authorjinwu <jinwu@codeaurora.org>2014-11-25 16:35:47 +0800
committerjinwu <jinwu@codeaurora.org>2014-12-05 20:01:30 +0800
commit8d099a3ce02c3ebca5d3f93ea3db112892e10662 (patch)
tree6b087d4bc2a9badde22554f57fdcb5310aff66a0
parentfbc4f83670ee249790928891461fd85b48a7d7fc (diff)
Sepolicy : Add policies for qlogd
Qlogd needs to collect rpm log, qdss log, tcpdump, subsystem restart dump; add more policies for this. Change-Id: Ieb9384fc22cbf0cf9fad5b36c17cd9bc84121306
-rwxr-xr-xcommon/device.te3
-rwxr-xr-xcommon/file.te2
-rwxr-xr-xcommon/file_contexts5
-rw-r--r--common/qlogd.te44
4 files changed, 41 insertions, 13 deletions
diff --git a/common/device.te b/common/device.te
index 2fdd2927..a4ec98cf 100755
--- a/common/device.te
+++ b/common/device.te
@@ -76,6 +76,9 @@ type wcnss_device, dev_type;
type mmc_block_device, dev_type;
+# Define QDSS devices
+type qdss_device, dev_type;
+
#Define Gadget serial device
type gadget_serial_device, dev_type;
diff --git a/common/file.te b/common/file.te
index 2c62bc55..c0cf3a77 100755
--- a/common/file.te
+++ b/common/file.te
@@ -94,7 +94,7 @@ type sysfs_socinfo, fs_type, sysfs_type;
type sysfs_usb_uicc, sysfs_type, fs_type;
type qlogd_socket, file_type;
-
+type qlogd_data_file, file_type;
#Define the files written during the operation of mm-pp-daemon
type display_config, file_type, data_file_type;
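Review bot: `qlogd_data_file` on the added line is declared with `file_type` only, while the neighbouring /data label directly below it, `display_config`, carries `file_type, data_file_type`; since this same commit labels `/data/misc/qlogd(/.*)?` with the new type in file_contexts, the missing attribute presumably leaves that directory outside any rule written against `data_file_type` (the tree-wide /data neverallows and relabel grants, as far as I can tell). Declare it as `type qlogd_data_file, file_type, data_file_type;`. The deleted blank line also puts the new type hard against the following `#Define the files written during the operation of mm-pp-daemon` comment; keep a separator there.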
diff --git a/common/file_contexts b/common/file_contexts
index ac3b7303..91cfdbda 100755
--- a/common/file_contexts
+++ b/common/file_contexts
@@ -55,6 +55,10 @@
/dev/hbtp_input u:object_r:hbtp_device:s0
/dev/jdi-bu21150 u:object_r:bu21150_device:s0
/dev/voice_svc u:object_r:voice_device:s0
+/dev/coresight-stm u:object_r:qdss_device:s0
+/dev/coresight-tmc-etf u:object_r:qdss_device:s0
+/dev/coresight-tmc-etr u:object_r:qdss_device:s0
+/dev/coresight-tmc-etr-stream u:object_r:qdss_device:s0
###################################
# Dev socket nodes
@@ -217,6 +221,7 @@
/data/misc/location(/.*)? u:object_r:location_data_file:s0
/data/FTM_AP(/.*)? u:object_r:mmi_data_file:s0
/data/misc/hbtp(/.*)? u:object_r:hbtp_log_file:s0
+/data/misc/qlogd(/.*)? u:object_r:qlogd_data_file:s0
###################################
# persist files
diff --git a/common/qlogd.te b/common/qlogd.te
index 74e154fe..dd525d9d 100644
--- a/common/qlogd.te
+++ b/common/qlogd.te
@@ -6,31 +6,51 @@ type qlogd_exec, exec_type, file_type;
init_daemon_domain(qlogd)
# need to access sharemem log device for smem logs
-allow qlogd smem_log_device:chr_file { open read write ioctl };
+allow qlogd smem_log_device:chr_file rw_file_perms;
# need to add more capabilities for qlogd
-allow qlogd self:capability { setuid setgid dac_override dac_read_search sys_admin };
-allow qlogd self:capability2 syslog;
+allow qlogd self:capability { setuid setgid dac_override dac_read_search
+ sys_admin net_raw net_admin fowner fsetid kill sys_module };
+allow qlogd self:capability2 { block_suspend syslog };
+allow qlogd self:packet_socket { create ioctl bind getopt setopt };
# need to access system_data partitions for configration files
-allow qlogd system_data_file:dir { write add_name };
-allow qlogd system_data_file:file { open read write create };
+allow qlogd qlogd_data_file:dir rw_dir_perms;
+allow qlogd qlogd_data_file:file create_file_perms;
allow qlogd system_file:file execute_no_trans;
# need to create and listen socket
-allow qlogd socket_device:sock_file { create setattr };
-allow qlogd qlogd_socket:sock_file { create read write setattr };
+allow qlogd qlogd_socket:sock_file create_file_perms;
# need to start shell execute files
allow qlogd shell_exec:file { execute read open execute_no_trans };
# need to create and write files in fuse partition
-allow qlogd fuse:dir { search read write add_name create open };
-allow qlogd fuse:file { create read write append open getattr };
+allow qlogd fuse:dir create_dir_perms;
+allow qlogd fuse:file create_file_perms;
-#need to capture kmsg
+# need to capture kmsg
allow qlogd kernel:system syslog_mod;
+# need for qdss log
+userdebug_or_eng(`
+ allow qlogd debugfs:file read;
+ allow qlogd sysfs:file write;
+ allow qlogd qdss_device:chr_file { open read };
+')
+
# need for capture adb logs
-allow qlogd logdr_socket:sock_file write;
-allow qlogd logd:unix_stream_socket connectto;
+unix_socket_connect(qlogd, logdr, logd)
+
+# need for subsystem ramdump
+allow qlogd device:dir r_dir_perms;
+allow qlogd ramdump_device:chr_file { setattr rw_file_perms };
+
+# need for qxdm log
+allow qlogd diag_exec:file rx_file_perms;
+allow qlogd sysfs_wake_lock:file ra_file_perms;
+
+# need for tcpdump
+userdebug_or_eng(`
+ allow qlogd kernel:system module_request;
+')
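Review bot: The widened capability set under `# need to add more capabilities for qlogd` is granted unconditionally, but the two features it appears to serve are gated: QDSS access sits inside the `userdebug_or_eng` block under `# need for qdss log`, and the tcpdump `module_request` inside the one under `# need for tcpdump`, so user builds still hand qlogd `sys_module`, `net_raw`, `net_admin` and `kill` that no comment justifies outside debug builds. Move `sys_module` beside the `module_request` it pairs with, so the closing block holds `allow qlogd self:capability sys_module;` next to `allow qlogd kernel:system module_request;`, and put `net_raw`/`net_admin` and the `packet_socket` rule under that same tcpdump guard. `allow qlogd sysfs:file write;` targets the generic `sysfs` type rather than a dedicated label for the coresight attributes, which on debug builds grants write access to every sysfs attribute that has no more specific label; a dedicated type (e.g. `sysfs_qdss`, constructed name) with a matching file_contexts or genfscon entry would scope it. `fowner`, `fsetid`, `kill` and `block_suspend` are explained by no comment in the hunk; a one-line comment per capability naming the log source it serves would let a later reviewer drop them when that source goes away.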