diff options
| author | Steve Kondik <steve@cyngn.com> | 2016-05-19 21:45:22 -0700 |
|---|---|---|
| committer | Steve Kondik <steve@cyngn.com> | 2016-05-19 22:34:18 -0700 |
| commit | b2acdb1cf6f2a9ef15267f4fb6b6f33ae110a8f3 (patch) | |
| tree | 17f82e805da51fed595fc458e108e02c5f362945 | |
| parent | 4a7160147a688dc71cef729399636163a33a1b8e (diff) | |
| parent | 9169d6236d30ba3b99e9d9671b7a8b0d74f3809c (diff) | |
| download | android_device_qcom_sepolicy-b2acdb1cf6f2a9ef15267f4fb6b6f33ae110a8f3.tar.gz android_device_qcom_sepolicy-b2acdb1cf6f2a9ef15267f4fb6b6f33ae110a8f3.tar.bz2 android_device_qcom_sepolicy-b2acdb1cf6f2a9ef15267f4fb6b6f33ae110a8f3.zip | |
Merge branch 'LA.BF64.1.2.2_rb4.37' of git://codeaurora.org/device/qcom/sepolicy into cm-13.0
Change-Id: I5a83ce81d51a0bf769ac5742a30fe92a2d383da9
| -rw-r--r-- | common/bootanim.te | 30 | ||||
| -rw-r--r-- | common/file.te | 1 | ||||
| -rw-r--r-- | common/file_contexts | 4 | ||||
| -rw-r--r-- | common/healthd.te | 2 | ||||
| -rw-r--r-- | common/hostapd.te | 2 | ||||
| -rw-r--r-- | common/mediaserver.te | 3 | ||||
| -rw-r--r-- | common/mm-qcamerad.te | 2 | ||||
| -rw-r--r-- | common/net.te | 9 | ||||
| -rw-r--r-- | common/netd.te | 10 | ||||
| -rw-r--r-- | common/perfd.te | 12 | ||||
| -rw-r--r-- | common/qfp-daemon.te | 4 | ||||
| -rw-r--r-- | common/qsee_svc_app.te | 4 | ||||
| -rw-r--r-- | common/qseecomd.te | 2 | ||||
| -rw-r--r-- | common/qseeproxy.te | 6 | ||||
| -rw-r--r-- | common/system_app.te | 3 | ||||
| -rw-r--r-- | test/fidotest.te | 3 | ||||
| -rw-r--r-- | test/qseeproxysample.te | 3 |
17 files changed, 89 insertions, 11 deletions
diff --git a/common/bootanim.te b/common/bootanim.te new file mode 100644 index 00000000..9a6355a4 --- /dev/null +++ b/common/bootanim.te @@ -0,0 +1,30 @@ +# Copyright (c) 2016, The Linux Foundation. All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions are +# met: +# * Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# * Redistributions in binary form must reproduce the above +# copyright notice, this list of conditions and the following +# disclaimer in the documentation and/or other materials provided +# with the distribution. +# * Neither the name of The Linux Foundation nor the names of its +# contributors may be used to endorse or promote products derived +# from this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED +# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT +# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS +# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR +# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR +# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, +# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE +# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN +# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +# allow bootanim to binder mediaserver +binder_call(bootanim, mediaserver); +allow bootanim mediaserver_service:service_manager find; diff --git a/common/file.te b/common/file.te index 4c1469b7..8474d598 100644 --- a/common/file.te +++ b/common/file.te @@ -143,6 +143,7 @@ type persist_usf_file, file_type; #qfp-daemon type qfp-daemon_data_file, file_type, data_file_type; +type persist_qc_senseid_file, file_type; # dts notifier files type dts_data_file, file_type, data_file_type; diff --git a/common/file_contexts b/common/file_contexts index 1f01146e..fe31cc18 100644 --- a/common/file_contexts +++ b/common/file_contexts @@ -96,6 +96,7 @@ /dev/socket/ims_datad u:object_r:ims_socket:s0 /dev/socket/ims_rtpd u:object_r:ims_socket:s0 /dev/socket/perfd(/.*)? u:object_r:mpctl_socket:s0 +/dev/socket/perfd u:object_r:mpctl_socket:s0 /dev/socket/qlogd u:object_r:qlogd_socket:s0 /dev/socket/ipacm_log_file u:object_r:ipacm_socket:s0 /dev/socket/dpmd u:object_r:dpmd_socket:s0 @@ -136,6 +137,7 @@ /system/bin/mmi u:object_r:mmi_exec:s0 /system/bin/mpdecision u:object_r:mpdecision_exec:s0 /system/vendor/bin/perfd u:object_r:perfd_exec:s0 +/data/misc/perfd(/.*)? u:object_r:mpctl_socket:s0 /system/bin/iop u:object_r:dumpstate_exec:s0 /system/bin/msm_irqbalance u:object_r:msm_irqbalanced_exec:s0 /system/bin/imsdatadaemon u:object_r:ims_exec:s0 @@ -281,7 +283,6 @@ /data/time(/.*)? u:object_r:time_data_file:s0 /data/nfc(/.*)? u:object_r:nfc_data_file:s0 /data/system/perfd(/.*)? u:object_r:mpctl_data_file:s0 -/data/misc/perfd(/.*)? u:object_r:mpctl_socket:s0 /data/misc/iop(/.*)? u:object_r:iop_data_file:s0 /data/misc/iop/iop u:object_r:iop_socket:s0 /data/misc/display(/.*)? u:object_r:display_misc_file:s0 @@ -315,6 +316,7 @@ /persist/data(/.*)? u:object_r:persist_drm_file:s0 /persist/data/tz(/.*)? u:object_r:persist_drm_file:s0 /persist/data/sfs(/.*)? u:object_r:persist_drm_file:s0 +/persist/qc_senseid(/.*)? u:object_r:persist_qc_senseid_file:s0 /persist/usf(/.*)? u:object_r:persist_usf_file:s0 /persist/hlos_rfs(/.*)? u:object_r:rfs_shared_hlos_file:s0 /persist/display(/.*)? u:object_r:persist_display_file:s0 diff --git a/common/healthd.te b/common/healthd.te index 3212afa4..7c1b19a1 100644 --- a/common/healthd.te +++ b/common/healthd.te @@ -2,4 +2,6 @@ r_dir_file(healthd, sysfs_battery_supply) r_dir_file(healthd, sysfs_usb_supply) r_dir_file(healthd, sysfs_thermal); allow healthd alarm_device:chr_file rw_file_perms; + +#allow healthd read rtc device file allow healthd rtc_device:chr_file r_file_perms; diff --git a/common/hostapd.te b/common/hostapd.te index a6272509..f23418bf 100644 --- a/common/hostapd.te +++ b/common/hostapd.te @@ -43,3 +43,5 @@ allow hostapd cnd:fifo_file r_file_perms; allow hostapd smem_log_device:chr_file rw_file_perms; allow hostapd fstman:unix_dgram_socket sendto; unix_socket_send(hostapd, wpa, netd) +allow hostapd netd:unix_dgram_socket sendto; +allow hostapd wpa_socket:sock_file write; diff --git a/common/mediaserver.te b/common/mediaserver.te index 442edc4a..6eae758b 100644 --- a/common/mediaserver.te +++ b/common/mediaserver.te @@ -68,6 +68,9 @@ r_dir_file(mediaserver, adsprpcd_file); #Allow mediaserver to connect to unix sockets for staproxy service allow mediaserver system_app:unix_stream_socket { connectto read write setopt }; +# allow mediaserver to communicate with bootanim +binder_call(mediaserver, bootanim); + #Allow mediaserver to access service manager STAProxyService #Allow mediaserver to access service manager wfdservice allow mediaserver { STAProxyService wfdservice_service }:service_manager find; diff --git a/common/mm-qcamerad.te b/common/mm-qcamerad.te index e7d2737d..7bc5dfe6 100644 --- a/common/mm-qcamerad.te +++ b/common/mm-qcamerad.te @@ -60,6 +60,8 @@ allow mm-qcamerad graphics_device:dir r_dir_perms; type_transition mm-qcamerad system_data_file:file camera_data_file "fdAlbum"; allow mm-qcamerad camera_data_file:file create_file_perms; +allow mm-qcamerad graphics_device:dir r_dir_perms; + #Allow access to /dev/graphics/fb* for screen capture allow mm-qcamerad graphics_device:chr_file rw_file_perms; unix_socket_connect(mm-qcamerad, property, init) diff --git a/common/net.te b/common/net.te index e5e3df03..fc39608c 100644 --- a/common/net.te +++ b/common/net.te @@ -4,3 +4,12 @@ unix_socket_connect(netdomain, cnd, cnd) # allow netdomain access to dpmd unix_socket_connect(netdomain, dpmwrapper, dpmd) +allow netd self:capability fsetid; +allow netd hostapd:unix_dgram_socket sendto; + +# Allow netd to chmod dir /data/misc/dhcp +allow netd dhcp_data_file:dir create_dir_perms; + +type_transition netd wifi_data_file:dir wpa_socket "sockets"; +allow netd wpa_socket:dir create_dir_perms; +allow netd wpa_socket:sock_file create_file_perms; diff --git a/common/netd.te b/common/netd.te index 9e067dd7..680d499a 100644 --- a/common/netd.te +++ b/common/netd.te @@ -19,13 +19,3 @@ allow netd ipacm_data_file:file r_file_perms; # needed for netd to start FST Manager via system property allow netd netd_prop:property_service set; allow netd qtitetherservices_service:service_manager find; - -allow netd self:capability fsetid; -allow netd hostapd:unix_dgram_socket sendto; - -# Allow netd to chmod dir /data/misc/dhcp -allow netd dhcp_data_file:dir create_dir_perms; - -type_transition netd wifi_data_file:dir wpa_socket "sockets"; -allow netd wpa_socket:dir create_dir_perms; -allow netd wpa_socket:sock_file create_file_perms; diff --git a/common/perfd.te b/common/perfd.te index f5bda91f..0cec6b7c 100644 --- a/common/perfd.te +++ b/common/perfd.te @@ -16,6 +16,7 @@ allow perfd self:{ netlink_kobject_uevent_socket socket} create_socket_perms; # mpctl socket allow perfd mpctl_socket:dir rw_dir_perms; allow perfd mpctl_socket:sock_file create_file_perms; +allow perfd mpctl_socket:sock_file rw_file_perms; # default_values file allow perfd mpctl_data_file:dir rw_dir_perms; @@ -39,3 +40,14 @@ unix_socket_connect(perfd, thermal, thermal-engine); # Access device nodes inside /dev/cpuctl allow perfd cpuctl_device:chr_file rw_file_perms; + +# Allow perfd to send signull +allow perfd { + system_server + system_app + wfdservice + mediaserver + thermal-engine + surfaceflinger + appdomain +}:process signull; diff --git a/common/qfp-daemon.te b/common/qfp-daemon.te index 5d2d7a4b..b154c54d 100644 --- a/common/qfp-daemon.te +++ b/common/qfp-daemon.te @@ -55,6 +55,10 @@ allow qfp-daemon qbt1000_device:chr_file rw_file_perms; # R dir perms for firmware dir r_dir_file(qfp-daemon, firmware_file) +# R dir perms for persist qc_senseid dir +r_dir_file(qfp-daemon, persist_file) +r_dir_file(qfp-daemon, persist_qc_senseid_file) + # Allow qfp daemon access to system server binder_call(qfp-daemon, system_server); diff --git a/common/qsee_svc_app.te b/common/qsee_svc_app.te index fd57768c..4ff94df6 100644 --- a/common/qsee_svc_app.te +++ b/common/qsee_svc_app.te @@ -35,3 +35,7 @@ binder_call(qsee_svc_app, qseeproxy) # file permission allow qsee_svc_app qsee_svc_app_data_file:dir create_dir_perms; allow qsee_svc_app qsee_svc_app_data_file:file create_file_perms; + +# allow service manager find +allow qsee_svc_app { app_api_service system_api_service + fidodaemon_service qseeproxy_service }:service_manager find; diff --git a/common/qseecomd.te b/common/qseecomd.te index f97849d6..0c077ea1 100644 --- a/common/qseecomd.te +++ b/common/qseecomd.te @@ -70,6 +70,8 @@ allow tee system_prop:property_service set; #allow access to qfp-daemon allow tee qfp-daemon_data_file:dir create_dir_perms; allow tee qfp-daemon_data_file:file create_file_perms; +allow tee persist_qc_senseid_file:dir create_dir_perms; +allow tee persist_qc_senseid_file:file create_file_perms; #allow access to fingerprintd data file allow tee fingerprintd_data_file:dir create_dir_perms; diff --git a/common/qseeproxy.te b/common/qseeproxy.te index 826f25cb..f3385bf3 100644 --- a/common/qseeproxy.te +++ b/common/qseeproxy.te @@ -59,3 +59,9 @@ allow qseeproxy firmware_file:file r_file_perms; #Allow access to session files allow qseeproxy data_qsee_file:dir create_dir_perms; allow qseeproxy data_qsee_file:file create_file_perms ; + +#Allow access to system_app domain +allow qseeproxy system_app:unix_dgram_socket sendto; + +#Allow access to sysfs files +allow qseeproxy sysfs:file w_file_perms; diff --git a/common/system_app.te b/common/system_app.te index 8673d1e8..f8eef956 100644 --- a/common/system_app.te +++ b/common/system_app.te @@ -109,3 +109,6 @@ r_dir_file(system_app, audio_pp_data_file); # allow access to system app for radio files allow system_app radio_data_file:dir rw_dir_perms; allow system_app radio_data_file:file create_file_perms; + +# access to qseeproxy domain +allow system_app qseeproxy:unix_dgram_socket sendto; diff --git a/test/fidotest.te b/test/fidotest.te index e601d6dc..ed6226da 100644 --- a/test/fidotest.te +++ b/test/fidotest.te @@ -26,4 +26,7 @@ userdebug_or_eng(` # Allow access to firmware allow fidotest firmware_file:dir r_dir_perms; allow fidotest firmware_file:file r_file_perms; + + # Allow service manager to find + allow qsee_svc_app fidotest_service:service_manager find; ') diff --git a/test/qseeproxysample.te b/test/qseeproxysample.te index 6b59bd14..9bddd750 100644 --- a/test/qseeproxysample.te +++ b/test/qseeproxysample.te @@ -54,4 +54,7 @@ userdebug_or_eng(` # Allow access to firmware allow qseeproxysample firmware_file:dir r_dir_perms; allow qseeproxysample firmware_file:file r_file_perms; + + #Allow service manager to find + allow qsee_svc_app qseeproxysample_service:service_manager find; ') |