author | Michael Bestas <mikeioannina@gmail.com> | 2017-01-02 02:00:30 +0200 |
---|---|---|
committer | Michael Bestas <mikeioannina@gmail.com> | 2017-01-02 02:00:30 +0200 |
commit | 988a518c3bb62890100950d5b83485f9e3467e4a (patch) | |
tree | 6cc5a32a6fcb9fd2691fc3f9f6e11de476f0a58b /common | |
parent | d9d06c2c5b83dd352d6158e547bda89fcc247649 (diff) | |
parent | 625c892b5557fbeb9fbf8a779b993dda843ae180 (diff) | |
Merge tag 'LA.UM.5.5.r1-02200-8x96.0' of https://source.codeaurora.org/quic/la/device/qcom/sepolicy into cm-14.1staging/cm-14.1-cafrebase
"LA.UM.5.5.r1-02200-8x96.0"
Change-Id: Ib0496c25c7a1dc2ea988f219c0ba12d0eda6623c
Diffstat (limited to 'common')
-rw-r--r-- | common/bluetooth.te | 5 | ||||
-rw-r--r-- | common/dataservice_app.te | 1 | ||||
-rw-r--r-- | common/device.te | 3 | ||||
-rw-r--r-- | common/file.te | 3 | ||||
-rw-r--r-- | common/file_contexts | 4 | ||||
-rw-r--r-- | common/init.te | 3 | ||||
-rw-r--r-- | common/init_shell.te | 3 | ||||
-rwxr-xr-x | common/mmi.te | 2 | ||||
-rw-r--r-- | common/nqnfcinfo.te | 39 | ||||
-rwxr-xr-x | common/property.te | 4 | ||||
-rwxr-xr-x | common/property_contexts | 3 | ||||
-rwxr-xr-x[-rw-r--r--] | common/qcomsysd.te | 3 | ||||
-rw-r--r-- | common/qseecomd.te | 3 | ||||
-rw-r--r-- | common/recovery.te | 6 | ||||
-rw-r--r-- | common/rfs_access.te | 1 | ||||
-rw-r--r-- | common/rmt_storage.te | 2 | ||||
-rw-r--r-- | common/system_server.te | 2 | ||||
-rw-r--r-- | common/wcnss_filter.te | 4 | ||||
-rw-r--r-- | common/wfdservice.te | 3 |
19 files changed, 90 insertions, 4 deletions
diff --git a/common/bluetooth.te b/common/bluetooth.te index ffe1ed90..eef36b8d 100644 --- a/common/bluetooth.te +++ b/common/bluetooth.te @@ -11,6 +11,10 @@ type btsnoop, bluetoothdomain, domain_deprecated; type btsnoop_exec, exec_type, file_type; domain_auto_trans(init, btsnoop_exec, bluetooth) +type bt_logger, bluetoothdomain; +type bt_logger_exec, exec_type, file_type; +domain_auto_trans(init, bt_logger_exec, bluetooth) + type btnvtool, bluetoothdomain, domain_deprecated; type btnvtool_exec, exec_type, file_type; domain_auto_trans(init, btnvtool_exec, bluetooth) @@ -37,6 +41,7 @@ allow bluetooth { serial_device #BT needes read and write on smd device node smd_device + bt_device }:chr_file rw_file_perms; #Access to persist_file diff --git a/common/dataservice_app.te b/common/dataservice_app.te index 36056c17..140f0363 100644 --- a/common/dataservice_app.te +++ b/common/dataservice_app.te @@ -33,6 +33,7 @@ net_domain(dataservice_app) allow dataservice_app { qtitetherservice_service dpmservice cne_service } :service_manager { add find } ; allow dataservice_app { app_api_service system_api_service audioserver_service radio_service } :service_manager find; +set_prop(dataservice_app, persist_dpm_prop) set_prop(dataservice_app, sys_usb_tethering_prop) diff --git a/common/device.te b/common/device.te index 362be377..22179749 100644 --- a/common/device.te +++ b/common/device.te @@ -138,3 +138,6 @@ type avtimer_device, dev_type; #define AT device type at_device, dev_type; + +#define Bluetooth device +type bt_device, dev_type; diff --git a/common/file.te b/common/file.te index 2d31a6d4..b2290e7e 100644 --- a/common/file.te +++ b/common/file.te @@ -206,3 +206,6 @@ type persist_time_file, file_type; # kgsl file type for sysfs access type sysfs_kgsl, sysfs_type, fs_type; + +# secure touch files +type sysfs_securetouch, fs_type, sysfs_type; diff --git a/common/file_contexts b/common/file_contexts index b0bb68b6..fb1e296b 100644 --- a/common/file_contexts 
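Review bot: In the first hunk of common/bluetooth.te, `domain_auto_trans(init, bt_logger_exec, bluetooth)` starts bt_logger in the full `bluetooth` domain, so the `bt_logger` type declared two lines above is never a transition target in this hunk. This matches the btsnoop/btnvtool pattern visible in the context, but it gives a logging helper every permission of the Bluetooth stack, including the `bt_device` chr_file access added in the second hunk. If the sharing is intentional, record it with a comment such as `# bt_logger deliberately runs in the bluetooth domain, like btsnoop`; otherwise it would be worth checking whether a dedicated domain with only the log-path permissions is feasible.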
+++ b/common/file_contexts @@ -10,6 +10,7 @@ /dev/bhi u:object_r:bhi_device:s0 /dev/msm_.* u:object_r:audio_device:s0 /dev/i2c-6 u:object_r:audio_device:s0 +/dev/wcd_dsp0_control u:object_r:audio_device:s0 /dev/wcd-dsp-glink u:object_r:audio_device:s0 /dev/usf1 u:object_r:usf_device:s0 /dev/msm_dsps u:object_r:sensors_device:s0 @@ -25,6 +26,7 @@ /dev/qsee_ipc_irq_spss u:object_r:qsee_ipc_irq_spss_device:s0 /dev/seemplog u:object_r:seemplog_device:s0 /dev/radio0 u:object_r:fm_radio_device:s0 +/dev/btpower u:object_r:bt_device:s0 /dev/rtc0 u:object_r:rtc_device:s0 /dev/sdsprpc-smd u:object_r:dsp_device:s0 /dev/sensors u:object_r:sensors_device:s0 @@ -135,6 +137,7 @@ /system/bin/ATFWD-daemon u:object_r:atfwd_exec:s0 /system/bin/PktRspTest u:object_r:diag_exec:s0 /system/bin/audiod u:object_r:audiod_exec:s0 +/system/vendor/bin/nqnfcinfo u:object_r:nqnfcinfo_exec:s0 /system/bin/charger_monitor u:object_r:charger_monitor_exec:s0 /system/bin/hvdcp_opti u:object_r:hvdcp_exec:s0 /system/bin/cnd u:object_r:cnd_exec:s0 @@ -231,6 +234,7 @@ /system/bin/sapd u:object_r:sapd_exec:s0 /system/bin/btnvtool u:object_r:btnvtool_exec:s0 /system/bin/btsnoop u:object_r:btsnoop_exec:s0 +/system/bin/bt_logger u:object_r:bt_logger_exec:s0 /system/bin/dun-server u:object_r:dun-server_exec:s0 /system/bin/wfdservice u:object_r:wfdservice_exec:s0 /system/bin/wcnss_filter u:object_r:wcnss_filter_exec:s0 diff --git a/common/init.te b/common/init.te index 6cde24b0..772e5fe4 100644 --- a/common/init.te +++ b/common/init.te @@ -31,3 +31,6 @@ allow init configfs:lnk_file create_file_perms; #Allow init to mount non-hlos partitions in A/B builds allow init firmware_file:dir { mounton }; allow init bt_firmware_file:dir { mounton }; + +#dontaudit non configfs usb denials +dontaudit init sysfs:dir write; diff --git a/common/init_shell.te b/common/init_shell.te index 487caf05..22dc2769 100644 --- a/common/init_shell.te +++ b/common/init_shell.te 
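Review bot: `dontaudit init sysfs:dir write;` in common/init.te silences every denied directory write by init on the generic `sysfs` label, not only the non-configfs USB case named in its comment. Unrelated init denials on sysfs directories will therefore stop appearing in the audit log, which removes a signal used for policy debugging and for spotting unexpected init behaviour. Prefer giving the USB sysfs path its own type and scoping the dontaudit to that type. Failing that, the comment should name the exact path and why the denial is expected, e.g. `# init.usb rc writes to <usb sysfs path> on non-configfs targets; the denial is expected`.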
@@ -160,6 +160,9 @@ allow qti_init_shell kernel:key search; # To change owner of /sys/devices/virtual/hsicctl/hsicctl0/modem_wait to radio allow qti_init_shell sysfs_hsic_modem_wait:file { r_file_perms setattr }; +# To change owner/permissions of secure touch sysfs files +r_dir_file(qti_init_shell, sysfs_securetouch) + # core-ctl allow qti_init_shell cgroup:dir add_name; diff --git a/common/mmi.te b/common/mmi.te index 3fedc290..417f6009 100755 --- a/common/mmi.te +++ b/common/mmi.te @@ -61,6 +61,8 @@ allow mmi bluetooth_data_file:dir rw_dir_perms; allow mmi bluetooth_data_file:file create_file_perms; allow mmi bluetooth_prop:property_service set; allow mmi smd_device:chr_file rw_file_perms; +allow mmi persist_bluetooth_file:file r_file_perms; +allow mmi wcnss_filter:unix_stream_socket connectto; #GPS case allow mmi location_data_file:fifo_file create_file_perms; diff --git a/common/nqnfcinfo.te b/common/nqnfcinfo.te new file mode 100644 index 00000000..3efc94c3 --- /dev/null +++ b/common/nqnfcinfo.te 
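Review bot: The comment added in common/init_shell.te says the rule is for changing owner/permissions of the secure touch sysfs files, but `r_dir_file(qti_init_shell, sysfs_securetouch)` only grants read access. The hsic rule in the context just above adds `setattr` explicitly for the same purpose. Either the comment should read `# Read access to secure touch sysfs files`, or the rule is missing something like `allow qti_init_shell sysfs_securetouch:file setattr;`. No entry visible in the common/ part of this diff assigns `sysfs_securetouch` to a path; the labelling may live in a target directory outside this diffstat, which is worth confirming.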
@@ -0,0 +1,39 @@
+#Copyright (c) 2016, The Linux Foundation. All rights reserved.
+#
+#Redistribution and use in source and binary forms, with or without
+#modification, are permitted provided that the following conditions are
+#met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+#THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+#WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+#MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+#ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+#BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+#CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+#SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+#BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+#WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+#OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+#IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+type nqnfcinfo, domain;
+type nqnfcinfo_exec, exec_type, file_type;
+
+# Started by init
+init_daemon_domain(nqnfcinfo)
+
+r_dir_file(nqnfcinfo, sysfs_socinfo);
+
+set_prop(nqnfcinfo, nfc_nq_prop);
+
+# Access device nodes inside /dev/nq-nci
+allow nqnfcinfo nfc_device:chr_file rw_file_perms;
diff --git a/common/property.te b/common/property.te
index c3032b10..5ae8f71e 100755
--- a/common/property.te
+++ b/common/property.te
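Review bot: In the new common/nqnfcinfo.te, `allow nqnfcinfo nfc_device:chr_file rw_file_perms;` grants read/write on every node labelled `nfc_device`, while its comment speaks only of /dev/nq-nci. The rest of the domain just reads `sysfs_socinfo` and sets `nfc_nq_prop`. If the tool only queries the controller, the comment should say why write is needed, e.g. `# opens the NQ node read-write to query chip info (confirm against the daemon source)`, or the rule should be narrowed to the permissions actually used. As a style point, the `r_dir_file(...)` and `set_prop(...)` invocations carry a trailing `;` that `init_daemon_domain(nqnfcinfo)` does not; one form should be used throughout the file.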
@@ -72,6 +72,8 @@ type sys_usb_configfs_prop, property_type; type sys_usb_tethering_prop, property_type; type coresight_prop, property_type, core_property_type; +type persist_dpm_prop, property_type, core_property_type; + type ctl_hbtp_prop, property_type; type alarm_boot_prop, property_type, core_property_type; @@ -95,3 +97,5 @@ type hwui_prop, property_type, core_property_type; type graphics_vulkan_prop, property_type, core_property_type; #boot mode property type boot_mode_prop, property_type; +#properties for nfc +type nfc_nq_prop, property_type, core_property_type; diff --git a/common/property_contexts b/common/property_contexts index bbaf87b4..5d457153 100755 --- a/common/property_contexts +++ b/common/property_contexts @@ -68,6 +68,7 @@ qemu.hw.mainkeys u:object_r:qemu_hw_mainkeys_prop:s0 ro.dbg.coresight.cfg_file u:object_r:coresight_prop:s0 ctl.hbtp u:object_r:ctl_hbtp_prop:s0 sys.audio.init u:object_r:audio_prop:s0 +persist.dpm.feature u:object_r:persist_dpm_prop:s0 ro.alarm_boot u:object_r:alarm_boot_prop:s0 debug.sf.nobootanimation u:object_r:boot_animation_prop:s0 debug.gralloc. u:object_r:debug_gralloc_prop:s0 @@ -88,3 +89,5 @@ persist.graphics.vulkan.disable u:object_r:graphics_vulkan_prop:s0 sys.boot_mode u:object_r:boot_mode_prop:s0 # GPU ro.gpu.available_frequencies u:object_r:freq_prop:s0 +# NFC +sys.nfc.nq. u:object_r:nfc_nq_prop:s0 diff --git a/common/qcomsysd.te b/common/qcomsysd.te index c1257cb8..d9edea1f 100644..100755 --- a/common/qcomsysd.te +++ b/common/qcomsysd.te @@ -21,9 +21,10 @@ allow qcomsysd sysfs_socinfo:file w_file_perms; allow qcomsysd self:capability { dac_override sys_boot }; use_per_mgr(qcomsysd); #allow qcomsysd access boot mode switch -allow qcomsysd boot_mode_prop:property_service set; +set_prop(qcomsysd, boot_mode_prop); #diag userdebug_or_eng(` diag_use(qcomsysd) + allow qcomsysd sysfs:file w_file_perms; ') diff --git a/common/qseecomd.te b/common/qseecomd.te index a2118202..8e2f8955 100644 --- a/common/qseecomd.te 
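Review bot: `allow qcomsysd sysfs:file w_file_perms;` in the `userdebug_or_eng` block of common/qcomsysd.te gives write access to every file still carrying the generic `sysfs` label. The context shows qcomsysd already holds `dac_override`, so file mode bits will not narrow that access on those builds. If diag needs a single node, label that node and grant write on its type; at minimum add a comment naming the path the rule is for. The section header also flips the file mode from 100644 to 100755, and a policy source file has no reason to be executable.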
+++ b/common/qseecomd.te @@ -47,6 +47,9 @@ allow tee time_daemon:unix_stream_socket connectto; allow tee graphics_device:dir r_dir_perms; allow tee graphics_device:chr_file r_file_perms; +#allow tee access for secure touch to work +allow tee sysfs_securetouch:file rw_file_perms; + allow tee surfaceflinger_service : service_manager find; binder_call(tee, surfaceflinger) diff --git a/common/recovery.te b/common/recovery.te index 210c4050..c5b2c0ec 100644 --- a/common/recovery.te +++ b/common/recovery.te @@ -17,4 +17,10 @@ recovery_only(` allow recovery sg_device:chr_file rw_file_perms; allow recovery self:capability sys_rawio; allow recovery sg_device:chr_file ioctl; + # Enable adb on configfs devices + allow recovery configfs:file rw_file_perms; + allow recovery configfs:dir rw_dir_perms; + set_prop(recovery, ffs_prop); + get_prop(recovery, sys_usb_controller_prop); + get_prop(recovery, boot_mode_prop); ') diff --git a/common/rfs_access.te b/common/rfs_access.te index 318fffc1..629f9e46 100644 --- a/common/rfs_access.te +++ b/common/rfs_access.te @@ -54,7 +54,6 @@ allow rfs_access self:capability { setgid setpcap net_bind_service - net_raw }; # RFS UID and GIDs were changed and moved from old values to new ones OEM range. diff --git a/common/rmt_storage.te b/common/rmt_storage.te index f043becc..56f6f928 100644 --- a/common/rmt_storage.te +++ b/common/rmt_storage.te @@ -17,9 +17,7 @@ allow rmt_storage self:capability { setuid setgid sys_admin - dac_override net_bind_service - net_raw setpcap }; diff --git a/common/system_server.te b/common/system_server.te index f77d8a71..d95864c3 100644 --- a/common/system_server.te +++ b/common/system_server.te @@ -87,6 +87,8 @@ allow system_server { graphics_device audio_device tee_device + #allow access to power control ANT chip + bt_device }:chr_file rw_file_perms; #For firmware diff --git a/common/wcnss_filter.te b/common/wcnss_filter.te index 7d84a76e..41045f60 100644 --- a/common/wcnss_filter.te +++ b/common/wcnss_filter.te 
@@ -50,6 +50,10 @@ r_dir_file(wcnss_filter, bt_firmware_file) allow wcnss_filter bluetooth_data_file:dir create_dir_perms; allow wcnss_filter bluetooth_data_file:notdevfile_class_set create_file_perms; +allow wcnss_filter persist_bluetooth_file:dir r_dir_perms; +allow wcnss_filter persist_bluetooth_file:file r_file_perms; +allow wcnss_filter persist_file:dir r_dir_perms; + #diag userdebug_or_eng(` diag_use(wcnss_filter) diff --git a/common/wfdservice.te b/common/wfdservice.te index 276e2e15..1514e055 100644 --- a/common/wfdservice.te +++ b/common/wfdservice.te @@ -39,6 +39,9 @@ allow wfdservice audio_device:dir r_dir_perms; #Allow access to /dev/graphics/fb* for screen capture allow wfdservice graphics_device:chr_file rw_file_perms; +#Allow access to encoder for YUV statistics +allow wfdservice gpu_device:chr_file rw_file_perms; + #Allow communication with init over property server unix_socket_connect(wfdservice, property, init); |
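Review bot: In common/wfdservice.te the added comment says the access is to the "encoder for YUV statistics", but the rule it documents is `allow wfdservice gpu_device:chr_file rw_file_perms;`, which is read/write on the GPU device type. If the statistics are computed on the GPU, the comment should say so, e.g. `#Allow access to the GPU device used to compute YUV statistics`. If an encoder node was meant, the rule targets the wrong type. Either way a reader auditing why a display service can open the GPU node cannot currently tell from the comment.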