author | Steve Kondik <steve@cyngn.com> | 2016-10-17 22:43:14 -0700 |
---|---|---|
committer | Steve Kondik <steve@cyngn.com> | 2016-10-17 22:43:14 -0700 |
commit | 22ea8db34e2107d636871605b3ee7be03b5d277f (patch) | |
tree | b650bf5ee63edf2f24d73e186cda8ce9dfab21c7 | |
parent | f7a12e8484b3b0e2ff6f897129fd8334b92faea2 (diff) | |
parent | 33634b612a6bede11b0d7d0d0f81328e3352e5d6 (diff) | |
Merge tag 'LA.UM.5.5.r1-00900-8x96.0' of git://codeaurora.org/device/qcom/sepolicy into cm-14.0
"LA.UM.5.5.r1-00900-8x96.0"
Change-Id: I1a53f98a3bfb51c0b087be8ce85d420419fa5aa1
99 files changed, 1741 insertions, 20 deletions
diff --git a/common/audioserver.te b/common/audioserver.te index c428fd75..a1b74afb 100644 --- a/common/audioserver.te +++ b/common/audioserver.te @@ -44,3 +44,9 @@ allow audioserver debugfs:file rw_file_perms; # Allow audioserver to create socket files for audio arbitration allow audioserver audio_data_file:sock_file { create setattr unlink }; allow audioserver audio_data_file:dir remove_name; + +# Allow audioserver to access sysfs nodes +allow audioserver sysfs:file rw_file_perms; +userdebug_or_eng(` + diag_use(audioserver) +') diff --git a/common/cameraserver.te b/common/cameraserver.te index b45b77d8..a0777d79 100644 --- a/common/cameraserver.te +++ b/common/cameraserver.te @@ -43,3 +43,16 @@ allow cameraserver system_server:unix_stream_socket { read write }; #Allow read access to soc/msm-cam/video4linux/video0/name sysfs allow cameraserver sysfs:file r_file_perms; + +allow cameraserver persist_file:dir r_dir_perms; +allow cameraserver camera_prop:property_service set; +unix_socket_connect(cameraserver,property,init); +allow cameraserver self:socket create_socket_perms; +allow cameraserver sensors_persist_file:dir r_dir_perms; +allow cameraserver sensors_persist_file:file r_file_perms; +allow cameraserver graphics_device:dir r_dir_perms; +allow cameraserver sensorservice_service:service_manager find; +allow cameraserver system_file:dir r_dir_perms; + +#Allows camera to call ADSP QDSP6 functionality +allow cameraserver qdsp_device:chr_file r_file_perms; diff --git a/common/cnd.te b/common/cnd.te index 44cdb1eb..54be97a1 100644 --- a/common/cnd.te +++ b/common/cnd.te @@ -87,3 +87,8 @@ domain_auto_trans(cnd, hostapd_exec, hostapd) # only allow getopt for appdomain allow appdomain zygote:unix_dgram_socket getopt; dontaudit { domain -appdomain } zygote:unix_dgram_socket getopt; + +#diag +userdebug_or_eng(` + diag_use(cnd) +') diff --git a/common/dataservice_app.te b/common/dataservice_app.te index db123df8..9c48a601 100644 --- a/common/dataservice_app.te 
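Review bot: In the audioserver.te hunk, `allow audioserver sysfs:file rw_file_perms;` is added outside the `userdebug_or_eng` block, so on every build variant audioserver can write to any node that still carries the generic `sysfs` label. The comment ("access sysfs nodes") does not say which nodes the audio HAL needs. I would give those nodes their own type in file.te and file_contexts and grant `rw_file_perms` on that type only. Failing that, the comment should name the paths so the rule can be narrowed later.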
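Review bot: In the cameraserver.te hunk, the first nine added rules have no comment, and two of them spell out by hand what the `set_prop` macro already provides. `allow cameraserver camera_prop:property_service set;` plus `unix_socket_connect(cameraserver,property,init);` can be written as `set_prop(cameraserver, camera_prop)`, the form used elsewhere in this policy (`set_prop(perfd, freq_prop)`). The bare `boot_mode_prop:property_service set` rules added in the mmi.te and qcomsysd.te hunks could use the same macro. `allow cameraserver self:socket create_socket_perms;` and `allow cameraserver system_file:dir r_dir_perms;` in particular deserve a one-line reason, since neither is obviously camera-related.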
+++ b/common/dataservice_app.te @@ -52,3 +52,7 @@ dontaudit dataservice_app domain:dir r_dir_perms; #allow dpmservice to get running time for apps r_dir_file(dataservice_app, appdomain) + +userdebug_or_eng(` + diag_use(dataservice_app) +') diff --git a/common/device.te b/common/device.te index 443228d7..362be377 100644 --- a/common/device.te +++ b/common/device.te @@ -69,9 +69,6 @@ type efs_boot_dev, dev_type; #MBA debug image partition type mba_debug_dev, dev_type; -#Misc partition -type misc_partition, dev_type; - #logdump partition type logdump_partition, dev_type; @@ -86,6 +83,24 @@ type ipa_dev, dev_type; type wcnss_device, dev_type; +# Define spcom device +type spcom_device, dev_type; + +# Define skp device +type skp_device, dev_type; + +# Define sp_ssr device +type sp_ssr_device, dev_type; + +# Define sp_keymaster device +type sp_keymaster_device, dev_type; + +# Define cryptoapp device +type cryptoapp_device, dev_type; + +# Define qsee_ipc_irq_spss device +type qsee_ipc_irq_spss_device, dev_type; + # Define QDSS devices type qdss_device, dev_type; diff --git a/common/domain.te b/common/domain.te index e831bb47..8a747e5c 100644 --- a/common/domain.te +++ b/common/domain.te @@ -1,5 +1,3 @@ -allow { domain -untrusted_app } diag_device:chr_file rw_file_perms; - r_dir_file(domain, sysfs_socinfo); r_dir_file(domain, sysfs_esoc); r_dir_file(domain, sysfs_ssr); diff --git a/common/dpmd.te b/common/dpmd.te index f94953ee..4b92e91b 100644 --- a/common/dpmd.te +++ b/common/dpmd.te @@ -71,3 +71,8 @@ dpmd_socket_perm(netd) #explicitly allow udp socket permissions for appdomain allow dpmd appdomain:udp_socket rw_socket_perms; + +#diag +userdebug_or_eng(` + diag_use(dpmd) +') diff --git a/common/energyawareness.te b/common/energyawareness.te index cdef9f0f..9a953704 100755 --- a/common/energyawareness.te +++ b/common/energyawareness.te 
@@ -12,3 +12,10 @@ allow energyawareness self:netlink_kobject_uevent_socket create_socket_perms; allow energyawareness self:capability net_admin; allow energyawareness sysfs:file w_file_perms; + +#debugfs access +userdebug_or_eng(` +typeattribute energyawareness qti_debugfs_domain; +allow energyawareness debugfs:dir r_dir_perms; +allow energyawareness debugfs:file rw_file_perms; +') diff --git a/common/file.te b/common/file.te index 81a36f94..2d31a6d4 100644 --- a/common/file.te +++ b/common/file.te @@ -89,6 +89,9 @@ type gamed_socket, file_type; type iop_socket, file_type; type iop_data_file, file_type, data_file_type; +# SPSS Apps images location +type spss_data_file, file_type, data_file_type; + #mm-qcamera-daemon socket type camera_socket, file_type; @@ -198,3 +201,8 @@ type dynamic_nv_data_file, file_type, data_file_type; type wififtmd_socket, file_type; type persist_alarm_file, file_type; + +type persist_time_file, file_type; + +# kgsl file type for sysfs access +type sysfs_kgsl, sysfs_type, fs_type; diff --git a/common/file_contexts b/common/file_contexts index 781c3f12..5793b770 100644 --- a/common/file_contexts +++ b/common/file_contexts @@ -10,12 +10,19 @@ /dev/bhi u:object_r:bhi_device:s0 /dev/msm_.* u:object_r:audio_device:s0 /dev/i2c-6 u:object_r:audio_device:s0 +/dev/wcd-dsp-glink u:object_r:audio_device:s0 /dev/usf1 u:object_r:usf_device:s0 /dev/msm_dsps u:object_r:sensors_device:s0 /dev/msm_thermal_query u:object_r:thermal_device:s0 /dev/nfc-nci u:object_r:nfc_device:s0 /dev/nq-nci u:object_r:nfc_device:s0 /dev/qseecom u:object_r:tee_device:s0 +/dev/spcom u:object_r:spcom_device:s0 +/dev/sp_kernel u:object_r:skp_device:s0 +/dev/sp_ssr u:object_r:sp_ssr_device:s0 +/dev/sp_keymaster u:object_r:sp_keymaster_device:s0 +/dev/cryptoapp u:object_r:cryptoapp_device:s0 +/dev/qsee_ipc_irq_spss u:object_r:qsee_ipc_irq_spss_device:s0 /dev/seemplog u:object_r:seemplog_device:s0 /dev/radio0 u:object_r:fm_radio_device:s0 /dev/rtc0 u:object_r:rtc_device:s0 
@@ -65,6 +72,9 @@ /dev/qbt1000 u:object_r:qbt1000_device:s0 /dev/at_.* u:object_r:at_device:s0 /dev/sg.* u:object_r:sg_device:s0 +/dev/dri/card0 u:object_r:graphics_device:s0 +/dev/dri/controlD64 u:object_r:graphics_device:s0 +/dev/dri/renderD128 u:object_r:graphics_device:s0 ################################### # Dev block nodes @@ -168,6 +178,7 @@ /system/bin/tftp_server u:object_r:rfs_access_exec:s0 /system/bin/hvdcp u:object_r:hvdcp_exec:s0 /system/bin/qseecomd u:object_r:tee_exec:s0 +/system/bin/spdaemon u:object_r:spdaemon_exec:s0 /system/bin/hostapd_cli u:object_r:hostapd_exec:s0 /system/bin/adsprpcd u:object_r:adsprpcd_exec:s0 /system/bin/wpa_cli u:object_r:wcnss_service_exec:s0 @@ -266,9 +277,9 @@ /sys/module/msm_thermal(/.*)? u:object_r:sysfs_thermal:s0 /sys/module/msm_thermal/core_control/cpus_offlined u:object_r:sysfs_mpdecision:s0 /sys/devices/f9a55000.*/power_supply/usb(/.*)? u:object_r:sysfs_usb_supply:s0 -/sys/devices/virtual/graphics/fb([0-2])+/hpd u:object_r:sysfs_graphics:s0 -/sys/devices/virtual/graphics/fb([0-2])+/res_info u:object_r:sysfs_graphics:s0 -/sys/devices/virtual/graphics/fb([0-2])+/s3d_mode u:object_r:sysfs_graphics:s0 +/sys/devices/virtual/graphics/fb([0-3])+/hpd u:object_r:sysfs_graphics:s0 +/sys/devices/virtual/graphics/fb([0-3])+/res_info u:object_r:sysfs_graphics:s0 +/sys/devices/virtual/graphics/fb([0-3])+/s3d_mode u:object_r:sysfs_graphics:s0 /sys/class/graphics/fb([0-2])+/mdp/caps u:object_r:sysfs_graphics:s0 /sys/class/graphics/fb([0-2])+/ad u:object_r:sysfs_graphics:s0 /sys/bus/platform/drivers/xhci_msm_hsic(/.*)? u:object_r:sysfs_hsic:s0 
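Review bot: In the file_contexts hunk at `@@ -266,9 +277,9 @@`, the three `/sys/devices/virtual/graphics/fb...` patterns are widened to `([0-3])+`, but the two `/sys/class/graphics/fb([0-2])+/...` context lines directly below keep the old range. If a fourth framebuffer is the reason for the change, `fb3/mdp/caps` and `fb3/ad` would presumably stay on the default sysfs label; confirm whether that is intended. Separately, `([0-3])+` also matches multi-digit names such as `fb00`, so `fb[0-3]` would express the intent more tightly.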
@@ -307,6 +318,7 @@ /data/misc/ipa(/.*)? u:object_r:ipacm_data_file:s0 /data/dpm(/.*)? u:object_r:dpmd_data_file:s0 /data/misc/qsee(/.*)? u:object_r:data_qsee_file:s0 +/data/misc/spss(/.*)? u:object_r:spss_data_file:s0 /data/misc/location(/.*)? u:object_r:location_data_file:s0 /data/misc/location/mq/location-mq-s u:object_r:location_socket:s0 /data/misc/location/mq/alarm_svc u:object_r:location_socket:s0 @@ -341,6 +353,7 @@ /persist/drm(/.*)? u:object_r:persist_drm_file:s0 /persist/sensors(/.*)? u:object_r:sensors_persist_file:s0 /persist/alarm(/.*)? u:object_r:persist_alarm_file:s0 +/persist/time(/.*)? u:object_r:persist_time_file:s0 /persist/data(/.*)? u:object_r:persist_drm_file:s0 /persist/data/tz(/.*)? u:object_r:persist_drm_file:s0 /persist/data/sfs(/.*)? u:object_r:persist_drm_file:s0 diff --git a/common/hbtp.te b/common/hbtp.te index f8f3377e..25a2a7a9 100644 --- a/common/hbtp.te +++ b/common/hbtp.te @@ -5,7 +5,7 @@ type hbtp_exec, exec_type, file_type; init_daemon_domain(hbtp) # Allow access for /dev/hbtp_input and /dev/jdi-bu21150 -allow hbtp { hbtp_device qdsp_device bu21150_device }:chr_file rw_file_perms; +allow hbtp { hbtp_device qdsp_device dsp_device bu21150_device }:chr_file rw_file_perms; allow hbtp hbtp_log_file:dir rw_dir_perms; allow hbtp hbtp_log_file:file create_file_perms; diff --git a/common/ims.te b/common/ims.te index 2f74bb7c..68a6a5ac 100644 --- a/common/ims.te +++ b/common/ims.te @@ -63,3 +63,8 @@ netmgr_socket(ims); # Inherit and use open files from radio. allow ims radio:fd use; + +#diag +userdebug_or_eng(` + diag_use(ims) +') diff --git a/common/init.te b/common/init.te index 02d804cd..6cde24b0 100644 --- a/common/init.te +++ b/common/init.te 
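Review bot: In the hbtp.te hunk, the comment above the changed rule still reads "Allow access for /dev/hbtp_input and /dev/jdi-bu21150", but the rule now also grants `rw_file_perms` on `dsp_device`. Please extend the comment to say why hbtp needs the DSP node, e.g. `# Allow access for /dev/hbtp_input, /dev/jdi-bu21150 and the DSP device nodes`. No declaration of `dsp_device` appears in the device.te hunks of this diff, so it is presumably declared elsewhere; worth confirming that the policy still builds.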
@@ -27,3 +27,7 @@ allow init { domain -lmkd }:process noatsecure; allow init configfs:dir r_dir_perms; allow init configfs:file { rw_file_perms link }; allow init configfs:lnk_file create_file_perms; + +#Allow init to mount non-hlos partitions in A/B builds +allow init firmware_file:dir { mounton }; +allow init bt_firmware_file:dir { mounton }; diff --git a/common/init_shell.te b/common/init_shell.te index 6af44dc5..487caf05 100644 --- a/common/init_shell.te +++ b/common/init_shell.te @@ -31,6 +31,8 @@ allow qti_init_shell vm_bms_device:chr_file getattr; # create/open, read/write permission for fm calibration file. allow qti_init_shell fm_data_file: file create_file_perms; +allow qti_init_shell gpu_device:chr_file getattr; + # for insmod of iris ko, this is needed. # dac_read/override is needed for scripts to do chown/mkdir which is # needed by most of the services @@ -74,6 +76,7 @@ allow qti_init_shell { ctl_qmuxd_prop ctl_netmgrd_prop ctl_port-bridge_prop + sdm_idle_time_prop sf_lcd_density_prop opengles_prop mdm_helper_prop @@ -93,6 +96,7 @@ allow qti_init_shell { sys_usb_configfs_prop #Needed for setting hwui properties in post_boot hwui_prop + graphics_vulkan_prop }:property_service set; allow qti_init_shell efs_boot_dev:blk_file r_file_perms; @@ -112,7 +116,8 @@ allow qti_init_shell { r_dir_file(qti_init_shell, sysfs_thermal) allow qti_init_shell sysfs_socinfo:file write; - +allow qti_init_shell sysfs:{ dir file lnk_file } relabelfrom; +allow qti_init_shell sysfs_devices_system_cpu: { dir file lnk_file } relabelto; # Check if /dev/sensors or /dev/msm_dsps present allow qti_init_shell sensors_data_file:dir r_dir_perms; allow qti_init_shell sensors_device:chr_file r_file_perms; 
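Review bot: In the init_shell.te hunk at `@@ -112,7 +116,8 @@`, `allow qti_init_shell sysfs:{ dir file lnk_file } relabelfrom;` lets the init shell scripts relabel any node carrying the generic `sysfs` label, and it is added without a comment on all build variants. Together with the `relabelto` on `sysfs_devices_system_cpu`, any domain allowed to write that type can then reach whatever the scripts relabel. Please add a comment naming the paths being relabelled (something like `# restorecon of cpu nodes created after boot`, if that is the purpose). Labelling them through file_contexts or genfscon would avoid the runtime relabel. The two rules also replace the blank line that separated this block from the `# Check if /dev/sensors` comment, so they now read as if they belonged to it.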
@@ -184,3 +189,6 @@ allow qti_init_shell persist_alarm_file:file r_file_perms; #Allow /sys access to write zram disksize allow qti_init_shell sysfs_zram:dir r_dir_perms; allow qti_init_shell sysfs_zram:file w_file_perms; + +# To get GPU frequencies +allow qti_init_shell sysfs_kgsl:file r_file_perms; diff --git a/common/ipacm.te b/common/ipacm.te index 087092f2..000bfa5e 100644 --- a/common/ipacm.te +++ b/common/ipacm.te @@ -12,8 +12,12 @@ net_domain(ipacm) userdebug_or_eng(` # Allow using the logging file between ipacm and ipacm-diag unix_socket_send(ipacm, ipacm, ipacm-diag) + diag_use(ipacm-diag) ') +# Allow capabilities to create netfilter_socket +allow ipacm self:netlink_netfilter_socket create_socket_perms; + # Allow capabilities to perform network operations and interactions with network interfaces allow ipacm ipacm:capability net_admin; diff --git a/common/location.te b/common/location.te index 2dfec3ba..a72adc11 100644 --- a/common/location.te +++ b/common/location.te @@ -41,7 +41,11 @@ allow location sensors_persist_file:dir r_dir_perms; allow location sensors_persist_file:file r_file_perms; #wifi -allow location wifi_data_file:dir r_dir_perms; +userdebug_or_eng(` +allow location wifi_data_file:dir create_dir_perms; +allow location wifi_data_file:sock_file create_file_perms; +allow location su:unix_dgram_socket sendto; +') unix_socket_send(wpa, location, location) allow location wpa:unix_dgram_socket sendto; allow location wpa_socket:dir rw_dir_perms; @@ -59,3 +63,8 @@ netmgr_socket(location); #Allow access to properties set_prop(location, location_prop); + +#diag +userdebug_or_eng(` + diag_use(location) +') diff --git a/common/location_app.te b/common/location_app.te index 3fe928a7..799bc4d8 100644 --- a/common/location_app.te +++ b/common/location_app.te 
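Review bot: In the location.te hunk at `@@ -41,7 +41,11 @@`, the unconditional `allow location wifi_data_file:dir r_dir_perms;` is removed and replaced only by rules inside `userdebug_or_eng`, so on user builds this hunk leaves location with no access to `wifi_data_file` directories at all. If the daemon still has to traverse that directory in production, keep the original `r_dir_perms` line outside the block. The added `allow location su:unix_dgram_socket sendto;` has no explanation under the `#wifi` heading; a short comment on which debug tool it serves would help later reviewers.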
@@ -9,6 +9,7 @@ userdebug_or_eng(` net_domain(location_app) allow location_app { adbd su }:unix_stream_socket connectto; allow location_app mediaserver_service:service_manager find; + diag_use(location_app) ') allow location_app surfaceflinger_service:service_manager find; diff --git a/common/mdtp.te b/common/mdtp.te index 0d1e8511..c0f49e48 100644 --- a/common/mdtp.te +++ b/common/mdtp.te @@ -37,6 +37,7 @@ userdebug_or_eng(` #Needed for kill(pid, 0) existance test allow mdtpdaemon su:process signull; allow mdtpdaemon self:capability kill; + diag_use(mdtpdaemon) ') #Allow for transition from init domain to mdtpdaemon diff --git a/common/mmi.te b/common/mmi.te index 1a7dc286..92e1ebcd 100755 --- a/common/mmi.te +++ b/common/mmi.te @@ -36,15 +36,14 @@ allow mmi persist_file:dir r_dir_perms; allow mmi sensors_persist_file:dir create_dir_perms; allow mmi sensors_persist_file:file create_file_perms; -#allow mmi operation on MISC partition -allow mmi misc_partition:blk_file w_file_perms; - #wifi case allow mmi system_file:file x_file_perms; allow mmi wpa_exec:file rx_file_perms; allow mmi wcnss_service_exec:file rx_file_perms; allow mmi kernel:key search; allow mmi kernel:system module_request; +allow mmi toolbox_exec:file rx_file_perms; +allow mmi system_file:system module_load; #audio case allow mmi audio_device:dir r_dir_perms; @@ -113,3 +112,10 @@ unix_socket_connect(mmi, cnd, cnd); unix_socket_connect(mmi, dpmwrapper, dpmd); unix_socket_connect(mmi, netmgrd, netmgrd); net_domain(mmi); + +#allow mmi access boot mode switch +allow mmi boot_mode_prop:property_service set; +#diag +userdebug_or_eng(` + diag_use(mmi) +') diff --git a/common/netmgrd.te b/common/netmgrd.te index 052b464e..ff913442 100644 --- a/common/netmgrd.te +++ b/common/netmgrd.te 
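Review bot: In the first mmi.te hunk, `allow mmi system_file:system module_load;` and `allow mmi toolbox_exec:file rx_file_perms;` are added unconditionally under the `#wifi case` heading. Together they let the mmi domain run toolbox and load kernel modules from the system partition on every build variant. If mmi is a factory-test component that does not need this on shipping builds, wrap both rules in `userdebug_or_eng`. Otherwise add a comment naming the module and the command involved, such as `# load the wlan module via insmod during the wifi test`.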
@@ -6,6 +6,7 @@ init_daemon_domain(netmgrd) userdebug_or_eng(` domain_auto_trans(shell, netmgrd_exec, netmgrd) domain_auto_trans(adbd, netmgrd_exec, netmgrd) + diag_use(netmgrd) ') #Allow files to be written during the operation of netmgrd @@ -33,6 +34,7 @@ allow netmgrd netmgrd:socket { create ioctl }; allow netmgrd netmgrd:netlink_route_socket { setopt getattr write nlmsg_write }; unix_socket_connect(netmgrd, property, init) allow netmgrd self:netlink_generic_socket create_socket_perms; +allow netmgrd self:netlink_tcpdiag_socket { create_socket_perms nlmsg_read nlmsg_write }; unix_socket_connect(netmgrd, cnd, cnd); diff --git a/common/perfd.te b/common/perfd.te index 981a9896..fb857290 100644 --- a/common/perfd.te +++ b/common/perfd.te @@ -55,3 +55,6 @@ allow perfd { #Allow perfd to set properties set_prop(perfd, freq_prop) + +#Allow writes to /dev/cpu_dma_latency +allow perfd device_latency:chr_file w_file_perms; diff --git a/common/platform_app.te b/common/platform_app.te index bc558e90..0dd94ddc 100644 --- a/common/platform_app.te +++ b/common/platform_app.te @@ -10,7 +10,7 @@ binder_call(platform_app, secotad) # Allow platform apps to interact with imscm daemon binder_call(platform_app, imscm) - +allow platform_app imscm_service:service_manager find; allow platform_app color_service:service_manager find; # Allow NFC service to be found diff --git a/common/port-bridge.te b/common/port-bridge.te index 8a74d497..83c993cd 100644 --- a/common/port-bridge.te +++ b/common/port-bridge.te @@ -5,6 +5,7 @@ init_daemon_domain(port-bridge) userdebug_or_eng(` domain_auto_trans(shell, port-bridge_exec, netmgrd) domain_auto_trans(adbd, port-bridge_exec, netmgrd) + diag_use(port-bridge) ') # Allow operations on different types of sockets diff --git a/common/property.te b/common/property.te index 6258e3ee..90a55cfd 100644..100755 --- a/common/property.te +++ b/common/property.te 
@@ -41,6 +41,8 @@ type ipacm-diag_prop, property_type; type sensors_prop, property_type; type msm_irqbalance_prop, property_type; type camera_prop, property_type, core_property_type; +type spcomlib_prop, property_type; +type sdm_idle_time_prop, property_type, core_property_type; type sf_lcd_density_prop, property_type, core_property_type; type opengles_prop, property_type, core_property_type; type mdm_helper_prop, property_type; @@ -87,3 +89,7 @@ type alarm_instance_prop, property_type, core_property_type; #HWUI property type hwui_prop, property_type, core_property_type; + +type graphics_vulkan_prop, property_type, core_property_type; +#boot mode property +type boot_mode_prop, property_type; diff --git a/common/property_contexts b/common/property_contexts index 939600d5..bb4720d9 100644..100755 --- a/common/property_contexts +++ b/common/property_contexts @@ -46,8 +46,11 @@ ctl.ipacm-diag u:object_r:ipacm-diag_prop:s0 ctl.qti u:object_r:qti_prop:s0 ctl.sensors u:object_r:sensors_prop:s0 ctl.msm_irqbalance u:object_r:msm_irqbalance_prop:s0 +ctl.msm_irqbal_lb u:object_r:msm_irqbalance_prop:s0 camera. u:object_r:camera_prop:s0 persist.camera. u:object_r:camera_prop:s0 +spcomlib. u:object_r:spcomlib_prop:s0 +sdm.idle_time u:object_r:sdm_idle_time_prop:s0 ro.sf.lcd_density u:object_r:sf_lcd_density_prop:s0 ro.opengles.version u:object_r:opengles_prop:s0 ro.qualcomm.bt.hci_transport u:object_r:bluetooth_prop:s0 @@ -79,3 +82,8 @@ ro.alarm_handled u:object_r:alarm_handled_prop:s0 ro.alarm_instance u:object_r:alarm_instance_prop:s0 #HWUI Property ro.hwui.texture_cache_size u:object_r:hwui_prop:s0 +persist.graphics.vulkan.disable u:object_r:graphics_vulkan_prop:s0 +#boot mode property +sys.boot_mode u:object_r:boot_mode_prop:s0 +# GPU +ro.gpu.available_frequencies u:object_r:freq_prop:s0 diff --git a/common/qcomsysd.te b/common/qcomsysd.te index 9215305d..c1257cb8 100644 --- a/common/qcomsysd.te +++ b/common/qcomsysd.te 
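Review bot: The file headers for property.te and property_contexts show a mode change `100644..100755` alongside the content changes. Neither file is executed, so the executable bit looks unintended; restoring 0644 keeps the tree consistent with the other policy files in this diff that are still 100644. In the property_contexts hunk at `@@ -79,3 +82,8 @@`, `persist.graphics.vulkan.disable` is added directly under the `#HWUI Property` comment with no heading of its own, while the two entries after it each get one.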
@@ -10,7 +10,6 @@ allow qcomsysd smem_log_device:chr_file rw_file_perms; #Needed to read/write cookies to the misc partition allow qcomsysd block_device:dir r_dir_perms; allow qcomsysd { - misc_partition #Needed to access the bootselect partition bootselect_device }:blk_file rw_file_perms; @@ -21,3 +20,10 @@ allow qcomsysd sysfs_socinfo:file w_file_perms; allow qcomsysd self:capability { dac_override sys_boot }; use_per_mgr(qcomsysd); +#allow qcomsysd access boot mode switch +allow qcomsysd boot_mode_prop:property_service set; + +#diag +userdebug_or_eng(` + diag_use(qcomsysd) +') diff --git a/common/qfp-daemon.te b/common/qfp-daemon.te index ccd60240..f7ddb32f 100644 --- a/common/qfp-daemon.te +++ b/common/qfp-daemon.te @@ -66,3 +66,8 @@ allow qfp-daemon sensors:unix_stream_socket connectto; # Allow listing input devices and sending input events allow qfp-daemon input_device:chr_file rw_file_perms; allow qfp-daemon input_device:dir r_dir_perms; + +#diag +userdebug_or_eng(` + diag_use(qfp-daemon) +') diff --git a/common/qlogd.te b/common/qlogd.te index ed51cddd..4740e58b 100644 --- a/common/qlogd.te +++ b/common/qlogd.te @@ -50,6 +50,7 @@ userdebug_or_eng(` allow qlogd sysfs:file w_file_perms; r_dir_file(qlogd, storage_file) r_dir_file(qlogd, mnt_user_file) + diag_use(qlogd) ') # need for capture adb logs diff --git a/common/qseecomd.te b/common/qseecomd.te index 6f21134b..a2118202 100644 --- a/common/qseecomd.te +++ b/common/qseecomd.te @@ -71,6 +71,9 @@ allow tee system_prop:property_service set; allow tee qfp-daemon_data_file:dir create_dir_perms; allow tee qfp-daemon_data_file:file create_file_perms; +# Allow access to qsee_ipc_irq_spss device +allow tee qsee_ipc_irq_spss_device:chr_file rw_file_perms; + #allow access to fingerprintd data file allow tee fingerprintd_data_file:dir create_dir_perms; allow tee fingerprintd_data_file:file create_file_perms; diff --git a/common/qti-logkit.te b/common/qti-logkit.te index db03c406..b1f9d552 100644 
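Review bot: In the first qcomsysd.te hunk, `misc_partition` is dropped from the `blk_file rw_file_perms` set but the context comment `#Needed to read/write cookies to the misc partition` stays above `allow qcomsysd block_device:dir r_dir_perms;`. After this change the only block device left in the set is `bootselect_device`, so the comment is misleading. I would reword it to something like `#Needed to look up the bootselect partition under /dev/block`. The hunk does not show whether another label now covers the misc partition for qcomsysd, which is worth confirming.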
--- a/common/qti-logkit.te +++ b/common/qti-logkit.te @@ -64,6 +64,7 @@ userdebug_or_eng(` # tcpdump allow qti_logkit self:packet_socket create_socket_perms; allow qti_logkit self:capability net_raw; + diag_use(qti_logkit) ') binder_use(qti_logkit) diff --git a/common/qti.te b/common/qti.te index 5b4827e4..921f083e 100644 --- a/common/qti.te +++ b/common/qti.te @@ -28,3 +28,8 @@ allow qti self:{ } create_socket_perms; allow qti { shell_exec system_file }:file rx_file_perms; + +#diag +userdebug_or_eng(` + diag_use(qti) +') diff --git a/common/radio.te b/common/radio.te index 433e719a..fcec958d 100644 --- a/common/radio.te +++ b/common/radio.te @@ -12,6 +12,10 @@ allow radio avtimer_device:chr_file r_file_perms; allow radio uce_service:service_manager { add find }; -allow radio cameraserver_service:service_manager find; - allow radio self:socket create_socket_perms; + +allow radio { cameraserver_service mediaextractor_service mediacodec_service }:service_manager find; +#diag +userdebug_or_eng(` + diag_use(radio) +') diff --git a/common/rfs_access.te b/common/rfs_access.te index 69c14e65..318fffc1 100644 --- a/common/rfs_access.te +++ b/common/rfs_access.te @@ -53,6 +53,7 @@ allow rfs_access self:capability { setuid setgid setpcap + net_bind_service net_raw }; @@ -62,6 +63,9 @@ allow rfs_access self:capability { allow rfs_access self:capability { dac_read_search chown dac_override }; +#For access to the kmsg device +allow rfs_access kmsg_device:chr_file w_file_perms; + #Prevent other domains from accessing RFS data files. neverallow { domain -rfs_access -kernel -recovery -init userdebug_or_eng(`-su') -qti_init_shell } rfs_file:dir create_dir_perms; neverallow { domain -rfs_access -kernel -recovery -init userdebug_or_eng(`-su') -qti_init_shell } rfs_file:file create_file_perms; diff --git a/common/rild.te b/common/rild.te index 62668a21..6d1fe057 100644 --- a/common/rild.te +++ b/common/rild.te 
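Review bot: In the rfs_access.te hunk at `@@ -53,6 +53,7 @@`, `net_bind_service` is added to the capability set with no comment; the rmt_storage.te hunk at `@@ -18,6 +18,7 @@` makes the same change. This capability permits binding to privileged ports, which is unexpected for a storage daemon, so the reason should be recorded next to the rule. A line such as `# net_bind_service: needed to bind the <transport> socket` with the actual transport named would be enough. The capability block starts above the hunk, so any existing explanation there is not visible from here.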
@@ -30,3 +30,8 @@ allow rild { mediaserver_service audioserver_service }:service_manager find; # Rule for RILD to talk to peripheral manager use_per_mgr(rild); + +#diag +userdebug_or_eng(` + diag_use(rild) +') diff --git a/common/rmt_storage.te b/common/rmt_storage.te index 83feeedb..f043becc 100644 --- a/common/rmt_storage.te +++ b/common/rmt_storage.te @@ -18,6 +18,7 @@ allow rmt_storage self:capability { setgid sys_admin dac_override + net_bind_service net_raw setpcap }; @@ -31,3 +32,13 @@ wakelock_use(rmt_storage) allow rmt_storage self:socket create_socket_perms; allow rmt_storage uio_device:chr_file rw_file_perms; + +#For access to the kmsg device +allow rmt_storage kmsg_device:chr_file w_file_perms; + +#debugfs access +userdebug_or_eng(` +typeattribute rmt_storage qti_debugfs_domain; +allow rmt_storage debugfs:dir r_dir_perms; +allow rmt_storage debugfs:file rw_file_perms; +') diff --git a/common/sensors.te b/common/sensors.te index 9e3cbdb4..3039434b 100644 --- a/common/sensors.te +++ b/common/sensors.te @@ -58,6 +58,7 @@ allow sensors device_latency:chr_file w_file_perms; # Access to tests from userdebug/eng builds userdebug_or_eng(` domain_auto_trans(shell, sensors_exec, sensors) + diag_use(sensors) ') binder_use(sensors) diff --git a/common/spdaemon.te b/common/spdaemon.te new file mode 100644 index 00000000..0a78b9c8 --- /dev/null +++ b/common/spdaemon.te 
@@ -0,0 +1,71 @@ +# Copyright (c) 2016, The Linux Foundation. All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions are +# met: +# * Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# * Redistributions in binary form must reproduce the above +# copyright notice, this list of conditions and the following +# disclaimer in the documentation and/or other materials provided +# with the distribution. +# * Neither the name of The Linux Foundation nor the names of its +# contributors may be used to endorse or promote products derived +# from this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED +# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT +# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS +# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR +# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR +# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, +# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE +# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN +# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ +# spdaemon service +type spdaemon, domain; + +type spdaemon_exec, exec_type, file_type; + +init_daemon_domain(spdaemon) + +# Allow access to spcom device +allow spdaemon spcom_device:chr_file rw_file_perms; + +# Allow access to skp device +allow spdaemon skp_device:chr_file rw_file_perms; + +# Allow access to sp_ssr device +allow spdaemon sp_ssr_device:chr_file rw_file_perms; + +# Allow access to sp_keymaster device +allow spdaemon sp_keymaster_device:chr_file rw_file_perms; + +# Allow access to cryptoapp device +allow spdaemon cryptoapp_device:chr_file rw_file_perms; + +# Allow access to ion device +allow spdaemon ion_device:chr_file rw_file_perms; + +# Allow to load SPSS firmware images +r_dir_file(spdaemon, firmware_file); + +# Allow to load SPSS Apps images +allow spdaemon spss_data_file:dir r_dir_perms; +allow spdaemon spss_data_file:file r_file_perms; + +# Allow check SPSS Apps images stat() +allow spdaemon spss_data_file:file getattr; + +# Allow get system info +r_dir_file(spdaemon, sysfs) + +# Allow SPSS-PIL via Peripheral Manager +binder_use(spdaemon) +use_per_mgr(spdaemon) + +# Allow set/get prop to set/check if app is loaded +set_prop(spdaemon, spcomlib_prop) diff --git a/common/ssr_diag.te b/common/ssr_diag.te index 956d0b01..f04ab537 100644 --- a/common/ssr_diag.te +++ b/common/ssr_diag.te @@ -4,4 +4,5 @@ init_daemon_domain(ssr_diag); userdebug_or_eng(` allow ssr_diag sysfs:file w_file_perms; + diag_use(ssr_diag) ') diff --git a/common/surfaceflinger.te b/common/surfaceflinger.te index 9baa3a04..0a8ae6de 100644 --- a/common/surfaceflinger.te +++ b/common/surfaceflinger.te @@ -37,3 +37,7 @@ binder_call(surfaceflinger, mmi) #Allow access to cameraserver service allow surfaceflinger cameraserver_service:service_manager find; +#diag +userdebug_or_eng(` + diag_use(surfaceflinger) +') diff --git a/common/system_app.te b/common/system_app.te index fdfa00b3..01d999af 100644 --- a/common/system_app.te +++ b/common/system_app.te 
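Review bot: In the new spdaemon.te, `r_dir_file(spdaemon, sysfs)` under "Allow get system info" gives the daemon read access to everything carrying the generic `sysfs` label. A daemon that also holds `rw_file_perms` on the secure-processor and keymaster device nodes would be better restricted to a specific type such as `sysfs_socinfo`, if that is the information meant. `allow spdaemon spss_data_file:file getattr;` is redundant because the preceding `r_file_perms` rule already includes `getattr`. Minor: `r_dir_file(spdaemon, firmware_file);` has a trailing semicolon while the other macro calls in the file do not.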
@@ -63,6 +63,7 @@ userdebug_or_eng(` # Access to tombstone segfaults allow system_app tombstone_data_file:dir r_dir_perms; allow system_app tombstone_data_file:file r_file_perms; + diag_use(system_app) ') allow system_app cnd_data_file:dir w_dir_perms; @@ -99,6 +100,7 @@ binder_call(system_app, secotad) # allow system_app to interact with imscm daemon binder_call(system_app, imscm) +allow system_app imscm_service:service_manager find; # access to seemp folder allow system_app seemp_file:dir r_dir_perms; diff --git a/common/system_server.te b/common/system_server.te index ca4a6bdf..f77d8a71 100644 --- a/common/system_server.te +++ b/common/system_server.te @@ -159,3 +159,6 @@ allow system_server system_file:system module_load; allow system_server persist_alarm_file:dir rw_dir_perms; allow system_server persist_alarm_file:file { rw_file_perms create }; +userdebug_or_eng(` + diag_use(system_server) +') diff --git a/common/te_macros b/common/te_macros index e232bb5a..4fd7b62b 100644 --- a/common/te_macros +++ b/common/te_macros @@ -53,3 +53,9 @@ allow dpmd $1:file r_file_perms; allow dpmd $1:fd use; allow dpmd $1:tcp_socket rw_socket_perms; ') +##################################### +# diag_use(clientdomain) +# allow clientdomain to read/write to diag +define(`diag_use', ` +allow $1 diag_device:chr_file rw_file_perms; +') diff --git a/common/thermal-engine.te b/common/thermal-engine.te index 4f0e1af0..33a0efed 100644 --- a/common/thermal-engine.te +++ b/common/thermal-engine.te @@ -51,3 +51,7 @@ allow thermal-engine uio_device:chr_file rw_file_perms; #Label the thermal sockets correctly type_transition thermal-engine socket_device:sock_file thermal_socket; + +userdebug_or_eng(` + diag_use(thermal-engine) +') diff --git a/common/time_daemon.te b/common/time_daemon.te index 5f64ec5f..20d9dbf5 100644 --- a/common/time_daemon.te +++ b/common/time_daemon.te 
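Review bot: In the te_macros hunk, nothing in the `diag_use` macro or its header comment ties it to debug builds; every call site in this diff happens to wrap it in `userdebug_or_eng`, but a later unwrapped `diag_use(...)` would silently re-open `diag_device` on user builds. I would add a line to the header such as `# callers must invoke this inside userdebug_or_eng`. The rule removed from domain.te excluded `untrusted_app` explicitly; a `neverallow untrusted_app diag_device:chr_file *;` next to the macro would keep that guarantee enforced at build time.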
@@ -16,4 +16,13 @@ allow time_daemon time_data_file:dir w_dir_perms; allow time_daemon self:socket create_socket_perms; allow time_daemon self:capability { setuid setgid sys_time }; +allow time_daemon persist_time_file:file create_file_perms; +allow time_daemon persist_time_file:dir w_dir_perms; + +allow time_daemon persist_file:dir search; + r_dir_file(time_daemon, sysfs_esoc); + +userdebug_or_eng(` + diag_use(time_daemon) +') diff --git a/common/untrusted_app.te b/common/untrusted_app.te index a06eb76a..32e1f5db 100644 --- a/common/untrusted_app.te +++ b/common/untrusted_app.te @@ -13,6 +13,7 @@ allow untrusted_app sysfs_battery_supply:file r_file_perms; # using binder call userdebug_or_eng(` binder_call(untrusted_app, imscm) + allow untrusted_app imscm_service:service_manager find; ') # for finding wbc_service diff --git a/common/vold.te b/common/vold.te index 08476cf3..48411ebf 100755 --- a/common/vold.te +++ b/common/vold.te @@ -2,6 +2,11 @@ allow vold tee_device:chr_file rw_file_perms; allow vold self:capability sys_boot; allow vold cache_file:dir w_dir_perms; allow vold { fscklogs cache_file }:file create_file_perms; + +# Read and write /cache/recovery/command +allow vold cache_recovery_file:dir rw_dir_perms; +allow vold cache_recovery_file:file create_file_perms; + allow vold { proc_sysrq proc_dirty_ratio }:file rw_file_perms; wakelock_use(vold) allow vold swap_block_device:blk_file r_file_perms; diff --git a/common/wcnss_filter.te b/common/wcnss_filter.te index 9e811456..7d84a76e 100644 --- a/common/wcnss_filter.te +++ b/common/wcnss_filter.te @@ -49,3 +49,8 @@ r_dir_file(wcnss_filter, bt_firmware_file) # Data file accesses. allow wcnss_filter bluetooth_data_file:dir create_dir_perms; allow wcnss_filter bluetooth_data_file:notdevfile_class_set create_file_perms; + +#diag +userdebug_or_eng(` + diag_use(wcnss_filter) +') diff --git a/common/wcnss_service.te b/common/wcnss_service.te index 724ee0d5..9f18d044 100644 --- a/common/wcnss_service.te 
+++ b/common/wcnss_service.te @@ -33,6 +33,9 @@ allow wcnss_service firmware_file:file r_file_perms; allow wcnss_service sysfs:file w_file_perms; allow wcnss_service storage_file:dir search; +# allow access to netd +unix_socket_connect(wcnss_service, netd, netd) + userdebug_or_eng(` allow wcnss_service fuse:dir create_dir_perms; allow wcnss_service fuse:file create_file_perms; @@ -45,4 +48,8 @@ allow wcnss_service dynamic_nv_data_file:dir r_dir_perms; # This is needed for ptt_socket app to write logs file collected to sdcard r_dir_file(wcnss_service, storage_file) r_dir_file(wcnss_service, mnt_user_file) +diag_use(wcnss_service) ') + +binder_use(wcnss_service) +use_per_mgr(wcnss_service) diff --git a/common/zygote.te b/common/zygote.te new file mode 100644 index 00000000..104613f8 --- /dev/null +++ b/common/zygote.te 
@@ -0,0 +1,29 @@
+# Copyright (c) 2016, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# allow zygote to access seempdw socket
+unix_socket_send(zygote, seempdw, seempd)
diff --git a/msm8937/device.te b/msm8937/device.te
new file mode 100644
index 00000000..66dd4e50
--- /dev/null
+++ b/msm8937/device.te
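Review bot: The comment in the new common/zygote.te only restates the rule `unix_socket_send(zygote, seempdw, seempd)` and gives no reason for it. zygote is the parent of every app process, so any extra channel out of that domain should carry its justification; the comment should say what zygote sends to seempd and when, e.g. `# zygote reports <EVENT> to seempd over the seempdw datagram socket` with the placeholder filled in by the author. The socket and domain types the macro refers to are presumably declared elsewhere in the tree; that is not visible here.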
@@ -0,0 +1,29 @@
+# Copyright (c) 2016, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+#Define rawdump block device
+type rawdump_block_device, dev_type;
diff --git a/msm8937/file.te b/msm8937/file.te
new file mode 100644
index 00000000..10d41462
--- /dev/null
+++ b/msm8937/file.te
@@ -0,0 +1,29 @@
+# Copyright (c) 2016, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+#sysfs emmc dload type
+type sysfs_emmc_dload, sysfs_type, fs_type;
diff --git a/msm8937/file_contexts b/msm8937/file_contexts
index 7afdf05c..30978355 100644
--- a/msm8937/file_contexts
+++ b/msm8937/file_contexts
@@ -45,3 +45,7 @@ /dev/block/platform/soc/7824900.sdhci/by-name/config u:object_r:frp_block_device:s0 /dev/block/platform/soc/7824900.sdhci/by-name/logdump u:object_r:logdump_partition:s0 /dev/block/platform/soc/7824900.sdhci/by-name/cache u:object_r:cache_block_device:s0 + +#rawdump partition +/dev/block/platform/soc/7824900.sdhci/by-name/rawdump u:object_r:rawdump_block_device:s0 +/sys/kernel/dload/emmc_dload u:object_r:sysfs_emmc_dload:s0 diff --git a/msm8937/idmap.te b/msm8937/idmap.te new file mode 100644 index 00000000..84b11e8f --- /dev/null +++ b/msm8937/idmap.te 
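Review bot: In msm8937/file_contexts the heading `#rawdump partition` sits over two added entries, but the second one, `/sys/kernel/dload/emmc_dload`, is a sysfs node and not a partition. A separate heading such as `#emmc_dload sysfs node` before that entry keeps the two labels easy to find when the policy is audited. The same two entries are added under the same single heading in msm8953/file_contexts.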
@@ -0,0 +1,30 @@
+# Copyright (c) 2016, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+#for oemfs
+allow idmap oemfs:file r_file_perms;
+allow idmap oemfs:dir r_dir_perms;
diff --git a/msm8937/platform_app.te b/msm8937/platform_app.te
new file mode 100644
index 00000000..919f16f5
--- /dev/null
+++ b/msm8937/platform_app.te
@@ -0,0 +1,29 @@
+# Copyright (c) 2016, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+#for oemfs
+allow platform_app oemfs:lnk_file { read getattr };
diff --git a/msm8937/priv_app.te b/msm8937/priv_app.te
new file mode 100644
index 00000000..203ed549
--- /dev/null
+++ b/msm8937/priv_app.te
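Review bot: In msm8937/platform_app.te the comment `#for oemfs` does not say which symlink on the OEM filesystem apps need to resolve or why. The identical rule `allow <domain> oemfs:lnk_file { read getattr };` is repeated in priv_app.te, system_app.te and untrusted_app.te, and again in the four msm8953 files, so third-party apps get it as well. A comment naming the link, e.g. `# apps resolve the <PATH> symlink on the OEM filesystem` with the placeholder filled in, would let a later audit decide whether untrusted_app really needs it. If the rule is not SoC-specific it could also live once under common/ instead of in eight copies.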
@@ -0,0 +1,29 @@
+# Copyright (c) 2016, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+#for oemfs
+allow priv_app oemfs:lnk_file { read getattr };
diff --git a/msm8937/qti-logkit.te b/msm8937/qti-logkit.te
new file mode 100644
index 00000000..725cf476
--- /dev/null
+++ b/msm8937/qti-logkit.te
@@ -0,0 +1,33 @@
+# Copyright (c) 2016, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# allow qti_logkit for rawdump partition
+allow qti_logkit block_device:dir r_dir_perms;
+allow qti_logkit rawdump_block_device:blk_file rw_file_perms;
+
+# allow qti_logkit for sysfs emmc dload node
+allow qti_logkit sysfs_emmc_dload:file rw_file_perms;
diff --git a/msm8937/ridl.te b/msm8937/ridl.te
new file mode 100644
index 00000000..0147c26c
--- /dev/null
+++ b/msm8937/ridl.te
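Review bot: In msm8937/qti-logkit.te the three `allow qti_logkit` rules are unconditional, so on user builds the logging domain can read and write the `rawdump_block_device` partition and write the `sysfs_emmc_dload` node. Judging by the names, that partition receives raw memory dumps, which would contain keys and user data; that should be confirmed. Unless the domain is absent from user builds, I would wrap the rules in a `userdebug_or_eng` block, as the `diag_use` rules elsewhere in this merge are, and drop write access to the block device if the tool only reads dumps. The same applies to the `allow RIDL` rules in msm8937/ridl.te and to both files under msm8953/.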
@@ -0,0 +1,33 @@
+# Copyright (c) 2016, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# allow RIDL for rawdump partition
+allow RIDL block_device:dir r_dir_perms;
+allow RIDL rawdump_block_device:blk_file rw_file_perms;
+
+# allow RIDL for enable sysfs node
+allow RIDL sysfs_emmc_dload:file rw_file_perms;
diff --git a/msm8937/system_app.te b/msm8937/system_app.te
new file mode 100644
index 00000000..10c8adac
--- /dev/null
+++ b/msm8937/system_app.te
@@ -0,0 +1,29 @@
+# Copyright (c) 2016, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+#for oemfs
+allow system_app oemfs:lnk_file { read getattr };
diff --git a/msm8937/untrusted_app.te b/msm8937/untrusted_app.te
new file mode 100644
index 00000000..e8b029e1
--- /dev/null
+++ b/msm8937/untrusted_app.te
@@ -0,0 +1,30 @@
+# Copyright (c) 2016, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+
+# for oemfs
+allow untrusted_app oemfs:lnk_file { read getattr };
diff --git a/msm8953/device.te b/msm8953/device.te
new file mode 100644
index 00000000..66dd4e50
--- /dev/null
+++ b/msm8953/device.te
@@ -0,0 +1,29 @@
+# Copyright (c) 2016, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+#Define rawdump block device
+type rawdump_block_device, dev_type;
diff --git a/msm8953/file.te b/msm8953/file.te
new file mode 100644
index 00000000..10d41462
--- /dev/null
+++ b/msm8953/file.te
@@ -0,0 +1,29 @@
+# Copyright (c) 2016, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+#sysfs emmc dload type
+type sysfs_emmc_dload, sysfs_type, fs_type;
diff --git a/msm8953/file_contexts b/msm8953/file_contexts
index 24464cc9..51bfa05f 100644
--- a/msm8953/file_contexts
+++ b/msm8953/file_contexts
@@ -44,3 +44,7 @@ /dev/block/platform/soc/7824900.sdhci/by-name/mdtp u:object_r:mdtp_device:s0 /dev/block/platform/soc/7824900.sdhci/by-name/config u:object_r:frp_block_device:s0 /dev/block/platform/soc/7824900.sdhci/by-name/logdump u:object_r:logdump_partition:s0 + +#rawdump partition +/dev/block/platform/soc/7824900.sdhci/by-name/rawdump u:object_r:rawdump_block_device:s0 +/sys/kernel/dload/emmc_dload u:object_r:sysfs_emmc_dload:s0 diff --git a/msm8953/idmap.te b/msm8953/idmap.te new file mode 100644 index 00000000..84b11e8f --- /dev/null +++ b/msm8953/idmap.te 
@@ -0,0 +1,30 @@
+# Copyright (c) 2016, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+#for oemfs
+allow idmap oemfs:file r_file_perms;
+allow idmap oemfs:dir r_dir_perms;
diff --git a/msm8953/platform_app.te b/msm8953/platform_app.te
new file mode 100644
index 00000000..919f16f5
--- /dev/null
+++ b/msm8953/platform_app.te
@@ -0,0 +1,29 @@
+# Copyright (c) 2016, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+#for oemfs
+allow platform_app oemfs:lnk_file { read getattr };
diff --git a/msm8953/priv_app.te b/msm8953/priv_app.te
new file mode 100644
index 00000000..203ed549
--- /dev/null
+++ b/msm8953/priv_app.te
@@ -0,0 +1,29 @@
+# Copyright (c) 2016, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+#for oemfs
+allow priv_app oemfs:lnk_file { read getattr };
diff --git a/msm8953/qti-logkit.te b/msm8953/qti-logkit.te
new file mode 100644
index 00000000..725cf476
--- /dev/null
+++ b/msm8953/qti-logkit.te
@@ -0,0 +1,33 @@
+# Copyright (c) 2016, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# allow qti_logkit for rawdump partition
+allow qti_logkit block_device:dir r_dir_perms;
+allow qti_logkit rawdump_block_device:blk_file rw_file_perms;
+
+# allow qti_logkit for sysfs emmc dload node
+allow qti_logkit sysfs_emmc_dload:file rw_file_perms;
diff --git a/msm8953/ridl.te b/msm8953/ridl.te
new file mode 100644
index 00000000..0147c26c
--- /dev/null
+++ b/msm8953/ridl.te
@@ -0,0 +1,33 @@
+# Copyright (c) 2016, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# allow RIDL for rawdump partition
+allow RIDL block_device:dir r_dir_perms;
+allow RIDL rawdump_block_device:blk_file rw_file_perms;
+
+# allow RIDL for enable sysfs node
+allow RIDL sysfs_emmc_dload:file rw_file_perms;
diff --git a/msm8953/system_app.te b/msm8953/system_app.te
new file mode 100644
index 00000000..10c8adac
--- /dev/null
+++ b/msm8953/system_app.te
@@ -0,0 +1,29 @@
+# Copyright (c) 2016, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+#for oemfs
+allow system_app oemfs:lnk_file { read getattr };
diff --git a/msm8953/untrusted_app.te b/msm8953/untrusted_app.te
new file mode 100644
index 00000000..e8b029e1
--- /dev/null
+++ b/msm8953/untrusted_app.te
@@ -0,0 +1,30 @@
+# Copyright (c) 2016, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+
+# for oemfs
+allow untrusted_app oemfs:lnk_file { read getattr };
diff --git a/msm8976/device.te b/msm8976/device.te
new file mode 100644
index 00000000..66dd4e50
--- /dev/null
+++ b/msm8976/device.te
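Review bot: `allow untrusted_app oemfs:lnk_file { read getattr };` extends a vendor filesystem type to the least-trusted app domain, and the `# for oemfs` comment does not say which symlink third-party apps have to resolve or why. I would replace it with a comment that names the link and its consumer, for example `# untrusted apps resolve <oem symlink> to reach <resource>; symlink read only, no oemfs file or dir access here`, with the placeholders filled in by the author. The system_app, platform_app and priv_app hunks carry the same one-word comment and would benefit from the same wording.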
@@ -0,0 +1,29 @@ +# Copyright (c) 2016, The Linux Foundation. All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions are +# met: +# * Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# * Redistributions in binary form must reproduce the above +# copyright notice, this list of conditions and the following +# disclaimer in the documentation and/or other materials provided +# with the distribution. +# * Neither the name of The Linux Foundation nor the names of its +# contributors may be used to endorse or promote products derived +# from this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED +# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT +# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS +# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR +# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR +# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, +# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE +# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN +# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +#Define rawdump block device +type rawdump_block_device, dev_type; diff --git a/msm8976/file.te b/msm8976/file.te new file mode 100644 index 00000000..10d41462 --- /dev/null +++ b/msm8976/file.te 
@@ -0,0 +1,29 @@ +# Copyright (c) 2016, The Linux Foundation. All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions are +# met: +# * Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# * Redistributions in binary form must reproduce the above +# copyright notice, this list of conditions and the following +# disclaimer in the documentation and/or other materials provided +# with the distribution. +# * Neither the name of The Linux Foundation nor the names of its +# contributors may be used to endorse or promote products derived +# from this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED +# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT +# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS +# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR +# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR +# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, +# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE +# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN +# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +#sysfs emmc dload type +type sysfs_emmc_dload, sysfs_type, fs_type; diff --git a/msm8976/file_contexts b/msm8976/file_contexts new file mode 100644 index 00000000..8a9ea58d --- /dev/null +++ b/msm8976/file_contexts 
@@ -0,0 +1,30 @@ +# Copyright (c) 2015, The Linux Foundation. All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions are +# met: +# * Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# * Redistributions in binary form must reproduce the above +# copyright notice, this list of conditions and the following +# disclaimer in the documentation and/or other materials provided +# with the distribution. +# * Neither the name of The Linux Foundation nor the names of its +# contributors may be used to endorse or promote products derived +# from this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED +# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT +# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS +# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR +# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR +# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, +# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE +# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN +# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +#rawdump partition +/dev/block/platform/soc/7824900.sdhci/by-name/rawdump u:object_r:rawdump_block_device:s0 +/sys/kernel/dload/emmc_dload u:object_r:sysfs_emmc_dload:s0 diff --git a/msm8976/qti-logkit.te b/msm8976/qti-logkit.te new file mode 100644 index 00000000..725cf476 --- /dev/null +++ b/msm8976/qti-logkit.te 
@@ -0,0 +1,33 @@ +# Copyright (c) 2016, The Linux Foundation. All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions are +# met: +# * Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# * Redistributions in binary form must reproduce the above +# copyright notice, this list of conditions and the following +# disclaimer in the documentation and/or other materials provided +# with the distribution. +# * Neither the name of The Linux Foundation nor the names of its +# contributors may be used to endorse or promote products derived +# from this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED +# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT +# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS +# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR +# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR +# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, +# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE +# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN +# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +# allow qti_logkit for rawdump partition +allow qti_logkit block_device:dir r_dir_perms; +allow qti_logkit rawdump_block_device:blk_file rw_file_perms; + +# allow qti_logkit for sysfs emmc dload node +allow qti_logkit sysfs_emmc_dload:file rw_file_perms; diff --git a/msm8976/ridl.te b/msm8976/ridl.te new file mode 100644 index 00000000..0147c26c --- /dev/null +++ b/msm8976/ridl.te 
@@ -0,0 +1,33 @@ +# Copyright (c) 2016, The Linux Foundation. All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions are +# met: +# * Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# * Redistributions in binary form must reproduce the above +# copyright notice, this list of conditions and the following +# disclaimer in the documentation and/or other materials provided +# with the distribution. +# * Neither the name of The Linux Foundation nor the names of its +# contributors may be used to endorse or promote products derived +# from this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED +# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT +# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS +# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR +# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR +# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, +# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE +# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN +# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +# allow RIDL for rawdump partition +allow RIDL block_device:dir r_dir_perms; +allow RIDL rawdump_block_device:blk_file rw_file_perms; + +# allow RIDL for enable sysfs node +allow RIDL sysfs_emmc_dload:file rw_file_perms; diff --git a/msm8996/device.te b/msm8996/device.te new file mode 100644 index 00000000..66dd4e50 --- /dev/null +++ b/msm8996/device.te 
@@ -0,0 +1,29 @@ +# Copyright (c) 2016, The Linux Foundation. All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions are +# met: +# * Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# * Redistributions in binary form must reproduce the above +# copyright notice, this list of conditions and the following +# disclaimer in the documentation and/or other materials provided +# with the distribution. +# * Neither the name of The Linux Foundation nor the names of its +# contributors may be used to endorse or promote products derived +# from this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED +# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT +# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS +# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR +# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR +# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, +# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE +# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN +# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +#Define rawdump block device +type rawdump_block_device, dev_type; diff --git a/msm8996/file.te b/msm8996/file.te index ebc72cfe..ed188636 100644 --- a/msm8996/file.te +++ b/msm8996/file.te 
@@ -34,3 +34,6 @@ type tlocd_data_file, file_type, data_file_type; # Data type for qvrd type qvrd_data_file, file_type, data_file_type; type qvrd_socket, file_type, mlstrustedobject; + +#sysfs emmc dload type +type sysfs_emmc_dload, sysfs_type, fs_type; diff --git a/msm8996/file_contexts b/msm8996/file_contexts index af12a6d3..6c3e83bd 100644 --- a/msm8996/file_contexts +++ b/msm8996/file_contexts @@ -96,9 +96,15 @@ # /sys/devices/virtual/graphics/fb([0-2])+/lineptr_value u:object_r:sysfs_graphics:s0 +/sys/devices/soc/b00000.qcom,kgsl-3d0/kgsl/kgsl-3d0/gpu_available_frequencies u:object_r:sysfs_kgsl:s0 + ################################### # data files # /data/misc/qvop(/.*)? u:object_r:qvop_data_file:s0 /data/misc/tloc(/.*)? u:object_r:tlocd_data_file:s0 /data/misc/qvr(/.*)? u:object_r:qvrd_data_file:s0 + +#rawdump partition +/dev/block/platform/soc/7464900.sdhci/by-name/rawdump u:object_r:rawdump_block_device:s0 +/sys/kernel/dload/emmc_dload u:object_r:sysfs_emmc_dload:s0 diff --git a/msm8996/qti-logkit.te b/msm8996/qti-logkit.te new file mode 100644 index 00000000..725cf476 --- /dev/null +++ b/msm8996/qti-logkit.te 
@@ -0,0 +1,33 @@ +# Copyright (c) 2016, The Linux Foundation. All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions are +# met: +# * Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# * Redistributions in binary form must reproduce the above +# copyright notice, this list of conditions and the following +# disclaimer in the documentation and/or other materials provided +# with the distribution. +# * Neither the name of The Linux Foundation nor the names of its +# contributors may be used to endorse or promote products derived +# from this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED +# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT +# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS +# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR +# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR +# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, +# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE +# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN +# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +# allow qti_logkit for rawdump partition +allow qti_logkit block_device:dir r_dir_perms; +allow qti_logkit rawdump_block_device:blk_file rw_file_perms; + +# allow qti_logkit for sysfs emmc dload node +allow qti_logkit sysfs_emmc_dload:file rw_file_perms; diff --git a/msm8996/ridl.te b/msm8996/ridl.te new file mode 100644 index 00000000..0147c26c --- /dev/null +++ b/msm8996/ridl.te 
@@ -0,0 +1,33 @@ +# Copyright (c) 2016, The Linux Foundation. All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions are +# met: +# * Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# * Redistributions in binary form must reproduce the above +# copyright notice, this list of conditions and the following +# disclaimer in the documentation and/or other materials provided +# with the distribution. +# * Neither the name of The Linux Foundation nor the names of its +# contributors may be used to endorse or promote products derived +# from this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED +# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT +# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS +# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR +# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR +# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, +# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE +# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN +# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +# allow RIDL for rawdump partition +allow RIDL block_device:dir r_dir_perms; +allow RIDL rawdump_block_device:blk_file rw_file_perms; + +# allow RIDL for enable sysfs node +allow RIDL sysfs_emmc_dload:file rw_file_perms; diff --git a/msmcobalt/bootanim.te b/msmcobalt/bootanim.te new file mode 100644 index 00000000..51701259 --- /dev/null +++ b/msmcobalt/bootanim.te 
@@ -0,0 +1,31 @@
+# Copyright (c) 2016, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# For regionalization
+allow bootanim persist_file:dir r_dir_perms;
+allow bootanim regionalization_file:dir r_dir_perms;
+allow bootanim regionalization_file:file r_file_perms;
diff --git a/msmcobalt/device.te b/msmcobalt/device.te
new file mode 100644
index 00000000..66dd4e50
--- /dev/null
+++ b/msmcobalt/device.te
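Review bot: `allow bootanim persist_file:dir r_dir_perms;` lets bootanim list every entry labelled `persist_file`, while the two `regionalization_file` rules below it suggest it only has to pass through that directory to reach the regionalization data. If that reading is right (the directory layout is not visible in this hunk), `allow bootanim persist_file:dir search;` is enough. The `# For regionalization` comment could also state that the access is read-only and limited to the boot animation resources.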
@@ -0,0 +1,29 @@ +# Copyright (c) 2016, The Linux Foundation. All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions are +# met: +# * Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# * Redistributions in binary form must reproduce the above +# copyright notice, this list of conditions and the following +# disclaimer in the documentation and/or other materials provided +# with the distribution. +# * Neither the name of The Linux Foundation nor the names of its +# contributors may be used to endorse or promote products derived +# from this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED +# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT +# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS +# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR +# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR +# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, +# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE +# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN +# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +#Define rawdump block device +type rawdump_block_device, dev_type; diff --git a/msmcobalt/file.te b/msmcobalt/file.te new file mode 100644 index 00000000..7679b9d9 --- /dev/null +++ b/msmcobalt/file.te 
@@ -0,0 +1,32 @@ +# Copyright (c) 2016, The Linux Foundation. All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions are +# met: +# * Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# * Redistributions in binary form must reproduce the above +# copyright notice, this list of conditions and the following +# disclaimer in the documentation and/or other materials provided +# with the distribution. +# * Neither the name of The Linux Foundation nor the names of its +# contributors may be used to endorse or promote products derived +# from this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED +# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT +# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS +# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR +# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR +# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, +# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE +# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN +# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +#sysfs emmc dload type +type sysfs_emmc_dload, sysfs_type, fs_type; + +# Data type for QVOP +type qvop_data_file, file_type, data_file_type;
\ No newline at end of file diff --git a/msmcobalt/file_contexts b/msmcobalt/file_contexts index 35f2ffb0..46ad29a2 100644 --- a/msmcobalt/file_contexts +++ b/msmcobalt/file_contexts @@ -37,8 +37,26 @@ /dev/block/platform/soc/1da4000.ufshc/by-name/modemst1 u:object_r:modem_efs_partition_device:s0 /dev/block/platform/soc/1da4000.ufshc/by-name/modemst2 u:object_r:modem_efs_partition_device:s0 /dev/block/platform/soc/1da4000.ufshc/by-name/ssd u:object_r:ssd_device:s0 -/dev/block/platform/soc/1da4000.ufshc/by-name/misc u:object_r:misc_partition:s0 +/dev/block/platform/soc/1da4000.ufshc/by-name/misc u:object_r:misc_block_device:s0 /dev/block/platform/soc/1da4000.ufshc/by-name/rpm u:object_r:rpmb_device:s0 /dev/block/platform/soc/1da4000.ufshc/by-name/msadp u:object_r:mba_debug_dev:s0 /dev/block/platform/soc/1da4000.ufshc/by-name/recovery u:object_r:recovery_block_device:s0 /dev/block/platform/soc/1da4000.ufshc/by-name/cache u:object_r:cache_block_device:s0 + +#rawdump partition +/dev/block/platform/soc/1da4000.ufshc/by-name/rawdump u:object_r:rawdump_block_device:s0 +/sys/kernel/dload/emmc_dload u:object_r:sysfs_emmc_dload:s0 + +################################### +# System files +# +/system/bin/qvop-daemon u:object_r:qvop_exec:s0 +################################### +# data files +# +/data/misc/qvop(/.*)? u:object_r:qvop_data_file:s0 + +################################## +# non-hlos mount points +/firmware u:object_r:firmware_file:s0 +/bt_firmware u:object_r:bt_firmware_file:s0 diff --git a/msmcobalt/idmap.te b/msmcobalt/idmap.te new file mode 100644 index 00000000..84b11e8f --- /dev/null +++ b/msmcobalt/idmap.te 
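Review bot: The new msmcobalt/file.te ends without a trailing newline, as the `\ No newline at end of file` marker shows, so its last statement `type qvop_data_file, file_type, data_file_type;` is not terminated by a line break. The policy sources are merged into one stream at build time, and depending on how that is done the declaration can end up on the same line as the first line of the next file; that parses today only because the next file happens to start with a comment. Ending the file with a newline removes the dependency on file ordering.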
@@ -0,0 +1,30 @@ +# Copyright (c) 2016, The Linux Foundation. All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions are +# met: +# * Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# * Redistributions in binary form must reproduce the above +# copyright notice, this list of conditions and the following +# disclaimer in the documentation and/or other materials provided +# with the distribution. +# * Neither the name of The Linux Foundation nor the names of its +# contributors may be used to endorse or promote products derived +# from this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED +# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT +# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS +# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR +# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR +# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, +# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE +# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN +# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +#for oemfs +allow idmap oemfs:file r_file_perms; +allow idmap oemfs:dir r_dir_perms; diff --git a/msmcobalt/init_shell.te b/msmcobalt/init_shell.te new file mode 100644 index 00000000..5f2ea564 --- /dev/null +++ b/msmcobalt/init_shell.te 
@@ -0,0 +1,30 @@
+# Copyright (c) 2016, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# For regionalization
+allow qti_init_shell regionalization_file:dir r_dir_perms;
+allow qti_init_shell regionalization_file:file create_file_perms;
diff --git a/msmcobalt/platform_app.te b/msmcobalt/platform_app.te
new file mode 100644
index 00000000..919f16f5
--- /dev/null
+++ b/msmcobalt/platform_app.te
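Review bot: `allow qti_init_shell regionalization_file:file create_file_perms;` grants create, rename and unlink on files, but the only directory rule in this hunk is `regionalization_file:dir r_dir_perms`, which carries no `write`, `add_name` or `remove_name`. Unless a rule outside this hunk adds those, the script can only modify files that already exist, so the file grant is wider than what the directory grant lets it use. Either reduce it to `allow qti_init_shell regionalization_file:file rw_file_perms;`, or, if the script really creates files there, grant `rw_dir_perms` on the directory and extend the `# For regionalization` comment to say what it writes.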
@@ -0,0 +1,29 @@ +# Copyright (c) 2016, The Linux Foundation. All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions are +# met: +# * Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# * Redistributions in binary form must reproduce the above +# copyright notice, this list of conditions and the following +# disclaimer in the documentation and/or other materials provided +# with the distribution. +# * Neither the name of The Linux Foundation nor the names of its +# contributors may be used to endorse or promote products derived +# from this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED +# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT +# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS +# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR +# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR +# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, +# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE +# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN +# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +#for oemfs +allow platform_app oemfs:lnk_file { read getattr }; diff --git a/msmcobalt/priv_app.te b/msmcobalt/priv_app.te new file mode 100644 index 00000000..203ed549 --- /dev/null +++ b/msmcobalt/priv_app.te 
@@ -0,0 +1,29 @@ +# Copyright (c) 2016, The Linux Foundation. All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions are +# met: +# * Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# * Redistributions in binary form must reproduce the above +# copyright notice, this list of conditions and the following +# disclaimer in the documentation and/or other materials provided +# with the distribution. +# * Neither the name of The Linux Foundation nor the names of its +# contributors may be used to endorse or promote products derived +# from this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED +# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT +# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS +# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR +# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR +# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, +# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE +# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN +# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +#for oemfs +allow priv_app oemfs:lnk_file { read getattr }; diff --git a/msmcobalt/qseecomd.te b/msmcobalt/qseecomd.te new file mode 100644 index 00000000..0e940c59 --- /dev/null +++ b/msmcobalt/qseecomd.te 
@@ -0,0 +1,30 @@ +# Copyright (c) 2016, The Linux Foundation. All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions are +# met: +# * Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# * Redistributions in binary form must reproduce the above +# copyright notice, this list of conditions and the following +# disclaimer in the documentation and/or other materials provided +# with the distribution. +# * Neither the name of The Linux Foundation nor the names of its +# contributors may be used to endorse or promote products derived +# from this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED +# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT +# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS +# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR +# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR +# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, +# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE +# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN +# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +# Provide access to Q VoicePrint +allow tee qvop_data_file:dir create_dir_perms; +allow tee qvop_data_file:file create_file_perms; diff --git a/msmcobalt/qti-logkit.te b/msmcobalt/qti-logkit.te new file mode 100644 index 00000000..725cf476 --- /dev/null +++ b/msmcobalt/qti-logkit.te 
@@ -0,0 +1,33 @@
+# Copyright (c) 2016, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# allow qti_logkit for rawdump partition
+allow qti_logkit block_device:dir r_dir_perms;
+allow qti_logkit rawdump_block_device:blk_file rw_file_perms;
+
+# allow qti_logkit for sysfs emmc dload node
+allow qti_logkit sysfs_emmc_dload:file rw_file_perms;
diff --git a/msmcobalt/qvop.te b/msmcobalt/qvop.te
new file mode 100644
index 00000000..ce69fa4d
--- /dev/null
+++ b/msmcobalt/qvop.te
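Review bot: The three `allow qti_logkit` rules in msmcobalt/qti-logkit.te are unconditional, so this domain gets read/write on `rawdump_block_device` and on the `sysfs_emmc_dload` node in every build variant, including user builds. The raw-dump partition presumably holds crash memory images, which can contain key material and user data, so the access is worth gating: wrap the rules in the `userdebug_or_eng` macro, the way test/qti-testscripts.te wraps its rules, or narrow `rw_file_perms` to what the tool actually needs. The same applies to the identical `allow RIDL` rules added in msmcobalt/ridl.te. Where the `qti_logkit` and `RIDL` domains are declared is not visible in these hunks, so confirm whether they already exist only in debug builds.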
@@ -0,0 +1,46 @@
+# Copyright (c) 2016, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+type qvop, domain;
+type qvop_exec, exec_type, file_type;
+
+init_daemon_domain(qvop)
+
+allow qvop qvop_data_file:dir create_dir_perms;
+allow qvop qvop_data_file:file create_file_perms;
+
+binder_call(qvop, system_app)
+
+# Add IQvopService service
+allow qvop iqvop_service:service_manager add;
+
+binder_use(qvop)
+
+allow qvop tee_device:chr_file rw_file_perms;
+r_dir_file(qvop, firmware_file)
+
+allow qvop ion_device:chr_file r_file_perms;
\ No newline at end of file
diff --git a/msmcobalt/recovery.te b/msmcobalt/recovery.te
new file mode 100644
index 00000000..ef6eb7b0
--- /dev/null
+++ b/msmcobalt/recovery.te
@@ -0,0 +1,30 @@
+# Copyright (c) 2016, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+recovery_only(`
+ allow recovery shell_exec:file x_file_perms;
+')
diff --git a/msmcobalt/ridl.te b/msmcobalt/ridl.te
new file mode 100644
index 00000000..0147c26c
--- /dev/null
+++ b/msmcobalt/ridl.te
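Review bot: msmcobalt/qvop.te ends without a trailing newline (the `\ No newline at end of file` marker after `allow qvop ion_device:chr_file r_file_perms;`), and so do msmcobalt/service.te and msmcobalt/service_contexts in this change. Policy and contexts files from several directories are concatenated during the build, so depending on how the build joins them, the last statement can end up glued to the first line of the next file. For service_contexts that would damage the `android.apps.IQvopService u:object_r:iqvop_service:s0` entry or the one that follows it, which changes how the service is labelled. End each of the three files with a newline.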
@@ -0,0 +1,33 @@
+# Copyright (c) 2016, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# allow RIDL for rawdump partition
+allow RIDL block_device:dir r_dir_perms;
+allow RIDL rawdump_block_device:blk_file rw_file_perms;
+
+# allow RIDL for enable sysfs node
+allow RIDL sysfs_emmc_dload:file rw_file_perms;
diff --git a/msmcobalt/service.te b/msmcobalt/service.te
new file mode 100644
index 00000000..ad41b5fa
--- /dev/null
+++ b/msmcobalt/service.te
@@ -0,0 +1,31 @@
+# Copyright (c) 2016, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# regionalization service
+type regionalization_service, system_api_service, service_manager_type;
+
+type iqvop_service, service_manager_type;
\ No newline at end of file
diff --git a/msmcobalt/service_contexts b/msmcobalt/service_contexts
new file mode 100644
index 00000000..20ab6358
--- /dev/null
+++ b/msmcobalt/service_contexts
@@ -0,0 +1,31 @@
+# Copyright (c) 2016, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# Regionalization service
+regionalization u:object_r:regionalization_service:s0
+
+android.apps.IQvopService u:object_r:iqvop_service:s0
\ No newline at end of file
diff --git a/msmcobalt/system_app.te b/msmcobalt/system_app.te
new file mode 100644
index 00000000..d11659b6
--- /dev/null
+++ b/msmcobalt/system_app.te
@@ -0,0 +1,30 @@
+# Copyright (c) 2016, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+binder_call(system_app, qvop)
+#for oemfs
+allow system_app oemfs:lnk_file { read getattr };
diff --git a/msmcobalt/system_server.te b/msmcobalt/system_server.te
new file mode 100644
index 00000000..54c7faa6
--- /dev/null
+++ b/msmcobalt/system_server.te
@@ -0,0 +1,33 @@
+# Copyright (c) 2016, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# For Regionalization service
+allow system_server regionalization_service:service_manager { add find };
+allow system_server regionalization_file:file rw_file_perms;
+allow system_server regionalization_file:dir r_dir_perms;
+allow system_server resourcecache_data_file:dir create_dir_perms;
+allow system_server resourcecache_data_file:file create_file_perms;
diff --git a/msmcobalt/untrusted_app.te b/msmcobalt/untrusted_app.te
new file mode 100644
index 00000000..e8b029e1
--- /dev/null
+++ b/msmcobalt/untrusted_app.te
@@ -0,0 +1,30 @@
+# Copyright (c) 2016, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+
+# for oemfs
+allow untrusted_app oemfs:lnk_file { read getattr };
diff --git a/msmcobalt/zygote.te b/msmcobalt/zygote.te
new file mode 100644
index 00000000..c8d772e4
--- /dev/null
+++ b/msmcobalt/zygote.te
@@ -0,0 +1,33 @@
+# Copyright (c) 2016, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# For regionalization
+allow zygote persist_file:dir r_dir_perms;
+allow zygote regionalization_file:dir r_dir_perms;
+allow zygote regionalization_file:file r_file_perms;
+allow zygote oemfs:dir r_dir_perms;
+allow zygote oemfs:file r_file_perms;
diff --git a/test/qti-testscripts.te b/test/qti-testscripts.te
index 380af29f..4d3eadfd 100644
--- a/test/qti-testscripts.te
+++ b/test/qti-testscripts.te
@@ -78,5 +78,5 @@ userdebug_or_eng(` binder_call({ domain -init -netd }, qti-testscripts) allow domain qti-testscripts:fifo_file { write getattr }; allow domain qti-testscripts:process sigchld; - + diag_use(radio) ') |
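Review bot: `diag_use(radio)` is added to test/qti-testscripts.te although it grants diag access to the `radio` domain rather than to `qti-testscripts`, so someone auditing what radio may do will not find the rule in the radio policy file. It appears to sit inside the `userdebug_or_eng` block named in the hunk header (the block opens outside the hunk), so it should not reach user builds. Moving the rule into the radio policy file under its own `userdebug_or_eng` guard, with a comment such as `# diag access for radio, debug builds only`, would keep it discoverable and keep the guard next to the rule it protects.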