diff options
| author | David Ng <dave@codeaurora.org> | 2016-03-07 15:35:02 -0800 |
|---|---|---|
| committer | David Ng <dave@codeaurora.org> | 2016-03-07 15:35:02 -0800 |
| commit | 14a42d6534fd86dee1d6783364b3421cfd26d3c6 (patch) | |
| tree | 0ee60bc4cdf71d4ad64214cd10a7bf9bd39c8680 | |
| parent | 153c988094a0f815d20aad18f1da712786d66353 (diff) | |
| download | android_device_qcom_sepolicy-14a42d6534fd86dee1d6783364b3421cfd26d3c6.tar.gz android_device_qcom_sepolicy-14a42d6534fd86dee1d6783364b3421cfd26d3c6.tar.bz2 android_device_qcom_sepolicy-14a42d6534fd86dee1d6783364b3421cfd26d3c6.zip | |
Align SELinux policies to new release restrictions
Update multiple policies for new Android release.
Change-Id: I7f486c210a14efcebcb83b5d750c4abd07c178e3
| -rw-r--r-- | common/app.te | 4 | ||||
| -rw-r--r-- | common/bluetooth.te | 2 | ||||
| -rw-r--r-- | common/diag.te | 2 | ||||
| -rw-r--r-- | common/file_contexts | 6 | ||||
| -rw-r--r-- | common/mediaserver.te | 3 | ||||
| -rw-r--r-- | common/mm-qcamerad.te | 10 | ||||
| -rwxr-xr-x | common/mmi.te | 1 | ||||
| -rw-r--r-- | common/netd.te | 2 | ||||
| -rw-r--r-- | common/nfc.te | 2 | ||||
| -rw-r--r-- | common/qlogd.te | 3 | ||||
| -rw-r--r-- | common/qseecomd.te | 4 | ||||
| -rw-r--r-- | common/ridl.te | 2 | ||||
| -rw-r--r-- | common/system_app.te | 2 | ||||
| -rwxr-xr-x | msm8960/file_contexts | 2 | ||||
| -rw-r--r-- | test/qti-testscripts.te | 6 |
15 files changed, 25 insertions, 26 deletions
diff --git a/common/app.te b/common/app.te index 9f809aa5..0593280c 100644 --- a/common/app.te +++ b/common/app.te @@ -20,8 +20,8 @@ unix_socket_send(appdomain, mpctl, mpdecision) unix_socket_connect(appdomain, mpctl, mpdecision) # Allow access to qti_logkit -allow appdomain qti_logkit_pub_data_file:dir create_dir_perms; -allow appdomain qti_logkit_pub_data_file:file create_file_perms; +allow { appdomain -untrusted_app } qti_logkit_pub_data_file:dir create_dir_perms; +allow { appdomain -untrusted_app } qti_logkit_pub_data_file:file create_file_perms; allow appdomain qti_logkit_pub_socket:dir r_dir_perms; unix_socket_connect(appdomain, qti_logkit_pub, qti_logkit) allow appdomain qti_logkit_pub_socket:sock_file r_file_perms; diff --git a/common/bluetooth.te b/common/bluetooth.te index 5da23a0d..28fbd655 100644 --- a/common/bluetooth.te +++ b/common/bluetooth.te @@ -28,7 +28,7 @@ allow bluetooth media_rw_data_file:file create_file_perms; #allow proc_sysrq access for crash dump userdebug_or_eng(` allow bluetooth proc_sysrq:file w_file_perms; - allow bluetooth debugfs:file r_file_perms; + #allow bluetooth debugfs:file r_file_perms; ') allow bluetooth { diff --git a/common/diag.te b/common/diag.te index 5ef5aafc..3a9e25f2 100644 --- a/common/diag.te +++ b/common/diag.te @@ -18,7 +18,7 @@ userdebug_or_eng(` allow diag { cgroup - sdcard_internal + fuse persist_drm_file }:dir create_dir_perms; diff --git a/common/file_contexts b/common/file_contexts index aed75975..4543e217 100644 --- a/common/file_contexts +++ b/common/file_contexts @@ -25,9 +25,9 @@ /dev/ttyHS[0-9]* u:object_r:serial_device:s0 /dev/ttyGS0 u:object_r:gadget_serial_device:s0 /dev/usb_ext_chg u:object_r:hvdcp_device:s0 -/dev/media([0-9])+ u:object_r:camera_device:s0 -/dev/jpeg[0-9]* u:object_r:camera_device:s0 -/dev/v4l-subdev.* u:object_r:camera_device:s0 +/dev/media([0-9])+ u:object_r:video_device:s0 +/dev/jpeg[0-9]* u:object_r:video_device:s0 +/dev/v4l-subdev.* u:object_r:video_device:s0 /dev/vm_bms u:object_r:vm_bms_device:s0 /dev/battery_data u:object_r:battery_data_device:s0 /dev/block/mmcblk1 u:object_r:sd_device:s0 diff --git a/common/mediaserver.te b/common/mediaserver.te index 6d3508a0..1af2dec3 100644 --- a/common/mediaserver.te +++ b/common/mediaserver.te @@ -1,7 +1,6 @@ # allow mediaserver to communicate with cnd unix_socket_connect(mediaserver, cnd, cnd) -allow mediaserver camera_device:chr_file rw_file_perms; unix_socket_send(mediaserver, camera, mm-qcamerad) allow mediaserver tee_device:chr_file rw_file_perms; @@ -18,7 +17,7 @@ userdebug_or_eng(` allow mediaserver camera_data_file:dir rw_dir_perms; allow mediaserver camera_data_file:file create_file_perms; # Access to audio - allow mediaserver debugfs:file rw_file_perms; + #allow mediaserver debugfs:file rw_file_perms; ') r_dir_file(mediaserver, sysfs_esoc) diff --git a/common/mm-qcamerad.te b/common/mm-qcamerad.te index 4be1fa47..65b3d99e 100644 --- a/common/mm-qcamerad.te +++ b/common/mm-qcamerad.te @@ -4,8 +4,8 @@ init_daemon_domain(mm-qcamerad) #added to support EZTune for camera userdebug_or_eng(` - allow mm-qcamerad debugfs:dir r_dir_perms; - allow mm-qcamerad debugfs:file read; + #allow mm-qcamerad debugfs:dir r_dir_perms; + #allow mm-qcamerad debugfs:file read; allow mm-qcamerad camera_data_file:file create_file_perms; allow mm-qcamerad self:tcp_socket create_stream_socket_perms; allow mm-qcamerad node:tcp_socket node_bind; @@ -33,8 +33,8 @@ binder_use(mm-qcamerad); allow mm-qcamerad self:process execmem; # Interact with other media devices -allow mm-qcamerad camera_device:dir r_dir_perms; -allow mm-qcamerad { gpu_device video_device camera_device sensors_device }:chr_file rw_file_perms; +allow mm-qcamerad video_device:dir r_dir_perms; +allow mm-qcamerad { gpu_device video_device sensors_device }:chr_file rw_file_perms; allow mm-qcamerad { surfaceflinger mediaserver }:fd use; @@ -58,4 +58,4 @@ allow mm-qcamerad graphics_device:chr_file rw_file_perms; unix_socket_connect(mm-qcamerad, property, init) #Allow camera work normally in FFBM -binder_call(mm-qcamerad, mmi); +binder_call(mm-qcamerad, mmi); diff --git a/common/mmi.te b/common/mmi.te index c4436327..78069b31 100755 --- a/common/mmi.te +++ b/common/mmi.te @@ -78,7 +78,6 @@ allow mmi block_device:blk_file getattr; allow mmi block_device:dir r_dir_perms; #camera -allow mmi camera_device:chr_file rw_file_perms; allow mmi video_device:chr_file rw_file_perms; allow mmi camera_data_file:sock_file write; allow mmi camera_data_file:dir r_dir_perms; diff --git a/common/netd.te b/common/netd.te index 9e067dd7..77886373 100644 --- a/common/netd.te +++ b/common/netd.te @@ -10,7 +10,7 @@ allow netd wfdservice:fd use; allow netd wfdservice:tcp_socket rw_socket_perms; binder_use(netd); -binder_call(netd, qtitetherservice_app); +#binder_call(netd, qtitetherservice_app); # allow to read /data/misc/ipa/tether_stats file allow netd ipacm_data_file:dir r_dir_perms; diff --git a/common/nfc.te b/common/nfc.te index 872a63a0..f1393962 100644 --- a/common/nfc.te +++ b/common/nfc.te @@ -1,3 +1,3 @@ qmux_socket(nfc); -allow nfc nfc_data_file:file x_file_perms; +#allow nfc nfc_data_file:file x_file_perms; allow nfc self:socket create_socket_perms; diff --git a/common/qlogd.te b/common/qlogd.te index e7402e4b..4bb939ca 100644 --- a/common/qlogd.te +++ b/common/qlogd.te @@ -45,7 +45,8 @@ allow qlogd kernel:system syslog_mod; # need for qdss log and odl from UI userdebug_or_eng(` - allow qlogd { debugfs qdss_device }:file r_file_perms; + #allow qlogd { debugfs qdss_device }:file r_file_perms; + allow qlogd { qdss_device }:file r_file_perms; allow qlogd sysfs:file w_file_perms; r_dir_file(qlogd, storage_file) r_dir_file(qlogd, mnt_user_file) diff --git a/common/qseecomd.te b/common/qseecomd.te index 2140c583..6f21134b 100644 --- a/common/qseecomd.te +++ b/common/qseecomd.te @@ -60,8 +60,8 @@ allow tee system_prop:property_service set; userdebug_or_eng(` allow tee su:unix_dgram_socket sendto; - allow tee shell_data_file:file rw_file_perms; - allow tee shell_data_file:dir search; + #allow tee shell_data_file:file rw_file_perms; + #allow tee shell_data_file:dir search; ') # allow qseecom access to set system property diff --git a/common/ridl.te b/common/ridl.te index ea425351..d30f4235 100644 --- a/common/ridl.te +++ b/common/ridl.te @@ -41,7 +41,7 @@ net_domain(RIDL) allow RIDL RIDL_data_file:dir create_dir_perms; allow RIDL RIDL_data_file:file create_file_perms; allow RIDL RIDL_data_file:lnk_file { create read unlink }; -allow RIDL debugfs:file read; +#allow RIDL debugfs:file read; # ver_info.txt r_dir_file(RIDL, firmware_file) diff --git a/common/system_app.te b/common/system_app.te index 6f0624c7..af07e9d9 100644 --- a/common/system_app.te +++ b/common/system_app.te @@ -28,7 +28,7 @@ unix_socket_connect(system_app, mpctl, perfd) unix_socket_connect(system_app, pps, mm-pp-daemon) userdebug_or_eng(` - allow system_app debugfs:file r_file_perms; + #allow system_app debugfs:file r_file_perms; allow system_app su:unix_dgram_socket sendto; allow system_app persist_file:dir r_dir_perms; allow system_app sensors_persist_file:dir r_dir_perms; diff --git a/msm8960/file_contexts b/msm8960/file_contexts index 877f6bbc..d5a3727e 100755 --- a/msm8960/file_contexts +++ b/msm8960/file_contexts @@ -1,7 +1,7 @@ ################################### # Dev nodes # -/dev/msm_camera(/.*)? u:object_r:camera_device:s0 +/dev/msm_camera(/.*)? u:object_r:video_device:s0 /dev/msm_rotator u:object_r:graphics_device:s0 /dev/mdp_arb u:object_r:graphics_device:s0 /dev/mdm u:object_r:mdm_device:s0 diff --git a/test/qti-testscripts.te b/test/qti-testscripts.te index d271f512..0ce770d5 100644 --- a/test/qti-testscripts.te +++ b/test/qti-testscripts.te @@ -72,10 +72,10 @@ userdebug_or_eng(` r_dir_file(qti-testscripts, domain) allow adbd qti-testscripts:process dyntransition; - allow domain qti-testscripts:unix_stream_socket connectto; + allow { domain -mediaextractor -mediacodec } qti-testscripts:unix_stream_socket connectto; allow domain qti-testscripts:fd use; - allow domain qti-testscripts:unix_stream_socket { getattr getopt read write shutdown }; - binder_call({ domain -init }, qti-testscripts) + allow { domain -mediaextractor -mediacodec } qti-testscripts:unix_stream_socket { getattr getopt read write shutdown }; + binder_call({ domain -init -netd }, qti-testscripts) allow domain qti-testscripts:fifo_file { write getattr }; allow domain qti-testscripts:process sigchld; |