sepolicy: added seccamd policy

This change is required to make sure the secure camera daemon cannot
make anything it shouldn't.

Change-Id: I59378b4821fd6e94f0146462febf7e66bb078bbd

3 files changed, 71 insertions, 0 deletions

diff --git a/msm8996/file_contexts b/msm8996/file_contexts
index e5de37b7..b902f194 100644
--- a/msm8996/file_contexts
+++ b/msm8996/file_contexts
@@ -73,6 +73,7 @@
 #
 /system/bin/qvop-daemon u:object_r:qvop_exec:s0
 /system/bin/tloc_daemon u:object_r:tlocd_exec:s0
+/system/vendor/bin/seccamd u:object_r:seccamd_exec:s0
 
 ###################################
 # data files
diff --git a/msm8996/mediaserver.te b/msm8996/mediaserver.te
new file mode 100644
index 00000000..bbce3656
--- /dev/null
+++ b/msm8996/mediaserver.te
@@ -0,0 +1,28 @@
+# Copyright (c) 2015, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+binder_call(mediaserver, seccamd)
diff --git a/msm8996/seccamd.te b/msm8996/seccamd.te
new file mode 100644
index 00000000..1f945a80
--- /dev/null
+++ b/msm8996/seccamd.te
@@ -0,0 +1,42 @@
+# Copyright (c) 2015, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+type seccamd, domain;
+type seccamd_exec, exec_type, file_type;
+
+init_daemon_domain(seccamd)
+
+# Allow finding the media related services
+allow seccamd { mediaserver_service surfaceflinger_service }:service_manager find;
+
+# Allow interacting with camera related service, including callbacks
+binder_use(seccamd)
+binder_call(seccamd, surfaceflinger)
+binder_call(seccamd, mediaserver)
+
+# Allow interacting with qseecom
+allow seccamd tee_device:chr_file rw_file_perms;