authorLinux Build Service Account <lnxbuild@localhost>2015-01-26 21:26:40 -0800
committerGerrit - the friendly Code Review server <code-review@localhost>2015-01-26 21:26:40 -0800
commit7cdac77d445cb2a3b9c0eb8b656313ca5619e2eb (patch)
treeca0abc529d3d5cc78ef7dfe870eb27860cce713d
parentc552d2b020783a928a62eb2477c745b687fd4af0 (diff)
parenta1432652304530418c043509ebe560df501ff06b (diff)
Merge "Merge tag 'AU_LINUX_ANDROID_LA.BF.1.1.05.00.02.162.248' into HEAD"
-rwxr-xr-x[-rw-r--r--]Android.mk6
-rw-r--r--common/app.te5
-rw-r--r--common/atfwd.te1
-rw-r--r--common/bluetooth.te24
-rwxr-xr-xcommon/device.te13
-rw-r--r--common/file.te9
-rw-r--r--common/file_contexts24
-rwxr-xr-x[-rw-r--r--]common/genfs_contexts1
-rw-r--r--common/hbtp.te19
-rw-r--r--common/ims.te54
-rw-r--r--common/imscm.te25
-rwxr-xr-xcommon/kernel.te1
-rw-r--r--common/location.te5
-rw-r--r--common/mediaserver.te6
-rwxr-xr-xcommon/mm-pp-daemon.te2
-rw-r--r--common/mm-qcamerad.te3
-rw-r--r--common/mpdecision.te3
-rw-r--r--common/property.te1
-rw-r--r--common/property_contexts1
-rw-r--r--common/qcomsysd.te2
-rw-r--r--common/qlogd.te40
-rw-r--r--common/radio.te3
-rw-r--r--common/rild.te4
-rw-r--r--common/service.te1
-rw-r--r--common/service_contexts1
-rw-r--r--common/system_app.te3
-rw-r--r--common/system_server.te7
-rwxr-xr-x[-rw-r--r--]common/vold.te1
-rw-r--r--common/wpa.te3
-rwxr-xr-xmsm8960/device.te2
-rw-r--r--msm8960/file.te2
-rwxr-xr-xmsm8960/file_contexts22
-rwxr-xr-xmsm8960/mdm_helper.te8
-rw-r--r--msm8960/mm-pp-daemon.te4
-rw-r--r--msm8960/mpdecision.te3
-rw-r--r--msm8960/rild.te2
-rw-r--r--msm8960/rmt_storage.te5
-rw-r--r--msm8960/ssr_diag.te3
-rw-r--r--msm8960/system_server.te2
-rw-r--r--msm8960/thermal-engine.te2
-rw-r--r--msm8960/wpa.te2
-rw-r--r--msm8994/ims.te3
-rw-r--r--msm8994/service.te1
-rw-r--r--msm8994/service_contexts1
-rw-r--r--test/qmi_test_service.te5
-rw-r--r--test/sensors_test.te1
46 files changed, 307 insertions, 29 deletions
diff --git a/Android.mk b/Android.mk
index 4571f6d9..fbd5e4dd 100644..100755
--- a/Android.mk
+++ b/Android.mk
@@ -60,6 +60,7 @@ BOARD_SEPOLICY_UNION := \
mcStarter.te \
keystore.te \
ims.te \
+ imscm.te \
healthd.te \
charger_monitor.te \
surfaceflinger.te \
@@ -89,7 +90,10 @@ BOARD_SEPOLICY_UNION := \
dhcp.te \
wfd_app.te \
mediaserver_test.te \
- energyawareness.te
+ energyawareness.te \
+ hbtp.te \
+ kernel.te \
+ vold.te
# Compile sensor pilicy only for SSC targets
SSC_TARGET_LIST := apq8084
diff --git a/common/app.te b/common/app.te
index f65c034b..8253b74b 100644
--- a/common/app.te
+++ b/common/app.te
@@ -12,3 +12,8 @@ allow appdomain qdsp_device:chr_file r_file_perms;
allow appdomain mpctl_socket:dir r_dir_perms;
unix_socket_send(appdomain, mpctl, perfd)
unix_socket_connect(appdomain, mpctl, perfd)
+# test apps needs to communicate with imscm
+# using binder call
+userdebug_or_eng(`
+ binder_call(appdomain, imscm)
+')
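Review bot: `binder_call(appdomain, imscm)` targets all of `appdomain`, so on userdebug/eng builds every app, including `untrusted_app`, can call into the IMS connection manager that this commit also grants `net_raw`; the comment says only test apps need this. If the test app is a platform or system app, narrow the rule to that domain, e.g. `binder_call(system_app, imscm)`; otherwise give the test app its own domain, as the test/ directory does for other test binaries.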
diff --git a/common/atfwd.te b/common/atfwd.te
index 4c295b68..f3d84a80 100644
--- a/common/atfwd.te
+++ b/common/atfwd.te
@@ -14,3 +14,4 @@ binder_call(atfwd, servicemanager);
r_dir_file(atfwd, sysfs_ssr);
allow atfwd self:udp_socket create;
+unix_socket_connect(atfwd, property, init);
diff --git a/common/bluetooth.te b/common/bluetooth.te
index 50ce7b9e..e49537a6 100644
--- a/common/bluetooth.te
+++ b/common/bluetooth.te
@@ -1,3 +1,16 @@
+#Adding all bt related service to bt domains
+type sapd, bluetoothdomain;
+type sapd_exec, exec_type, file_type;
+domain_auto_trans(init, sapd_exec, bluetooth)
+
+type dun-server, bluetoothdomain;
+type dun-server_exec, exec_type, file_type;
+domain_auto_trans(init, dun-server_exec, bluetooth)
+
+type btsnoop, bluetoothdomain;
+type btsnoop_exec, exec_type, file_type;
+domain_auto_trans(init, btsnoop_exec, bluetooth)
+
#BT needes read and write on smd device node
allow bluetooth smd_device:chr_file rw_file_perms;
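Review bot: The three new types declared in this hunk (`type sapd, bluetoothdomain;`, `dun-server`, `btsnoop`) are never used as a process domain — each `domain_auto_trans` sends the executable into `bluetooth`, so the daemons run in the Bluetooth app's domain and the new type lines are dead declarations. If separate domains are intended, declare them with `domain` (e.g. `type sapd, domain, bluetoothdomain;` plus `init_daemon_domain(sapd)`) and transition into them; otherwise drop the unused lines. As far as I can tell `bluetoothdomain` alone is only an attribute and does not make a type a domain, so as written these lines just mislead the reader.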
@@ -19,3 +32,14 @@ allow bluetooth persist_file:file rw_file_perms;
#For bluetooth firmware
allow bluetooth bt_firmware_file:dir r_dir_perms;
allow bluetooth bt_firmware_file:file r_file_perms;
+
+#dun-server requires interaction with net_domain socket
+net_domain(bluetooth);
+
+#dun-server requires binding with system_app and servicemanager
+binder_use(bluetooth);
+binder_call(bluetooth, system_app);
+binder_call(bluetooth, servicemanager);
+
+#sapd requires interaction with qmux sockets
+qmux_socket(bluetooth);
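Review bot: The new grants are attached to the whole `bluetooth` domain, not to the individual daemons the comments name, so the Bluetooth app itself gains `net_domain`, `binder_call` to `system_app` and `qmux_socket` access to the modem's QMI multiplexer. Since the comments say only dun-server needs the network/binder rules and only sapd needs qmux, each daemon belongs in its own domain carrying just its own rules, e.g. `qmux_socket(sapd)` in a dedicated `sapd` domain. If the shared domain is deliberate, a comment explaining why the app needs modem QMI access would help the next reviewer.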
diff --git a/common/device.te b/common/device.te
index 4c0aa2c2..16d09fb3 100755
--- a/common/device.te
+++ b/common/device.te
@@ -76,8 +76,21 @@ type wcnss_device, dev_type;
type mmc_block_device, dev_type;
+# Define QDSS devices
+type qdss_device, dev_type;
+
#Define Gadget serial device
type gadget_serial_device, dev_type;
#energy-awareness device
type pta_device, dev_type;
+
+#Added for hbtp
+type bu21150_device, dev_type;
+type hbtp_device, dev_type;
+
+#added for voice device
+type voice_device, dev_type;
+
+#Define system health monitor devices
+type system_health_monitor_device, dev_type;
diff --git a/common/file.te b/common/file.te
index 0c86d567..93955181 100644
--- a/common/file.te
+++ b/common/file.te
@@ -98,7 +98,7 @@ type sysfs_socinfo, fs_type, sysfs_type;
type sysfs_usb_uicc, sysfs_type, fs_type;
type qlogd_socket, file_type;
-
+type qlogd_data_file, file_type;
#Define the files written during the operation of mm-pp-daemon
type display_config, file_type, data_file_type;
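Review bot: `type qlogd_data_file, file_type;` lacks the `data_file_type` attribute even though this commit labels `/data/misc/qlogd` with it, whereas the neighbouring `display_config` and `mmi_data_file` types carry `file_type, data_file_type`. Declare it `type qlogd_data_file, file_type, data_file_type;` so that whatever attribute-based rules the platform policy keys on `data_file_type` also cover this /data content.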
@@ -111,3 +111,10 @@ type mmi_data_file, file_type, data_file_type;
#bluetooth firmware file types
type bt_firmware_file, fs_type, contextmount_type;
+
+#needed by vold
+type proc_dirty_ratio, fs_type;
+
+# hbtp config file
+type hbtp_cfg_file, file_type;
+type hbtp_log_file, file_type;
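Review bot: `hbtp_log_file` is applied to `/data/misc/hbtp` elsewhere in this commit but is declared with `file_type` only, unlike the `data_file_type` types above it; declare it `type hbtp_log_file, file_type, data_file_type;`. `hbtp_cfg_file` is placed under /etc/firmware, which is read-only system content on this platform, so its plain `file_type` declaration looks right — but that placement does not match the `create_file_perms` the commit grants on it in hbtp.te.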
diff --git a/common/file_contexts b/common/file_contexts
index 0d604528..74f7aa74 100644
--- a/common/file_contexts
+++ b/common/file_contexts
@@ -54,6 +54,14 @@
/dev/wcnss_wlan u:object_r:wcnss_device:s0
/dev/pta u:object_r:pta_device:s0
/dev/mdss_rotator u:object_r:graphics_device:s0
+/dev/hbtp_input u:object_r:hbtp_device:s0
+/dev/jdi-bu21150 u:object_r:bu21150_device:s0
+/dev/voice_svc u:object_r:voice_device:s0
+/dev/coresight-stm u:object_r:qdss_device:s0
+/dev/coresight-tmc-etf u:object_r:qdss_device:s0
+/dev/coresight-tmc-etr u:object_r:qdss_device:s0
+/dev/coresight-tmc-etr-stream u:object_r:qdss_device:s0
+/dev/system_health_monitor u:object_r:system_health_monitor_device:s0
###################################
# Dev socket nodes
@@ -108,7 +116,7 @@
/system/bin/imsdatadaemon u:object_r:ims_exec:s0
/system/bin/imsqmidaemon u:object_r:ims_exec:s0
/system/bin/ims_rtp_daemon u:object_r:ims_exec:s0
-/system/bin/imscmservice u:object_r:ims_exec:s0
+/system/bin/imscmservice u:object_r:imscm_exec:s0
/system/bin/netmgrd u:object_r:netmgrd_exec:s0
/system/bin/qmuxd u:object_r:qmuxd_exec:s0
/system/bin/port-bridge u:object_r:port-bridge_exec:s0
@@ -158,6 +166,10 @@
/system/bin/energy-awareness u:object_r:energyawareness_exec:s0
/system/vendor/bin/qti u:object_r:qti_exec:s0
/system/bin/wcnss_service u:object_r:wcnss_service_exec:s0
+/system/vendor/bin/hbtp_daemon u:object_r:hbtp_exec:s0
+/system/bin/sapd u:object_r:sapd_exec:s0
+/system/bin/btsnoop u:object_r:btsnoop_exec:s0
+/system/bin/dun-server u:object_r:dun-server_exec:s0
###################################
# sysfs files
@@ -211,7 +223,7 @@
/data/hlos_rfs(/.*)? u:object_r:rfs_shared_hlos_file:s0
/data/camera(/.*)? u:object_r:camera_socket:s0
/data/system/sensors(/.*)? u:object_r:sensors_data_file:s0
-/data/time/* u:object_r:time_data_file:s0
+/data/time(/.*)? u:object_r:time_data_file:s0
/data/nfc(/.*)? u:object_r:nfc_data_file:s0
/data/system/perfd(/.*)? u:object_r:mpctl_data_file:s0
/data/misc/perfd(/.*)? u:object_r:mpctl_socket:s0
@@ -221,11 +233,14 @@
/data/misc/qsee(/.*)? u:object_r:data_qsee_file:s0
/data/misc/location(/.*)? u:object_r:location_data_file:s0
/data/FTM_AP(/.*)? u:object_r:mmi_data_file:s0
+/data/misc/hbtp(/.*)? u:object_r:hbtp_log_file:s0
+/data/misc/qlogd(/.*)? u:object_r:qlogd_data_file:s0
###################################
# persist files
#
/persist(/.*)? u:object_r:persist_file:s0
+/persist/drm(/.*)? u:object_r:persist_drm_file:s0
/persist/sensors(/.*)? u:object_r:sensors_persist_file:s0
/persist/data(/.*)? u:object_r:persist_drm_file:s0
/persist/data/tz(/.*)? u:object_r:persist_drm_file:s0
@@ -235,3 +250,8 @@
# oem files
#
/oem(/.*)? u:object_r:system_file:s0
+
+###################################
+# etc files
+#
+/etc/firmware/hbtp/* u:object_r:hbtp_cfg_file:s0
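Review bot: `/etc/firmware/hbtp/* u:object_r:hbtp_cfg_file:s0` will most likely never match: on Android `/etc` is a symlink to `/system/etc` and file_contexts entries are matched against the real path, so the files keep the `system_file` label and every hbtp rule on `hbtp_cfg_file` is dead. The trailing `*` also only matches direct children, not subdirectories, unlike every other entry in this file. Suggested entry: `/system/etc/firmware/hbtp(/.*)? u:object_r:hbtp_cfg_file:s0`.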
diff --git a/common/genfs_contexts b/common/genfs_contexts
index 201bd78c..f92adbdb 100644..100755
--- a/common/genfs_contexts
+++ b/common/genfs_contexts
@@ -1 +1,2 @@
genfscon proc /asound/card0/state u:object_r:proc_audiod:s0
+genfscon proc /proc/sys/vm/dirty_ratio u:object_r:proc_dirty_ratio:s0
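Review bot: The genfscon path is wrong: it is relative to the proc mount root, as the existing `/asound/card0/state` entry shows, so `genfscon proc /proc/sys/vm/dirty_ratio` labels the nonexistent `/proc/proc/sys/vm/dirty_ratio` while the real `/proc/sys/vm/dirty_ratio` keeps the generic `proc` label. The new `proc_dirty_ratio` rule added to vold.te in this commit therefore never applies and vold's write will still be denied or end up needing a broader `proc` grant. Change it to `genfscon proc /sys/vm/dirty_ratio u:object_r:proc_dirty_ratio:s0`.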
diff --git a/common/hbtp.te b/common/hbtp.te
new file mode 100644
index 00000000..2d7db0e2
--- /dev/null
+++ b/common/hbtp.te
@@ -0,0 +1,19 @@
+# Policies for hbtp (host based touch processing)
+type hbtp, domain;
+type hbtp_exec, exec_type, file_type;
+
+init_daemon_domain(hbtp)
+
+# Allow access for /dev/hbtp_input and /dev/jdi-bu21150
+allow hbtp hbtp_device:chr_file rw_file_perms;
+allow hbtp bu21150_device:chr_file rw_file_perms;
+
+allow hbtp hbtp_cfg_file:dir rw_dir_perms;
+allow hbtp hbtp_cfg_file:file create_file_perms;
+
+allow hbtp hbtp_log_file:dir rw_dir_perms;
+allow hbtp hbtp_log_file:file create_file_perms;
+
+allow hbtp self:netlink_kobject_uevent_socket { create read setopt bind };
+
+binder_use(hbtp);
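Review bot: `allow hbtp hbtp_cfg_file:file create_file_perms;` together with `rw_dir_perms` on the directory gives the daemon write and create access to its configuration, which this commit places under `/etc/firmware/hbtp` on the read-only system image; a touch-processing daemon should not need to write its own config. Reduce these to `allow hbtp hbtp_cfg_file:dir r_dir_perms;` and `allow hbtp hbtp_cfg_file:file r_file_perms;`, keeping write access only on `hbtp_log_file`. `binder_use(hbtp)` is also declared without any `binder_call` peer, so either a target is missing or the line is unused.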
diff --git a/common/ims.te b/common/ims.te
index 401ee51d..5a104780 100644
--- a/common/ims.te
+++ b/common/ims.te
@@ -4,12 +4,54 @@ type ims_exec, exec_type, file_type;
# Started by init
init_daemon_domain(ims)
+net_domain(ims)
-allow radio ims_socket:sock_file { open read write };
-allow ims ims_socket:sock_file { open read write };
-allow ims property_socket:sock_file write;
-allow ims servicemanager:binder call;
+# Talk to qmuxd
+qmux_socket(ims)
+
+# To make VT call
binder_use(ims)
+
+# Bring up IMSPDM
+allow ims kernel:system module_request;
+
+allow ims self:socket create_socket_perms;
+allow ims self:capability { net_admin net_raw };
+
+# Use generic netlink socket
+allow ims self:netlink_socket create_socket_perms;
+
+# To run NDC command
+allow ims shell_exec:file rx_file_perms;
+allow ims system_file:file rx_file_perms;
+
+# IMS route installation
+allow ims wcnss_service_exec:file rx_file_perms;
+
+# Talk to netd via netd_socket
+unix_socket_connect(ims, netd, netd)
+
+# Talk to qumuxd via ims_socket
+unix_socket_connect(ims, ims, qmuxd)
+
+# Talk to init via property_socket
unix_socket_connect(ims, property, init)
-allow ims self:socket { read bind create write ioctl };
-allow ims system_prop:property_service set;
+
+#Add connectionmanager service
+allow ims imscm_service:service_manager add;
+
+# Set property to start imsdata_daemon and ims_rtp_daemon
+allow ims qcom_ims_prop:property_service set;
+
+# permissions needed for IMS to connect and interact with WPA supplicant
+allow ims wpa:unix_dgram_socket sendto;
+allow ims wpa_exec:file rx_file_perms;
+allow ims wpa_socket:dir w_dir_perms;
+allow ims wpa_socket:sock_file { write create unlink setattr };
+allow ims wifi_data_file:dir r_dir_perms;
+
+# permissions for communication with CNE in LBO use case
+unix_socket_connect(ims, cnd, cnd)
+
+#Communication with voice_svc device for audio on APP
+allow ims voice_device:chr_file rw_file_perms;
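Review bot: `allow ims shell_exec:file rx_file_perms;` together with `allow ims system_file:file rx_file_perms;` lets the IMS daemon run the shell and any binary on /system inside its own domain, and that domain now also holds `net_admin`, `net_raw`, `module_request` and write/unlink on `wpa_socket` — a compromise of ims hands an attacker a shell with network-admin privileges. The same hunk already grants `unix_socket_connect(ims, netd, netd)`, which is the channel ndc itself uses, so the daemon can send netd commands directly and the shell/system_file execute rules can be dropped. Separately, `allow ims imscm_service:service_manager add;` looks like a leftover now that imscmservice is relabelled into its own `imscm` domain in this commit, which registers that service itself.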
diff --git a/common/imscm.te b/common/imscm.te
new file mode 100644
index 00000000..118a6cdd
--- /dev/null
+++ b/common/imscm.te
@@ -0,0 +1,25 @@
+#integrated sensor process
+type imscm, domain;
+type imscm_exec, exec_type, file_type;
+
+# Started by init
+init_daemon_domain(imscm)
+net_domain(imscm)
+
+# To make VT call
+binder_use(imscm)
+
+#Add connectionmanager service
+allow imscm imscm_service:service_manager add;
+
+#allow imscm ims_socket:sock_file write;
+#allow imscm ims:unix_stream_socket connectto;
+unix_socket_connect(imscm, ims, ims)
+allow imscm self:capability net_raw;
+#allow imscm untrusted_app:binder call;
+
+# imscm needs to communicate with test app
+# using binder call
+userdebug_or_eng(`
+ binder_call(imscm, appdomain)
+')
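Review bot: The header `#integrated sensor process` does not describe this domain — the file is for `imscmservice`, the IMS connection manager registered as `qti.ims.connectionmanagerservice` — and the two commented-out `allow` lines should be deleted rather than left in policy. `allow imscm self:capability net_raw;` has no justification; raw-socket capability deserves a sentence naming the use that needs it, or removal if nothing does. Suggested header: `# imscm: IMS connection manager daemon (imscmservice)`.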
diff --git a/common/kernel.te b/common/kernel.te
new file mode 100755
index 00000000..2a9a0831
--- /dev/null
+++ b/common/kernel.te
@@ -0,0 +1 @@
+allow kernel block_device:blk_file r_file_perms;
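Review bot: `allow kernel block_device:blk_file r_file_perms;` gives the kernel domain read access to every block node carrying the default `block_device` label, with no comment saying which operation needs it, and since this is a new file there is no context elsewhere. Other rules in this commit state their reason; add one, e.g. `# kernel reads <device> during <operation>`, and if a single device is involved, label it with a dedicated type rather than granting the default label.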
diff --git a/common/location.te b/common/location.te
index 7d3a6261..1698fd46 100644
--- a/common/location.te
+++ b/common/location.te
@@ -11,6 +11,7 @@ type_transition location location_data_file:sock_file location_socket;
qmux_socket(location)
binder_use(location)
+binder_call(location, system_server)
allow location location_data_file:dir rw_dir_perms;
allow location location_data_file:fifo_file create_file_perms;
@@ -23,3 +24,7 @@ allow location sensors:unix_stream_socket connectto;
allow location sensors_device:chr_file r_file_perms;
allow location sensors_socket:sock_file w_file_perms;
allow location self:netlink_socket create_socket_perms;
+allow location system_server:unix_stream_socket { read write };
+
+dontaudit location domain:dir r_dir_perms;
+r_dir_file(location, netmgrd)
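Review bot: `dontaudit location domain:dir r_dir_perms;` silences denials for reading the /proc/<pid> directory of every process on the device, which hides genuine denials in audit logs and makes later policy debugging harder. If the only real need is netmgrd, which `r_dir_file(location, netmgrd)` on the next line already grants, the dontaudit is unnecessary; if location enumerates /proc to find netmgrd, scope the dontaudit to what it actually touches rather than all of `domain`. The same pair is added to rild.te in this commit and deserves the same treatment.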
diff --git a/common/mediaserver.te b/common/mediaserver.te
index dbd59da8..49713053 100644
--- a/common/mediaserver.te
+++ b/common/mediaserver.te
@@ -30,3 +30,9 @@ unix_socket_connect(mediaserver, mpctl, mpdecision)
allow mediaserver mpctl_socket:dir r_dir_perms;
unix_socket_send(mediaserver, mpctl, perfd)
unix_socket_connect(mediaserver, mpctl, perfd)
+
+# for thermal sock files
+unix_socket_connect(mediaserver, thermal, thermal-engine)
+
+#allow mediaserver to communicate with timedaemon
+allow mediaserver time_daemon:unix_stream_socket connectto;
diff --git a/common/mm-pp-daemon.te b/common/mm-pp-daemon.te
index f8edeb54..4903fe1f 100755
--- a/common/mm-pp-daemon.te
+++ b/common/mm-pp-daemon.te
@@ -50,3 +50,5 @@ allow mm-pp-daemon sysfs:file rw_file_perms;
# Allow socket calls in pp-daemon
unix_socket_connect(mm-pp-daemon, property, init)
unix_socket_connect(mm-pp-daemon, pps, init)
+
+allow mm-pp-daemon init:unix_stream_socket { listen accept };
diff --git a/common/mm-qcamerad.te b/common/mm-qcamerad.te
index cc2c421d..80c0b229 100644
--- a/common/mm-qcamerad.te
+++ b/common/mm-qcamerad.te
@@ -33,3 +33,6 @@ allow mm-qcamerad system_data_file:file create_file_perms;
#Remove GL fine reference
allow mm-qcamerad shell_data_file:dir search;
+
+# IMS use camera daemon to make VT call
+allow mm-qcamerad port:tcp_socket name_bind;
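Review bot: `allow mm-qcamerad port:tcp_socket name_bind;` lets the camera daemon bind a TCP listener on any port carrying the generic `port` label, opening a network-reachable surface in a daemon that has no other reason to listen on TCP. If the VT path genuinely needs a socket, bind to a dedicated labelled port type (or use a unix socket labelled for ims) and record in the comment which address and port are used and who connects. Creating the tcp_socket itself must be granted elsewhere, since this hunk adds only `name_bind`.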
diff --git a/common/mpdecision.te b/common/mpdecision.te
index 94d9cd88..96f44840 100644
--- a/common/mpdecision.te
+++ b/common/mpdecision.te
@@ -15,12 +15,11 @@ allow mpdecision self:socket create_socket_perms;
allow mpdecision device_latency:chr_file w_file_perms;
allow mpdecision sysfs_rqstats:dir search;
-allow mpdecision socket_device:dir w_file_perms;
allow mpdecision sysfs_thermal:dir search;
#policies for mpctl
#mpctl socket
-allow mpdecision self:capability { net_admin chown dac_override fsetid };
+allow mpdecision self:capability { net_admin chown dac_override fsetid sys_nice };
allow mpdecision mpctl_socket:dir rw_dir_perms;
allow mpdecision mpctl_socket:sock_file { create_file_perms unlink };
diff --git a/common/property.te b/common/property.te
index 1e54640c..ea480c76 100644
--- a/common/property.te
+++ b/common/property.te
@@ -1,2 +1,3 @@
# property for uicc_daemon
type uicc_prop, property_type;
+type qcom_ims_prop, property_type;
diff --git a/common/property_contexts b/common/property_contexts
index f33cd9b9..8303915f 100644
--- a/common/property_contexts
+++ b/common/property_contexts
@@ -2,3 +2,4 @@ wc_transport. u:object_r:bluetooth_prop:s0
sys.usb_uicc. u:object_r:uicc_prop:s0
dolby.audio. u:object_r:audio_prop:s0
persist.bluetooth. u:object_r:bluetooth_prop:s0
+sys.ims. u:object_r:qcom_ims_prop:s0
diff --git a/common/qcomsysd.te b/common/qcomsysd.te
index 7b786da4..f9c29166 100644
--- a/common/qcomsysd.te
+++ b/common/qcomsysd.te
@@ -20,3 +20,5 @@ allow qcomsysd bootselect_device:blk_file { open read getattr write };
#Needed to get image info from socinfo
allow qcomsysd sysfs_socinfo:dir { open search read };
allow qcomsysd sysfs_socinfo:file { open read write };
+
+allow qcomsysd self:capability { dac_override };
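Review bot: `allow qcomsysd self:capability { dac_override };` has no comment naming the file or directory whose DAC permissions the daemon cannot satisfy. `dac_override` bypasses owner/mode checks on everything the domain is otherwise allowed to touch, so the usual fix is to correct ownership or group membership of the target path in init.rc instead of granting the capability; if it has to stay, say which path needs it, e.g. `# needed to open <path> owned by <uid>`.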
diff --git a/common/qlogd.te b/common/qlogd.te
index 113da3fa..dd525d9d 100644
--- a/common/qlogd.te
+++ b/common/qlogd.te
@@ -6,20 +6,21 @@ type qlogd_exec, exec_type, file_type;
init_daemon_domain(qlogd)
# need to access sharemem log device for smem logs
-allow qlogd smem_log_device:chr_file { open read write ioctl };
+allow qlogd smem_log_device:chr_file rw_file_perms;
# need to add more capabilities for qlogd
-allow qlogd self:capability { setuid setgid dac_override dac_read_search sys_admin };
-allow qlogd self:capability2 syslog;
+allow qlogd self:capability { setuid setgid dac_override dac_read_search
+ sys_admin net_raw net_admin fowner fsetid kill sys_module };
+allow qlogd self:capability2 { block_suspend syslog };
+allow qlogd self:packet_socket { create ioctl bind getopt setopt };
# need to access system_data partitions for configration files
-allow qlogd system_data_file:dir { write add_name };
-allow qlogd system_data_file:file { open read write create };
+allow qlogd qlogd_data_file:dir rw_dir_perms;
+allow qlogd qlogd_data_file:file create_file_perms;
allow qlogd system_file:file execute_no_trans;
# need to create and listen socket
-allow qlogd socket_device:sock_file { create setattr };
-allow qlogd qlogd_socket:sock_file { create read write setattr };
+allow qlogd qlogd_socket:sock_file create_file_perms;
# need to start shell execute files
allow qlogd shell_exec:file { execute read open execute_no_trans };
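Review bot: The capability set now grants `sys_module` and `kill` unconditionally alongside `sys_admin`, `setuid`, `setgid` and `dac_override`, leaving a logging daemon that also executes `system_file` and `shell_exec` binaries a short step from full root. The commit gates `allow qlogd kernel:system module_request;` under `userdebug_or_eng` in the next hunk, so the unconditional `sys_module` here contradicts that intent and should move under the same guard or be dropped in favour of module_request. Each added capability should carry a one-line reason: the packet_socket line implies tcpdump, but `kill`, `fowner` and `fsetid` are unexplained.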
@@ -28,9 +29,28 @@ allow qlogd shell_exec:file { execute read open execute_no_trans };
allow qlogd fuse:dir create_dir_perms;
allow qlogd fuse:file create_file_perms;
-#need to capture kmsg
+# need to capture kmsg
allow qlogd kernel:system syslog_mod;
+# need for qdss log
+userdebug_or_eng(`
+ allow qlogd debugfs:file read;
+ allow qlogd sysfs:file write;
+ allow qlogd qdss_device:chr_file { open read };
+')
+
# need for capture adb logs
-allow qlogd logdr_socket:sock_file write;
-allow qlogd logd:unix_stream_socket connectto;
+unix_socket_connect(qlogd, logdr, logd)
+
+# need for subsystem ramdump
+allow qlogd device:dir r_dir_perms;
+allow qlogd ramdump_device:chr_file { setattr rw_file_perms };
+
+# need for qxdm log
+allow qlogd diag_exec:file rx_file_perms;
+allow qlogd sysfs_wake_lock:file ra_file_perms;
+
+# need for tcpdump
+userdebug_or_eng(`
+ allow qlogd kernel:system module_request;
+')
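Review bot: `allow qlogd diag_exec:file rx_file_perms;` runs the diag tooling inside qlogd's own heavily capable domain instead of transitioning into a diag domain; if a domain for that executable exists, `domain_auto_trans(qlogd, diag_exec, <diag_domain>)` keeps qlogd's capabilities from leaking into it. `allow qlogd ramdump_device:chr_file { setattr rw_file_perms };` also deserves a comment on why a device node's attributes are changed, since none of the neighbouring rules need setattr.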
diff --git a/common/radio.te b/common/radio.te
index c117da17..2b854f5a 100644
--- a/common/radio.te
+++ b/common/radio.te
@@ -8,3 +8,6 @@ allow radio shell_data_file:dir search;
#Need permission to execute dpmd talk to radio layer
unix_socket_connect(radio, dpmd, dpmd)
+
+# IMS needs permission to use unix domain socket
+allow radio ims:unix_stream_socket connectto;
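Review bot: `allow radio ims:unix_stream_socket connectto;` is only half of a socket connect: the same commit removes `allow radio ims_socket:sock_file { open read write };` from ims.te, so if the IMS listening socket file is labelled `ims_socket`, radio can no longer write to it and the connect is denied before `connectto` is even checked. Use the macro the rest of this file uses, `unix_socket_connect(radio, ims, ims)`, which grants both the sock_file write and the connectto.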
diff --git a/common/rild.te b/common/rild.te
index 73631c0d..be35748d 100644
--- a/common/rild.te
+++ b/common/rild.te
@@ -15,9 +15,13 @@ allow rild mediaserver:binder { transfer call };
#allow rild diag_device:chr_file { open read write };
allow rild rild_socket:chr_file { open read write };
+allow rild system_health_monitor_device:chr_file r_file_perms;
allow rild sysfs_ssr:dir r_dir_perms;
allow rild sysfs_ssr:lnk_file read;
allow rild system_data_file:dir w_dir_perms;
allow rild system_data_file:file create_file_perms;
allow rild time_daemon:unix_stream_socket connectto;
+
+dontaudit rild domain:dir r_dir_perms;
+r_dir_file(rild, netmgrd)
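Review bot: `dontaudit rild domain:dir r_dir_perms;` hides denials for reading every process's /proc/<pid> directory, making real denials invisible in audit logs; the stated need is only netmgrd, which `r_dir_file(rild, netmgrd)` on the next line already covers. Drop the dontaudit or narrow it to the domains rild actually scans. `allow rild system_health_monitor_device:chr_file r_file_perms;` is reasonable but, unlike the lines around it, has no comment saying what rild reads from that device.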
diff --git a/common/service.te b/common/service.te
index f8714953..e6625706 100644
--- a/common/service.te
+++ b/common/service.te
@@ -5,4 +5,5 @@ type cne_service, service_manager_type;
type wbc_service, service_manager_type;
type dun_service, service_manager_type;
type digitalpen_service, service_manager_type;
+type imscm_service, service_manager_type;
type color_service, service_manager_type;
diff --git a/common/service_contexts b/common/service_contexts
index 7365d2c1..eccd3fdb 100644
--- a/common/service_contexts
+++ b/common/service_contexts
@@ -6,4 +6,5 @@ vendor.qcom.PeripheralManager u:object_r:per_mgr_service:s0
wbc_service u:object_r:wbc_service:s0
dun u:object_r:dun_service:s0
DigitalPen u:object_r:digitalpen_service:s0
+qti.ims.connectionmanagerservice u:object_r:imscm_service:s0
com.qti.snapdragon.sdk.display.IColorService u:object_r:color_service:s0
diff --git a/common/system_app.te b/common/system_app.te
index 83395385..64ab3171 100644
--- a/common/system_app.te
+++ b/common/system_app.te
@@ -37,3 +37,6 @@ allow system_app color_service:service_manager add;
userdebug_or_eng(`
r_dir_file(system_app, firmware_file);
')
+
+# access to time_daemon
+allow system_app time_daemon:unix_stream_socket connectto;
diff --git a/common/system_server.te b/common/system_server.te
index ef613015..349d802c 100644
--- a/common/system_server.te
+++ b/common/system_server.te
@@ -2,8 +2,8 @@
# allow system_server to communicate with cnd process over cnd_socket
unix_socket_connect(system_server, cnd, cnd)
# allow system/framework applications to update the cnd configuration files
-allow system_server cnd_data_file:dir { read open write getattr add_name };
-allow system_server cnd_data_file:file { create write getattr setattr read lock open };
+allow system_server cnd_data_file:dir rw_dir_perms;
+allow system_server cnd_data_file:file create_file_perms;
# Access to sensors socket
unix_socket_connect(system_server, sensors, sensors)
@@ -43,6 +43,9 @@ allow system_server digitalpen_service:service_manager add;
#For ssr
allow system_server ssr_device:chr_file { read open };
+allow system_server fuse:dir search;
+allow system_server persist_file:dir search;
+
#For ANT tty communication and to set wc_transport prop
allow system_server bluetooth_prop:property_service set;
allow system_server serial_device:chr_file rw_file_perms;
diff --git a/common/vold.te b/common/vold.te
index d639d6f5..71b32cd0 100644..100755
--- a/common/vold.te
+++ b/common/vold.te
@@ -6,3 +6,4 @@ allow vold proc_sysrq:file rw_file_perms;
allow vold self:capability sys_boot;
allow vold cache_file:dir { write add_name };
allow vold cache_file:file { write create open };
+allow vold proc_dirty_ratio:file rw_file_perms;
diff --git a/common/wpa.te b/common/wpa.te
index d5f775b8..15a01643 100644
--- a/common/wpa.te
+++ b/common/wpa.te
@@ -7,3 +7,6 @@ allow wpa proc_net:file write;
# allow wpa_supplicant to send back wifi information to cnd
allow wpa cnd:unix_dgram_socket sendto;
+
+# permission for wpa socket which IMS use to communicate
+allow wpa ims:unix_dgram_socket sendto;
diff --git a/msm8960/device.te b/msm8960/device.te
new file mode 100755
index 00000000..24d277a0
--- /dev/null
+++ b/msm8960/device.te
@@ -0,0 +1,2 @@
+#mdm helper device
+type mdm_device, dev_type;
diff --git a/msm8960/file.te b/msm8960/file.te
new file mode 100644
index 00000000..e5cea972
--- /dev/null
+++ b/msm8960/file.te
@@ -0,0 +1,2 @@
+#efs file types
+type efs_data_file, file_type, data_file_type;
diff --git a/msm8960/file_contexts b/msm8960/file_contexts
new file mode 100755
index 00000000..7e514561
--- /dev/null
+++ b/msm8960/file_contexts
@@ -0,0 +1,22 @@
+###################################
+# Dev nodes
+#
+/dev/msm_camera(/.*)? u:object_r:camera_device:s0
+/dev/msm_rotator u:object_r:graphics_device:s0
+/dev/mdm u:object_r:mdm_device:s0
+/dev/block/bootdevice/by-name/m9kefs1 u:object_r:efs_boot_dev:s0
+/dev/block/bootdevice/by-name/m9kefs2 u:object_r:efs_boot_dev:s0
+/dev/block/bootdevice/by-name/m9kefs3 u:object_r:efs_boot_dev:s0
+/dev/block/bootdevice/by-name/m9kefsc u:object_r:efs_boot_dev:s0
+
+###################################
+# System files
+#
+/system/bin/thermald u:object_r:thermal-engine_exec:s0
+/system/bin/qcks u:object_r:mdm_helper_exec:s0
+/system/bin/efks u:object_r:mdm_helper_exec:s0
+
+###################################
+# Data files
+#
+/data/qcks(/.*)? u:object_r:efs_data_file:s0
diff --git a/msm8960/mdm_helper.te b/msm8960/mdm_helper.te
new file mode 100755
index 00000000..5fe3608a
--- /dev/null
+++ b/msm8960/mdm_helper.te
@@ -0,0 +1,8 @@
+#Needed in order to access the data partition bin files
+type_transition mdm_helper system_data_file:{ file } efs_data_file;
+
+allow mdm_helper mdm_device:file rw_file_perms;
+allow mdm_helper mdm_device:chr_file rw_file_perms;
+allow mdm_helper self:capability { dac_read_search dac_override };
+allow mdm_helper efs_data_file:file create_file_perms;
+allow mdm_helper efs_data_file:dir create_dir_perms;
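Review bot: `type_transition mdm_helper system_data_file:{ file } efs_data_file;` relabels every file mdm_helper creates in any `system_data_file` directory, not just under `/data/qcks`, which this commit already labels `efs_data_file` through file_contexts; the transition is therefore either redundant or wider than intended, and the comment above it does not say which. `allow mdm_helper self:capability { dac_read_search dac_override };` is likewise unexplained — if it exists only to reach `/data/qcks`, fix ownership in init.rc instead. `allow mdm_helper mdm_device:file rw_file_perms;` on a device type is probably dead, since `/dev/mdm` is a character device covered by the `chr_file` rule on the next line.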
diff --git a/msm8960/mm-pp-daemon.te b/msm8960/mm-pp-daemon.te
new file mode 100644
index 00000000..cbaafcf5
--- /dev/null
+++ b/msm8960/mm-pp-daemon.te
@@ -0,0 +1,4 @@
+userdebug_or_eng(`
+ #Allow pp-daemon to access stream socket
+ allow mm-pp-daemon init:unix_stream_socket { read write };
+')
diff --git a/msm8960/mpdecision.te b/msm8960/mpdecision.te
new file mode 100644
index 00000000..f9adcee0
--- /dev/null
+++ b/msm8960/mpdecision.te
@@ -0,0 +1,3 @@
+allow mpdecision socket_device:dir w_dir_perms;
+allow mpdecision socket_device:sock_file create;
+allow mpdecision self:capability sys_nice;
diff --git a/msm8960/rild.te b/msm8960/rild.te
new file mode 100644
index 00000000..81cafff7
--- /dev/null
+++ b/msm8960/rild.te
@@ -0,0 +1,2 @@
+#allow rild to access smd_cmx_qmi device;
+allow rild smd_device:chr_file rw_file_perms;
diff --git a/msm8960/rmt_storage.te b/msm8960/rmt_storage.te
new file mode 100644
index 00000000..3b3bbb29
--- /dev/null
+++ b/msm8960/rmt_storage.te
@@ -0,0 +1,5 @@
+# rmt_storage - rmt_storage daemon
+allow rmt_storage rpmb_device:blk_file { open read };
+allow rmt_storage ssd_device:blk_file { open read write };
+unix_socket_connect(rmt_storage, property, init)
+allow rmt_storage ctl_default_prop:property_service set;
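Review bot: `allow rmt_storage ctl_default_prop:property_service set;` lets the remote-storage daemon set any `ctl.*` property without a more specific label, i.e. start or stop arbitrary init services, which is far more than a storage daemon should hold. Label the specific `ctl.start`/`ctl.stop` entries it uses with a dedicated property type and grant `set` on that type only. The raw `ssd_device:blk_file { open read write }` grant would also benefit from a comment naming what is written, since the rpmb rule beside it is read-only while this one is not.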
diff --git a/msm8960/ssr_diag.te b/msm8960/ssr_diag.te
new file mode 100644
index 00000000..6b170b03
--- /dev/null
+++ b/msm8960/ssr_diag.te
@@ -0,0 +1,3 @@
+userdebug_or_eng(`
+ allow ssr_diag self:netlink_kobject_uevent_socket create;
+')
diff --git a/msm8960/system_server.te b/msm8960/system_server.te
new file mode 100644
index 00000000..1ac7260e
--- /dev/null
+++ b/msm8960/system_server.te
@@ -0,0 +1,2 @@
+# WifiStateMachine to access wpa_wlan0 socket
+allow system_server init:unix_dgram_socket sendto;
diff --git a/msm8960/thermal-engine.te b/msm8960/thermal-engine.te
new file mode 100644
index 00000000..707717df
--- /dev/null
+++ b/msm8960/thermal-engine.te
@@ -0,0 +1,2 @@
+allow thermal-engine self:netlink_kobject_uevent_socket create;
+allow thermal-engine socket_device:dir w_dir_perms;
diff --git a/msm8960/wpa.te b/msm8960/wpa.te
new file mode 100644
index 00000000..24ce72f1
--- /dev/null
+++ b/msm8960/wpa.te
@@ -0,0 +1,2 @@
+allow wpa devpts:chr_file rw_file_perms;
+allow wpa init:unix_dgram_socket { read write };
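Review bot: `allow wpa devpts:chr_file rw_file_perms;` gives wpa_supplicant read/write on pseudo-terminals with no comment, which usually means it is being launched from an interactive shell during bring-up rather than by init. If so it belongs under `userdebug_or_eng(` `)` like the other debug rules in this commit; if a production path needs a pty, say which one. `allow wpa init:unix_dgram_socket { read write };` likewise needs a note on which init-created socket this refers to.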
diff --git a/msm8994/ims.te b/msm8994/ims.te
deleted file mode 100644
index 13fad80c..00000000
--- a/msm8994/ims.te
+++ /dev/null
@@ -1,3 +0,0 @@
-allow ims self:capability net_raw;
-allow ims self:socket { read bind create write ioctl };
-allow ims imscm_service:service_manager add;
diff --git a/msm8994/service.te b/msm8994/service.te
deleted file mode 100644
index e3b10477..00000000
--- a/msm8994/service.te
+++ /dev/null
@@ -1 +0,0 @@
-type imscm_service, service_manager_type;
diff --git a/msm8994/service_contexts b/msm8994/service_contexts
deleted file mode 100644
index aa230e63..00000000
--- a/msm8994/service_contexts
+++ /dev/null
@@ -1 +0,0 @@
-qti.ims.connectionmanagerservice u:object_r:imscm_service:s0
diff --git a/test/qmi_test_service.te b/test/qmi_test_service.te
index ed97c2ec..55066bbe 100644
--- a/test/qmi_test_service.te
+++ b/test/qmi_test_service.te
@@ -5,6 +5,8 @@ userdebug_or_eng(`
type qmi_test_service, domain;
domain_auto_trans(shell, qmi_test_service_exec, qmi_test_service)
domain_auto_trans(adbd, qmi_test_service_exec, qmi_test_service)
+ #enable access to loader in 64 bit system
+ allow qmi_test_service shell:fd use;
#test is launched from pseudo terminal so output goes there
allow qmi_test_service devpts:chr_file {read write getattr ioctl};
#to access smem log
@@ -20,4 +22,7 @@ userdebug_or_eng(`
allow qmi_test_service qmi_test_service:capability {dac_override dac_read_search setgid setuid fsetid};
#QCCI calls qmuxd API. The API will internally require this
qmux_socket(qmi_test_service);
+ #enable accessing the system health monitor to check the system health,
+ #if a request times out
+ allow qmi_test_service system_health_monitor_device:chr_file rw_file_perms;
')
diff --git a/test/sensors_test.te b/test/sensors_test.te
index 92872b50..2d8d2229 100644
--- a/test/sensors_test.te
+++ b/test/sensors_test.te
@@ -13,4 +13,5 @@ userdebug_or_eng(`
allow sensors_test sensors_socket:sock_file rw_file_perms;
allow sensors_test smd_device:chr_file rw_file_perms;
allow sensors_test socket_device:dir r_dir_perms;
+ allow system_app sensors_test_exec:file rx_file_perms;
')