author | William Clark <wclark@codeaurora.org> | 2015-08-21 12:44:50 -0700 |
committer | William Clark <wclark@codeaurora.org> | 2015-08-24 10:08:31 -0700 |
commit | 8052d8a186f553d9f5f5424a5576735a061630b0 (patch) | |
tree | 214ed063e14ebb53c0d14517bc1b42991cc91d77 | |
parent | c8c034f83b5c731b3dcfc3f44a3e780c2ad18c5f (diff) | |
sepolicy: Add rules for seemp
Allow seempd to read files
Change-Id: Iae5c431d512aa937c0006d913fd2be1f9cefa59a
-rw-r--r-- | common/seempd.te | 13 | ||||
-rw-r--r-- | common/service.te | 1 | ||||
-rw-r--r-- | common/service_contexts | 2 | ||||
-rw-r--r-- | common/system_server.te | 6 | ||||
-rw-r--r-- | test/platform_app.te | 31 | ||||
-rw-r--r-- | test/untrusted_app.te | 31 |
6 files changed, 84 insertions, 0 deletions
diff --git a/common/seempd.te b/common/seempd.te
index f2737934..dc3b5dbb 100644
--- a/common/seempd.te
+++ b/common/seempd.te
@@ -14,3 +14,16 @@ r_dir_file(seempd, firmware_file)
 #allow access to packages.list
 allow seempd system_data_file:file r_file_perms;
+
+#allow binder calls
+binder_use(seempd)
+binder_call(seempd, system_server)
+binder_call(seempd, appdomain)
+
+#allow read access to proc files for app_domain
+dontaudit seempd domain:dir r_dir_perms;
+r_dir_file(seempd, appdomain)
+
+#for seemp
+allow seempd seemp_service:service_manager add;
+allow seempd self:binder call;
diff --git a/common/service.te b/common/service.te
index 905cc8a1..f3f19092 100644
--- a/common/service.te
+++ b/common/service.te
@@ -14,3 +14,4 @@ type usf_service, service_manager_type;
 type dtseagleservice_service, service_manager_type;
 type gba_auth_service, service_manager_type;
 type izat_service, system_api_service, service_manager_type;
+type seemp_service, service_manager_type;
diff --git a/common/service_contexts b/common/service_contexts
index 9f4545de..465db38a 100644
--- a/common/service_contexts
+++ b/common/service_contexts
@@ -17,3 +17,5 @@ dts_eagle_service u:object_r:dtseagleservice_servic
 wfd.native.mm.service u:object_r:wfdservice_service:s0
 extphone u:object_r:radio_service:s0
 com.qualcomm.location.izat.IzatService u:object_r:izat_service:s0
+qti.security.seemp u:object_r:seemp_service:s0
+seempservice u:object_r:seemp_service:s0
diff --git a/common/system_server.te b/common/system_server.te
index b31af81c..723af16a 100644
--- a/common/system_server.te
+++ b/common/system_server.te
@@ -98,3 +98,9 @@ allow system_server RIDL:fifo_file write;
 #Rules for system server to talk to peripheral manager
 use_per_mgr(system_server);
+
+#allow binder calls
+binder_call(system_server, seempd)
+
+#for seemp
+unix_socket_send(system_server, seempdw, seempd)
diff --git a/test/platform_app.te b/test/platform_app.te
new file mode 100644
index 00000000..6025eb4e
--- /dev/null
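Review bot: `dontaudit seempd domain:dir r_dir_perms;` silences denials for seempd reading the /proc directory of every domain on the device, not just app processes, so any future over-reach by seempd toward privileged processes (init, system_server, vendor daemons) would leave no audit trail; paired with `r_dir_file(seempd, appdomain)` it also grants read of every app's /proc entries, untrusted_app included, which is broad for a daemon whose documented need on the context line above is `packages.list`. Since the appdomain part is already allowed, the silent path should be narrowed to what is actually hit while walking /proc and, if possible, to fewer permissions, e.g. `dontaudit seempd { domain -appdomain }:dir { search getattr };`, with a comment naming the exact /proc/<pid> files seempd reads so the grant can be checked later. The comment `#allow read access to proc files for app_domain` also names a non-existent attribute; the rule uses `appdomain`, so `#allow read of /proc/<pid> entries of app processes (appdomain)` would match the code.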
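Review bot: `type seemp_service, service_manager_type;` declares a bare service type while no domain in this commit is granted `find` on it, so whichever client is meant to look the service up (system_server, judging by the `binder_call(system_server, seempd)` added elsewhere in this change) must be relying on an attribute-wide find rule in the base policy that is not visible here. Making the intended client explicit — `allow system_server seemp_service:service_manager find;` next to the `add` rule, or giving the type an attribute such as `system_api_service` as `izat_service` does on the preceding context line — documents who may reach seempd and keeps untrusted apps from acquiring the service if the base find rules are later widened. Confirm against the base service_manager rules before relying on them.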
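Review bot: `unix_socket_send(system_server, seempdw, seempd)` in AOSP's te_macros expands to write on a `seempdw_socket` sock_file type plus `sendto` on seempd's datagram socket, yet neither `seempdw_socket` nor a file_contexts entry for it is declared in this change, so the policy only builds if they already exist in the tree; worth confirming. The `#for seemp` comment says nothing about what system_server sends or why; a one-line comment naming the data carried over the seempdw socket would let the next reviewer judge whether the grant is still needed. Together with `binder_call(seempd, system_server)` in seempd.te the new `binder_call(system_server, seempd)` makes the binder relationship bidirectional; if seempd only serves calls and never calls back into system_server, one direction can be dropped to keep system_server's exposure to the daemon minimal.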
+++ b/test/platform_app.te
@@ -0,0 +1,31 @@
+# Copyright (c) 2015, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+userdebug_or_eng(`
+ r_dir_file(platform_app, seemp_file)
+ allow platform_app seemp_file: file w_file_perms;
+')
diff --git a/test/untrusted_app.te b/test/untrusted_app.te
new file mode 100644
index 00000000..245be906
--- /dev/null
+++ b/test/untrusted_app.te
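Review bot: `allow platform_app seemp_file: file w_file_perms;` breaks the `type:class` spacing used everywhere else in this change (`seemp_service:service_manager`, `domain:dir`), and together with the preceding `r_dir_file` it spreads read+write on seemp_file files over two rules where the conventional pair is `allow platform_app seemp_file:dir r_dir_perms;` and `allow platform_app seemp_file:file rw_file_perms;`. The block also carries no comment saying which test exercises this path or why the test needs write as well as read; a one-line note above the `userdebug_or_eng` wrapper naming the test and the access it needs would let a later reviewer decide when the rules can be removed. `seemp_file` is not declared in this commit, so it presumably already exists in file.te; confirm it is a dedicated type and not an alias for something broader.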
@@ -0,0 +1,31 @@
+# Copyright (c) 2015, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+userdebug_or_eng(`
+ r_dir_file(untrusted_app, seemp_file)
+ allow untrusted_app seemp_file: file w_file_perms;
+')
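Review bot: `allow untrusted_app seemp_file: file w_file_perms;` grants the entire `untrusted_app` attribute — every third-party app, not just the test — append and overwrite access to seemp_file, and the paired `r_dir_file(untrusted_app, seemp_file)` lets any such app read whatever other apps' data lands there, so even on userdebug/eng builds this is a cross-app tampering and disclosure path into files that a privileged daemon presumably consumes (the owner of seemp_file is not visible in this change). Prefer putting the test app in its own test domain or a dedicated `seemp_test_file` type instead of widening untrusted_app, and if the attribute must be used, drop write unless the test really produces events, leaving `r_dir_file(untrusted_app, seemp_file)` alone. The `userdebug_or_eng` wrapper keeps this out of user builds only if the `test/` directory is actually compiled under that flag; worth confirming in the build config rather than assuming.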