/mediaserver.te @@ -30,3 +30,4 @@ allow mediaserver media_msm8956hw_prop:file r_file_perms; allow mediaserver media_settings_xml_prop:file r_file_perms; allow mediaserver seempd:unix_dgram_socket sendto; allow mediaserver seempdw_socket:sock_file write; +allow mediaserver media_msm8956_version_prop:file r_file_perms; diff --git a/msm8952/system_server.te b/msm8952/system_server.te index 54c7faa6..38442a24 100644 --- a/msm8952/system_server.te +++ b/msm8952/system_server.te @@ -25,6 +25,11 @@ # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN # IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +# Allow access to /proc/PID +allow system_server appdomain:dir r_dir_perms; +allow system_server appdomain:file rw_file_perms; + + # For Regionalization service allow system_server regionalization_service:service_manager { add find }; allow system_server regionalization_file:file rw_file_perms; diff --git a/msm8953/untrusted_app.te b/msm8953/untrusted_app.te index e8b029e1..ce926137 100644 --- a/msm8953/untrusted_app.te +++ b/msm8953/untrusted_app.te @@ -28,3 +28,5 @@ # for oemfs allow untrusted_app oemfs:lnk_file { read getattr }; +#for regionalization data file +allow untrusted_app regionalization_data_file:file r_file_perms; diff --git a/msm8992/file_contexts b/msm8992/file_contexts index 841a6c61..00fbce29 100644 --- a/msm8992/file_contexts +++ b/msm8992/file_contexts 
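Review bot: `allow system_server appdomain:file rw_file_perms;` in msm8952/system_server.te grants write and append on every app process's files under the "/proc/PID" comment, and it is added only to this SoC's policy with no explanation of which proc entry needs writing. If the feature only reads process state, `r_file_perms` would be enough; if a specific entry must be written, the comment should name it. Placing a rule this broad in a per-SoC file rather than common policy also makes it easy to miss in later audits.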
@@ -37,7 +37,7 @@ /dev/block/platform/soc\.0/f9824900\.sdhci/by-name/boot u:object_r:boot_block_device:s0 /dev/block/platform/soc\.0/f9824900\.sdhci/by-name/recovery u:object_r:recovery_block_device:s0 /dev/block/platform/soc\.0/f9824900\.sdhci/by-name/cache u:object_r:cache_block_device:s0 -/dev/block/platform/soc\.0/f9824900\.sdhci/by-name/frp u:object_r:frp_block_device:s0 +/dev/block/platform/soc\.0/f9824900\.sdhci/by-name/config u:object_r:frp_block_device:s0 /dev/block/platform/soc\.0/f9824900\.sdhci/by-name/logdump u:object_r:logdump_partition:s0 /dev/block/mmcblk0rpmb u:object_r:rpmb_device:s0 /dev/block/mmcblk0 u:object_r:root_block_device:s0 diff --git a/msm8994/file_contexts b/msm8994/file_contexts index 2957d5de..436b659c 100644 --- a/msm8994/file_contexts +++ b/msm8994/file_contexts @@ -57,5 +57,5 @@ /dev/block/platform/soc\.0/f9824900\.sdhci/by-name/boot u:object_r:boot_block_device:s0 /dev/block/platform/soc\.0/f9824900\.sdhci/by-name/recovery u:object_r:recovery_block_device:s0 /dev/block/platform/soc\.0/f9824900\.sdhci/by-name/cache u:object_r:cache_block_device:s0 -/dev/block/platform/soc\.0/f9824900\.sdhci/by-name/frp u:object_r:frp_block_device:s0 +/dev/block/platform/soc\.0/f9824900\.sdhci/by-name/config u:object_r:frp_block_device:s0 /dev/block/platform/soc\.0/f9824900\.sdhci/by-name/logdump u:object_r:logdump_partition:s0 diff --git a/msm8998/app.te b/msm8998/app.te new file mode 100644 index 00000000..9893883f --- /dev/null +++ b/msm8998/app.te 
@@ -0,0 +1,30 @@ +# Copyright (c) 2016, The Linux Foundation. All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions are +# met: +# * Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# * Redistributions in binary form must reproduce the above +# copyright notice, this list of conditions and the following +# disclaimer in the documentation and/or other materials provided +# with the distribution. +# * Neither the name of The Linux Foundation nor the names of its +# contributors may be used to endorse or promote products derived +# from this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED +# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT +# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS +# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR +# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR +# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, +# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE +# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN +# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +# Allow all apps to connect to VR service +allow appdomain qvrd:fd use; +unix_socket_connect(appdomain, qvrd, qvrd) diff --git a/msmcobalt/bootanim.te b/msm8998/bootanim.te index 51701259..51701259 100644 --- a/msmcobalt/bootanim.te +++ b/msm8998/bootanim.te diff --git a/msmcobalt/device.te b/msm8998/device.te index 66dd4e50..66dd4e50 100644 --- a/msmcobalt/device.te +++ b/msm8998/device.te 
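Review bot: `unix_socket_connect(appdomain, qvrd, qvrd)` together with `allow appdomain qvrd:fd use;` in msm8998/app.te exposes the VR daemon's socket to every domain carrying the `appdomain` attribute, which in AOSP policy includes untrusted and isolated apps. The socket type is also declared `mlstrustedobject` in the msm8998/file.te hunk, so MLS separation will not restrict it either. Unless qvrd validates its peers itself, consider narrowing the source to the domains that actually ship VR clients, e.g. `unix_socket_connect({ platform_app priv_app }, qvrd, qvrd)`. If third-party apps are intended clients, say so in the comment so the daemon's input handling is reviewed as an untrusted-input boundary.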
diff --git a/msmcobalt/file.te b/msm8998/file.te index 7679b9d9..b6d287ab 100644 --- a/msmcobalt/file.te +++ b/msm8998/file.te @@ -29,4 +29,8 @@ type sysfs_emmc_dload, sysfs_type, fs_type; # Data type for QVOP -type qvop_data_file, file_type, data_file_type;
\ No newline at end of file +type qvop_data_file, file_type, data_file_type; + +# Data type for qvrd +type qvrd_data_file, file_type, data_file_type; +type qvrd_socket, file_type, mlstrustedobject; diff --git a/msmcobalt/file_contexts b/msm8998/file_contexts index f842623a..05fc2c62 100644 --- a/msmcobalt/file_contexts +++ b/msm8998/file_contexts @@ -42,21 +42,42 @@ /dev/block/platform/soc/1da4000\.ufshc/by-name/msadp u:object_r:mba_debug_dev:s0 /dev/block/platform/soc/1da4000\.ufshc/by-name/recovery u:object_r:recovery_block_device:s0 /dev/block/platform/soc/1da4000\.ufshc/by-name/cache u:object_r:cache_block_device:s0 +/dev/block/platform/soc/1da4000\.ufshc/by-name/frp u:object_r:frp_block_device:s0 +/dev/block/platform/soc/1da4000\.ufshc/by-name/mdtp u:object_r:mdtp_device:s0 +/dev/block/platform/soc/1da4000\.ufshc/by-name/dip u:object_r:dip_device:s0 #rawdump partition /dev/block/platform/soc/1da4000\.ufshc/by-name/rawdump u:object_r:rawdump_block_device:s0 /sys/kernel/dload/emmc_dload u:object_r:sysfs_emmc_dload:s0 ################################### +# Dev socket nodes +# +/dev/socket/qvrservice u:object_r:qvrd_socket:s0 + +################################### # System files # /system/bin/qvop-daemon u:object_r:qvop_exec:s0 +/system/vendor/bin/qvrservice u:object_r:qvrd_exec:s0 + ################################### # data files # /data/misc/qvop(/.*)? u:object_r:qvop_data_file:s0 +/data/misc/qvr(/.*)? u:object_r:qvrd_data_file:s0 ################################## # non-hlos mount points /firmware u:object_r:firmware_file:s0 /bt_firmware u:object_r:bt_firmware_file:s0 + +################################## +# FBE +/system/bin/init.qcom.qseecomd.sh u:object_r:init-qcom-fbe-sh_exec:s0 + +################################### +# sysfs files +# +/sys/devices/soc/75ba000.i2c/i2c-12/12-0020/input/input[0-9]/secure_touch_enable u:object_r:sysfs_securetouch:s0 +/sys/devices/virtual/graphics/fb([0-3])+/lineptr_value u:object_r:sysfs_graphics:s0 
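Review bot: The new sysfs entries in msm8998/file_contexts leave `.` unescaped (`75ba000.i2c`), unlike the block-device entries in the same file (`1da4000\.ufshc`), and `input[0-9]` matches only a single-digit input index. If the touch controller enumerates as input10 or higher, `secure_touch_enable` keeps the generic sysfs label and the `tee` and `qti_init_shell` rules written for `sysfs_securetouch` will not apply to it. Suggest `/sys/devices/soc/75ba000\.i2c/i2c-12/12-0020/input/input[0-9]+/secure_touch_enable` so the label is applied regardless of enumeration order.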
diff --git a/msmcobalt/idmap.te b/msm8998/idmap.te
index 84b11e8f..84b11e8f 100644
--- a/msmcobalt/idmap.te
+++ b/msm8998/idmap.te
diff --git a/msm8998/init-qcom-fbe-sh.te b/msm8998/init-qcom-fbe-sh.te
new file mode 100644
index 00000000..2eba9da1
--- /dev/null
+++ b/msm8998/init-qcom-fbe-sh.te
@@ -0,0 +1,36 @@ +# Copyright (c) 2016, The Linux Foundation. All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions are +# met: +# * Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# * Redistributions in binary form must reproduce the above +# copyright notice, this list of conditions and the following +# disclaimer in the documentation and/or other materials provided +# with the distribution. +# * Neither the name of The Linux Foundation nor the names of its +# contributors may be used to endorse or promote products derived +# from this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED +# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT +# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS +# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR +# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR +# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, +# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE +# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN +# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +type init-qcom-fbe-sh, domain; +type init-qcom-fbe-sh_exec, exec_type, file_type; + +init_daemon_domain(init-qcom-fbe-sh) + +allow init-qcom-fbe-sh shell_exec:file rx_file_perms; + +# execute toybox/toolbox +allow init-qcom-fbe-sh toolbox_exec:file rx_file_perms; diff --git a/msmcobalt/init_shell.te b/msm8998/init_shell.te index 5f2ea564..ef747698 100644 --- a/msmcobalt/init_shell.te +++ b/msm8998/init_shell.te 
@@ -28,3 +28,6 @@ # For regionalization allow qti_init_shell regionalization_file:dir r_dir_perms; allow qti_init_shell regionalization_file:file create_file_perms; + +# For VR +allow qti_init_shell ctl_qvrd_prop:property_service set; diff --git a/msm8998/mm-qcamerad.te b/msm8998/mm-qcamerad.te new file mode 100644 index 00000000..5e3ff470 --- /dev/null +++ b/msm8998/mm-qcamerad.te 
@@ -0,0 +1,29 @@ +# Copyright (c) 2016, The Linux Foundation. All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions are +# met: +# * Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# * Redistributions in binary form must reproduce the above +# copyright notice, this list of conditions and the following +# disclaimer in the documentation and/or other materials provided +# with the distribution. +# * Neither the name of The Linux Foundation nor the names of its +# contributors may be used to endorse or promote products derived +# from this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED +# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT +# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS +# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR +# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR +# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, +# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE +# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN +# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +#Allow camera to work normally in VR mode +binder_call(mm-qcamerad, qvrd) diff --git a/msmcobalt/platform_app.te b/msm8998/platform_app.te index 919f16f5..919f16f5 100644 --- a/msmcobalt/platform_app.te +++ b/msm8998/platform_app.te diff --git a/msmcobalt/priv_app.te b/msm8998/priv_app.te index 203ed549..203ed549 100644 --- a/msmcobalt/priv_app.te +++ b/msm8998/priv_app.te 
diff --git a/msmcobalt/untrusted_app.te b/msm8998/property.te index e8b029e1..e317966c 100644 --- a/msmcobalt/untrusted_app.te +++ b/msm8998/property.te @@ -25,6 +25,5 @@ # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN # IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - -# for oemfs -allow untrusted_app oemfs:lnk_file { read getattr }; +#properties for qvrd +type ctl_qvrd_prop, property_type; diff --git a/msm8998/property_contexts b/msm8998/property_contexts new file mode 100644 index 00000000..9548ba89 --- /dev/null +++ b/msm8998/property_contexts 
@@ -0,0 +1,28 @@
+# Copyright (c) 2016, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+ctl.qvrd u:object_r:ctl_qvrd_prop:s0
diff --git a/msmcobalt/qseecomd.te b/msm8998/qseecomd.te
index 0e940c59..0e940c59 100644
--- a/msmcobalt/qseecomd.te
+++ b/msm8998/qseecomd.te
diff --git a/msmcobalt/qti-logkit.te b/msm8998/qti-logkit.te
index 725cf476..725cf476 100644
--- a/msmcobalt/qti-logkit.te
+++ b/msm8998/qti-logkit.te
diff --git a/msmcobalt/qvop.te b/msm8998/qvop.te
index ce69fa4d..ce69fa4d 100644
--- a/msmcobalt/qvop.te
+++ b/msm8998/qvop.te
diff --git a/msm8998/qvrd.te b/msm8998/qvrd.te
new file mode 100644
index 00000000..778ae61e
--- /dev/null
+++ b/msm8998/qvrd.te
@@ -0,0 +1,99 @@
+# Copyright (c) 2016, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+type qvrd, domain, mlstrustedsubject;
+type qvrd_exec, exec_type, file_type;
+
+init_daemon_domain(qvrd)
+
+#
+# General
+#
+
+# Allow interracting with qvrd directory
+allow qvrd qvrd_data_file:dir create_dir_perms;
+allow qvrd qvrd_data_file:file create_file_perms;
+
+# Allow access to our socket
+allow qvrd qvrd_socket:sock_file rw_file_perms;
+
+#
+# Sensors
+#
+
+# Allow access to ADSP & SLPI
+allow qvrd { ion_device qdsp_device dsp_device }:chr_file r_file_perms;
+
+# Allow access to adsprpcd
+r_dir_file(qvrd, adsprpcd_file);
+allow qvrd system_file:dir read;
+
+#
+# Display
+#
+
+# Allow access to /sys/devices/virtual/graphics/fb* for lineptr interrupts
+allow qvrd sysfs_graphics:file rw_file_perms;
+
+# Allow access to /dev/graphics/fb0 for configuring vsync interrupts
+allow qvrd graphics_device:dir r_dir_perms;
+allow qvrd graphics_device:chr_file rw_file_perms;
+
+#
+# Scheduler
+#
+
+allow qvrd self:capability { sys_nice };
+userdebug_or_eng(`
+ allow qvrd su:process setsched;
+')
+allow qvrd appdomain:process setsched;
+
+#
+# Camera
+#
+
+# Allow access to camera HAL
+allow qvrd { gpu_device video_device camera_device sensors_device }:chr_file rw_file_perms;
+allow qvrd camera_data_file:dir rw_dir_perms;
+allow qvrd camera_data_file:sock_file w_file_perms;
+allow qvrd mm-qcamerad:unix_dgram_socket sendto;
+binder_use(qvrd)
+binder_call(qvrd, surfaceflinger);
+allow qvrd surfaceflinger_service:service_manager find;
+allow qvrd sysfs:file r_file_perms;
+
+# Allow access to /dev/video/* devices
+allow qvrd video_device:dir r_dir_perms;
+
+unix_socket_connect(qvrd, mpctl, perfd)
+
+# Allow access to sensor1 API
+allow qvrd self:socket create_socket_perms;
+allow qvrd persist_file:dir r_dir_perms;
+allow qvrd sensors_persist_file:dir r_dir_perms;
+allow qvrd sensors_persist_file:file r_file_perms;
diff --git a/msmcobalt/recovery.te b/msm8998/recovery.te
index ef6eb7b0..ef6eb7b0 100644
--- a/msmcobalt/recovery.te
+++ b/msm8998/recovery.te
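Review bot: `type qvrd, domain, mlstrustedsubject;` exempts the new daemon from the MLS constraints that keep differently-levelled app processes and data apart, and nothing in qvrd.te says why it is needed. The only rule in the file that looks like it depends on the attribute is `allow qvrd appdomain:process setsched;` in the Scheduler section, which is itself uncommented and covers every app domain, untrusted_app included. I would put a comment above the type line such as `# mlstrustedsubject: qvrd changes scheduling of app processes that run at per-user MLS levels`, if that is indeed the reason, and drop the attribute otherwise. Separately, `allow qvrd sysfs:file r_file_perms;` in the Camera section grants read on the generic sysfs label; giving the nodes qvrd actually reads their own type, as the Display section does with sysfs_graphics, would keep that grant narrow.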
diff --git a/msmcobalt/ridl.te b/msm8998/ridl.te
index 0147c26c..0147c26c 100644
--- a/msmcobalt/ridl.te
+++ b/msm8998/ridl.te
diff --git a/msmcobalt/service.te b/msm8998/service.te
index ad41b5fa..ad41b5fa 100644
--- a/msmcobalt/service.te
+++ b/msm8998/service.te
diff --git a/msmcobalt/service_contexts b/msm8998/service_contexts
index 20ab6358..20ab6358 100644
--- a/msmcobalt/service_contexts
+++ b/msm8998/service_contexts
diff --git a/msmcobalt/surfaceflinger.te b/msm8998/surfaceflinger.te
index ff6ea3d3..ff6ea3d3 100644
--- a/msmcobalt/surfaceflinger.te
+++ b/msm8998/surfaceflinger.te
diff --git a/msmcobalt/system_app.te b/msm8998/system_app.te
index d11659b6..d11659b6 100644
--- a/msmcobalt/system_app.te
+++ b/msm8998/system_app.te
diff --git a/msmcobalt/system_server.te b/msm8998/system_server.te
index 54c7faa6..54c7faa6 100644
--- a/msmcobalt/system_server.te
+++ b/msm8998/system_server.te
diff --git a/msm8998/untrusted_app.te b/msm8998/untrusted_app.te
new file mode 100644
index 00000000..ce926137
--- /dev/null
+++ b/msm8998/untrusted_app.te
@@ -0,0 +1,32 @@
+# Copyright (c) 2016, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+
+# for oemfs
+allow untrusted_app oemfs:lnk_file { read getattr };
+#for regionalization data file
+allow untrusted_app regionalization_data_file:file r_file_perms;
diff --git a/msmcobalt/zygote.te b/msm8998/zygote.te
index c8d772e4..c8d772e4 100644
--- a/msmcobalt/zygote.te
+++ b/msm8998/zygote.te |
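Review bot: `allow untrusted_app regionalization_data_file:file r_file_perms;` makes every file carrying that label readable by any third-party app, and the comment `#for regionalization data file` says neither what those files contain nor which app reads them. The type is declared outside this hunk, so its contents cannot be checked from here; if only preloaded carrier apps need the data, the rule belongs on a narrower domain than untrusted_app. At minimum I would replace the comment with one that records the outcome of that check, e.g. `# regionalization resources are read by third-party apps at runtime; files hold no user or carrier secrets`. The file list shows two-line additions to the msm8909, msm8937 and msm8953 untrusted_app.te files as well, so the same question probably applies there.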