authorLinux Build Service Account <lnxbuild@localhost>2014-12-10 13:04:02 -0800
committerGerrit - the friendly Code Review server <code-review@localhost>2014-12-10 13:04:02 -0800
commit95ce2bcf8ef450a013e6f20659c92aaa7551b1d0 (patch)
tree4e806d190c6a91c04b1a58badd000256ea3215e6
parent77586e2947fc8c5c3bc1ef222478961518ae14a5 (diff)
parent8d099a3ce02c3ebca5d3f93ea3db112892e10662 (diff)
Merge "Sepolicy : Add policies for qlogd"
-rwxr-xr-xcommon/device.te3
-rw-r--r--common/file.te2
-rw-r--r--common/file_contexts5
-rw-r--r--common/qlogd.te44
4 files changed, 41 insertions, 13 deletions
diff --git a/common/device.te b/common/device.te
index 2fdd2927..a4ec98cf 100755
--- a/common/device.te
+++ b/common/device.te
@@ -76,6 +76,9 @@ type wcnss_device, dev_type;
type mmc_block_device, dev_type;
+# Define QDSS devices
+type qdss_device, dev_type;
+
#Define Gadget serial device
type gadget_serial_device, dev_type;
diff --git a/common/file.te b/common/file.te
index c7a36d74..b1f92b78 100644
--- a/common/file.te
+++ b/common/file.te
@@ -95,7 +95,7 @@ type sysfs_socinfo, fs_type, sysfs_type;
type sysfs_usb_uicc, sysfs_type, fs_type;
type qlogd_socket, file_type;
-
+type qlogd_data_file, file_type;
#Define the files written during the operation of mm-pp-daemon
type display_config, file_type, data_file_type;
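Review bot: `qlogd_data_file` is declared with only `file_type`, yet the file_contexts change in this commit applies it to `/data/misc/qlogd(/.*)?`, so it is a /data type without the `data_file_type` attribute that the neighbouring `display_config` carries. Allow rules and neverallow checks written against `data_file_type` will presumably not cover it; I would declare it as `type qlogd_data_file, file_type, data_file_type;`. The hunk also drops the blank line that separated the qlogd types from the mm-pp-daemon comment, so the new type now reads as part of that group.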
diff --git a/common/file_contexts b/common/file_contexts
index 8e558276..6e021120 100644
--- a/common/file_contexts
+++ b/common/file_contexts
@@ -55,6 +55,10 @@
/dev/hbtp_input u:object_r:hbtp_device:s0
/dev/jdi-bu21150 u:object_r:bu21150_device:s0
/dev/voice_svc u:object_r:voice_device:s0
+/dev/coresight-stm u:object_r:qdss_device:s0
+/dev/coresight-tmc-etf u:object_r:qdss_device:s0
+/dev/coresight-tmc-etr u:object_r:qdss_device:s0
+/dev/coresight-tmc-etr-stream u:object_r:qdss_device:s0
###################################
# Dev socket nodes
@@ -219,6 +223,7 @@
/data/misc/location(/.*)? u:object_r:location_data_file:s0
/data/FTM_AP(/.*)? u:object_r:mmi_data_file:s0
/data/misc/hbtp(/.*)? u:object_r:hbtp_log_file:s0
+/data/misc/qlogd(/.*)? u:object_r:qlogd_data_file:s0
###################################
# persist files
diff --git a/common/qlogd.te b/common/qlogd.te
index 74e154fe..dd525d9d 100644
--- a/common/qlogd.te
+++ b/common/qlogd.te
@@ -6,31 +6,51 @@ type qlogd_exec, exec_type, file_type;
init_daemon_domain(qlogd)
# need to access sharemem log device for smem logs
-allow qlogd smem_log_device:chr_file { open read write ioctl };
+allow qlogd smem_log_device:chr_file rw_file_perms;
# need to add more capabilities for qlogd
-allow qlogd self:capability { setuid setgid dac_override dac_read_search sys_admin };
-allow qlogd self:capability2 syslog;
+allow qlogd self:capability { setuid setgid dac_override dac_read_search
+ sys_admin net_raw net_admin fowner fsetid kill sys_module };
+allow qlogd self:capability2 { block_suspend syslog };
+allow qlogd self:packet_socket { create ioctl bind getopt setopt };
# need to access system_data partitions for configration files
-allow qlogd system_data_file:dir { write add_name };
-allow qlogd system_data_file:file { open read write create };
+allow qlogd qlogd_data_file:dir rw_dir_perms;
+allow qlogd qlogd_data_file:file create_file_perms;
allow qlogd system_file:file execute_no_trans;
# need to create and listen socket
-allow qlogd socket_device:sock_file { create setattr };
-allow qlogd qlogd_socket:sock_file { create read write setattr };
+allow qlogd qlogd_socket:sock_file create_file_perms;
# need to start shell execute files
allow qlogd shell_exec:file { execute read open execute_no_trans };
# need to create and write files in fuse partition
-allow qlogd fuse:dir { search read write add_name create open };
-allow qlogd fuse:file { create read write append open getattr };
+allow qlogd fuse:dir create_dir_perms;
+allow qlogd fuse:file create_file_perms;
-#need to capture kmsg
+# need to capture kmsg
allow qlogd kernel:system syslog_mod;
+# need for qdss log
+userdebug_or_eng(`
+ allow qlogd debugfs:file read;
+ allow qlogd sysfs:file write;
+ allow qlogd qdss_device:chr_file { open read };
+')
+
# need for capture adb logs
-allow qlogd logdr_socket:sock_file write;
-allow qlogd logd:unix_stream_socket connectto;
+unix_socket_connect(qlogd, logdr, logd)
+
+# need for subsystem ramdump
+allow qlogd device:dir r_dir_perms;
+allow qlogd ramdump_device:chr_file { setattr rw_file_perms };
+
+# need for qxdm log
+allow qlogd diag_exec:file rx_file_perms;
+allow qlogd sysfs_wake_lock:file ra_file_perms;
+
+# need for tcpdump
+userdebug_or_eng(`
+ allow qlogd kernel:system module_request;
+')
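Review bot: The widened `self:capability` set (`net_raw net_admin fowner fsetid kill sys_module`) and the new `self:packet_socket` rule are granted on every build variant, while only `kernel:system module_request` is placed inside `userdebug_or_eng`. `sys_module` on top of the existing `sys_admin` and `dac_override` gives kernel-module loading to a daemon that also executes shell (`shell_exec:file ... execute_no_trans`), so on a user build a compromise of qlogd comes close to a kernel compromise. If the network and module permissions exist for the tcpdump case, as the last comment suggests, they should move into that block as sketched below. `fowner`, `fsetid` and `kill` need a comment naming the feature that requires them, since none of the existing "need for" comments covers them.

```selinux
# … unchanged: smem_log_device rule …

# need to add more capabilities for qlogd
# TODO(review): say which feature needs fowner, fsetid and kill
allow qlogd self:capability { setuid setgid dac_override dac_read_search
                              sys_admin fowner fsetid kill };
allow qlogd self:capability2 { block_suspend syslog };

# … unchanged: data file, socket, shell, fuse, kmsg, qdss, logd, ramdump and qxdm rules …

# need for tcpdump (debug builds only)
userdebug_or_eng(`
  allow qlogd self:capability { net_raw net_admin sys_module };
  allow qlogd self:packet_socket { create ioctl bind getopt setopt };
  allow qlogd kernel:system module_request;
')
```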