author | Ricardo Cerqueira <ricardo@cyngn.com> | 2014-12-29 16:25:58 +0000 |
---|---|---|
committer | Ricardo Cerqueira <ricardo@cyngn.com> | 2014-12-29 16:25:58 +0000 |
commit | c76fa3504d2596a9a8f82a8145b7e0e521cc927f (patch) | |
tree | e06c1295504a6c1dfef22245884ba09eab751cbf | |
parent | 0066d40fd35e6a351a621ccad38ec0a6ad640543 (diff) | |
parent | 414d97d5c10456a3f3888371a20718864d6b514c (diff) | |
Merge remote-tracking branch 'caf/LA.BF.2.1_rb1.6' into cm-12.0
Conflicts:
Android.mk
common/file_contexts
common/ims.te
common/mm-pp-daemon.te
common/netmgrd.te
common/radio.te
common/service.te
common/service_contexts
common/system_app.te
common/system_server.te
common/thermal-engine.te
common/untrusted_app.te
common/wpa.te
msm8960/Android.mk
msm8960/file.te
msm8960/file_contexts
Change-Id: I8308142c06d36380d422fd2256cceae2227fd04f
41 files changed, 365 insertions, 77 deletions
diff --git a/common/atfwd.te b/common/atfwd.te index b4f5cecb..f3d84a80 100644 --- a/common/atfwd.te +++ b/common/atfwd.te @@ -12,3 +12,6 @@ binder_use(atfwd); binder_call(atfwd, system_app); binder_call(atfwd, servicemanager); r_dir_file(atfwd, sysfs_ssr); + +allow atfwd self:udp_socket create; +unix_socket_connect(atfwd, property, init); diff --git a/common/bluetooth.te b/common/bluetooth.te index 76045285..9d806203 100644 --- a/common/bluetooth.te +++ b/common/bluetooth.te @@ -15,8 +15,3 @@ allow bluetooth input_device:chr_file { open read write ioctl }; allow bluetooth persist_file:dir search; allow bluetooth persist_file:file rw_file_perms; -allow bluetooth wpa:unix_stream_socket connectto; - -#For ANT tty communication and to set wc_transport prop -allow system_server bluetooth_prop:property_service set; -allow system_server serial_device:chr_file rw_file_perms; diff --git a/common/device.te b/common/device.te index 6823ecb6..081b8adc 100755 --- a/common/device.te +++ b/common/device.te @@ -76,5 +76,18 @@ type wcnss_device, dev_type; type mmc_block_device, dev_type; +# Define QDSS devices +type qdss_device, dev_type; + #Define Gadget serial device type gadget_serial_device, dev_type; + +#Added for hbtp +type bu21150_device, dev_type; +type hbtp_device, dev_type; + +#added for voice device +type voice_device, dev_type; + +#Define system health monitor devices +type system_health_monitor_device, dev_type; diff --git a/common/dhcp.te b/common/dhcp.te new file mode 100644 index 00000000..8a16a0c1 --- /dev/null +++ b/common/dhcp.te @@ -0,0 +1 @@ +unix_socket_connect(dhcp, cnd, cnd) diff --git a/common/file.te b/common/file.te index ba741410..b1f92b78 100644 --- a/common/file.te +++ b/common/file.te @@ -48,6 +48,7 @@ type sysfs_msmuart_file, sysfs_type, fs_type; # Storage RFS file types type rfs_data_file, file_type; type rfs_system_file, file_type; +type rfs_shared_hlos_file, file_type; #mm-pp-daemon file type for sysfs access type sysfs_leds, fs_type, sysfs_type; 
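Review bot: The two rules added at the end of common/atfwd.te carry no comment, and the property-socket connect is not paired with any `property_service set` rule in this hunk. Connecting to init's property socket only helps if atfwd may set some property type, so either that rule lives elsewhere or the connect is dead weight. I would add a line such as `# atfwd sets <property name> via init; UDP socket is used for <purpose>` and confirm the matching set rule exists. The rest of atfwd.te is outside the hunk.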
@@ -94,10 +95,20 @@ type sysfs_socinfo, fs_type, sysfs_type; type sysfs_usb_uicc, sysfs_type, fs_type; type qlogd_socket, file_type; - +type qlogd_data_file, file_type; #Define the files written during the operation of mm-pp-daemon type display_config, file_type, data_file_type; # IPA file types type ipacm_socket, file_type; type ipacm_data_file, file_type; + +#Define the files written during the operation of mmi +type mmi_data_file, file_type, data_file_type; + +#needed by vold +type proc_dirty_ratio, fs_type; + +# hbtp config file +type hbtp_cfg_file, file_type; +type hbtp_log_file, file_type; diff --git a/common/file_contexts b/common/file_contexts index bedd6e4b..7a8af790 100644 --- a/common/file_contexts +++ b/common/file_contexts @@ -42,8 +42,8 @@ /dev/esoc.* u:object_r:esoc_device:s0 /dev/ks_hsic_bridge u:object_r:ksbridgehsic_device:s0 /dev/efs_hsic_bridge u:object_r:efsbridgehsic_device:s0 -/dev/block/platform/msm_sdcc.1/by-name/misc u:object_r:misc_partition:s0 -/dev/block/platform/msm_sdcc.1/by-name/bootselect u:object_r:bootselect_device:s0 +/dev/block/bootdevice/by-name/misc u:object_r:misc_partition:s0 +/dev/block/bootdevice/by-name/bootselect u:object_r:bootselect_device:s0 /dev/ipa u:object_r:ipa_dev:s0 /dev/wwan_ioctl u:object_r:ipa_dev:s0 /dev/ipaNatTable u:object_r:ipa_dev:s0 @@ -52,6 +52,14 @@ /dev/dpl_ctrl u:object_r:rmnet_device:s0 /dev/wcnss_ctrl u:object_r:wcnss_device:s0 /dev/wcnss_wlan u:object_r:wcnss_device:s0 +/dev/hbtp_input u:object_r:hbtp_device:s0 +/dev/jdi-bu21150 u:object_r:bu21150_device:s0 +/dev/voice_svc u:object_r:voice_device:s0 +/dev/coresight-stm u:object_r:qdss_device:s0 +/dev/coresight-tmc-etf u:object_r:qdss_device:s0 +/dev/coresight-tmc-etr u:object_r:qdss_device:s0 +/dev/coresight-tmc-etr-stream u:object_r:qdss_device:s0 +/dev/system_health_monitor u:object_r:system_health_monitor_device:s0 ################################### # Dev socket nodes 
@@ -98,13 +106,14 @@ /system/bin/drmdiagapp u:object_r:diag_exec:s0 /system/bin/irsc_util u:object_r:irsc_util_exec:s0 /system/bin/mm-pp-daemon u:object_r:mm-pp-daemon_exec:s0 +/system/bin/mmi u:object_r:mmi_exec:s0 /system/bin/mpdecision u:object_r:mpdecision_exec:s0 /system/bin/perfd u:object_r:perfd_exec:s0 /system/bin/msm_irqbalance u:object_r:msm_irqbalanced_exec:s0 /system/bin/imsdatadaemon u:object_r:ims_exec:s0 /system/bin/imsqmidaemon u:object_r:ims_exec:s0 /system/bin/ims_rtp_daemon u:object_r:ims_exec:s0 -/system/bin/imscmservice u:object_r:ims_exec:s0 +/system/bin/imscmservice u:object_r:imscm_exec:s0 /system/bin/netmgrd u:object_r:netmgrd_exec:s0 /system/bin/qmuxd u:object_r:qmuxd_exec:s0 /system/bin/port-bridge u:object_r:port-bridge_exec:s0 @@ -117,6 +126,8 @@ /system/rfs.* u:object_r:rfs_system_file:s0 /system/bin/time_daemon u:object_r:time_daemon_exec:s0 /system/bin/rmt_storage u:object_r:rmt_storage_exec:s0 +/system/bin/rfs_access u:object_r:rfs_access_exec:s0 +/system/bin/tftp_server u:object_r:rfs_access_exec:s0 /system/bin/hvdcp u:object_r:hvdcp_exec:s0 /system/bin/qseecomd u:object_r:tee_exec:s0 /system/bin/hostapd_cli u:object_r:hostapd_exec:s0 @@ -150,6 +161,7 @@ /system/vendor/bin/slim_ap_daemon u:object_r:location_exec:s0 /system/vendor/bin/qti u:object_r:qti_exec:s0 /system/bin/wcnss_service u:object_r:wcnss_service_exec:s0 +/system/vendor/bin/hbtp_daemon u:object_r:hbtp_exec:s0 ################################### # sysfs files @@ -198,6 +210,7 @@ /data/diag_log(/.*)? u:object_r:diag_data_file:s0 /data/misc/sensors(/.*)? u:object_r:sensors_data_file:s0 /data/rfs.* u:object_r:rfs_data_file:s0 +/data/hlos_rfs(/.*)? u:object_r:rfs_shared_hlos_file:s0 /data/camera(/.*)? u:object_r:camera_socket:s0 /data/system/sensors(/.*)? u:object_r:sensors_data_file:s0 /data/time(/.*)? u:object_r:time_data_file:s0 
@@ -209,6 +222,9 @@ /data/dpm(/.*)? u:object_r:dpmd_data_file:s0 /data/misc/qsee(/.*)? u:object_r:data_qsee_file:s0 /data/misc/location(/.*)? u:object_r:location_data_file:s0 +/data/FTM_AP(/.*)? u:object_r:mmi_data_file:s0 +/data/misc/hbtp(/.*)? u:object_r:hbtp_log_file:s0 +/data/misc/qlogd(/.*)? u:object_r:qlogd_data_file:s0 ################################### # persist files @@ -223,3 +239,8 @@ # oem files # /oem(/.*)? u:object_r:system_file:s0 + +################################### +# etc files +# +/etc/firmware/hbtp/* u:object_r:hbtp_cfg_file:s0 diff --git a/common/genfs_contexts b/common/genfs_contexts index 201bd78c..f92adbdb 100644..100755 --- a/common/genfs_contexts +++ b/common/genfs_contexts @@ -1 +1,2 @@ genfscon proc /asound/card0/state u:object_r:proc_audiod:s0 +genfscon proc /proc/sys/vm/dirty_ratio u:object_r:proc_dirty_ratio:s0 diff --git a/common/hbtp.te b/common/hbtp.te new file mode 100644 index 00000000..2d7db0e2 --- /dev/null +++ b/common/hbtp.te @@ -0,0 +1,19 @@ +# Policies for hbtp (host based touch processing) +type hbtp, domain; +type hbtp_exec, exec_type, file_type; + +init_daemon_domain(hbtp) + +# Allow access for /dev/hbtp_input and /dev/jdi-bu21150 +allow hbtp hbtp_device:chr_file rw_file_perms; +allow hbtp bu21150_device:chr_file rw_file_perms; + +allow hbtp hbtp_cfg_file:dir rw_dir_perms; +allow hbtp hbtp_cfg_file:file create_file_perms; + +allow hbtp hbtp_log_file:dir rw_dir_perms; +allow hbtp hbtp_log_file:file create_file_perms; + +allow hbtp self:netlink_kobject_uevent_socket { create read setopt bind }; + +binder_use(hbtp); diff --git a/common/ims.te b/common/ims.te index 1a35abe2..5a104780 100644 --- a/common/ims.te +++ b/common/ims.te 
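Review bot: The new `/etc/firmware/hbtp/*` entry under "etc files" in common/file_contexts is written as a shell glob, but file_contexts entries are anchored regular expressions. As a regex it matches the directory name followed by zero or more slashes, so the files inside it would keep their default label. Every other directory entry in this file uses the `(/.*)?` suffix. On Android `/etc` is normally a symlink into `/system`, so the path probably needs to be the real one: `/system/etc/firmware/hbtp(/.*)? u:object_r:hbtp_cfg_file:s0` (confirm where the config is installed).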
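Review bot: The added genfscon line in common/genfs_contexts uses the path `/proc/sys/vm/dirty_ratio`, but genfscon paths are relative to the filesystem root, as the existing `/asound/card0/state` entry shows. With the extra `/proc` prefix the entry most likely never matches, so the file keeps the generic proc label and the new `allow vold proc_dirty_ratio:file rw_file_perms;` in common/vold.te has nothing to apply to. The line should read `genfscon proc /sys/vm/dirty_ratio u:object_r:proc_dirty_ratio:s0`.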
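Review bot: In the new common/hbtp.te the daemon gets `rw_dir_perms` and `create_file_perms` on `hbtp_cfg_file`, which file_contexts maps to a firmware directory under /etc. If the daemon only reads its configuration from there, the rules should be `allow hbtp hbtp_cfg_file:dir r_dir_perms;` and `allow hbtp hbtp_cfg_file:file r_file_perms;`, leaving write access to `hbtp_log_file` only. A domain that can rewrite its own configuration keeps any compromise persistent across restarts. If the write access is intentional, a comment should say which files are created at runtime.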
@@ -4,13 +4,54 @@ type ims_exec, exec_type, file_type; # Started by init init_daemon_domain(ims) +net_domain(ims) -allow radio ims_socket:sock_file { open read write }; -allow ims ims_socket:sock_file { open read write }; -allow ims property_socket:sock_file write; -allow ims servicemanager:binder call; +# Talk to qmuxd +qmux_socket(ims) + +# To make VT call binder_use(ims) + +# Bring up IMSPDM +allow ims kernel:system module_request; + +allow ims self:socket create_socket_perms; +allow ims self:capability { net_admin net_raw }; + +# Use generic netlink socket +allow ims self:netlink_socket create_socket_perms; + +# To run NDC command +allow ims shell_exec:file rx_file_perms; +allow ims system_file:file rx_file_perms; + +# IMS route installation +allow ims wcnss_service_exec:file rx_file_perms; + +# Talk to netd via netd_socket +unix_socket_connect(ims, netd, netd) + +# Talk to qumuxd via ims_socket +unix_socket_connect(ims, ims, qmuxd) + +# Talk to init via property_socket unix_socket_connect(ims, property, init) -allow ims self:socket { read bind create write ioctl }; -allow ims system_prop:property_service set; + +#Add connectionmanager service allow ims imscm_service:service_manager add; + +# Set property to start imsdata_daemon and ims_rtp_daemon +allow ims qcom_ims_prop:property_service set; + +# permissions needed for IMS to connect and interact with WPA supplicant +allow ims wpa:unix_dgram_socket sendto; +allow ims wpa_exec:file rx_file_perms; +allow ims wpa_socket:dir w_dir_perms; +allow ims wpa_socket:sock_file { write create unlink setattr }; +allow ims wifi_data_file:dir r_dir_perms; + +# permissions for communication with CNE in LBO use case +unix_socket_connect(ims, cnd, cnd) + +#Communication with voice_svc device for audio on APP +allow ims voice_device:chr_file rw_file_perms; diff --git a/common/imscm.te b/common/imscm.te new file mode 100644 index 00000000..22a514dd --- /dev/null +++ b/common/imscm.te 
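Review bot: common/ims.te still lets `ims` register `imscm_service` (`allow ims imscm_service:service_manager add;`), although this same commit relabels /system/bin/imscmservice to `imscm_exec` and gives the new `imscm` domain that permission. If no binary left in the ims domain registers the connection-manager service, the rule should be dropped so only one domain can claim that service name. The hunk also lets a daemon holding `net_admin` and `net_raw` execute `shell_exec` and any `system_file` in its own domain. A dedicated domain transition for the NDC helper would keep those capabilities out of a shell. Minor: the comment `# Talk to qumuxd via ims_socket` should read `qmuxd`.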
@@ -0,0 +1,25 @@ +#integrated sensor process +type imscm, domain; +type imscm_exec, exec_type, file_type; + +# Started by init +init_daemon_domain(imscm) +net_domain(imscm) + +# To make VT call +binder_use(imscm) + +#Add connectionmanager service +allow imscm imscm_service:service_manager add; + +#allow imscm ims_socket:sock_file write; +#allow imscm ims:unix_stream_socket connectto; +unix_socket_connect(imscm, ims, ims) +allow imscm self:capability net_raw; +#allow imscm untrusted_app:binder call; + +# imscm needs to communicate with test app +# using binder call +userdebug_or_eng(` + binder_call(imscm, untrusted_app) +') diff --git a/common/kernel.te b/common/kernel.te new file mode 100755 index 00000000..2a9a0831 --- /dev/null +++ b/common/kernel.te @@ -0,0 +1 @@ +allow kernel block_device:blk_file r_file_perms; diff --git a/common/mediaserver.te b/common/mediaserver.te index 350e4540..68a1bbd9 100644 --- a/common/mediaserver.te +++ b/common/mediaserver.te @@ -5,6 +5,7 @@ allow mediaserver camera_device:chr_file rw_file_perms; unix_socket_send(mediaserver, camera, mm-qcamerad) allow mediaserver tee_device:chr_file rw_file_perms; +allow mediaserver qdsp_device:chr_file r_file_perms; allow mediaserver self:socket create_socket_perms; @@ -19,7 +20,7 @@ userdebug_or_eng(` allow mediaserver sysfs_esoc:dir r_dir_perms; allow mediaserver sysfs_esoc:lnk_file read; - +allow mediaserver system_app_data_file:file rw_file_perms; # access to perflock allow mediaserver mpctl_socket:dir r_dir_perms; unix_socket_send(mediaserver, mpctl, mpdecision) diff --git a/common/mm-pp-daemon.te b/common/mm-pp-daemon.te index d612421d..9b227473 100644 --- a/common/mm-pp-daemon.te +++ b/common/mm-pp-daemon.te 
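Review bot: The header comment of the new common/imscm.te, `#integrated sensor process`, does not describe this domain and looks copied from another policy file. Something like `# IMS connection manager service (imscmservice)` would match the file_contexts entry. The three commented-out `#allow imscm ...` lines should be deleted rather than committed. The first two are superseded by the `unix_socket_connect(imscm, ims, ims)` line, and the third by the `userdebug_or_eng` block at the end of the file.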
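Review bot: The single rule in the new common/kernel.te, `allow kernel block_device:blk_file r_file_perms;`, has no comment and targets the generic `block_device` type, which covers every partition node without its own label. Please document which kernel-side feature opens a block node, e.g. `# kernel reads <partition> for <feature>`. Where possible, point the rule at a specific device type such as the ones already defined in device.te.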
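Review bot: In the second hunk of common/mediaserver.te, `allow mediaserver system_app_data_file:file rw_file_perms;` lets a process that parses untrusted media open, read and write any private data file of any system app. The rule is added without a comment and outside the `userdebug_or_eng` block that precedes it. If the use case is a system app handing a file to mediaserver over binder, dropping `open` keeps that working while preventing mediaserver from opening files by path: `allow mediaserver system_app_data_file:file { read write getattr };`. Otherwise a dedicated file type for the shared files would be narrower.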
@@ -8,12 +8,20 @@ init_daemon_domain(mm-pp-daemon) allow mm-pp-daemon graphics_device:chr_file rw_file_perms; allow mm-pp-daemon graphics_device:dir search; -# Allow reading calibration data from persist -allow mm-pp-daemon persist_file:file r_file_perms; -allow mm-pp-daemon persist_file:dir search; +# Allow reading/writing to persist +# The color config file is dynamically created +allow mm-pp-daemon persist_file:dir rw_dir_perms; +allow mm-pp-daemon persist_file:file create_file_perms; + +# Allow reading/writing data config files +allow mm-pp-daemon display_config:dir create_dir_perms; +allow mm-pp-daemon display_config:file create_file_perms; + +# Allow read to sensor device and read/write to sensor socket +allow mm-pp-daemon sensors_device:chr_file r_file_perms; +allow mm-pp-daemon sensors_socket:sock_file rw_file_perms; +allow mm-pp-daemon sensors:unix_stream_socket connectto; -# Allow pp daemon to save settings to /data -allow mm-pp-daemon display_config:file rw_file_perms; allow mm-pp-daemon system_prop:property_service set; #Calibration can only be done on userdebug or eng builds #Enable on user builds too. This is causing mayhem for gfx @@ -33,12 +41,14 @@ allow mm-pp-daemon system_prop:property_service set; allow mm-pp-daemon shell_exec:file rx_file_perms; allow mm-pp-daemon system_file:file execute_no_trans; allow mm-pp-daemon zygote_exec:file rx_file_perms; + allow mm-pp-daemon self:process ptrace; - # Allow writing to persist - allow mm-pp-daemon persist_file:file rw_file_perms; +# Allow mm-pp-daemon to change the brightness of the target during display +# calibration +allow mm-pp-daemon sysfs:file rw_file_perms; - # Allow mm-pp-daemon to change the brightness of the target during display - # calibration - allow mm-pp-daemon sysfs:file rw_file_perms; - unix_socket_connect(mm-pp-daemon, property, init) #') + +# Allow socket calls in pp-daemon +unix_socket_connect(mm-pp-daemon, property, init) +unix_socket_connect(mm-pp-daemon, pps, init) 
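Review bot: The first hunk of common/mm-pp-daemon.te widens access to the generic `persist_file` type from read-only to `rw_dir_perms` plus `create_file_perms`. Other domains share that label (bluetooth, sensors and system_server rules on this page reference it), so mm-pp-daemon can now create, overwrite and unlink persist files that are not its own. sensors.te already shows the narrower pattern with `sensors_persist_file`. A dedicated type for the colour config directory, with a file_contexts entry, would limit the write access to the files the comment talks about.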
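Review bot: The second hunk of common/mm-pp-daemon.te adds `allow mm-pp-daemon self:process ptrace;` and keeps `allow mm-pp-daemon sysfs:file rw_file_perms;`. The closing `#')` and the "Enable on user builds too" comment suggest the `userdebug_or_eng` wrapper is commented out, so these rules would apply to production builds. Write access to the generic `sysfs` type covers every sysfs node without its own label. The same pattern appears as `allow netmgrd sysfs:file write;` in netmgrd.te and `allow thermal-engine sysfs:file write;` in thermal-engine.te. Each of these should target a labelled node (as `sysfs_leds` or `sysfs_thermal` do) rather than all of sysfs, and the ptrace rule needs a comment stating what is traced or should move back under `userdebug_or_eng`. The opening of the commented-out block is outside the hunk.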
diff --git a/common/mm-qcamerad.te b/common/mm-qcamerad.te index 72a30577..8619e58a 100644 --- a/common/mm-qcamerad.te +++ b/common/mm-qcamerad.te @@ -37,3 +37,6 @@ allow mm-qcamerad system_data_file:file create_file_perms; #Remove GL fine reference allow mm-qcamerad shell_data_file:dir search; + +# IMS use camera daemon to make VT call +allow mm-qcamerad port:tcp_socket name_bind; diff --git a/common/mmi.te b/common/mmi.te new file mode 100644 index 00000000..1f58af17 --- /dev/null +++ b/common/mmi.te @@ -0,0 +1,31 @@ +#integrated process +type mmi, domain; +type mmi_exec, exec_type, file_type; + +#started by init +init_daemon_domain(mmi) + +#self capability +allow mmi self:capability { sys_nice dac_override }; +allow mmi self:capability2 block_suspend; + +#For various devices +allow mmi graphics_device:chr_file rw_file_perms; +allow mmi input_device:chr_file r_file_perms; +allow mmi input_device:dir r_file_perms; +allow mmi nfc_device:chr_file rw_file_perms; +allow mmi shell_exec:file rx_file_perms; +allow mmi sysfs_wake_lock:file rw_file_perms; + +#FTM_AP folder permissions +allow mmi mmi_data_file:dir rw_dir_perms; +allow mmi mmi_data_file:file rw_file_perms; + +#socket +unix_socket_connect(mmi, property, init) + +#allow mmi set system prop +allow mmi powerctl_prop:property_service set; + +#allow mmi operation on MISC partition +allow mmi misc_partition:blk_file w_file_perms; diff --git a/common/mpdecision.te b/common/mpdecision.te index f315b957..6b020d2d 100644 --- a/common/mpdecision.te +++ b/common/mpdecision.te 
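Review bot: `allow mm-qcamerad port:tcp_socket name_bind;` in common/mm-qcamerad.te lets the camera daemon bind any TCP port that has no specific label, which turns a local daemon into a potential network listener. The comment says only that IMS uses it for VT calls. No `self:tcp_socket` or `node_bind` rule is visible in this hunk, so either those exist elsewhere in the file or the bind cannot work yet. Please state the port or range in the comment and, if it is fixed, label it with a dedicated port type instead of using the generic `port`.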
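Review bot: In the new common/mmi.te, `allow mmi input_device:dir r_file_perms;` applies the file macro to a directory class, so the rule lacks `search` and mmi would not be able to traverse the input device directory. It should be `allow mmi input_device:dir r_dir_perms;`. Separately, the domain is granted `dac_override`, `powerctl_prop` set and write access to `misc_partition` unconditionally. The FTM_AP data path suggests a factory-test tool, so consider wrapping the file's rules in `userdebug_or_eng` or at least documenting why the binary ships on user builds.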
@@ -17,12 +17,11 @@ allow mpdecision self:socket create_socket_perms; allow mpdecision device_latency:chr_file w_file_perms; allow mpdecision sysfs_rqstats:dir search; -allow mpdecision socket_device:dir w_file_perms; allow mpdecision sysfs_thermal:dir search; #policies for mpctl #mpctl socket -allow mpdecision self:capability { net_admin chown dac_override fsetid }; +allow mpdecision self:capability { net_admin chown dac_override fsetid sys_nice }; allow mpdecision mpctl_socket:dir rw_dir_perms; allow mpdecision mpctl_socket:sock_file { create_file_perms unlink }; diff --git a/common/netd.te b/common/netd.te index a5e70fa9..124178ad 100644 --- a/common/netd.te +++ b/common/netd.te @@ -1,6 +1,8 @@ #Policies for IPv6 tethering allow netd netd:capability { setgid setuid }; allow netd netd:packet_socket { create bind setopt read ioctl }; +allow netd wfd_app:fd use; +allow netd wfd_app:tcp_socket { read write setopt getopt }; dontaudit netd self:capability sys_module; diff --git a/common/netmgrd.te b/common/netmgrd.te index a5f5a77f..51d39a2d 100644 --- a/common/netmgrd.te +++ b/common/netmgrd.te @@ -61,4 +61,6 @@ allow netmgrd sysfs_esoc:lnk_file read; r_dir_file(netmgrd, sysfs_ssr); -allow netmgrd wcnss_service_exec:file rx_file_perms; +allow netmgrd { wcnss_service_exec wpa_exec }:file rx_file_perms; + +allow netmgrd sysfs:file write; diff --git a/common/property.te b/common/property.te index 1e54640c..ea480c76 100644 --- a/common/property.te +++ b/common/property.te @@ -1,2 +1,3 @@ # property for uicc_daemon type uicc_prop, property_type; +type qcom_ims_prop, property_type; diff --git a/common/property_contexts b/common/property_contexts index fd1f7161..1c4c7a46 100644 --- a/common/property_contexts +++ b/common/property_contexts @@ -1,2 +1,3 @@ wc_transport. u:object_r:bluetooth_prop:s0 usb_uicc. u:object_r:uicc_prop:s0 +sys.ims. u:object_r:qcom_ims_prop:s0 diff --git a/common/qcomsysd.te b/common/qcomsysd.te index 483b97bc..f9c29166 100644 
--- a/common/qcomsysd.te +++ b/common/qcomsysd.te @@ -11,6 +11,7 @@ allow qcomsysd smem_log_device:chr_file { open read write ioctl }; allow qcomsysd diag_device:chr_file { open read write ioctl }; #Needed to read/write cookies to the misc partition +allow qcomsysd block_device:dir { search }; allow qcomsysd misc_partition:blk_file { open read getattr write }; #Needed to access the bootselect partition @@ -19,3 +20,5 @@ allow qcomsysd bootselect_device:blk_file { open read getattr write }; #Needed to get image info from socinfo allow qcomsysd sysfs_socinfo:dir { open search read }; allow qcomsysd sysfs_socinfo:file { open read write }; + +allow qcomsysd self:capability { dac_override }; diff --git a/common/qlogd.te b/common/qlogd.te index 74e154fe..dd525d9d 100644 --- a/common/qlogd.te +++ b/common/qlogd.te 
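Review bot: The last rule added to common/qcomsysd.te, `allow qcomsysd self:capability { dac_override };`, comes without a comment, unlike every other rule in the file. `dac_override` bypasses all file permission checks, and it is usually requested because a file or device node has the wrong owner or mode. Please name the path that triggered the denial in a comment. If the cause is ownership, fixing that in the init script or ueventd rules is preferable to granting the capability.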
@@ -6,31 +6,51 @@ type qlogd_exec, exec_type, file_type; init_daemon_domain(qlogd) # need to access sharemem log device for smem logs -allow qlogd smem_log_device:chr_file { open read write ioctl }; +allow qlogd smem_log_device:chr_file rw_file_perms; # need to add more capabilities for qlogd -allow qlogd self:capability { setuid setgid dac_override dac_read_search sys_admin }; -allow qlogd self:capability2 syslog; +allow qlogd self:capability { setuid setgid dac_override dac_read_search + sys_admin net_raw net_admin fowner fsetid kill sys_module }; +allow qlogd self:capability2 { block_suspend syslog }; +allow qlogd self:packet_socket { create ioctl bind getopt setopt }; # need to access system_data partitions for configration files -allow qlogd system_data_file:dir { write add_name }; -allow qlogd system_data_file:file { open read write create }; +allow qlogd qlogd_data_file:dir rw_dir_perms; +allow qlogd qlogd_data_file:file create_file_perms; allow qlogd system_file:file execute_no_trans; # need to create and listen socket -allow qlogd socket_device:sock_file { create setattr }; -allow qlogd qlogd_socket:sock_file { create read write setattr }; +allow qlogd qlogd_socket:sock_file create_file_perms; # need to start shell execute files allow qlogd shell_exec:file { execute read open execute_no_trans }; # need to create and write files in fuse partition -allow qlogd fuse:dir { search read write add_name create open }; -allow qlogd fuse:file { create read write append open getattr }; +allow qlogd fuse:dir create_dir_perms; +allow qlogd fuse:file create_file_perms; -#need to capture kmsg +# need to capture kmsg allow qlogd kernel:system syslog_mod; +# need for qdss log +userdebug_or_eng(` + allow qlogd debugfs:file read; + allow qlogd sysfs:file write; + allow qlogd qdss_device:chr_file { open read }; +') + # need for capture adb logs -allow qlogd logdr_socket:sock_file write; -allow qlogd logd:unix_stream_socket connectto; +unix_socket_connect(qlogd, logdr, logd) + 
+# need for subsystem ramdump +allow qlogd device:dir r_dir_perms; +allow qlogd ramdump_device:chr_file { setattr rw_file_perms }; + +# need for qxdm log +allow qlogd diag_exec:file rx_file_perms; +allow qlogd sysfs_wake_lock:file ra_file_perms; + +# need for tcpdump +userdebug_or_eng(` + allow qlogd kernel:system module_request; +') diff --git a/common/radio.te b/common/radio.te index c117da17..2b854f5a 100644 --- a/common/radio.te +++ b/common/radio.te @@ -8,3 +8,6 @@ allow radio shell_data_file:dir search; #Need permission to execute dpmd talk to radio layer unix_socket_connect(radio, dpmd, dpmd) + +# IMS needs permission to use unix domain socket +allow radio ims:unix_stream_socket connectto; diff --git a/common/rfs_access.te b/common/rfs_access.te index 129ffa3b..e4dc3a55 100644 --- a/common/rfs_access.te +++ b/common/rfs_access.te 
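Review bot: The rewritten capability rule in common/qlogd.te grants `sys_module`, `net_admin`, `net_raw`, `kill`, `fowner` and `fsetid` on all build types. The tcpdump `module_request` rule further down is correctly limited to `userdebug_or_eng`, but the capabilities and the `packet_socket` rule that serve the same debugging use are not. A logging daemon that can load kernel modules and already holds `sys_admin` is effectively unconfined. I would keep the user-build set at the previous `{ setuid setgid dac_override dac_read_search sys_admin }` and move the rest into the existing block, e.g. `allow qlogd self:capability { net_raw net_admin sys_module };` next to `allow qlogd kernel:system module_request;`. The comment `# need to add more capabilities for qlogd` should say which feature needs each one.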
@@ -5,36 +5,44 @@ init_daemon_domain(rfs_access) #The files created by rfs_access process in the /data folder will have type rfs_data_file type_transition rfs_access system_data_file:{ dir file } rfs_data_file; +type_transition rfs_access system_data_file:dir rfs_shared_hlos_file "hlos_rfs"; #To read the uio char device -allow rfs_access uio_device:chr_file { read write open }; +allow rfs_access uio_device:chr_file rw_file_perms; -#For QMI sockets -allow rfs_access self:socket { create_socket_perms }; +#For QMI sockets and IPCR Sockets +allow rfs_access self:socket create_socket_perms; +allow rfs_access smem_log_device:chr_file rw_file_perms; #For Wakelocks allow rfs_access self:capability2 block_suspend; -allow rfs_access sysfs_wake_lock:file { open write append }; +allow rfs_access sysfs_wake_lock:file w_file_perms; -#To create the /data/rfs -allow rfs_access system_data_file:dir { write add_name }; +#To create the folders in /data +allow rfs_access system_data_file:dir create_dir_perms; #For system folder entries -allow rfs_access rfs_system_file:dir search; -allow rfs_access rfs_system_file:lnk_file read; +allow rfs_access rfs_system_file:dir r_dir_perms; +allow rfs_access rfs_system_file:lnk_file r_file_perms; #For data folder entries -allow rfs_access rfs_data_file:dir { write search create add_name }; -allow rfs_access rfs_data_file:file { open read write create append getattr }; +allow rfs_access rfs_data_file:dir create_dir_perms; +allow rfs_access rfs_data_file:file create_file_perms; + +allow rfs_access rfs_shared_hlos_file:dir create_dir_perms; +allow rfs_access rfs_shared_hlos_file:file create_file_perms; #For ramdump entries in /data/tombstones. 
-allow rfs_access tombstone_data_file:dir { write search create add_name }; -allow rfs_access tombstone_data_file:file { open read write create append getattr }; +allow rfs_access tombstone_data_file:dir create_dir_perms; +allow rfs_access tombstone_data_file:file create_file_perms; #For firmware entries in /firmware to read NHLOS.bin files ( only perms to read and get attributes). -allow rfs_access firmware_file:dir { search }; -allow rfs_access firmware_file:file { open read getattr }; +allow rfs_access firmware_file:dir r_dir_perms; +allow rfs_access firmware_file:file r_file_perms; + +#For dropping permisions from root and wakelock +allow rfs_access self:capability { setuid setgid setpcap net_raw }; #Prevent other domains from accessing RFS data files. -neverallow { domain -rfs_access -kernel -recovery -init userdebug_or_eng(`-su') -init_shell } rfs_data_file:dir { write search create add_name }; -neverallow { domain -rfs_access -kernel -recovery -init userdebug_or_eng(`-su') -init_shell } rfs_data_file:file { open read write create append getattr }; +neverallow { domain -rfs_access -kernel -recovery -init userdebug_or_eng(`-su') -init_shell } rfs_data_file:dir create_dir_perms; +neverallow { domain -rfs_access -kernel -recovery -init userdebug_or_eng(`-su') -init_shell } rfs_data_file:file create_file_perms; diff --git a/common/rmt_storage.te b/common/rmt_storage.te index 04a96ef1..19aea1d0 100644 --- a/common/rmt_storage.te +++ b/common/rmt_storage.te 
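Review bot: `allow rfs_access system_data_file:dir create_dir_perms;` in common/rfs_access.te is much wider than the `{ write add_name }` it replaces. The macro also allows removing, renaming and re-attributing generic directories under /data. The two `type_transition` rules already give the new directories their own types, so creating them only needs `allow rfs_access system_data_file:dir { search write add_name };` on the parent. file_contexts in this commit also labels /system/bin/tftp_server as `rfs_access_exec`, so a binary that by its name serves files shares every permission here, including create access to tombstones. A separate domain for it would be worth considering. Typo in the added comment: `permisions`.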
@@ -3,14 +3,16 @@ type rmt_storage, domain; type rmt_storage_exec, exec_type, file_type; init_daemon_domain(rmt_storage) -allow rmt_storage modem_efs_partition_device:blk_file { read write open }; -allow rmt_storage block_device:dir search; -allow rmt_storage cgroup:dir { create add_name }; -allow rmt_storage smem_log_device:chr_file { read write ioctl open }; -allow rmt_storage self:capability { setuid setgid sys_admin dac_override }; +allow rmt_storage modem_efs_partition_device:blk_file rw_file_perms; +allow rmt_storage block_device:dir r_dir_perms; +allow rmt_storage cgroup:dir create_dir_perms; +allow rmt_storage smem_log_device:chr_file rw_file_perms; + +# sys_admin is needed for ioprio_set +allow rmt_storage self:capability { setuid setgid sys_admin dac_override net_raw setpcap }; + allow rmt_storage self:capability2 block_suspend; -allow rmt_storage self:socket { create_socket_perms }; -allow rmt_storage sysfs_wake_lock:file { open write append }; -allow rmt_storage uio_device:chr_file { read write open }; -allow rmt_storage mmc_block_device:blk_file r_file_perms; -allow rmt_storage self:capability { net_raw setpcap }; +allow rmt_storage self:socket create_socket_perms; +allow rmt_storage sysfs_wake_lock:file w_file_perms; +allow rmt_storage uio_device:chr_file rw_file_perms; +allow rmt_storage mmc_block_device:blk_file r_file_perms;
\ No newline at end of file diff --git a/common/sensors.te b/common/sensors.te index 27a5836e..0e9c8478 100644 --- a/common/sensors.te +++ b/common/sensors.te @@ -14,7 +14,7 @@ allow sensors self:capability chown; dontaudit sensors self:capability fsetid; # Access /data/misc/sensors/debug and /data/system/sensors/settings -allow sensors self:capability { dac_override dac_read_search }; +allow sensors self:capability { dac_override dac_read_search net_bind_service }; # Sensors socket allow sensors sensors_socket:sock_file create_file_perms; @@ -35,6 +35,9 @@ allow sensors persist_file:dir r_dir_perms; allow sensors sensors_persist_file:dir create_dir_perms; allow sensors sensors_persist_file:file create_file_perms; +# Access to execmem +allow sensors self:process execmem; + # Wake lock access wakelock_use(sensors) diff --git a/common/service.te b/common/service.te index ec90dda1..e6625706 100644 --- a/common/service.te +++ b/common/service.te @@ -6,3 +6,4 @@ type wbc_service, service_manager_type; type dun_service, service_manager_type; type digitalpen_service, service_manager_type; type imscm_service, service_manager_type; +type color_service, service_manager_type; diff --git a/common/service_contexts b/common/service_contexts index b29e165e..eccd3fdb 100644 --- a/common/service_contexts +++ b/common/service_contexts @@ -7,3 +7,4 @@ wbc_service u:object_r:wbc_service:s0 dun u:object_r:dun_service:s0 DigitalPen u:object_r:digitalpen_service:s0 qti.ims.connectionmanagerservice u:object_r:imscm_service:s0 +com.qti.snapdragon.sdk.display.IColorService u:object_r:color_service:s0 diff --git a/common/surfaceflinger.te b/common/surfaceflinger.te index 9c984ace..854ff8c7 100644 --- a/common/surfaceflinger.te +++ b/common/surfaceflinger.te 
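Review bot: In the second hunk of common/sensors.te, `allow sensors self:process execmem;` is introduced with the comment `# Access to execmem`, which repeats the rule instead of explaining it. execmem lets the daemon map memory that is both writable and executable, which removes a significant exploit mitigation. The comment should name the library or feature that needs it so the grant can be revisited. The first hunk also adds `net_bind_service` to the capability line under a comment about /data/misc/sensors access, where it does not belong. It should get its own line and rationale, e.g. `# Bind privileged port for <purpose>`.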
@@ -2,10 +2,7 @@ allow surfaceflinger sysfs_graphics:file rw_file_perms; allow surfaceflinger shell_data_file:dir search; # Allows pp-daemon to refresh the screen in calibration mode -userdebug_or_eng(` - allow surfaceflinger mm-pp-daemon:dir search; - allow surfaceflinger mm-pp-daemon:file r_file_perms; -') +r_dir_file(surfaceflinger, mm-pp-daemon) binder_call(surfaceflinger, location) binder_call(surfaceflinger, tee) diff --git a/common/system_app.te b/common/system_app.te index 38404108..1942a773 100644 --- a/common/system_app.te +++ b/common/system_app.te @@ -25,9 +25,13 @@ userdebug_or_eng(` ') allow system_app cnd_data_file:dir w_dir_perms; allow system_app cnd_data_file:file create_file_perms; +allow system_app bluetooth:unix_stream_socket ioctl; + +# access to tee domain +allow system_app tee:unix_dgram_socket sendto; # access to time_daemon allow system_app time_daemon:unix_stream_socket connectto; -# access to tee domain -allow system_app tee:unix_dgram_socket sendto; +# access to color service SDK +allow system_app color_service:service_manager add; diff --git a/common/system_server.te b/common/system_server.te index 352f5f6f..4f9e89cf 100644 --- a/common/system_server.te +++ b/common/system_server.te @@ -38,8 +38,15 @@ allow system_server location_data_file:sock_file rw_file_perms; #For wifistatemachine allow system_server kernel:key search; allow system_server wbc_service:service_manager add; - allow system_server digitalpen_service:service_manager add; +#For ssr +allow system_server ssr_device:chr_file { read open }; + allow system_server fuse:dir search; allow system_server persist_file:dir search; + +#For ANT tty communication and to set wc_transport prop +allow system_server bluetooth_prop:property_service set; +allow system_server serial_device:chr_file rw_file_perms; +allow system_server smd_device:chr_file rw_file_perms; diff --git a/common/thermal-engine.te b/common/thermal-engine.te index 3d34e65c..ff35984b 100644 
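Review bot: Replacing the `userdebug_or_eng` block in common/surfaceflinger.te with a bare `r_dir_file(surfaceflinger, mm-pp-daemon)` extends surfaceflinger's read access to the daemon's /proc entries to user builds and adds symlink reads. The comment above still describes it as a calibration-mode need. If calibration now runs on user builds, as the mm-pp-daemon.te comments suggest, the comment should say so. Otherwise the macro call should stay inside the wrapper, i.e. `userdebug_or_eng(` on one line, `r_dir_file(surfaceflinger, mm-pp-daemon)` inside, then `')`.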
--- a/common/thermal-engine.te +++ b/common/thermal-engine.te @@ -19,6 +19,7 @@ allow thermal-engine thermal_socket:sock_file { create setattr open read write u allow thermal-engine sysfs_thermal:dir r_dir_perms; allow thermal-engine sysfs_thermal:file rw_file_perms; allow thermal-engine sysfs_thermal:lnk_file read; +allow thermal-engine sysfs:file write; #This is required for qmi access qmux_socket(thermal-engine); allow thermal-engine sysfs_mpdecision:file rw_file_perms; diff --git a/common/untrusted_app.te b/common/untrusted_app.te index 17857e6c..07910098 100644 --- a/common/untrusted_app.te +++ b/common/untrusted_app.te @@ -4,3 +4,9 @@ unix_socket_send(untrusted_app, mpctl, perfd) unix_socket_connect(untrusted_app, mpctl, perfd) unix_socket_send(untrusted_app, mpctl, mpdecision) unix_socket_connect(untrusted_app, mpctl, mpdecision) + +# test apps needs to communicate with imscm +# using binder call +userdebug_or_eng(` + binder_call(untrusted_app, imscm) +') diff --git a/common/vold.te b/common/vold.te index d639d6f5..71b32cd0 100644..100755 --- a/common/vold.te +++ b/common/vold.te @@ -6,3 +6,4 @@ allow vold proc_sysrq:file rw_file_perms; allow vold self:capability sys_boot; allow vold cache_file:dir { write add_name }; allow vold cache_file:file { write create open }; +allow vold proc_dirty_ratio:file rw_file_perms; diff --git a/common/wfd_app.te b/common/wfd_app.te new file mode 100644 index 00000000..f9b17339 --- /dev/null +++ b/common/wfd_app.te 
@@ -0,0 +1,23 @@ +allow wfd_app init:unix_stream_socket connectto; +allow wfd_app node:tcp_socket node_bind; +allow wfd_app port:tcp_socket { name_bind name_connect }; +allow wfd_app self:tcp_socket { bind create setopt listen write read getopt connect accept getattr }; +allow wfd_app dalvikcache_data_file:file { write setattr }; +allow wfd_app graphics_device:chr_file rw_file_perms; +allow wfd_app graphics_device:dir r_dir_perms; +allow wfd_app node:udp_socket node_bind; +allow wfd_app port:udp_socket name_bind; +allow wfd_app self:udp_socket { bind create getattr write setopt ioctl read getopt }; +allow wfd_app video_device:dir r_dir_perms; +allow wfd_app video_device:chr_file rw_file_perms; +allow wfd_app audio_device:dir r_dir_perms; +allow wfd_app audio_device:chr_file rw_file_perms; +allow wfd_app fwmarkd_socket:sock_file write; +allow wfd_app netd:unix_stream_socket connectto; +allow wfd_app firmware_file:dir r_dir_perms; +allow wfd_app firmware_file:file r_file_perms; +allow wfd_app tee_device:chr_file rw_file_perms; +allow wfd_app media_rw_data_file:dir rw_dir_perms; +allow wfd_app media_rw_data_file:file create_file_perms; +allow wfd_app system_app_data_file:dir create_dir_perms; +allow wfd_app uhid_device:chr_file rw_file_perms; diff --git a/common/wpa.te b/common/wpa.te index d5f775b8..15a01643 100644 --- a/common/wpa.te +++ b/common/wpa.te @@ -7,3 +7,6 @@ allow wpa proc_net:file write; # allow wpa_supplicant to send back wifi information to cnd allow wpa cnd:unix_dgram_socket sendto; + +# permission for wpa socket which IMS use to communicate +allow wpa ims:unix_dgram_socket sendto; diff --git a/sepolicy.mk b/sepolicy.mk index 50697f2d..21acf16b 100644 --- a/sepolicy.mk +++ b/sepolicy.mk @@ -59,6 +59,7 @@ BOARD_SEPOLICY_UNION += \ mcStarter.te \ keystore.te \ ims.te \ + imscm.te \ healthd.te \ charger_monitor.te \ surfaceflinger.te \ 
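Review bot: The new common/wfd_app.te contains `allow wfd_app dalvikcache_data_file:file { write setattr };`, which lets an app domain modify files in the Dalvik cache. That cache holds optimized code loaded by other processes, so write access from an app is a code-integrity risk and should be removed unless a specific denial justifies it. The file also has no comments and no type declaration. Presumably `wfd_app` is declared elsewhere, which is worth confirming since the domain is referenced from netd.te. The generic `port:tcp_socket { name_bind name_connect }` and `system_app_data_file:dir create_dir_perms` rules would likewise benefit from a one-line rationale each.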
@@ -83,7 +84,14 @@ BOARD_SEPOLICY_UNION += \ seapp_contexts \ logd.te \ installd.te \ - wcnss_service.te + wcnss_service.te \ + mmi.te \ + dhcp.te \ + wfd_app.te \ + mediaserver_test.te \ + hbtp.te \ + kernel.te \ + vold.te -include device/qcom/sepolicy/$(TARGET_BOARD_PLATFORM)/Android.mk diff --git a/test/file.te b/test/file.te new file mode 100644 index 00000000..4b8b67d6 --- /dev/null +++ b/test/file.te @@ -0,0 +1,3 @@ +#Define the files written during the operation of mm-pp-daemon +type display_test_media_file, file_type, data_file_type; + diff --git a/test/file_contexts b/test/file_contexts index 95f96496..f41cc3c0 100644 --- a/test/file_contexts +++ b/test/file_contexts @@ -57,3 +57,6 @@ /system/bin/test-fake-ap u:object_r:location_exec:s0 /system/bin/loc_api_app u:object_r:location_exec:s0 /system/bin/test_loc_api_client u:object_r:location_exec:s0 + +#Context for mediaserver +/data/display-tests/media(/.*)? u:object_r:display_test_media_file:s0 diff --git a/test/mediaserver_test.te b/test/mediaserver_test.te new file mode 100644 index 00000000..338e67ba --- /dev/null +++ b/test/mediaserver_test.te @@ -0,0 +1,5 @@ +#Access to media files for testing +userdebug_or_eng(` + allow mediaserver display_test_media_file:dir r_dir_perms; + allow mediaserver display_test_media_file:file r_file_perms; +') diff --git a/test/qmi_test_service.te b/test/qmi_test_service.te index ed97c2ec..55066bbe 100644 --- a/test/qmi_test_service.te +++ b/test/qmi_test_service.te @@ -5,6 +5,8 @@ userdebug_or_eng(` type qmi_test_service, domain; domain_auto_trans(shell, qmi_test_service_exec, qmi_test_service) domain_auto_trans(adbd, qmi_test_service_exec, qmi_test_service) + #enable access to loader in 64 bit system + allow qmi_test_service shell:fd use; #test is launched from pseudo terminal so output goes there allow qmi_test_service devpts:chr_file {read write getattr ioctl}; #to access smem log 
@@ -20,4 +22,7 @@ userdebug_or_eng(` allow qmi_test_service qmi_test_service:capability {dac_override dac_read_search setgid setuid fsetid}; #QCCI calls qmuxd API. The API will internally require this qmux_socket(qmi_test_service); + #enable accessing the system health monitor to check the system health, + #if a request times out + allow qmi_test_service system_health_monitor_device:chr_file rw_file_perms; ') |