sepolicy: add rule for dpm

add rule for DPM data file for db file and removed duplicate rules Change-Id: Ieed4f0b1cf19df06c04528245a0c6b799518542a
author: Bhavya Sokke Mallikarjunappa <bsokke@codeaurora.org> 2014-11-03 13:33:33 -0800
committer: Bhavya Sokke Mallikarjunappa <bsokke@codeaurora.org> 2014-11-17 14:03:47 -0800
commit: 1224bdcc65abe3e46c7a3a29387c459f8edc40df (patch)
tree: e70db927cc659bab59a9110ffd5ea2b0bde7dcd9
parent: 8415407021b77fb9266090d4209cdfd41c80449b (diff)
download: android_device_qcom_sepolicy-1224bdcc65abe3e46c7a3a29387c459f8edc40df.tar.gz
android_device_qcom_sepolicy-1224bdcc65abe3e46c7a3a29387c459f8edc40df.tar.bz2
android_device_qcom_sepolicy-1224bdcc65abe3e46c7a3a29387c459f8edc40df.zip
8 files changed, 28 insertions, 37 deletions
diff --git a/common/app.te b/common/app.te
index 2714ae2d..ac49f975 100644
--- a/common/app.te
+++ b/common/app.te
@@ -1,6 +1,9 @@
 # allow application to access cnd domain and socket
 unix_socket_connect(appdomain, cnd, cnd)
 
+# allow application to access dpmd domain and socket
+unix_socket_connect(appdomain, dpmwrapper, dpmd)
+
 unix_socket_connect(appdomain, qlogd, qlogd)
 #Allow all apps to open and send ioctl to qdsp device
 allow appdomain qdsp_device:chr_file r_file_perms;
diff --git a/common/dpmd.te b/common/dpmd.te
index 683e22e1..a393a89e 100644
--- a/common/dpmd.te
+++ b/common/dpmd.te
@@ -1,44 +1,38 @@
 #dpmd as domain
 type dpmd, domain;
 type dpmd_exec, exec_type, file_type;
-
-#file_type_auto_trans(dpmd, socket_device, dpmd_socket);
+file_type_auto_trans(dpmd, socket_device, dpmwrapper_socket);
 init_daemon_domain(dpmd)
-type_transition dpmd system_data_file:{ file } dpmd_data_file;
-
+net_domain(dpmd)
 allow dpmd dpmd_exec:file execute_no_trans;
 
-#allow dpmd to access diag service
-userdebug_or_eng(`
-  allow dpmd diag_device:chr_file { read write ioctl open };
-')
-allow dpmd dpmd_data_file:file { read lock getattr open setattr execute };
+#allow dpmd to access dpm_data_file
+allow dpmd dpmd_data_file:file create_file_perms;
+allow dpmd dpmd_data_file:dir create_dir_perms;
 
 #allow dpmd to access qmux radio socket
 qmux_socket(dpmd);
 
 #self capability
-allow dpmd self:capability net_raw;
-allow dpmd self:capability { chown fsetid dac_override };
-allow dpmd self:netlink_route_socket { create read write bind create nlmsg_read };
-allow dpmd sysfs_wake_lock:file { open append };
-allow dpmd self:capability net_admin;
-allow dpmd self:rawip_socket { getopt create setopt };
+allow dpmd sysfs_wake_lock:file rw_file_perms;
 allow dpmd self:socket rw_socket_perms;
 allow dpmd self:netlink_socket rw_socket_perms;
+allow dpmd self:capability { setuid setgid dac_override net_raw chown fsetid net_admin sys_module };
 
-#socket
-allow dpmd self:udp_socket { ioctl create getopt };
-allow dpmd smem_log_device:chr_file { read write ioctl open };
-allow dpmd init:unix_stream_socket connectto;
-
-#llow dpmd to set system property
-allow dpmd property_socket:sock_file write;
+#socket, self
+allow dpmd smem_log_device:chr_file rw_file_perms;
+unix_socket_connect(dpmd, property, init)
 allow dpmd self:capability2 block_suspend;
 allow dpmd system_prop:property_service set;
+allow dpmd ctl_default_prop:property_service set;
 
+#misc.
 allow dpmd shell_exec:file { read execute open execute_no_trans };
 allow dpmd system_file:file execute_no_trans;
 
 #kernel
 allow dpmd kernel:system module_request;
+
+#appdomain
+allow dpmd appdomain:fd use;
+allow dpmd appdomain:tcp_socket { read write getopt };
diff --git a/common/file.te b/common/file.te
index 622f6d8f..1e5e53a4 100644
--- a/common/file.te
+++ b/common/file.te
@@ -13,7 +13,8 @@ type cnd_data_file, file_type;
 
 # Define dpmd data file type
 type dpmd_socket, file_type;
-type dpmd_data_file, data_file_type;
+type dpmwrapper_socket, file_type;
+type dpmd_data_file, file_type, data_file_type;
 
 #Define the timeout for platform specific transports
 type sysfs_hsic_modem_wait, sysfs_type, fs_type;
diff --git a/common/file_contexts b/common/file_contexts
index 02167aa4..74356dfb 100755
--- a/common/file_contexts
+++ b/common/file_contexts
@@ -73,6 +73,7 @@
 /dev/socket/qlogd                               u:object_r:qlogd_socket:s0
 /dev/socket/ipacm_log_file                      u:object_r:ipacm_socket:s0
 /dev/socket/dpmd                                u:object_r:dpmd_socket:s0
+/dev/socket/dpmwrapper                          u:object_r:dpmwrapper_socket:s0
 /dev/socket/pps                                 u:object_r:pps_socket:s0
 /dev/socket/rild2                               u:object_r:rild_socket:s0
 /dev/socket/rild2-debug                         u:object_r:rild_debug_socket:s0
diff --git a/common/init.te b/common/init.te
index c31af56f..baf1f769 100644
--- a/common/init.te
+++ b/common/init.te
@@ -1,8 +1,4 @@
 # Adding allow rule for search on /fuse
 allow init fuse:dir search;
-
-#allow dpmd to read, write on data file
-allow init dpmd_data_file:dir { read open setattr };
-
 allow init self:capability sys_module;
 allow init fuse:dir mounton;
diff --git a/common/radio.te b/common/radio.te
index b7f248ca..c117da17 100644
--- a/common/radio.te
+++ b/common/radio.te
@@ -5,3 +5,6 @@ allow radio ims_socket:sock_file write;
 #Need permission to execute com.qualcomm.qti.telephony/app_dex/xx
 allow radio radio_data_file:file execute;
 allow radio shell_data_file:dir search;
+
+#Need permission to execute dpmd talk to radio layer
+unix_socket_connect(radio, dpmd, dpmd)
diff --git a/common/system_server.te b/common/system_server.te
index 07b302f1..9a1c7db5 100644
--- a/common/system_server.te
+++ b/common/system_server.te
@@ -18,15 +18,13 @@ unix_socket_send(system_server, mpctl, mpdecision)
 unix_socket_connect(system_server, mpctl, mpdecision)
 
 # allow  system/framework applications to update the dpmd configuration files
-#allow system_server dpmd:unix_stream_socket connectto;
 unix_socket_connect(system_server, dpmd, dpmd);
 allow system_server dpmd_socket:sock_file write;
-#allow system_server dpmd_data_file:dir { write read getattr open add_name };
-allow system_server dpmd_data_file:dir rw_dir_perms;
-#allow system_server dpmd_data_file:file { write getattr setattr read lock create open };
-allow system_server dpmd_data_file:file rw_file_perms;
+allow system_server dpmd_data_file:dir create_dir_perms;
 allow system_server dpmservice:service_manager add;
+allow system_server dpmd_data_file:file create_file_perms;
 allow system_server socket_device:sock_file write;
+
 unix_socket_send(system_server, mpctl, perfd)
 unix_socket_connect(system_server, mpctl, perfd)
 
diff --git a/common/untrusted_app.te b/common/untrusted_app.te
index bce77b0e..17857e6c 100644
--- a/common/untrusted_app.te
+++ b/common/untrusted_app.te
@@ -1,8 +1,3 @@
-allow dpmd untrusted_app:fd use;
-allow dpmd untrusted_app:tcp_socket { read write };
-allow untrusted_app dpmd:unix_stream_socket connectto;
-allow untrusted_app dpmd_socket:sock_file write;
-
 # access to perflock
 allow untrusted_app mpctl_socket:dir r_dir_perms;
 unix_socket_send(untrusted_app, mpctl, perfd)
author	Bhavya Sokke Mallikarjunappa <bsokke@codeaurora.org>	2014-11-03 13:33:33 -0800
committer	Bhavya Sokke Mallikarjunappa <bsokke@codeaurora.org>	2014-11-17 14:03:47 -0800
commit	1224bdcc65abe3e46c7a3a29387c459f8edc40df (patch)
tree	e70db927cc659bab59a9110ffd5ea2b0bde7dcd9
parent	8415407021b77fb9266090d4209cdfd41c80449b (diff)
download	android_device_qcom_sepolicy-1224bdcc65abe3e46c7a3a29387c459f8edc40df.tar.gz android_device_qcom_sepolicy-1224bdcc65abe3e46c7a3a29387c459f8edc40df.tar.bz2 android_device_qcom_sepolicy-1224bdcc65abe3e46c7a3a29387c459f8edc40df.zip