diff options
author | Elad Levi <elevi@codeaurora.org> | 2015-10-18 16:42:03 +0300 |
---|---|---|
committer | Gerrit - the friendly Code Review server <code-review@localhost> | 2015-10-29 00:06:13 -0700 |
commit | faab16f909bd19edb58b70b7e3cc31126006c282 (patch) | |
tree | c235dccdd1154fc4817818a0edd6284be9b589af /msm8996 | |
parent | 901889a11d179597c9311900f66959d0130f1c4a (diff) | |
download | android_device_qcom_sepolicy-faab16f909bd19edb58b70b7e3cc31126006c282.tar.gz android_device_qcom_sepolicy-faab16f909bd19edb58b70b7e3cc31126006c282.tar.bz2 android_device_qcom_sepolicy-faab16f909bd19edb58b70b7e3cc31126006c282.zip |
sepolicy: added seccamd policy
This change is required to make sure the secure camera daemon cannot
make anything it shouldn't.
Change-Id: I59378b4821fd6e94f0146462febf7e66bb078bbd
Diffstat (limited to 'msm8996')
-rw-r--r-- | msm8996/file_contexts | 1 | ||||
-rw-r--r-- | msm8996/mediaserver.te | 28 | ||||
-rw-r--r-- | msm8996/seccamd.te | 42 |
3 files changed, 71 insertions, 0 deletions
diff --git a/msm8996/file_contexts b/msm8996/file_contexts index e5de37b7..b902f194 100644 --- a/msm8996/file_contexts +++ b/msm8996/file_contexts @@ -73,6 +73,7 @@ # /system/bin/qvop-daemon u:object_r:qvop_exec:s0 /system/bin/tloc_daemon u:object_r:tlocd_exec:s0 +/system/vendor/bin/seccamd u:object_r:seccamd_exec:s0 ################################### # data files diff --git a/msm8996/mediaserver.te b/msm8996/mediaserver.te new file mode 100644 index 00000000..bbce3656 --- /dev/null +++ b/msm8996/mediaserver.te @@ -0,0 +1,28 @@ +# Copyright (c) 2015, The Linux Foundation. All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions are +# met: +# * Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# * Redistributions in binary form must reproduce the above +# copyright notice, this list of conditions and the following +# disclaimer in the documentation and/or other materials provided +# with the distribution. +# * Neither the name of The Linux Foundation nor the names of its +# contributors may be used to endorse or promote products derived +# from this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED +# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT +# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS +# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR +# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR +# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, +# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE +# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN +# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +binder_call(mediaserver, seccamd) diff --git a/msm8996/seccamd.te b/msm8996/seccamd.te new file mode 100644 index 00000000..1f945a80 --- /dev/null +++ b/msm8996/seccamd.te @@ -0,0 +1,42 @@ +# Copyright (c) 2015, The Linux Foundation. All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions are +# met: +# * Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# * Redistributions in binary form must reproduce the above +# copyright notice, this list of conditions and the following +# disclaimer in the documentation and/or other materials provided +# with the distribution. +# * Neither the name of The Linux Foundation nor the names of its +# contributors may be used to endorse or promote products derived +# from this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED +# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT +# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS +# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR +# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR +# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, +# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE +# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN +# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +type seccamd, domain; +type seccamd_exec, exec_type, file_type; + +init_daemon_domain(seccamd) + +# Allow finding the media related services +allow seccamd { mediaserver_service surfaceflinger_service }:service_manager find; + +# Allow interacting with camera related service, including callbacks +binder_use(seccamd) +binder_call(seccamd, surfaceflinger) +binder_call(seccamd, mediaserver) + +# Allow interacting with qseecom +allow seccamd tee_device:chr_file rw_file_perms; |