authorSagar Dhawan <sdhawan@codeaurora.org>2017-06-14 13:51:47 -0700
committerSagar Dhawan <sdhawan@codeaurora.org>2017-06-21 16:39:15 -0700
commitb5f0b0057b4744d3d2a14dec146e4ca7bc995d85 (patch)
tree9603fb2f37f6811db9cd2fa9f23c780a6e295d93 /ssg
parentae1a730d6f97b9dced8db84555b274b49fc058fb (diff)
Add domain for ssg apps
- Added rules that allow ssg apps to access certain system features - Added ssg production certificate Change-Id: Ide81b76a5d6a1280913c4d5e2557a6198af03609
Diffstat (limited to 'ssg')
-rw-r--r--ssg/keys.conf2
-rw-r--r--ssg/mac_permissions.xml12
-rw-r--r--ssg/seapp_contexts3
-rw-r--r--ssg/ssg_app.te48
-rw-r--r--ssg/ssg_app_cert.x509.pem22
5 files changed, 87 insertions, 0 deletions
diff --git a/ssg/keys.conf b/ssg/keys.conf
new file mode 100644
index 00000000..19171fee
--- /dev/null
+++ b/ssg/keys.conf
@@ -0,0 +1,2 @@
+[@SSG]
+ALL : device/qcom/sepolicy/ssg/ssg_app_cert.x509.pem
diff --git a/ssg/mac_permissions.xml b/ssg/mac_permissions.xml
new file mode 100644
index 00000000..e39e3979
--- /dev/null
+++ b/ssg/mac_permissions.xml
@@ -0,0 +1,12 @@
+<?xml version="1.0" encoding="utf-8"?>
+<policy>
+
+<!--
+See /system/sepolicy/private/mac_permissions.xml
+-->
+
+ <signer signature="@SSG" >
+ <seinfo value="ssgapp" />
+ </signer>
+
+</policy>
diff --git a/ssg/seapp_contexts b/ssg/seapp_contexts
new file mode 100644
index 00000000..7267cc89
--- /dev/null
+++ b/ssg/seapp_contexts
@@ -0,0 +1,3 @@
+# SSG apps for Connection Security
+user=_app seinfo=ssgapp domain=ssg_app name=com.qualcomm.qti.qms.service.connectionsecurity type=app_data_file levelFrom=all
+user=_app seinfo=ssgapp domain=ssg_app name=com.qualcomm.qti.qms.service.telemetry type=app_data_file levelFrom=all
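Review bot: The header comment `# SSG apps for Connection Security` describes only the first entry, while the second maps the telemetry service into the same `ssg_app` domain. A comment such as `# SSG apps (connection security, telemetry): require both the @SSG signer (seinfo=ssgapp) and an exact process name` would cover both entries and state the pairing of `seinfo=` and `name=` that the mapping depends on. It is also worth recording that a package signed with the SSG certificate under any other name does not match these lines, and presumably falls through to the generic app entries defined elsewhere in the policy.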
diff --git a/ssg/ssg_app.te b/ssg/ssg_app.te
new file mode 100644
index 00000000..76eb2d81
--- /dev/null
+++ b/ssg/ssg_app.te
@@ -0,0 +1,48 @@
+# Copyright (c) 2017, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+
+## ssg_app
+##
+## This file defines the permissions that ssg_apps can carry
+
+type ssg_app, domain;
+
+app_domain(ssg_app)
+net_domain(ssg_app)
+
+# Allow access to mlid socket
+unix_socket_connect(ssg_app, mlid, mlid)
+
+allow ssg_app radio_service:service_manager find;
+allow ssg_app surfaceflinger_service:service_manager find;
+allow ssg_app app_api_service:service_manager find;
+
+# To get uuid and device info
+allow ssg_app proc_cpuinfo:file r_file_perms;
+allow ssg_app proc_meminfo:file r_file_perms;
+r_dir_file(ssg_app, proc)
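Review bot: The final rule `r_dir_file(ssg_app, proc)` grants read access to every file and directory that still carries the generic `proc` label, which is much wider than the stated purpose in `# To get uuid and device info`. The two rules above it already scope access to `proc_cpuinfo` and `proc_meminfo`, so the broad grant should be dropped, or replaced by a rule on the specific labelled type that holds the value the apps need. The three `service_manager find` rules have no comment; `app_api_service` in particular is an attribute rather than a single service, so a line such as `# binder services used by the SSG apps: <list>` would let a later reviewer check whether `radio_service` and `surfaceflinger_service` are really required. Because the domain also gets `net_domain`, anything it can read under /proc can leave the device, which is a further reason to keep the proc access narrow.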
diff --git a/ssg/ssg_app_cert.x509.pem b/ssg/ssg_app_cert.x509.pem
new file mode 100644
index 00000000..70ad39fa
--- /dev/null
+++ b/ssg/ssg_app_cert.x509.pem
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----