author | Zohaib Alam <zalam@codeaurora.org> | 2014-11-13 09:12:02 -0500 |
---|---|---|
committer | Nirmal Abraham <nabrah@codeaurora.org> | 2014-12-01 18:18:00 +0530 |
commit | 48441f44725e560b9f3a77b8370fe36cd8ca0038 (patch) | |
tree | 2ef06ec746c95bffbb3db6ed76d6174009c2adf8 | |
parent | eadf6853ccb5e9e44c39d56276640faab67d9e89 (diff) | |
Seandroid: Add policies to enable all QDCM functionalities
Address all SELinux denial messages related to QDCM tool
functionality and the color service SDK application.
Add policies to allow:
1- /persist/ read & write for display config
2- /data/misc/display/ read & write
3- Allow access to colorservice for display sdk from android app.
4- Enable pp-daemon functionalities for the non user-debug and
eng builds, since OEMs actively use QDCM tool, and they require
full functionality.
Change-Id: I43545eaf8e63f0e43f40197cd01cddc8c6a5351a
-rwxr-xr-x | common/mm-pp-daemon.te | 30 | ||||
-rw-r--r-- | common/service.te | 1 | ||||
-rw-r--r-- | common/service_contexts | 1 | ||||
-rw-r--r-- | common/surfaceflinger.te | 5 | ||||
-rw-r--r-- | common/system_app.te | 3 |
5 files changed, 23 insertions, 17 deletions
diff --git a/common/mm-pp-daemon.te b/common/mm-pp-daemon.te index 5a623349..6c9ad161 100755 --- a/common/mm-pp-daemon.te +++ b/common/mm-pp-daemon.te @@ -8,14 +8,17 @@ init_daemon_domain(mm-pp-daemon) allow mm-pp-daemon graphics_device:chr_file rw_file_perms; allow mm-pp-daemon graphics_device:dir search; -# Allow reading calibration data from persist -allow mm-pp-daemon persist_file:file r_file_perms; -allow mm-pp-daemon persist_file:dir search; +# Allow reading/writing to persist +# The color config file is dynamically created +allow mm-pp-daemon persist_file:dir rw_dir_perms; +allow mm-pp-daemon persist_file:file create_file_perms; + +# Allow reading/writing data config files +allow mm-pp-daemon display_config:dir create_dir_perms; +allow mm-pp-daemon display_config:file create_file_perms; -# Allow pp daemon to save settings to /data -allow mm-pp-daemon display_config:file rw_file_perms; allow mm-pp-daemon system_prop:property_service set; -#Calibration can only be done on userdebug or eng builds + userdebug_or_eng(` # Display calibration service opens /dev/diag in order to communicate with the # target device @@ -32,12 +35,13 @@ userdebug_or_eng(` allow mm-pp-daemon shell_exec:file rx_file_perms; allow mm-pp-daemon system_file:file execute_no_trans; allow mm-pp-daemon zygote_exec:file rx_file_perms; + allow mm-pp-daemon self:process ptrace; +') - # Allow writing to persist - allow mm-pp-daemon persist_file:file rw_file_perms; +# Allow mm-pp-daemon to change the brightness of the target during display +# calibration +allow mm-pp-daemon sysfs:file rw_file_perms; - # Allow mm-pp-daemon to change the brightness of the target during display - # calibration - allow mm-pp-daemon sysfs:file rw_file_perms; - unix_socket_connect(mm-pp-daemon, property, init) -') +# Allow socket calls in pp-daemon +unix_socket_connect(mm-pp-daemon, property, init) +unix_socket_connect(mm-pp-daemon, pps, init) 
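Review bot: The new `allow mm-pp-daemon persist_file:dir rw_dir_perms;` and `allow mm-pp-daemon persist_file:file create_file_perms;` rules in the first hunk grant create, rename, write and unlink on the generic `persist_file` type on every build variant. The daemon can therefore modify any file on /persist that carries the default label, not only the dynamically created color config file the comment mentions. A dedicated type for the display config path (placeholder name `persist_display_file`, labelled in file_contexts) with the write rules scoped to it would keep the rest of /persist read-only for this domain. The `userdebug_or_eng(` block that starts at the end of this hunk closes in the next one.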
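Review bot: `allow mm-pp-daemon sysfs:file rw_file_perms;` moves out of `userdebug_or_eng` in the second hunk, so on user builds the daemon gains write access to every sysfs node that still has the default `sysfs` label, although the comment only asks for brightness control. Granting write on a specific type for the backlight node would be narrower; `sysfs_graphics`, which surfaceflinger.te in this commit already references, may fit if it covers that node, which needs confirming against file_contexts. Separately, the added `allow mm-pp-daemon self:process ptrace;` carries no comment; a line such as `# ptrace on self is required for <reason>` would let a later reviewer judge whether it can be dropped. The userdebug_or_eng block this hunk closes begins outside it.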
diff --git a/common/service.te b/common/service.te index ec90dda1..e6625706 100644 --- a/common/service.te +++ b/common/service.te @@ -6,3 +6,4 @@ type wbc_service, service_manager_type; type dun_service, service_manager_type; type digitalpen_service, service_manager_type; type imscm_service, service_manager_type; +type color_service, service_manager_type; diff --git a/common/service_contexts b/common/service_contexts index b29e165e..eccd3fdb 100644 --- a/common/service_contexts +++ b/common/service_contexts @@ -7,3 +7,4 @@ wbc_service u:object_r:wbc_service:s0 dun u:object_r:dun_service:s0 DigitalPen u:object_r:digitalpen_service:s0 qti.ims.connectionmanagerservice u:object_r:imscm_service:s0 +com.qti.snapdragon.sdk.display.IColorService u:object_r:color_service:s0 diff --git a/common/surfaceflinger.te b/common/surfaceflinger.te index 9c984ace..854ff8c7 100644 --- a/common/surfaceflinger.te +++ b/common/surfaceflinger.te @@ -2,10 +2,7 @@ allow surfaceflinger sysfs_graphics:file rw_file_perms; allow surfaceflinger shell_data_file:dir search; # Allows pp-daemon to refresh the screen in calibration mode -userdebug_or_eng(` - allow surfaceflinger mm-pp-daemon:dir search; - allow surfaceflinger mm-pp-daemon:file r_file_perms; -') +r_dir_file(surfaceflinger, mm-pp-daemon) binder_call(surfaceflinger, location) binder_call(surfaceflinger, tee) diff --git a/common/system_app.te b/common/system_app.te index 3cb20080..02fb6038 100644 --- a/common/system_app.te +++ b/common/system_app.te @@ -29,3 +29,6 @@ allow system_app tee:unix_dgram_socket sendto; # access to time_daemon allow system_app time_daemon:unix_stream_socket connectto; + +# access to color service SDK +allow system_app color_service:service_manager add; |
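Review bot: In surfaceflinger.te, `r_dir_file(surfaceflinger, mm-pp-daemon)` is wider than the two rules it replaces and is no longer limited to userdebug/eng builds. The AOSP macro grants full directory read (`r_dir_perms`) plus read on both `file` and `lnk_file`, where the old rules allowed only `dir search` and `file r_file_perms`. If surfaceflinger only needs to look up the daemon's entries (presumably under /proc), keeping `allow surfaceflinger mm-pp-daemon:dir search;` and `allow surfaceflinger mm-pp-daemon:file r_file_perms;` without the build guard would be enough. The comment above still says "in calibration mode" and should state why the access is needed on user builds.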
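Review bot: In system_app.te, the comment `# access to color service SDK` does not match the rule beneath it. The rule grants `add`, that is, registration of the service with servicemanager, and it applies to every app running in the `system_app` domain rather than giving clients access. Suggest `# Allow system_app to register the color service (IColorService) with servicemanager`, and name the hosting package if known so the grant can be audited later.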