author | Avijit Kanti Das <avijitnsec@codeaurora.org> | 2015-05-12 14:07:41 -0700 |
committer | Divya Sharma <c_shard@codeaurora.org> | 2015-06-26 11:13:47 -0700 |
commit | 441bad4f456ab96ac64d10a508d2a42ab8e0b365 (patch) | |
tree | 27078f93e6eaba02eafe4181a3d41f0fa76de27f /apq8084 | |
parent | 11230bb0164cac6c948417d8abc255cd2b2c04f3 (diff) | |
Replacing permissions with macros
Replacing all the permissions with macros
Allow all domains except untrusted_app to access diag_device
Restrict untrusted_app to access diag_device
Change-Id: Ibad902746f25a23f10840fae3c0bac65b2ff74e0
Diffstat (limited to 'apq8084')
-rw-r--r-- | apq8084/Android.mk | 1 | ||||
-rw-r--r-- | apq8084/qca1530.te | 74 |
2 files changed, 74 insertions, 1 deletions
diff --git a/apq8084/Android.mk b/apq8084/Android.mk
deleted file mode 100644
index 44473973..00000000
--- a/apq8084/Android.mk
+++ /dev/null
@@ -1 +0,0 @@
-BOARD_SEPOLICY_UNION += \
diff --git a/apq8084/qca1530.te b/apq8084/qca1530.te
new file mode 100644
index 00000000..8ee50d6b
--- /dev/null
+++ b/apq8084/qca1530.te
@@ -0,0 +1,74 @@
+# Copyright (c) 2015, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+
+type qca1530, domain;
+type qca1530_exec, exec_type, file_type;
+net_domain(qca1530)
+init_daemon_domain(qca1530)
+
+userdebug_or_eng(`
+ domain_auto_trans(shell, qca1530_exec, qca1530)
+ domain_auto_trans(adbd, qca1530_exec, qca1530)
+')
+
+qmux_socket(qca1530)
+wakelock_use(qca1530)
+unix_socket_connect(qca1530, property, init)
+
+# need to access sharemem log device for smem logs
+allow qca1530 smem_log_device:chr_file rw_file_perms;
+
+allow qca1530 location_data_file:dir create_dir_perms;
+allow qca1530 location_data_file:file create_file_perms;
+allow qca1530 qca1530_data_file:dir create_dir_perms;
+allow qca1530 qca1530_data_file:file create_file_perms;
+allow qca1530 sysfs_qca1530:file { rw_file_perms setattr };
+allow qca1530 sysfs_qca1530:dir r_dir_perms;
+allow qca1530 self:capability {
+ setuid
+ setgid
+ setpcap
+ dac_override
+ net_raw
+ fowner
+ chown
+ fsetid
+ sys_nice
+};
+
+allow qca1530 self:capability2 syslog;
+allow qca1530 self:{ unix_dgram_socket packet_socket socket } create_socket_perms;
+
+# Execute the shell or system commands.
+allow qca1530 { qca1530_exec shell_exec }:file rx_file_perms;
+allow qca1530 system_file:file x_file_perms;
+
+#Setting sys.qca1530 property in QCA1530 detect service
+#Setting system default properties on start command to system server
+allow qca1530 { qca1530_prop ctl_default_prop }:property_service set;
+
+# Access to serial port conncting to QCA1530 chip
+allow qca1530 serial_device:chr_file rw_file_perms;
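Review bot: The capability grant `allow qca1530 self:capability { setuid setgid setpcap dac_override net_raw fowner chown fsetid sys_nice };` carries no comment saying which operation of the chip-detect daemon needs each bit, and dac_override in particular lets the domain bypass DAC permission checks on every file its SELinux rules already reach, so a reviewer cannot tell whether the set reflects a real need or was copied from a broader template. Please either drop the bits no code path exercises or annotate the block, e.g. `# dac_override/chown/fowner: TODO(owner) name the files created as root and handed to the service user`. Similarly, `allow qca1530 { qca1530_prop ctl_default_prop }:property_service set;` is wider than the comment above it suggests: ctl_default_prop is, in AOSP's property_contexts of this era, the fallback label for ctl.* properties, so this permits starting and stopping any init service that has no more specific label, and a dedicated ctl property label for the one service the detect path starts would narrow it. The shell_exec execute rule combined with the capability set above also deserves a line naming which shell or system commands the daemon runs. Finally, the license header stops at "... OF THIS SOFTWARE, EVEN" and is missing its closing "IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE." line.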