authorZohaib Alam <zalam@codeaurora.org>2014-11-13 09:12:02 -0500
committerPing Li <pingli@codeaurora.org>2014-12-15 23:54:31 -0800
commitbbd41752706c691a039d52ba5b674a914cfb11e3 (patch)
tree1483a2b366fed04b9a0b73873c22cb436e6d509a /common
parent76af6c79f100cf8fb43f682e3b80f59d83ab7de0 (diff)
Seandroid: Add policies to enable all QDCM functionalities.
Address all SELinux denial messages related to QDCM tool functionality and the color service SDK application. Add policies to allow: 1- /persist/ read & write for display config 2- /data/misc/display/ read & write 3- Allow access to colorservice for display sdk from android app. 4- Enable pp-daemon functionalities for the non user-debug and eng builds, since OEMs actively use QDCM tool, and they require full functionality. Change-Id: I43545eaf8e63f0e43f40197cd01cddc8c6a5351a
Diffstat (limited to 'common')
-rwxr-xr-xcommon/mm-pp-daemon.te30
-rw-r--r--common/service.te1
-rw-r--r--common/service_contexts1
-rw-r--r--common/surfaceflinger.te5
-rw-r--r--common/system_app.te3
5 files changed, 23 insertions, 17 deletions
diff --git a/common/mm-pp-daemon.te b/common/mm-pp-daemon.te
index 5a623349..6c9ad161 100755
--- a/common/mm-pp-daemon.te
+++ b/common/mm-pp-daemon.te
@@ -8,14 +8,17 @@ init_daemon_domain(mm-pp-daemon)
allow mm-pp-daemon graphics_device:chr_file rw_file_perms;
allow mm-pp-daemon graphics_device:dir search;
-# Allow reading calibration data from persist
-allow mm-pp-daemon persist_file:file r_file_perms;
-allow mm-pp-daemon persist_file:dir search;
+# Allow reading/writing to persist
+# The color config file is dynamically created
+allow mm-pp-daemon persist_file:dir rw_dir_perms;
+allow mm-pp-daemon persist_file:file create_file_perms;
+
+# Allow reading/writing data config files
+allow mm-pp-daemon display_config:dir create_dir_perms;
+allow mm-pp-daemon display_config:file create_file_perms;
-# Allow pp daemon to save settings to /data
-allow mm-pp-daemon display_config:file rw_file_perms;
allow mm-pp-daemon system_prop:property_service set;
-#Calibration can only be done on userdebug or eng builds
+
userdebug_or_eng(`
# Display calibration service opens /dev/diag in order to communicate with the
# target device
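Review bot: The two new `persist_file` rules (`rw_dir_perms` on the directory, `create_file_perms` on files) apply to the generic persist label, so on every build the daemon can create, rewrite and unlink any file carrying that label, not only the color config file the comment mentions. Because the file is created at runtime, a dedicated type with a `file_type_auto_trans` (or a labelled subdirectory in file_contexts) would confine the write access, for example `type persist_display_file, file_type;` (type name is a suggestion) and `allow mm-pp-daemon persist_display_file:file create_file_perms;`. The comment should also name the path that is written. The `userdebug_or_eng` block opened at the end of this hunk continues outside it.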
@@ -32,12 +35,13 @@ userdebug_or_eng(`
allow mm-pp-daemon shell_exec:file rx_file_perms;
allow mm-pp-daemon system_file:file execute_no_trans;
allow mm-pp-daemon zygote_exec:file rx_file_perms;
+ allow mm-pp-daemon self:process ptrace;
+')
- # Allow writing to persist
- allow mm-pp-daemon persist_file:file rw_file_perms;
+# Allow mm-pp-daemon to change the brightness of the target during display
+# calibration
+allow mm-pp-daemon sysfs:file rw_file_perms;
- # Allow mm-pp-daemon to change the brightness of the target during display
- # calibration
- allow mm-pp-daemon sysfs:file rw_file_perms;
- unix_socket_connect(mm-pp-daemon, property, init)
-')
+# Allow socket calls in pp-daemon
+unix_socket_connect(mm-pp-daemon, property, init)
+unix_socket_connect(mm-pp-daemon, pps, init)
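Review bot: Moving `allow mm-pp-daemon sysfs:file rw_file_perms;` out of `userdebug_or_eng` gives the daemon write access on user builds to every node that keeps the generic `sysfs` label, while the comment only justifies the brightness control. Giving the backlight node its own type in file_contexts and granting write on that type would keep the production policy to what calibration needs; `sysfs_graphics`, which surfaceflinger.te already uses, may fit if the node belongs there. The added `allow mm-pp-daemon self:process ptrace;` carries no comment and should state which calibration step requires it, so a later reviewer can tell whether it can be dropped. `unix_socket_connect(mm-pp-daemon, pps, init)` relies on a `pps` socket type that is not declared in the files shown in this commit; worth confirming it exists elsewhere in the policy.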
diff --git a/common/service.te b/common/service.te
index 3d1689e7..f8714953 100644
--- a/common/service.te
+++ b/common/service.te
@@ -5,3 +5,4 @@ type cne_service, service_manager_type;
type wbc_service, service_manager_type;
type dun_service, service_manager_type;
type digitalpen_service, service_manager_type;
+type color_service, service_manager_type;
diff --git a/common/service_contexts b/common/service_contexts
index 16318443..7365d2c1 100644
--- a/common/service_contexts
+++ b/common/service_contexts
@@ -6,3 +6,4 @@ vendor.qcom.PeripheralManager u:object_r:per_mgr_service:s0
wbc_service u:object_r:wbc_service:s0
dun u:object_r:dun_service:s0
DigitalPen u:object_r:digitalpen_service:s0
+com.qti.snapdragon.sdk.display.IColorService u:object_r:color_service:s0
diff --git a/common/surfaceflinger.te b/common/surfaceflinger.te
index 9c984ace..854ff8c7 100644
--- a/common/surfaceflinger.te
+++ b/common/surfaceflinger.te
@@ -2,10 +2,7 @@ allow surfaceflinger sysfs_graphics:file rw_file_perms;
allow surfaceflinger shell_data_file:dir search;
# Allows pp-daemon to refresh the screen in calibration mode
-userdebug_or_eng(`
- allow surfaceflinger mm-pp-daemon:dir search;
- allow surfaceflinger mm-pp-daemon:file r_file_perms;
-')
+r_dir_file(surfaceflinger, mm-pp-daemon)
binder_call(surfaceflinger, location)
binder_call(surfaceflinger, tee)
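Review bot: The comment above `r_dir_file(surfaceflinger, mm-pp-daemon)` no longer matches the rule. The macro lets surfaceflinger read directories, files and symlinks labelled with the `mm-pp-daemon` domain type (presumably the daemon's /proc entries), which is wider than the former `dir search` plus file read, and it now applies on user builds too. If search and file read are all that the screen refresh needs, the two original `allow` lines could simply move outside the conditional instead of switching to the macro. Either way the comment should say what is read and why it is needed outside debug builds, e.g. `# surfaceflinger reads pp-daemon's proc entries; required on user builds for QDCM`.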
diff --git a/common/system_app.te b/common/system_app.te
index 1666d69d..45532f47 100644
--- a/common/system_app.te
+++ b/common/system_app.te
@@ -29,3 +29,6 @@ allow system_app bluetooth:unix_stream_socket ioctl;
# access to tee domain
allow system_app tee:unix_dgram_socket sendto;
+
+# access to color service SDK
+allow system_app color_service:service_manager add;
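Review bot: The comment says "access to color service SDK", but `allow system_app color_service:service_manager add;` grants registration: any process running in the `system_app` domain may publish a service under the `color_service` label. If the intent is that a specific system app hosts the service, the comment should say so, e.g. `# system_app hosts the color service and registers it with servicemanager`. If apps are instead meant to be clients of a service hosted elsewhere, `add` is not the permission they need, and the hosting domain should be the one allowed to register.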