author | Linux Build Service Account <lnxbuild@localhost> | 2014-12-10 13:04:02 -0800 |
---|---|---|
committer | Gerrit - the friendly Code Review server <code-review@localhost> | 2014-12-10 13:04:02 -0800 |
commit | 95ce2bcf8ef450a013e6f20659c92aaa7551b1d0 (patch) | |
tree | 4e806d190c6a91c04b1a58badd000256ea3215e6 | |
parent | 77586e2947fc8c5c3bc1ef222478961518ae14a5 (diff) | |
parent | 8d099a3ce02c3ebca5d3f93ea3db112892e10662 (diff) | |
download | android_device_qcom_sepolicy-95ce2bcf8ef450a013e6f20659c92aaa7551b1d0.tar.gz android_device_qcom_sepolicy-95ce2bcf8ef450a013e6f20659c92aaa7551b1d0.tar.bz2 android_device_qcom_sepolicy-95ce2bcf8ef450a013e6f20659c92aaa7551b1d0.zip |
Merge "Sepolicy : Add policies for qlogd"
-rwxr-xr-x | common/device.te | 3 | ||||
-rw-r--r-- | common/file.te | 2 | ||||
-rw-r--r-- | common/file_contexts | 5 | ||||
-rw-r--r-- | common/qlogd.te | 44 |
4 files changed, 41 insertions, 13 deletions
diff --git a/common/device.te b/common/device.te
index 2fdd2927..a4ec98cf 100755
--- a/common/device.te
+++ b/common/device.te
@@ -76,6 +76,9 @@ type wcnss_device, dev_type;
 type mmc_block_device, dev_type;
+# Define QDSS devices
+type qdss_device, dev_type;
+
 #Define Gadget serial device
 type gadget_serial_device, dev_type;
diff --git a/common/file.te b/common/file.te
index c7a36d74..b1f92b78 100644
--- a/common/file.te
+++ b/common/file.te
@@ -95,7 +95,7 @@ type sysfs_socinfo, fs_type, sysfs_type;
 type sysfs_usb_uicc, sysfs_type, fs_type;
 type qlogd_socket, file_type;
-
+type qlogd_data_file, file_type;
 #Define the files written during the operation of mm-pp-daemon
 type display_config, file_type, data_file_type;
diff --git a/common/file_contexts b/common/file_contexts
index 8e558276..6e021120 100644
--- a/common/file_contexts
+++ b/common/file_contexts
@@ -55,6 +55,10 @@ /dev/hbtp_input u:object_r:hbtp_device:s0
 /dev/jdi-bu21150 u:object_r:bu21150_device:s0
 /dev/voice_svc u:object_r:voice_device:s0
+/dev/coresight-stm u:object_r:qdss_device:s0
+/dev/coresight-tmc-etf u:object_r:qdss_device:s0
+/dev/coresight-tmc-etr u:object_r:qdss_device:s0
+/dev/coresight-tmc-etr-stream u:object_r:qdss_device:s0
 ###################################
 # Dev socket nodes
@@ -219,6 +223,7 @@ /data/misc/location(/.*)? u:object_r:location_data_file:s0
 /data/FTM_AP(/.*)? u:object_r:mmi_data_file:s0
 /data/misc/hbtp(/.*)? u:object_r:hbtp_log_file:s0
+/data/misc/qlogd(/.*)? u:object_r:qlogd_data_file:s0
 ###################################
 # persist files
diff --git a/common/qlogd.te b/common/qlogd.te
index 74e154fe..dd525d9d 100644
--- a/common/qlogd.te
+++ b/common/qlogd.te
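Review bot: In the common/file.te hunk, `qlogd_data_file` is declared with `file_type` only, although the common/file_contexts hunk in this commit labels `/data/misc/qlogd(/.*)?` with it. The neighbouring `display_config` type carries `data_file_type`, and rules written against that attribute will presumably not cover the new directory. I would declare it as `type qlogd_data_file, file_type, data_file_type;`, or add a comment saying the attribute is left off on purpose. The hunk also drops the blank line that separated this group from the `#Define the files written ...` comment; keeping it would preserve the file's layout.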
@@ -6,31 +6,51 @@ type qlogd_exec, exec_type, file_type;
 init_daemon_domain(qlogd)
 # need to access sharemem log device for smem logs
-allow qlogd smem_log_device:chr_file { open read write ioctl };
+allow qlogd smem_log_device:chr_file rw_file_perms;
 # need to add more capabilities for qlogd
-allow qlogd self:capability { setuid setgid dac_override dac_read_search sys_admin };
-allow qlogd self:capability2 syslog;
+allow qlogd self:capability { setuid setgid dac_override dac_read_search
+ sys_admin net_raw net_admin fowner fsetid kill sys_module };
+allow qlogd self:capability2 { block_suspend syslog };
+allow qlogd self:packet_socket { create ioctl bind getopt setopt };
 # need to access system_data partitions for configration files
-allow qlogd system_data_file:dir { write add_name };
-allow qlogd system_data_file:file { open read write create };
+allow qlogd qlogd_data_file:dir rw_dir_perms;
+allow qlogd qlogd_data_file:file create_file_perms;
 allow qlogd system_file:file execute_no_trans;
 # need to create and listen socket
-allow qlogd socket_device:sock_file { create setattr };
-allow qlogd qlogd_socket:sock_file { create read write setattr };
+allow qlogd qlogd_socket:sock_file create_file_perms;
 # need to start shell execute files
 allow qlogd shell_exec:file { execute read open execute_no_trans };
 # need to create and write files in fuse partition
-allow qlogd fuse:dir { search read write add_name create open };
-allow qlogd fuse:file { create read write append open getattr };
+allow qlogd fuse:dir create_dir_perms;
+allow qlogd fuse:file create_file_perms;
-#need to capture kmsg
+# need to capture kmsg
 allow qlogd kernel:system syslog_mod;
+# need for qdss log
+userdebug_or_eng(`
+ allow qlogd debugfs:file read;
+ allow qlogd sysfs:file write;
+ allow qlogd qdss_device:chr_file { open read };
+')
+
 # need for capture adb logs
-allow qlogd logdr_socket:sock_file write;
-allow qlogd logd:unix_stream_socket connectto;
+unix_socket_connect(qlogd, logdr, logd)
+
+# need for subsystem ramdump
+allow qlogd device:dir r_dir_perms;
+allow qlogd ramdump_device:chr_file { setattr rw_file_perms };
+
+# need for qxdm log
+allow qlogd diag_exec:file rx_file_perms;
+allow qlogd sysfs_wake_lock:file ra_file_perms;
+
+# need for tcpdump
+userdebug_or_eng(`
+ allow qlogd kernel:system module_request;
+') |
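Review bot: The widened `self:capability` set in common/qlogd.te adds `net_raw net_admin fowner fsetid kill sys_module` for every build variant, and the new `self:packet_socket` rule is unconditional too, while the only stated consumer of packet capture and module loading (the `# need for tcpdump` block) is already limited to `userdebug_or_eng`. On user builds this leaves a logging daemon that already holds `sys_admin` and `dac_override` able to load kernel modules and open raw packet sockets. I would keep the production rule at the original five capabilities plus whatever the ramdump and qxdm paths demonstrably need, and move `allow qlogd self:capability { net_raw net_admin sys_module };` and `allow qlogd self:packet_socket { create ioctl bind getopt setopt };` into the tcpdump `userdebug_or_eng` block. A comment stating why `fowner`, `fsetid` and `kill` are required would also help, since the hunk gives no reason for them.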