author | jinwu <jinwu@codeaurora.org> | 2014-11-25 16:35:47 +0800 |
committer | jinwu <jinwu@codeaurora.org> | 2014-12-05 20:01:30 +0800 |
commit | 8d099a3ce02c3ebca5d3f93ea3db112892e10662 (patch) | |
tree | 6b087d4bc2a9badde22554f57fdcb5310aff66a0 | |
parent | fbc4f83670ee249790928891461fd85b48a7d7fc (diff) | |
Sepolicy : Add policies for qlogd
Qlogd needs to collect RPM logs, QDSS logs, tcpdump captures and subsystem
restart dumps; add the policies required for this.
Change-Id: Ieb9384fc22cbf0cf9fad5b36c17cd9bc84121306
-rwxr-xr-x | common/device.te | 3 | ||||
-rwxr-xr-x | common/file.te | 2 | ||||
-rwxr-xr-x | common/file_contexts | 5 | ||||
-rw-r--r-- | common/qlogd.te | 44 |
4 files changed, 41 insertions, 13 deletions
diff --git a/common/device.te b/common/device.te
index 2fdd2927..a4ec98cf 100755
--- a/common/device.te
+++ b/common/device.te
@@ -76,6 +76,9 @@ type wcnss_device, dev_type;
 type mmc_block_device, dev_type;
+# Define QDSS devices
+type qdss_device, dev_type;
+
 #Define Gadget serial device
 type gadget_serial_device, dev_type;
diff --git a/common/file.te b/common/file.te
index 2c62bc55..c0cf3a77 100755
--- a/common/file.te
+++ b/common/file.te
@@ -94,7 +94,7 @@ type sysfs_socinfo, fs_type, sysfs_type;
 type sysfs_usb_uicc, sysfs_type, fs_type;
 type qlogd_socket, file_type;
-
+type qlogd_data_file, file_type;
 #Define the files written during the operation of mm-pp-daemon
 type display_config, file_type, data_file_type;
diff --git a/common/file_contexts b/common/file_contexts
index ac3b7303..91cfdbda 100755
--- a/common/file_contexts
+++ b/common/file_contexts
@@ -55,6 +55,10 @@
 /dev/hbtp_input u:object_r:hbtp_device:s0
 /dev/jdi-bu21150 u:object_r:bu21150_device:s0
 /dev/voice_svc u:object_r:voice_device:s0
+/dev/coresight-stm u:object_r:qdss_device:s0
+/dev/coresight-tmc-etf u:object_r:qdss_device:s0
+/dev/coresight-tmc-etr u:object_r:qdss_device:s0
+/dev/coresight-tmc-etr-stream u:object_r:qdss_device:s0
 ###################################
 # Dev socket nodes
@@ -217,6 +221,7 @@
 /data/misc/location(/.*)? u:object_r:location_data_file:s0
 /data/FTM_AP(/.*)? u:object_r:mmi_data_file:s0
 /data/misc/hbtp(/.*)? u:object_r:hbtp_log_file:s0
+/data/misc/qlogd(/.*)? u:object_r:qlogd_data_file:s0
 ###################################
 # persist files
diff --git a/common/qlogd.te b/common/qlogd.te
index 74e154fe..dd525d9d 100644
--- a/common/qlogd.te
+++ b/common/qlogd.te
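Review bot: `qlogd_data_file` in the file.te hunk is declared with only `file_type`, while the neighbouring `display_config` two lines below also carries `data_file_type`, and the file_contexts hunk places the new type under `/data/misc/qlogd`. The `data_file_type` attribute is what the tree-wide /data rules and assertions key on, so a /data label without it is presumably left out of them — confirm against the base policy, but I would expect `type qlogd_data_file, file_type, data_file_type;`. The removed blank line that the new declaration replaces also leaves it glued to the `mm-pp-daemon` comment; keep a separator line between the two groups.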
@@ -6,31 +6,51 @@ type qlogd_exec, exec_type, file_type;
 init_daemon_domain(qlogd)
 # need to access sharemem log device for smem logs
-allow qlogd smem_log_device:chr_file { open read write ioctl };
+allow qlogd smem_log_device:chr_file rw_file_perms;
 # need to add more capabilities for qlogd
-allow qlogd self:capability { setuid setgid dac_override dac_read_search sys_admin };
-allow qlogd self:capability2 syslog;
+allow qlogd self:capability { setuid setgid dac_override dac_read_search
+ sys_admin net_raw net_admin fowner fsetid kill sys_module };
+allow qlogd self:capability2 { block_suspend syslog };
+allow qlogd self:packet_socket { create ioctl bind getopt setopt };
 # need to access system_data partitions for configration files
-allow qlogd system_data_file:dir { write add_name };
-allow qlogd system_data_file:file { open read write create };
+allow qlogd qlogd_data_file:dir rw_dir_perms;
+allow qlogd qlogd_data_file:file create_file_perms;
 allow qlogd system_file:file execute_no_trans;
 # need to create and listen socket
-allow qlogd socket_device:sock_file { create setattr };
-allow qlogd qlogd_socket:sock_file { create read write setattr };
+allow qlogd qlogd_socket:sock_file create_file_perms;
 # need to start shell execute files
 allow qlogd shell_exec:file { execute read open execute_no_trans };
 # need to create and write files in fuse partition
-allow qlogd fuse:dir { search read write add_name create open };
-allow qlogd fuse:file { create read write append open getattr };
+allow qlogd fuse:dir create_dir_perms;
+allow qlogd fuse:file create_file_perms;
-#need to capture kmsg
+# need to capture kmsg
 allow qlogd kernel:system syslog_mod;
+# need for qdss log
+userdebug_or_eng(`
+ allow qlogd debugfs:file read;
+ allow qlogd sysfs:file write;
+ allow qlogd qdss_device:chr_file { open read };
+')
+
 # need for capture adb logs
-allow qlogd logdr_socket:sock_file write;
-allow qlogd logd:unix_stream_socket connectto;
+unix_socket_connect(qlogd, logdr, logd)
+
+# need for subsystem ramdump
+allow qlogd device:dir r_dir_perms;
+allow qlogd ramdump_device:chr_file { setattr rw_file_perms };
+
+# need for qxdm log
+allow qlogd diag_exec:file rx_file_perms;
+allow qlogd sysfs_wake_lock:file ra_file_perms;
+
+# need for tcpdump
+userdebug_or_eng(`
+ allow qlogd kernel:system module_request;
+') |
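Review bot: `sys_module` is added to the unconditional capability line near the top of the hunk, yet the only module-loading consumer this change names — tcpdump's `kernel:system module_request` at the bottom — is wrapped in `userdebug_or_eng`, so user builds ship a daemon that can load kernel modules (subject to whatever module signing the kernel enforces) with no stated need. The same applies to `net_raw`/`net_admin` and the new `self:packet_socket` rule: per the commit message they exist for packet capture, but they are granted on every build. I would move those three pieces into the tcpdump block so the production capability set is what the non-debug log paths need; the gated `allow qlogd sysfs:file write;` in the qdss block is also a write to the generic sysfs label rather than a dedicated type and is worth narrowing if the target node is known. Combined with `dac_override` and the retained `shell_exec` `execute_no_trans`, this domain is already an attractive escalation target, so each extra capability should justify its presence on user builds.
```selinux
allow qlogd self:capability { setuid setgid dac_override dac_read_search
    sys_admin fowner fsetid kill };
allow qlogd self:capability2 { block_suspend syslog };
# … unchanged: data, socket, shell, fuse, kmsg, qdss, logd, ramdump, qxdm rules …

# need for tcpdump (debug builds only)
userdebug_or_eng(`
    allow qlogd self:capability { net_raw net_admin sys_module };
    allow qlogd self:packet_socket { create ioctl bind getopt setopt };
    allow qlogd kernel:system module_request;
')
```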