Promotion of sepolicy.lnx.2.0-00042.

CRs Change ID Subject -------------------------------------------------------------------------------------------------------------- 1075722 I9154b3726a182385744786b95a3d67488fd6e8e7 Add GOTA sepolicy access for RIDL/RIDL 2.0 1069632 Idad0f1a6bc2b193f69cbc128c08eb20576897bd8 USB: dontaudit init to write to sysfs directory 1079419 Iff58f7faab7ccf67b77f0360ad0b855826ad56fd Bluetooth: Add permission for filter. 1078078 Ibd3198cc38e0446e1862b178f8d4c5ae8f8dc0c9 Add SELinux support for factory reset protection 1068322 I0bd61196ea7acf00582e58980aaeb3cf5128aa7a sepolicy: allow writing firmware files in recovery mode. 1078078 I721f2d7deb4dbe89a8c3fb5ed8e9413cd58ce428 Add SELinux support for factory reset protection 1072628 I919827b1b4adcb2aaec9dc10eabae243fe003392 sepolicy: per_mgr: Allow services to find peripheral_man 1077354 I10388ef8cf5855d12a7053bbffffdb70a3ba162b sepolicy : Allow mm-pp-daemon access to diag 1073957 I9f68b416706b1c16d70cf73de6d4af03afbb455d Sepolicy: Allow mediaserver to access media_msm8956_vers Change-Id: I8d9051938c73ab0591371473a9d4ac08631e0360 CRs-Fixed: 1078078, 1075722, 1069632, 1068322, 1077354, 1073957, 1079419, 1072628
author: Linux Build Service Account <lnxbuild@localhost> 2016-10-26 01:19:48 -0600
committer: Linux Build Service Account <lnxbuild@localhost> 2016-10-26 01:19:48 -0600
commit: f7b6f6221de3da96e0be9e734a15b9c7997dcc64 (patch)
tree: 10626c07e3c8be3252cf3272b80a908a5a8661b0
parent: f5cc43be33835bce003ebded7766ff9a6fb49ffc (diff)
parent: 22cbbd8e94223fb1970bc88724682cc48e231942 (diff)
download: android_device_qcom_sepolicy-f7b6f6221de3da96e0be9e734a15b9c7997dcc64.tar.gz
android_device_qcom_sepolicy-f7b6f6221de3da96e0be9e734a15b9c7997dcc64.tar.bz2
android_device_qcom_sepolicy-f7b6f6221de3da96e0be9e734a15b9c7997dcc64.zip
12 files changed, 26 insertions, 3 deletions
diff --git a/common/audioserver.te b/common/audioserver.te
index f55459a0..785da0a2 100644
--- a/common/audioserver.te
+++ b/common/audioserver.te
@@ -54,3 +54,6 @@ allow audioserver sysfs:file rw_file_perms;
 userdebug_or_eng(`
   diag_use(audioserver)
 ')
+
+#Rules for audioserver to talk to peripheral manager
+use_per_mgr(audioserver);
diff --git a/common/init.te b/common/init.te
index 6cde24b0..772e5fe4 100644
--- a/common/init.te
+++ b/common/init.te
@@ -31,3 +31,6 @@ allow init configfs:lnk_file create_file_perms;
 #Allow init to mount non-hlos partitions in A/B builds
 allow init firmware_file:dir { mounton };
 allow init bt_firmware_file:dir { mounton };
+
+#dontaudit non configfs usb denials
+dontaudit init sysfs:dir write;
diff --git a/common/mm-pp-daemon.te b/common/mm-pp-daemon.te
index 197ddaf4..e4e9343e 100644
--- a/common/mm-pp-daemon.te
+++ b/common/mm-pp-daemon.te
@@ -46,6 +46,9 @@ userdebug_or_eng(`
 
   # This allows pp-daemon to set debug property
   allow mm-pp-daemon debug_prop:property_service set;
+
+  # This allow pp-daemon access to diag
+  diag_use(mm-pp-daemon)
 ')
 
 # Allow mm-pp-daemon to change the brightness of the target during display
diff --git a/common/qti-logkit.te b/common/qti-logkit.te
index b1f9d552..6e5e4288 100644
--- a/common/qti-logkit.te
+++ b/common/qti-logkit.te
@@ -75,3 +75,7 @@ binder_call(qti_logkit, system_server)
 
 # allow logcat access
 read_logd( qti_logkit );
+
+# allow access to recovery directory
+allow qti_logkit cache_recovery_file:dir rw_dir_perms;
+allow qti_logkit cache_recovery_file:file create_file_perms;
diff --git a/common/recovery.te b/common/recovery.te
index c83bc974..210c4050 100644
--- a/common/recovery.te
+++ b/common/recovery.te
@@ -3,7 +3,8 @@ recovery_only(`
     allow recovery sdcard_type:dir r_dir_perms;
     allow recovery sdcard_type:file r_file_perms;
     allow recovery vfat:dir r_dir_perms;
-    allow recovery vfat:file r_file_perms;
+    allow recovery vfat:file create_file_perms;
+    allow recovery vfat:file rw_file_perms;
     allow recovery system_data_file:file r_file_perms;
     allow recovery system_data_file:dir r_dir_perms;
     allow recovery RIDL_data_file:file r_file_perms;
diff --git a/common/ridl.te b/common/ridl.te
index 90f9d366..817c630e 100644
--- a/common/ridl.te
+++ b/common/ridl.te
@@ -71,6 +71,8 @@ binder_call(RIDL, system_server)
 # recovery
 allow RIDL cache_file:dir create_dir_perms;
 allow RIDL cache_file:file create_file_perms;
+allow RIDL cache_recovery_file:dir rw_dir_perms;
+allow RIDL cache_recovery_file:file create_file_perms;
 
 # reboot recovery
 allow RIDL powerctl_prop:property_service set;
diff --git a/common/wcnss_filter.te b/common/wcnss_filter.te
index 7d84a76e..41045f60 100644
--- a/common/wcnss_filter.te
+++ b/common/wcnss_filter.te
@@ -50,6 +50,10 @@ r_dir_file(wcnss_filter, bt_firmware_file)
 allow wcnss_filter bluetooth_data_file:dir create_dir_perms;
 allow wcnss_filter bluetooth_data_file:notdevfile_class_set create_file_perms;
 
+allow wcnss_filter persist_bluetooth_file:dir r_dir_perms;
+allow wcnss_filter persist_bluetooth_file:file r_file_perms;
+allow wcnss_filter persist_file:dir r_dir_perms;
+
 #diag
 userdebug_or_eng(`
     diag_use(wcnss_filter)
diff --git a/msm8909/file_contexts b/msm8909/file_contexts
index 424d82b1..642cfb5a 100644
--- a/msm8909/file_contexts
+++ b/msm8909/file_contexts
@@ -35,6 +35,7 @@
 /dev/block/platform/soc.0/7824900.sdhci/by-name/misc                  u:object_r:misc_block_device:s0
 /dev/block/platform/soc.0/7824900.sdhci/by-name/userdata              u:object_r:userdata_block_device:s0
 /dev/block/platform/soc.0/7824900.sdhci/by-name/logdump               u:object_r:logdump_partition:s0
+/dev/block/platform/soc.0/7824900.sdhci/by-name/config                u:object_r:frp_block_device:s0
 /dev/block/mmcblk0                                                    u:object_r:root_block_device:s0
 /dev/block/mmcblk0rpmb                                                u:object_r:rpmb_device:s0
 
diff --git a/msm8916/file_contexts b/msm8916/file_contexts
index 31788b3b..c59fe8fb 100644
--- a/msm8916/file_contexts
+++ b/msm8916/file_contexts
@@ -36,6 +36,7 @@
 /dev/block/platform/soc.0/7824900.sdhci/by-name/misc                  u:object_r:misc_block_device:s0
 /dev/block/platform/soc.0/7824900.sdhci/by-name/userdata              u:object_r:userdata_block_device:s0
 /dev/block/platform/soc.0/7824900.sdhci/by-name/logdump               u:object_r:logdump_partition:s0
+/dev/block/platform/soc.0/7824900.sdhci/by-name/config                u:object_r:frp_block_device:s0
 /dev/block/mmcblk0                                                    u:object_r:root_block_device:s0
 /dev/block/mmcblk0rpmb                                                u:object_r:rpmb_device:s0
 /dev/block/platform/soc.0/7824900.sdhci/by-name/boot                  u:object_r:boot_block_device:s0
diff --git a/msm8952/mediaserver.te b/msm8952/mediaserver.te
index 5bd54323..f642e817 100644
--- a/msm8952/mediaserver.te
+++ b/msm8952/mediaserver.te
@@ -30,3 +30,4 @@ allow mediaserver media_msm8956hw_prop:file r_file_perms;
 allow mediaserver media_settings_xml_prop:file r_file_perms;
 allow mediaserver seempd:unix_dgram_socket sendto;
 allow mediaserver seempdw_socket:sock_file write;
+allow mediaserver media_msm8956_version_prop:file r_file_perms;
diff --git a/msm8992/file_contexts b/msm8992/file_contexts
index a765bc11..f4957ddb 100644
--- a/msm8992/file_contexts
+++ b/msm8992/file_contexts
@@ -37,7 +37,7 @@
 /dev/block/platform/soc.0/f9824900.sdhci/by-name/boot                               u:object_r:boot_block_device:s0
 /dev/block/platform/soc.0/f9824900.sdhci/by-name/recovery                           u:object_r:recovery_block_device:s0
 /dev/block/platform/soc.0/f9824900.sdhci/by-name/cache                              u:object_r:cache_block_device:s0
-/dev/block/platform/soc.0/f9824900.sdhci/by-name/frp                                u:object_r:frp_block_device:s0
+/dev/block/platform/soc.0/f9824900.sdhci/by-name/config                             u:object_r:frp_block_device:s0
 /dev/block/platform/soc.0/f9824900.sdhci/by-name/logdump                            u:object_r:logdump_partition:s0
 /dev/block/mmcblk0rpmb                                                              u:object_r:rpmb_device:s0
 /dev/block/mmcblk0                                                                  u:object_r:root_block_device:s0
diff --git a/msm8994/file_contexts b/msm8994/file_contexts
index 5697413a..4c073044 100644
--- a/msm8994/file_contexts
+++ b/msm8994/file_contexts
@@ -57,5 +57,5 @@
 /dev/block/platform/soc.0/f9824900.sdhci/by-name/boot                               u:object_r:boot_block_device:s0
 /dev/block/platform/soc.0/f9824900.sdhci/by-name/recovery                           u:object_r:recovery_block_device:s0
 /dev/block/platform/soc.0/f9824900.sdhci/by-name/cache                              u:object_r:cache_block_device:s0
-/dev/block/platform/soc.0/f9824900.sdhci/by-name/frp                                u:object_r:frp_block_device:s0
+/dev/block/platform/soc.0/f9824900.sdhci/by-name/config                             u:object_r:frp_block_device:s0
 /dev/block/platform/soc.0/f9824900.sdhci/by-name/logdump                            u:object_r:logdump_partition:s0
author	Linux Build Service Account <lnxbuild@localhost>	2016-10-26 01:19:48 -0600
committer	Linux Build Service Account <lnxbuild@localhost>	2016-10-26 01:19:48 -0600
commit	f7b6f6221de3da96e0be9e734a15b9c7997dcc64 (patch)
tree	10626c07e3c8be3252cf3272b80a908a5a8661b0
parent	f5cc43be33835bce003ebded7766ff9a6fb49ffc (diff)
parent	22cbbd8e94223fb1970bc88724682cc48e231942 (diff)
download	android_device_qcom_sepolicy-f7b6f6221de3da96e0be9e734a15b9c7997dcc64.tar.gz android_device_qcom_sepolicy-f7b6f6221de3da96e0be9e734a15b9c7997dcc64.tar.bz2 android_device_qcom_sepolicy-f7b6f6221de3da96e0be9e734a15b9c7997dcc64.zip