author | Linux Build Service Account <lnxbuild@localhost> | 2016-09-14 20:15:17 -0600 |
---|---|---|
committer | Linux Build Service Account <lnxbuild@localhost> | 2016-09-14 20:15:17 -0600 |
commit | bd14aa20396870842e312ec60199e30793550f23 (patch) | |
tree | 2d382700b555f03a9211403a90319f49760183f7 | |
parent | 359064175a50056e72121989c46275ebcc6b8b28 (diff) | |
parent | 9529c0d8f0de2eaad520c80b44dc82e474b58f41 (diff) | |
Promotion of sepolicy.lnx.2.0-00034.
CRs Change ID Subject
--------------------------------------------------------------------------------------------------------------
1057269 Iefa7474ec1ddcb0efe0689ff065629aa1d99c0b9 sepolicy: Adding permissions for camerasever.
1052935 I7713f18a10508ef297e2742969dc5f9064cf9b50 sepolicy: Restrict diag access available to domains
1064092 I5b2624082479d9f9c346aa6acc0cb2235f2f7a63 sepolicy: allow qseecomd to access qsee_ipc_irq_spss dev
1050321 1063858 I9ddd96bf9882fc73dc83b62af24b74670eb36792 Add policy for persist time folder
1063858 I1a7a379a7ac62bc994b24329e056580f9712cbfc Add search rights to persist file for time_daemon
1056052 Ic2ff9b497d7a0b0dca91b72c328b3eb5cda17cce netmgrd: Enable support for destroying TCP sockets throu
1025803 I5b84094fa4f429095c45c3536e6a193e98786eb2 sepolicy:Add oemfs ruler for carrier switch
1063804 Idcdddd06df9d959e78ee80a36c890c8560c41350 sepolicy: Allow mmi access boot mode prop
1064752 I5d65ffaf92617b3942820c0892a0700737c1a07b sepolicy: Add DRM device node to sepolicy file_contexts
1063341 I7ac989f3f26b3d084454cef3e12a44eef083975c sepolicy: allow spdaemon to access cryptoapp device node
1062722 I7ec47c2654b93e5b96ea93e4930cc3b227ca79d0 Sepolicy: allow ipacm to create netfilter socket
1038954 I41cc8a41b096c1b03f43472d1bce51638fa87976 sepolicy: Add adsrpc permission to camera server.
Change-Id: I76fb1c8ad1b9767638f2aa99cdff4de665d11f77
CRs-Fixed: 1025803, 1063341, 1052935, 1064752, 1063804, 1057269, 1056052, 1038954, 1063858, 1050321, 1064092, 1062722
54 files changed, 562 insertions, 7 deletions
diff --git a/common/audioserver.te b/common/audioserver.te index 990e1a1c..a1b74afb 100644 --- a/common/audioserver.te +++ b/common/audioserver.te @@ -47,3 +47,6 @@ allow audioserver audio_data_file:dir remove_name; # Allow audioserver to access sysfs nodes allow audioserver sysfs:file rw_file_perms; +userdebug_or_eng(` + diag_use(audioserver) +') diff --git a/common/cameraserver.te b/common/cameraserver.te index 8a888601..a0777d79 100644 --- a/common/cameraserver.te +++ b/common/cameraserver.te @@ -52,3 +52,7 @@ allow cameraserver sensors_persist_file:dir r_dir_perms; allow cameraserver sensors_persist_file:file r_file_perms; allow cameraserver graphics_device:dir r_dir_perms; allow cameraserver sensorservice_service:service_manager find; +allow cameraserver system_file:dir r_dir_perms; + +#Allows camera to call ADSP QDSP6 functionality +allow cameraserver qdsp_device:chr_file r_file_perms; diff --git a/common/cnd.te b/common/cnd.te index 44cdb1eb..54be97a1 100644 --- a/common/cnd.te +++ b/common/cnd.te @@ -87,3 +87,8 @@ domain_auto_trans(cnd, hostapd_exec, hostapd) # only allow getopt for appdomain allow appdomain zygote:unix_dgram_socket getopt; dontaudit { domain -appdomain } zygote:unix_dgram_socket getopt; + +#diag +userdebug_or_eng(` + diag_use(cnd) +') diff --git a/common/dataservice_app.te b/common/dataservice_app.te index db123df8..9c48a601 100644 --- a/common/dataservice_app.te +++ b/common/dataservice_app.te @@ -52,3 +52,7 @@ dontaudit dataservice_app domain:dir r_dir_perms; #allow dpmservice to get running time for apps r_dir_file(dataservice_app, appdomain) + +userdebug_or_eng(` + diag_use(dataservice_app) +') diff --git a/common/device.te b/common/device.te index 22e046e4..f1997642 100644 --- a/common/device.te +++ b/common/device.te 
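Review bot: The new `allow cameraserver system_file:dir r_dir_perms;` in common/cameraserver.te has no comment, while the qdsp_device rule added just below it does, so a later audit cannot tell which directory under the system_file label cameraserver needs to list. I would add a line such as `# Allow cameraserver to list system_file directories for <feature; to be filled in by the author>` above it. The commit record only says "Adding permissions" for this change, so the reason has to come from the author.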
@@ -98,6 +98,12 @@ type sp_ssr_device, dev_type; # Define sp_keymaster device type sp_keymaster_device, dev_type; +# Define cryptoapp device +type cryptoapp_device, dev_type; + +# Define qsee_ipc_irq_spss device +type qsee_ipc_irq_spss_device, dev_type; + # Define QDSS devices type qdss_device, dev_type; diff --git a/common/domain.te b/common/domain.te index e831bb47..8a747e5c 100644 --- a/common/domain.te +++ b/common/domain.te @@ -1,5 +1,3 @@ -allow { domain -untrusted_app } diag_device:chr_file rw_file_perms; - r_dir_file(domain, sysfs_socinfo); r_dir_file(domain, sysfs_esoc); r_dir_file(domain, sysfs_ssr); diff --git a/common/dpmd.te b/common/dpmd.te index f94953ee..4b92e91b 100644 --- a/common/dpmd.te +++ b/common/dpmd.te @@ -71,3 +71,8 @@ dpmd_socket_perm(netd) #explicitly allow udp socket permissions for appdomain allow dpmd appdomain:udp_socket rw_socket_perms; + +#diag +userdebug_or_eng(` + diag_use(dpmd) +') diff --git a/common/file.te b/common/file.te index 47ec84f4..29d6a721 100644 --- a/common/file.te +++ b/common/file.te @@ -201,3 +201,5 @@ type dynamic_nv_data_file, file_type, data_file_type; type wififtmd_socket, file_type; type persist_alarm_file, file_type; + +type persist_time_file, file_type; diff --git a/common/file_contexts b/common/file_contexts index 88a179ec..d27f2981 100644 --- a/common/file_contexts +++ b/common/file_contexts @@ -20,6 +20,8 @@ /dev/sp_kernel u:object_r:skp_device:s0 /dev/sp_ssr u:object_r:sp_ssr_device:s0 /dev/sp_keymaster u:object_r:sp_keymaster_device:s0 +/dev/cryptoapp u:object_r:cryptoapp_device:s0 +/dev/qsee_ipc_irq_spss u:object_r:qsee_ipc_irq_spss_device:s0 /dev/seemplog u:object_r:seemplog_device:s0 /dev/radio0 u:object_r:fm_radio_device:s0 /dev/rtc0 u:object_r:rtc_device:s0 
@@ -69,6 +71,9 @@ /dev/qbt1000 u:object_r:qbt1000_device:s0 /dev/at_.* u:object_r:at_device:s0 /dev/sg.* u:object_r:sg_device:s0 +/dev/dri/card0 u:object_r:graphics_device:s0 +/dev/dri/controlD64 u:object_r:graphics_device:s0 +/dev/dri/renderD128 u:object_r:graphics_device:s0 ################################### # Dev block nodes diff --git a/common/ims.te b/common/ims.te index 2f74bb7c..68a6a5ac 100644 --- a/common/ims.te +++ b/common/ims.te @@ -63,3 +63,8 @@ netmgr_socket(ims); # Inherit and use open files from radio. allow ims radio:fd use; + +#diag +userdebug_or_eng(` + diag_use(ims) +') diff --git a/common/ipacm.te b/common/ipacm.te index 087092f2..000bfa5e 100644 --- a/common/ipacm.te +++ b/common/ipacm.te @@ -12,8 +12,12 @@ net_domain(ipacm) userdebug_or_eng(` # Allow using the logging file between ipacm and ipacm-diag unix_socket_send(ipacm, ipacm, ipacm-diag) + diag_use(ipacm-diag) ') +# Allow capabilities to create netfilter_socket +allow ipacm self:netlink_netfilter_socket create_socket_perms; + # Allow capabilities to perform network operations and interactions with network interfaces allow ipacm ipacm:capability net_admin; diff --git a/common/location.te b/common/location.te index 2dfec3ba..393bae60 100644 --- a/common/location.te +++ b/common/location.te @@ -59,3 +59,8 @@ netmgr_socket(location); #Allow access to properties set_prop(location, location_prop); + +#diag +userdebug_or_eng(` + diag_use(location) +') diff --git a/common/location_app.te b/common/location_app.te index 3fe928a7..799bc4d8 100644 --- a/common/location_app.te +++ b/common/location_app.te @@ -9,6 +9,7 @@ userdebug_or_eng(` net_domain(location_app) allow location_app { adbd su }:unix_stream_socket connectto; allow location_app mediaserver_service:service_manager find; + diag_use(location_app) ') allow location_app surfaceflinger_service:service_manager find; diff --git a/common/mdtp.te b/common/mdtp.te index 0d1e8511..c0f49e48 100644 --- a/common/mdtp.te +++ b/common/mdtp.te 
@@ -37,6 +37,7 @@ userdebug_or_eng(` #Needed for kill(pid, 0) existance test allow mdtpdaemon su:process signull; allow mdtpdaemon self:capability kill; + diag_use(mdtpdaemon) ') #Allow for transition from init domain to mdtpdaemon diff --git a/common/mmi.te b/common/mmi.te index 1a7dc286..05a00828 100755 --- a/common/mmi.te +++ b/common/mmi.te @@ -113,3 +113,10 @@ unix_socket_connect(mmi, cnd, cnd); unix_socket_connect(mmi, dpmwrapper, dpmd); unix_socket_connect(mmi, netmgrd, netmgrd); net_domain(mmi); + +#allow mmi access boot mode switch +allow mmi boot_mode_prop:property_service set; +#diag +userdebug_or_eng(` + diag_use(mmi) +') diff --git a/common/netmgrd.te b/common/netmgrd.te index 052b464e..ff913442 100644 --- a/common/netmgrd.te +++ b/common/netmgrd.te @@ -6,6 +6,7 @@ init_daemon_domain(netmgrd) userdebug_or_eng(` domain_auto_trans(shell, netmgrd_exec, netmgrd) domain_auto_trans(adbd, netmgrd_exec, netmgrd) + diag_use(netmgrd) ') #Allow files to be written during the operation of netmgrd @@ -33,6 +34,7 @@ allow netmgrd netmgrd:socket { create ioctl }; allow netmgrd netmgrd:netlink_route_socket { setopt getattr write nlmsg_write }; unix_socket_connect(netmgrd, property, init) allow netmgrd self:netlink_generic_socket create_socket_perms; +allow netmgrd self:netlink_tcpdiag_socket { create_socket_perms nlmsg_read nlmsg_write }; unix_socket_connect(netmgrd, cnd, cnd); diff --git a/common/port-bridge.te b/common/port-bridge.te index 8a74d497..83c993cd 100644 --- a/common/port-bridge.te +++ b/common/port-bridge.te @@ -5,6 +5,7 @@ init_daemon_domain(port-bridge) userdebug_or_eng(` domain_auto_trans(shell, port-bridge_exec, netmgrd) domain_auto_trans(adbd, port-bridge_exec, netmgrd) + diag_use(port-bridge) ') # Allow operations on different types of sockets diff --git a/common/property.te b/common/property.te index 0ccfff9b..90a55cfd 100644..100755 --- a/common/property.te +++ b/common/property.te 
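Review bot: `allow mmi boot_mode_prop:property_service set;` in common/mmi.te is written as a raw allow rule, whereas common/spdaemon.te in this same commit uses `set_prop(spdaemon, spcomlib_prop)` and the location.te context uses `set_prop(location, location_prop);`. Writing it as `set_prop(mmi, boot_mode_prop)` keeps property grants in one greppable form and, as far as I know, also covers the property-socket connection; whether mmi already has that connection is not visible in this hunk. The same applies to `allow qcomsysd boot_mode_prop:property_service set;` in common/qcomsysd.te. The comment could also name the property, `sys.boot_mode`, which property_contexts maps to this type.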
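Review bot: The added `allow netmgrd self:netlink_tcpdiag_socket { create_socket_perms nlmsg_read nlmsg_write };` in common/netmgrd.te has no comment, and `nlmsg_write` on this socket class is the part that lets the domain change socket state rather than only query it. The commit record ties the rule to destroying TCP sockets, so I would say so in the policy: `# Allow netmgrd to destroy TCP sockets via the sock_diag netlink interface`. That gives reviewers a stated purpose to check against if the permission set is widened later.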
@@ -41,6 +41,7 @@ type ipacm-diag_prop, property_type; type sensors_prop, property_type; type msm_irqbalance_prop, property_type; type camera_prop, property_type, core_property_type; +type spcomlib_prop, property_type; type sdm_idle_time_prop, property_type, core_property_type; type sf_lcd_density_prop, property_type, core_property_type; type opengles_prop, property_type, core_property_type; @@ -90,3 +91,5 @@ type alarm_instance_prop, property_type, core_property_type; type hwui_prop, property_type, core_property_type; type graphics_vulkan_prop, property_type, core_property_type; +#boot mode property +type boot_mode_prop, property_type; diff --git a/common/property_contexts b/common/property_contexts index e50507a5..ea5bbda5 100644..100755 --- a/common/property_contexts +++ b/common/property_contexts @@ -48,6 +48,7 @@ ctl.sensors u:object_r:sensors_prop:s0 ctl.msm_irqbalance u:object_r:msm_irqbalance_prop:s0 camera. u:object_r:camera_prop:s0 persist.camera. u:object_r:camera_prop:s0 +spcomlib. u:object_r:spcomlib_prop:s0 sdm.idle_time u:object_r:sdm_idle_time_prop:s0 ro.sf.lcd_density u:object_r:sf_lcd_density_prop:s0 ro.opengles.version u:object_r:opengles_prop:s0 @@ -81,3 +82,5 @@ ro.alarm_instance u:object_r:alarm_instance_prop:s0 #HWUI Property ro.hwui.texture_cache_size u:object_r:hwui_prop:s0 persist.graphics.vulkan.disable u:object_r:graphics_vulkan_prop:s0 +#boot mode property +sys.boot_mode u:object_r:boot_mode_prop:s0 diff --git a/common/qcomsysd.te b/common/qcomsysd.te index 9215305d..2dbd2cbc 100644 --- a/common/qcomsysd.te +++ b/common/qcomsysd.te @@ -21,3 +21,10 @@ allow qcomsysd sysfs_socinfo:file w_file_perms; allow qcomsysd self:capability { dac_override sys_boot }; use_per_mgr(qcomsysd); +#allow qcomsysd access boot mode switch +allow qcomsysd boot_mode_prop:property_service set; + +#diag +userdebug_or_eng(` + diag_use(qcomsysd) +') diff --git a/common/qfp-daemon.te b/common/qfp-daemon.te index ccd60240..f7ddb32f 100644 --- a/common/qfp-daemon.te 
+++ b/common/qfp-daemon.te @@ -66,3 +66,8 @@ allow qfp-daemon sensors:unix_stream_socket connectto; # Allow listing input devices and sending input events allow qfp-daemon input_device:chr_file rw_file_perms; allow qfp-daemon input_device:dir r_dir_perms; + +#diag +userdebug_or_eng(` + diag_use(qfp-daemon) +') diff --git a/common/qlogd.te b/common/qlogd.te index ed51cddd..4740e58b 100644 --- a/common/qlogd.te +++ b/common/qlogd.te @@ -50,6 +50,7 @@ userdebug_or_eng(` allow qlogd sysfs:file w_file_perms; r_dir_file(qlogd, storage_file) r_dir_file(qlogd, mnt_user_file) + diag_use(qlogd) ') # need for capture adb logs diff --git a/common/qseecomd.te b/common/qseecomd.te index 6f21134b..a2118202 100644 --- a/common/qseecomd.te +++ b/common/qseecomd.te @@ -71,6 +71,9 @@ allow tee system_prop:property_service set; allow tee qfp-daemon_data_file:dir create_dir_perms; allow tee qfp-daemon_data_file:file create_file_perms; +# Allow access to qsee_ipc_irq_spss device +allow tee qsee_ipc_irq_spss_device:chr_file rw_file_perms; + #allow access to fingerprintd data file allow tee fingerprintd_data_file:dir create_dir_perms; allow tee fingerprintd_data_file:file create_file_perms; diff --git a/common/qti-logkit.te b/common/qti-logkit.te index db03c406..b1f9d552 100644 --- a/common/qti-logkit.te +++ b/common/qti-logkit.te @@ -64,6 +64,7 @@ userdebug_or_eng(` # tcpdump allow qti_logkit self:packet_socket create_socket_perms; allow qti_logkit self:capability net_raw; + diag_use(qti_logkit) ') binder_use(qti_logkit) diff --git a/common/qti.te b/common/qti.te index 5b4827e4..921f083e 100644 --- a/common/qti.te +++ b/common/qti.te @@ -28,3 +28,8 @@ allow qti self:{ } create_socket_perms; allow qti { shell_exec system_file }:file rx_file_perms; + +#diag +userdebug_or_eng(` + diag_use(qti) +') diff --git a/common/radio.te b/common/radio.te index 4010500c..fcec958d 100644 --- a/common/radio.te +++ b/common/radio.te 
@@ -15,3 +15,7 @@ allow radio uce_service:service_manager { add find }; allow radio self:socket create_socket_perms; allow radio { cameraserver_service mediaextractor_service mediacodec_service }:service_manager find; +#diag +userdebug_or_eng(` + diag_use(radio) +') diff --git a/common/rild.te b/common/rild.te index 62668a21..6d1fe057 100644 --- a/common/rild.te +++ b/common/rild.te @@ -30,3 +30,8 @@ allow rild { mediaserver_service audioserver_service }:service_manager find; # Rule for RILD to talk to peripheral manager use_per_mgr(rild); + +#diag +userdebug_or_eng(` + diag_use(rild) +') diff --git a/common/sensors.te b/common/sensors.te index 9e3cbdb4..3039434b 100644 --- a/common/sensors.te +++ b/common/sensors.te @@ -58,6 +58,7 @@ allow sensors device_latency:chr_file w_file_perms; # Access to tests from userdebug/eng builds userdebug_or_eng(` domain_auto_trans(shell, sensors_exec, sensors) + diag_use(sensors) ') binder_use(sensors) diff --git a/common/spdaemon.te b/common/spdaemon.te index 1a2d6840..0a78b9c8 100644 --- a/common/spdaemon.te +++ b/common/spdaemon.te @@ -27,6 +27,7 @@ # spdaemon service type spdaemon, domain; + type spdaemon_exec, exec_type, file_type; init_daemon_domain(spdaemon) @@ -43,6 +44,9 @@ allow spdaemon sp_ssr_device:chr_file rw_file_perms; # Allow access to sp_keymaster device allow spdaemon sp_keymaster_device:chr_file rw_file_perms; +# Allow access to cryptoapp device +allow spdaemon cryptoapp_device:chr_file rw_file_perms; + # Allow access to ion device allow spdaemon ion_device:chr_file rw_file_perms; 
@@ -56,5 +60,12 @@ allow spdaemon spss_data_file:file r_file_perms; # Allow check SPSS Apps images stat() allow spdaemon spss_data_file:file getattr; -# Allow set system prop -allow spdaemon system_prop:property_service set; +# Allow get system info +r_dir_file(spdaemon, sysfs) + +# Allow SPSS-PIL via Peripheral Manager +binder_use(spdaemon) +use_per_mgr(spdaemon) + +# Allow set/get prop to set/check if app is loaded +set_prop(spdaemon, spcomlib_prop) diff --git a/common/ssr_diag.te b/common/ssr_diag.te index 956d0b01..f04ab537 100755 --- a/common/ssr_diag.te +++ b/common/ssr_diag.te @@ -4,4 +4,5 @@ init_daemon_domain(ssr_diag); userdebug_or_eng(` allow ssr_diag sysfs:file w_file_perms; + diag_use(ssr_diag) ') diff --git a/common/surfaceflinger.te b/common/surfaceflinger.te index 9baa3a04..0a8ae6de 100644 --- a/common/surfaceflinger.te +++ b/common/surfaceflinger.te @@ -37,3 +37,7 @@ binder_call(surfaceflinger, mmi) #Allow access to cameraserver service allow surfaceflinger cameraserver_service:service_manager find; +#diag +userdebug_or_eng(` + diag_use(surfaceflinger) +') diff --git a/common/system_app.te b/common/system_app.te index fdfa00b3..255e5664 100644 --- a/common/system_app.te +++ b/common/system_app.te @@ -63,6 +63,7 @@ userdebug_or_eng(` # Access to tombstone segfaults allow system_app tombstone_data_file:dir r_dir_perms; allow system_app tombstone_data_file:file r_file_perms; + diag_use(system_app) ') allow system_app cnd_data_file:dir w_dir_perms; diff --git a/common/system_server.te b/common/system_server.te index 2d6c41be..0081be89 100644 --- a/common/system_server.te +++ b/common/system_server.te @@ -157,3 +157,6 @@ allow system_server system_file:system module_load; allow system_server persist_alarm_file:dir rw_dir_perms; allow system_server persist_alarm_file:file { rw_file_perms create }; +userdebug_or_eng(` + diag_use(system_server) +') diff --git a/common/te_macros b/common/te_macros index e232bb5a..4fd7b62b 100644 --- a/common/te_macros 
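Review bot: `r_dir_file(spdaemon, sysfs)` in the last common/spdaemon.te hunk grants read access to every node that carries the generic sysfs label, which is much wider than the "get system info" its comment describes. The common/domain.te context in this same commit already has `r_dir_file(domain, sysfs_socinfo);`, so if SoC information is what spdaemon reads, the new rule may be unnecessary; otherwise labelling the specific node and granting that type would keep the domain tight. At minimum the comment should name the sysfs path being read. The dedicated `spcomlib_prop` used for the property grant in this hunk is the same narrowing applied to properties.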
+++ b/common/te_macros @@ -53,3 +53,9 @@ allow dpmd $1:file r_file_perms; allow dpmd $1:fd use; allow dpmd $1:tcp_socket rw_socket_perms; ') +##################################### +# diag_use(clientdomain) +# allow clientdomain to read/write to diag +define(`diag_use', ` +allow $1 diag_device:chr_file rw_file_perms; +') diff --git a/common/thermal-engine.te b/common/thermal-engine.te index ac9db22e..b347958f 100644 --- a/common/thermal-engine.te +++ b/common/thermal-engine.te @@ -48,3 +48,7 @@ unix_socket_connect(thermal-engine, mpctl, mpdecision) #This is to allow access to uio device allow thermal-engine uio_device:chr_file rw_file_perms; + +userdebug_or_eng(` + diag_use(thermal-engine) +') diff --git a/common/time_daemon.te b/common/time_daemon.te index 5f64ec5f..20d9dbf5 100644 --- a/common/time_daemon.te +++ b/common/time_daemon.te @@ -16,4 +16,13 @@ allow time_daemon time_data_file:dir w_dir_perms; allow time_daemon self:socket create_socket_perms; allow time_daemon self:capability { setuid setgid sys_time }; +allow time_daemon persist_time_file:file create_file_perms; +allow time_daemon persist_time_file:dir w_dir_perms; + +allow time_daemon persist_file:dir search; + r_dir_file(time_daemon, sysfs_esoc); + +userdebug_or_eng(` + diag_use(time_daemon) +') diff --git a/common/wcnss_filter.te b/common/wcnss_filter.te index 9e811456..7d84a76e 100644 --- a/common/wcnss_filter.te +++ b/common/wcnss_filter.te @@ -49,3 +49,8 @@ r_dir_file(wcnss_filter, bt_firmware_file) # Data file accesses. allow wcnss_filter bluetooth_data_file:dir create_dir_perms; allow wcnss_filter bluetooth_data_file:notdevfile_class_set create_file_perms; + +#diag +userdebug_or_eng(` + diag_use(wcnss_filter) +') diff --git a/common/wcnss_service.te b/common/wcnss_service.te index 0ceec433..05b31d40 100644 --- a/common/wcnss_service.te +++ b/common/wcnss_service.te 
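Review bot: Nothing in the `diag_use` macro restricts it to debug builds: the call sites visible in this commit wrap it in `userdebug_or_eng(...)` by hand, so one caller that forgets the wrapper grants `diag_device` read/write on user builds. I would state the contract in the macro header, e.g. `# Must only be invoked inside userdebug_or_eng(); diag access is not meant for user builds`, assuming that is the intent of the restriction. A neverallow on `diag_device:chr_file` for user builds would turn a missed wrapper into a build failure instead of a silent grant. In common/wcnss_service.te the call sits at column 0 and the opening of its enclosing block is outside the hunk, so that one is worth checking by eye.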
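Review bot: The `persist_time_file` rules added to common/time_daemon.te only take effect if something labels the time folder with that type, and neither common/file_contexts hunk in this commit adds such an entry. If the label is not assigned in a file outside this view, time_daemon would still be operating on `persist_file` objects and the two new allows would never match. I would add the file_contexts line alongside the type, in the form `<persist time path>(/.*)? u:object_r:persist_time_file:s0`, with the real path filled in by the author.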
@@ -48,7 +48,8 @@ allow wcnss_service dynamic_nv_data_file:dir r_dir_perms; # This is needed for ptt_socket app to write logs file collected to sdcard r_dir_file(wcnss_service, storage_file) r_dir_file(wcnss_service, mnt_user_file) +diag_use(wcnss_service) ') binder_use(wcnss_service) -use_per_mgr(wcnss_service)
\ No newline at end of file +use_per_mgr(wcnss_service) diff --git a/msm8937/idmap.te b/msm8937/idmap.te new file mode 100644 index 00000000..84b11e8f --- /dev/null +++ b/msm8937/idmap.te @@ -0,0 +1,30 @@ +# Copyright (c) 2016, The Linux Foundation. All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions are +# met: +# * Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# * Redistributions in binary form must reproduce the above +# copyright notice, this list of conditions and the following +# disclaimer in the documentation and/or other materials provided +# with the distribution. +# * Neither the name of The Linux Foundation nor the names of its +# contributors may be used to endorse or promote products derived +# from this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED +# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT +# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS +# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR +# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR +# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, +# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE +# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN +# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +#for oemfs +allow idmap oemfs:file r_file_perms; +allow idmap oemfs:dir r_dir_perms; diff --git a/msm8937/platform_app.te b/msm8937/platform_app.te new file mode 100644 index 00000000..919f16f5 --- /dev/null +++ b/msm8937/platform_app.te 
@@ -0,0 +1,29 @@ +# Copyright (c) 2016, The Linux Foundation. All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions are +# met: +# * Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# * Redistributions in binary form must reproduce the above +# copyright notice, this list of conditions and the following +# disclaimer in the documentation and/or other materials provided +# with the distribution. +# * Neither the name of The Linux Foundation nor the names of its +# contributors may be used to endorse or promote products derived +# from this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED +# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT +# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS +# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR +# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR +# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, +# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE +# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN +# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +#for oemfs +allow platform_app oemfs:lnk_file { read getattr }; diff --git a/msm8937/priv_app.te b/msm8937/priv_app.te new file mode 100644 index 00000000..203ed549 --- /dev/null +++ b/msm8937/priv_app.te 
@@ -0,0 +1,29 @@ +# Copyright (c) 2016, The Linux Foundation. All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions are +# met: +# * Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# * Redistributions in binary form must reproduce the above +# copyright notice, this list of conditions and the following +# disclaimer in the documentation and/or other materials provided +# with the distribution. +# * Neither the name of The Linux Foundation nor the names of its +# contributors may be used to endorse or promote products derived +# from this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED +# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT +# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS +# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR +# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR +# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, +# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE +# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN +# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +#for oemfs +allow priv_app oemfs:lnk_file { read getattr }; diff --git a/msm8937/system_app.te b/msm8937/system_app.te new file mode 100644 index 00000000..10c8adac --- /dev/null +++ b/msm8937/system_app.te 
@@ -0,0 +1,29 @@ +# Copyright (c) 2016, The Linux Foundation. All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions are +# met: +# * Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# * Redistributions in binary form must reproduce the above +# copyright notice, this list of conditions and the following +# disclaimer in the documentation and/or other materials provided +# with the distribution. +# * Neither the name of The Linux Foundation nor the names of its +# contributors may be used to endorse or promote products derived +# from this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED +# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT +# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS +# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR +# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR +# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, +# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE +# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN +# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +#for oemfs +allow system_app oemfs:lnk_file { read getattr }; diff --git a/msm8937/untrusted_app.te b/msm8937/untrusted_app.te new file mode 100644 index 00000000..e8b029e1 --- /dev/null +++ b/msm8937/untrusted_app.te 
@@ -0,0 +1,30 @@ +# Copyright (c) 2016, The Linux Foundation. All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions are +# met: +# * Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# * Redistributions in binary form must reproduce the above +# copyright notice, this list of conditions and the following +# disclaimer in the documentation and/or other materials provided +# with the distribution. +# * Neither the name of The Linux Foundation nor the names of its +# contributors may be used to endorse or promote products derived +# from this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED +# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT +# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS +# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR +# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR +# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, +# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE +# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN +# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + + +# for oemfs +allow untrusted_app oemfs:lnk_file { read getattr }; diff --git a/msm8953/idmap.te b/msm8953/idmap.te new file mode 100644 index 00000000..84b11e8f --- /dev/null +++ b/msm8953/idmap.te 
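Review bot: `allow untrusted_app oemfs:lnk_file { read getattr };` in msm8937/untrusted_app.te extends an OEM-partition permission to the least-trusted app domain, and the only rationale given is `# for oemfs`. The rule is limited to symlinks, but the comment should say which link apps resolve and for which feature, e.g. `# Carrier switch: apps resolve the <symlink path> link on oemfs`, so it can be narrowed or removed later. The platform_app, priv_app and system_app files added for msm8937 and msm8953 carry the same rule with the same comment. The per-target files also have identical blob ids in this commit, so a shared location would keep the two copies from drifting apart.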
@@ -0,0 +1,30 @@ +# Copyright (c) 2016, The Linux Foundation. All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions are +# met: +# * Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# * Redistributions in binary form must reproduce the above +# copyright notice, this list of conditions and the following +# disclaimer in the documentation and/or other materials provided +# with the distribution. +# * Neither the name of The Linux Foundation nor the names of its +# contributors may be used to endorse or promote products derived +# from this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED +# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT +# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS +# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR +# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR +# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, +# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE +# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN +# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +#for oemfs +allow idmap oemfs:file r_file_perms; +allow idmap oemfs:dir r_dir_perms; diff --git a/msm8953/platform_app.te b/msm8953/platform_app.te new file mode 100644 index 00000000..919f16f5 --- /dev/null +++ b/msm8953/platform_app.te 
@@ -0,0 +1,29 @@ +# Copyright (c) 2016, The Linux Foundation. All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions are +# met: +# * Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# * Redistributions in binary form must reproduce the above +# copyright notice, this list of conditions and the following +# disclaimer in the documentation and/or other materials provided +# with the distribution. +# * Neither the name of The Linux Foundation nor the names of its +# contributors may be used to endorse or promote products derived +# from this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED +# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT +# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS +# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR +# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR +# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, +# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE +# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN +# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +#for oemfs +allow platform_app oemfs:lnk_file { read getattr }; diff --git a/msm8953/priv_app.te b/msm8953/priv_app.te new file mode 100644 index 00000000..203ed549 --- /dev/null +++ b/msm8953/priv_app.te 
@@ -0,0 +1,29 @@
+# Copyright (c) 2016, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+#for oemfs
+allow priv_app oemfs:lnk_file { read getattr };
diff --git a/msm8953/system_app.te b/msm8953/system_app.te
new file mode 100644
index 00000000..10c8adac
--- /dev/null
+++ b/msm8953/system_app.te
@@ -0,0 +1,29 @@
+# Copyright (c) 2016, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+#for oemfs
+allow system_app oemfs:lnk_file { read getattr };
diff --git a/msm8953/untrusted_app.te b/msm8953/untrusted_app.te
new file mode 100644
index 00000000..e8b029e1
--- /dev/null
+++ b/msm8953/untrusted_app.te
@@ -0,0 +1,30 @@
+# Copyright (c) 2016, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+
+# for oemfs
+allow untrusted_app oemfs:lnk_file { read getattr };
diff --git a/msmcobalt/idmap.te b/msmcobalt/idmap.te
new file mode 100644
index 00000000..84b11e8f
--- /dev/null
+++ b/msmcobalt/idmap.te
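Review bot: `allow untrusted_app oemfs:lnk_file { read getattr };` is the widest grant in this series, since every third-party app runs as untrusted_app, and the only rationale given is `# for oemfs`, which merely restates the target type. The comment should name the feature and the link being resolved, for example `# carrier switch: apps resolve the oemfs symlink to load overlay resources; link read only, no oemfs file/dir access` (the carrier-switch reason is inferred from the commit subject, so confirm it). If third-party apps do not actually follow that link, dropping this rule and keeping the platform_app, priv_app and system_app ones would be tighter. The same rule and comment are added again in msmcobalt/untrusted_app.te.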
@@ -0,0 +1,30 @@
+# Copyright (c) 2016, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+#for oemfs
+allow idmap oemfs:file r_file_perms;
+allow idmap oemfs:dir r_dir_perms;
diff --git a/msmcobalt/platform_app.te b/msmcobalt/platform_app.te
new file mode 100644
index 00000000..919f16f5
--- /dev/null
+++ b/msmcobalt/platform_app.te
@@ -0,0 +1,29 @@
+# Copyright (c) 2016, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+#for oemfs
+allow platform_app oemfs:lnk_file { read getattr };
diff --git a/msmcobalt/priv_app.te b/msmcobalt/priv_app.te
new file mode 100644
index 00000000..203ed549
--- /dev/null
+++ b/msmcobalt/priv_app.te
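Review bot: The rule `allow platform_app oemfs:lnk_file { read getattr };` is maintained as a separate copy per target rather than stated once. The index lines show identical blobs in both directories: 919f16f5 for msm8953/platform_app.te and msmcobalt/platform_app.te, 203ed549 for both priv_app.te files and e8b029e1 for both untrusted_app.te files. Copies like these tend to drift, and a later tightening applied to one target can silently miss the other. If the oemfs type is declared for every target that builds these files, a single rule in a shared policy file would be easier to audit; otherwise a comment naming the targets that carry oemfs would explain why the copies exist.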
@@ -0,0 +1,29 @@
+# Copyright (c) 2016, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+#for oemfs
+allow priv_app oemfs:lnk_file { read getattr };
diff --git a/msmcobalt/system_app.te b/msmcobalt/system_app.te
index a5dac529..d11659b6 100644
--- a/msmcobalt/system_app.te
+++ b/msmcobalt/system_app.te
@@ -25,4 +25,6 @@
 # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
 # IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
-binder_call(system_app, qvop)
\ No newline at end of file
+binder_call(system_app, qvop)
+#for oemfs
+allow system_app oemfs:lnk_file { read getattr };
diff --git a/msmcobalt/untrusted_app.te b/msmcobalt/untrusted_app.te
new file mode 100644
index 00000000..e8b029e1
--- /dev/null
+++ b/msmcobalt/untrusted_app.te
@@ -0,0 +1,30 @@
+# Copyright (c) 2016, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+
+# for oemfs
+allow untrusted_app oemfs:lnk_file { read getattr };
diff --git a/test/qti-testscripts.te b/test/qti-testscripts.te
index 380af29f..4d3eadfd 100644
--- a/test/qti-testscripts.te
+++ b/test/qti-testscripts.te
@@ -78,5 +78,5 @@ userdebug_or_eng(`
 binder_call({ domain -init -netd }, qti-testscripts)
 allow domain qti-testscripts:fifo_file { write getattr };
 allow domain qti-testscripts:process sigchld;
-
+ diag_use(radio)
 ') |
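Review bot: `diag_use(radio)` grants diag access to the radio domain from inside test/qti-testscripts.te, so someone auditing radio's own policy file will not see it. The line appears to sit inside the `userdebug_or_eng` block, which keeps it off user builds, but it has no comment and follows rules that all concern qti-testscripts. Either move it into the radio policy under its own `userdebug_or_eng` wrapper, or add a comment such as `# radio: diag on debug builds only; must stay inside userdebug_or_eng`. The block opens above the hunk, so the rest of its contents is not visible here.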