diff options
62 files changed, 564 insertions, 29 deletions
@@ -1,9 +1,10 @@ -# Board specific SELinux policy variable definitions -ifeq ($(call is-vendor-board-platform,QCOM),true) -BOARD_SEPOLICY_DIRS := \ - $(BOARD_SEPOLICY_DIRS) \ - device/qcom/sepolicy \ - device/qcom/sepolicy/common \ - device/qcom/sepolicy/test \ - device/qcom/sepolicy/$(TARGET_BOARD_PLATFORM) -endif +# Don't recurse into the platform makefiles. We don't care about them, and +# we don't want to force a reset of BOARD_SEPOLICY_DIRS +# +# If you want to use these policies, add a +# +# include device/qcom/sepolicy/sepolicy.mk +# +# to your device's BoardConfig. It is highly recommended that in case +# you have your own BOARD_SEPOLICY_DIRS and BOARD_SEPOLICY_UNION declarations, +# the inclusion happens _before_ those lines diff --git a/apq8084/file_contexts b/apq8084/file_contexts index ac2402e1..02d3b7f9 100644 --- a/apq8084/file_contexts +++ b/apq8084/file_contexts @@ -28,10 +28,13 @@ ################################### # Primary storage device nodes # +/dev/block/platform/msm_sdcc\.1/by-name/boot u:object_r:boot_block_device:s0 +/dev/block/platform/msm_sdcc\.1/by-name/recovery u:object_r:recovery_block_device:s0 /dev/block/platform/msm_sdcc\.1/by-name/modem u:object_r:modem_efs_partition_device:s0 /dev/block/platform/msm_sdcc\.1/by-name/ssd u:object_r:ssd_device:s0 /dev/block/platform/msm_sdcc\.1/by-name/misc u:object_r:misc_partition:s0 /dev/block/platform/msm_sdcc\.1/by-name/userdata u:object_r:userdata_block_device:s0 +/dev/block/platform/msm_sdcc\.1/by-name/cache u:object_r:cache_block_device:s0 /dev/block/mmcblk0 u:object_r:root_block_device:s0 /dev/block/mmcblk0rpmb u:object_r:rpmb_device:s0 /dev/block/platform/msm_sdcc\.1/by-name/mdm1m9kefs1 u:object_r:efs_boot_dev:s0 diff --git a/common/device.te b/common/device.te index 97df8a70..4778a3b4 100644 --- a/common/device.te +++ b/common/device.te @@ -8,6 +8,9 @@ type hsic_device, dev_type; #Define the mhi device type mhi_device, dev_type; +#Define the bhi device +type bhi_device, dev_type; + #device type for smd device nodes, ie /dev/smd* type smd_device, dev_type; diff --git a/common/dpmservice_app.te b/common/dpmservice_app.te index 6dc8748b..47f23bc0 100644 --- a/common/dpmservice_app.te +++ b/common/dpmservice_app.te @@ -42,3 +42,9 @@ allow dpmservice_app system_api_service:service_manager find; #allow dpmservice to search mediaserver and radio service. allow dpmservice_app mediaserver_service:service_manager find; allow dpmservice_app radio_service:service_manager find; + +#don't audit /proc/<pid>/stat denials +dontaudit dpmservice_app domain:dir r_dir_perms; + +#allow dpmservice to get running time for apps +r_dir_file(dpmservice_app, appdomain) diff --git a/common/file.te b/common/file.te index c1c59541..8474d598 100644 --- a/common/file.te +++ b/common/file.te @@ -130,9 +130,6 @@ type mmi_data_file, file_type, data_file_type; #bluetooth firmware file types type bt_firmware_file, fs_type, contextmount_type; -#needed by vold -type proc_dirty_ratio, fs_type; - #File types by mmi type mmi_socket, file_type; @@ -175,3 +172,6 @@ type ssr_ramdump_data_file, file_type, data_file_type; # qtitetherservice files type qtitetherservice_app_data_file, file_type, data_file_type; + +# Boot KPI Marker files +type sys_bootkpi, sysfs_type, file_type; diff --git a/common/file_contexts b/common/file_contexts index 66d295d4..fe31cc18 100644 --- a/common/file_contexts +++ b/common/file_contexts @@ -7,6 +7,7 @@ /dev/hsicctl.* u:object_r:hsic_device:s0 /dev/kgsl-3d0 u:object_r:gpu_device:s0 /dev/mhi_pipe_.* u:object_r:mhi_device:s0 +/dev/bhi u:object_r:bhi_device:s0 /dev/msm_.* u:object_r:audio_device:s0 /dev/usf1 u:object_r:usf_device:s0 /dev/msm_dsps u:object_r:sensors_device:s0 @@ -47,6 +48,7 @@ /dev/pta u:object_r:pta_device:s0 /dev/mdss_rotator u:object_r:graphics_device:s0 /dev/hbtp_input u:object_r:hbtp_device:s0 +/dev/hbtp_vm u:object_r:hbtp_device:s0 /dev/jdi-bu21150 u:object_r:bu21150_device:s0 /dev/voice_svc u:object_r:voice_device:s0 /dev/avtimer u:object_r:avtimer_device:s0 @@ -93,6 +95,7 @@ /dev/socket/ims_qmid u:object_r:ims_socket:s0 /dev/socket/ims_datad u:object_r:ims_socket:s0 /dev/socket/ims_rtpd u:object_r:ims_socket:s0 +/dev/socket/perfd(/.*)? u:object_r:mpctl_socket:s0 /dev/socket/perfd u:object_r:mpctl_socket:s0 /dev/socket/qlogd u:object_r:qlogd_socket:s0 /dev/socket/ipacm_log_file u:object_r:ipacm_socket:s0 @@ -134,6 +137,7 @@ /system/bin/mmi u:object_r:mmi_exec:s0 /system/bin/mpdecision u:object_r:mpdecision_exec:s0 /system/vendor/bin/perfd u:object_r:perfd_exec:s0 +/data/misc/perfd(/.*)? u:object_r:mpctl_socket:s0 /system/bin/iop u:object_r:dumpstate_exec:s0 /system/bin/msm_irqbalance u:object_r:msm_irqbalanced_exec:s0 /system/bin/imsdatadaemon u:object_r:ims_exec:s0 @@ -273,6 +277,7 @@ /data/rfs.* u:object_r:rfs_file:s0 /data/hlos_rfs(/.*)? u:object_r:rfs_shared_hlos_file:s0 /data/camera(/.*)? u:object_r:camera_socket:s0 +/data/fdAlbum u:object_r:camera_data_file:s0 /data/misc/stargate(/.*)? u:object_r:qfp-daemon_data_file:s0 /data/system/sensors(/.*)? u:object_r:sensors_data_file:s0 /data/time(/.*)? u:object_r:time_data_file:s0 diff --git a/common/gatekeeperd.te b/common/gatekeeperd.te new file mode 100644 index 00000000..00a32af5 --- /dev/null +++ b/common/gatekeeperd.te @@ -0,0 +1,2 @@ +# allow gatekeeperd to open firmware images (ex. kmota) +r_dir_file(gatekeeperd, firmware_file) diff --git a/common/genfs_contexts b/common/genfs_contexts index f92adbdb..c3d58b54 100755 --- a/common/genfs_contexts +++ b/common/genfs_contexts @@ -1,2 +1,3 @@ genfscon proc /asound/card0/state u:object_r:proc_audiod:s0 genfscon proc /proc/sys/vm/dirty_ratio u:object_r:proc_dirty_ratio:s0 +genfscon sys /sys/bootkpi/marker_entry u:object_r:sys_bootkpi:s0 diff --git a/common/hbtp.te b/common/hbtp.te index 22aa1bc1..0a9e4eba 100644 --- a/common/hbtp.te +++ b/common/hbtp.te @@ -5,14 +5,35 @@ type hbtp_exec, exec_type, file_type; init_daemon_domain(hbtp) # Allow access for /dev/hbtp_input and /dev/jdi-bu21150 -allow hbtp { hbtp_device bu21150_device }:chr_file rw_file_perms; - -allow hbtp hbtp_cfg_file:dir rw_dir_perms; -allow hbtp hbtp_cfg_file:file create_file_perms; +allow hbtp { hbtp_device qdsp_device bu21150_device }:chr_file rw_file_perms; allow hbtp hbtp_log_file:dir rw_dir_perms; allow hbtp hbtp_log_file:file create_file_perms; +allow hbtp sysfs_usb_supply:dir search; +allow hbtp sysfs_usb_supply:file rw_file_perms; + +allow hbtp sysfs:file write; + allow hbtp self:netlink_kobject_uevent_socket { create read setopt bind }; binder_use(hbtp); + +allow hbtp improve_touch_service:service_manager add; + +userdebug_or_eng(` + binder_call(hbtp, untrusted_app); +') + +binder_call(hbtp, platform_app); + +binder_call(hbtp, surfaceflinger); + +# Allow the service to access wakelock sysfs +allow hbtp sysfs_wake_lock:file r_file_perms; + +# Allow the service to change to system from root +allow hbtp self:capability { setgid setuid }; + +# Allow the service to access wakelock capability +wakelock_use(hbtp) diff --git a/common/healthd.te b/common/healthd.te index c98ebff2..7c1b19a1 100644 --- a/common/healthd.te +++ b/common/healthd.te @@ -1,6 +1,7 @@ r_dir_file(healthd, sysfs_battery_supply) r_dir_file(healthd, sysfs_usb_supply) r_dir_file(healthd, sysfs_thermal); +allow healthd alarm_device:chr_file rw_file_perms; #allow healthd read rtc device file allow healthd rtc_device:chr_file r_file_perms; diff --git a/common/hostapd.te b/common/hostapd.te index 54cec32d..f23418bf 100644 --- a/common/hostapd.te +++ b/common/hostapd.te @@ -42,5 +42,6 @@ allow hostapd cnd:{ allow hostapd cnd:fifo_file r_file_perms; allow hostapd smem_log_device:chr_file rw_file_perms; allow hostapd fstman:unix_dgram_socket sendto; +unix_socket_send(hostapd, wpa, netd) allow hostapd netd:unix_dgram_socket sendto; allow hostapd wpa_socket:sock_file write; diff --git a/common/init.te b/common/init.te index 68352329..9d82a94a 100644 --- a/common/init.te +++ b/common/init.te @@ -19,3 +19,6 @@ allow init tmpfs:lnk_file create_file_perms; #allow it for most domain. Do not honor LD_PRELOAD #for lmkd allow init { domain -lmkd }:process noatsecure; + +# allow setting proc_dirt_ratio fron init.rc scripts +allow init proc_dirty_ratio:file rw_file_perms; diff --git a/common/init_shell.te b/common/init_shell.te index 5a150b36..36e18462 100644 --- a/common/init_shell.te +++ b/common/init_shell.te @@ -11,6 +11,8 @@ allow qti_init_shell rootfs:file entrypoint; # this is needed for dynamic_fps and bw_mode_bitmap allow qti_init_shell sysfs_graphics:file {rw_file_perms setattr}; allow qti_init_shell sysfs:file setattr; +#For chown on scaling_min/scaling_max nodes. +allow qti_init_shell sysfs_devices_system_cpu:file setattr; allow qti_init_shell persist_file:dir w_dir_perms; allow qti_init_shell persist_file:file create_file_perms; @@ -25,6 +27,9 @@ allow qti_init_shell fm_radio_device:chr_file r_file_perms; #give permission to read/write fm dir for calibration file allow qti_init_shell fm_data_file: dir rw_dir_perms; +#allow shell to access /dev/vm_bms +allow qti_init_shell vm_bms_device:chr_file getattr; + # create/open, read/write permission for fm calibration file. allow qti_init_shell fm_data_file: file create_file_perms; @@ -78,6 +83,10 @@ allow qti_init_shell { # Needed for starting console in userdebug mode userdebug_or_eng(`ctl_console_prop coresight_prop') rmnet_mux_prop + ctl_hbtp_prop + #Needed for starting vm_bms executable post-boot + vm_bms_prop + radio_noril_prop }:property_service set; allow qti_init_shell efs_boot_dev:blk_file r_file_perms; diff --git a/common/keystore.te b/common/keystore.te index 524fc3f4..0a825c1f 100644 --- a/common/keystore.te +++ b/common/keystore.te @@ -1,2 +1,5 @@ # Allow keystore to operate using qseecom_device allow keystore tee_device:chr_file rw_file_perms; + +# Allow keystore to search and get keymaste.mdt +r_dir_file(keystore, firmware_file) diff --git a/common/location.te b/common/location.te index 7763e7f1..aa0c8e61 100644 --- a/common/location.te +++ b/common/location.te @@ -49,3 +49,6 @@ allow location persist_file:dir r_dir_perms; #Allow access to netmgrd socket netmgr_socket(location); + +#Allow access to properties +set_prop(location, location_prop); diff --git a/common/mdm_helper.te b/common/mdm_helper.te index 61c9a22d..d0c4b205 100755..100644 --- a/common/mdm_helper.te +++ b/common/mdm_helper.te @@ -48,3 +48,7 @@ r_dir_file(mdm_helper, firmware_file) #Needed in order to collect ramdumps allow mdm_helper tombstone_data_file:dir create_dir_perms; allow mdm_helper tombstone_data_file:file create_file_perms; + +#Needed to allow boot over PCIe +allow mdm_helper bhi_device:chr_file rw_file_perms; +allow mdm_helper mhi_device:chr_file rw_file_perms; diff --git a/common/mediaserver.te b/common/mediaserver.te index 27281424..6eae758b 100644 --- a/common/mediaserver.te +++ b/common/mediaserver.te @@ -32,6 +32,7 @@ allow mediaserver dts_data_file:file create_file_perms; allow mediaserver mpctl_socket:dir r_dir_perms; unix_socket_send(mediaserver, mpctl, mpdecision) unix_socket_connect(mediaserver, mpctl, mpdecision) +unix_socket_connect(mediaserver, thermal, thermal-engine) # access to perflock allow mediaserver mpctl_socket:dir r_dir_perms; @@ -73,4 +74,11 @@ binder_call(mediaserver, bootanim); #Allow mediaserver to access service manager STAProxyService #Allow mediaserver to access service manager wfdservice allow mediaserver { STAProxyService wfdservice_service }:service_manager find; + +# Allow mediaserver to search and get the widevine, playready firmwares +allow mediaserver firmware_file:dir search; +allow mediaserver firmware_file:file { read getattr open }; allow mediaserver surfaceflinger:unix_stream_socket rw_socket_perms; + +# Rule for RILD to talk to peripheral manager +use_per_mgr(mediaserver); diff --git a/common/mm-pp-daemon.te b/common/mm-pp-daemon.te index 11bb6ad1..a9e81e76 100644 --- a/common/mm-pp-daemon.te +++ b/common/mm-pp-daemon.te @@ -43,6 +43,9 @@ userdebug_or_eng(` allow mm-pp-daemon { shell_exec zygote_exec }:file rx_file_perms; allow mm-pp-daemon system_file:file x_file_perms; allow mm-pp-daemon self:process ptrace; + + # This allows pp-daemon to set debug property + allow mm-pp-daemon debug_prop:property_service set; ') # Allow mm-pp-daemon to change the brightness of the target during display diff --git a/common/mm-qcamerad.te b/common/mm-qcamerad.te index 6e99c281..7bc5dfe6 100644 --- a/common/mm-qcamerad.te +++ b/common/mm-qcamerad.te @@ -5,6 +5,7 @@ init_daemon_domain(mm-qcamerad) #added to support EZTune for camera userdebug_or_eng(` allow mm-qcamerad debugfs:dir r_dir_perms; + allow mm-qcamerad debugfs:file read; allow mm-qcamerad camera_data_file:file create_file_perms; allow mm-qcamerad self:tcp_socket create_stream_socket_perms; allow mm-qcamerad node:tcp_socket node_bind; @@ -13,9 +14,15 @@ userdebug_or_eng(` allow mm-qcamerad port:tcp_socket name_bind; allow mm-qcamerad self:tcp_socket { accept listen }; allow mm-qcamerad camera_data_file:file create_file_perms; + + # mm-qcamerad needs to set persist.camera. property + set_prop(mm-qcamerad, camera_prop) + ') #Communicate with user land process through domain socket +type_transition mm-qcamerad system_data_file:sock_file camera_socket "cam_socket1"; +type_transition mm-qcamerad system_data_file:sock_file camera_socket "cam_socket2"; allow mm-qcamerad camera_socket:sock_file { create unlink write }; allow mm-qcamerad camera_socket:dir w_dir_perms; unix_socket_connect(mm-qcamerad, sensors, sensors) @@ -46,6 +53,13 @@ allow mm-qcamerad sensorservice_service:service_manager find; r_dir_file(mm-qcamerad, adsprpcd_file); r_dir_file(mm-qcamerad, firmware_file) +allow mm-qcamerad graphics_device:dir r_file_perms; +allow mm-qcamerad graphics_device:dir r_dir_perms; + +# /data/fdAlbum +type_transition mm-qcamerad system_data_file:file camera_data_file "fdAlbum"; +allow mm-qcamerad camera_data_file:file create_file_perms; + allow mm-qcamerad graphics_device:dir r_dir_perms; #Allow access to /dev/graphics/fb* for screen capture diff --git a/common/perfd.te b/common/perfd.te index d67954fc..0cec6b7c 100644 --- a/common/perfd.te +++ b/common/perfd.te @@ -14,6 +14,8 @@ allow perfd { allow perfd self:{ netlink_kobject_uevent_socket socket} create_socket_perms; # mpctl socket +allow perfd mpctl_socket:dir rw_dir_perms; +allow perfd mpctl_socket:sock_file create_file_perms; allow perfd mpctl_socket:sock_file rw_file_perms; # default_values file @@ -23,6 +25,9 @@ allow perfd mpctl_data_file:file create_file_perms; # Allow poll of system_server status r_dir_file(perfd, system_server) +# Allow perfd to check for existence of other processes +allow perfd domain:process signull; + # Allow access to thermal sysfs entry r_dir_file(perfd, sysfs_thermal) allow perfd sysfs_thermal:file write; diff --git a/common/platform_app.te b/common/platform_app.te index a2f50756..7400f96e 100644 --- a/common/platform_app.te +++ b/common/platform_app.te @@ -19,5 +19,8 @@ allow platform_app nfc_service:service_manager find; #Allow platform apps to interact with seemp health daemon binder_call(platform_app, seemp_health_daemon) +# Allow improveTouch service to be found +binder_call(platform_app, hbtp); + # Allow cneservice to be found allow platform_app cne_service:service_manager find; diff --git a/common/property.te b/common/property.te index a8821776..996c61e6 100644 --- a/common/property.te +++ b/common/property.te @@ -10,6 +10,7 @@ type usf_prop, property_type; type freq_prop, property_type; type perfd_prop, property_type; +type vm_bms_prop, property_type; #To start vm_bms type qti_prop, property_type; type ipacm_prop, property_type; type ipacm-diag_prop, property_type; @@ -36,5 +37,9 @@ type qemu_hw_mainkeys_prop, property_type; type coresight_prop, property_type; +type ctl_hbtp_prop, property_type; type alarm_boot_prop, property_type; type boot_animation_prop, property_type; + +#properties set from script read from apps +type radio_noril_prop, property_type; diff --git a/common/property_contexts b/common/property_contexts index cf8d8d94..f3e41fa5 100644 --- a/common/property_contexts +++ b/common/property_contexts @@ -14,12 +14,14 @@ min_freq_0 u:object_r:freq_prop:s0 min_freq_4 u:object_r:freq_prop:s0 ctl.perfd u:object_r:perfd_prop:s0 ctl.iop u:object_r:perfd_prop:s0 +ctl.vm_bms u:object_r:vm_bms_prop:s0 qualcomm.bluetooth. u:object_r:bluetooth_prop:s0 ctl.ipacm u:object_r:ipacm_prop:s0 ctl.ipacm-diag u:object_r:ipacm-diag_prop:s0 ctl.qti u:object_r:qti_prop:s0 ctl.sensors u:object_r:sensors_prop:s0 ctl.msm_irqbalance u:object_r:msm_irqbalance_prop:s0 +ctl.msm_irqbal_lb u:object_r:msm_irqbalance_prop:s0 camera. u:object_r:camera_prop:s0 persist.camera. u:object_r:camera_prop:s0 sf.lcd_density u:object_r:sf_lcd_density_prop:s0 @@ -30,8 +32,12 @@ ctl.mpdecision u:object_r:mpdecision_prop:s0 qualcomm.perf.cores_online u:object_r:mpdecision_prop:s0 netd.fstman. u:object_r:netd_prop:s0 location. u:object_r:location_prop:s0 +qc.izat. u:object_r:location_prop:s0 persist.rmnet.mux u:object_r:rmnet_mux_prop:s0 qemu.hw.mainkeys u:object_r:qemu_hw_mainkeys_prop:s0 dbg.coresight.cfg_file u:object_r:coresight_prop:s0 +ctl.hbtp u:object_r:ctl_hbtp_prop:s0 +sys.audio.init u:object_r:audio_prop:s0 alarm_boot u:object_r:alarm_boot_prop:s0 debug.sf.nobootanimation u:object_r:boot_animation_prop:s0 +radio.noril u:object_r:radio_noril_prop:s0 diff --git a/common/qtitetherservice_app.te b/common/qtitetherservice_app.te index 24f35e85..2549dd29 100644 --- a/common/qtitetherservice_app.te +++ b/common/qtitetherservice_app.te @@ -43,3 +43,8 @@ allow qtitetherservice_app qtitetherservice_app_data_file:dir create_dir_perms; allow qtitetherservice_app qtitetherservice_app_data_file:{ file lnk_file } create_file_perms; allow qtitetherservice_app wcnss_service_exec:file rx_file_perms; + +# TEMPORARY: Type transitioning via seapp_contexts from system_app isn't working +# +allow system_app qtitetherservice_app_data_file:dir create_dir_perms; +allow system_app qtitetherservice_app_data_file:{ file lnk_file } create_file_perms; diff --git a/common/recovery.te b/common/recovery.te index c83bc974..68147f81 100644 --- a/common/recovery.te +++ b/common/recovery.te @@ -2,8 +2,8 @@ recovery_only(` # Read files on /sdcard allow recovery sdcard_type:dir r_dir_perms; allow recovery sdcard_type:file r_file_perms; - allow recovery vfat:dir r_dir_perms; - allow recovery vfat:file r_file_perms; + allow recovery vfat:dir create_dir_perms; + allow recovery vfat:file create_file_perms; allow recovery system_data_file:file r_file_perms; allow recovery system_data_file:dir r_dir_perms; allow recovery RIDL_data_file:file r_file_perms; diff --git a/common/ridl.te b/common/ridl.te index 6577a2c4..5d95a619 100644 --- a/common/ridl.te +++ b/common/ridl.te @@ -29,7 +29,6 @@ type RIDL, domain; type RIDL_exec, exec_type, file_type; -type_transition RIDL RIDL_data_file:sock_file RIDL_socket; allow RIDL RIDL_socket:sock_file create_file_perms; allow RIDL RIDL_socket:dir create_dir_perms; @@ -88,12 +87,15 @@ userdebug_or_eng(` # Access to ANR/segfaults allow RIDL tombstone_data_file:dir rw_dir_perms; allow RIDL tombstone_data_file:file { unlink rw_file_perms }; - allow RIDL anr_data_file:dir rw_dir_perms; - allow RIDL anr_data_file:file { unlink rw_file_perms }; + allow RIDL anr_data_file:dir rw_dir_perms; + allow RIDL anr_data_file:file { unlink rw_file_perms }; # tcpdump allow RIDL self:packet_socket create_socket_perms; allow RIDL self:capability net_raw; + + # allow location + allow RIDL app_api_service:service_manager find; ') # drop root caps @@ -108,3 +110,6 @@ allow RIDL storage_file:dir r_dir_perms; # allow logcat access read_logd( RIDL ); + +# allow netstats +allow RIDL system_api_service:service_manager find; diff --git a/common/service.te b/common/service.te index ef6d0ff9..4120049b 100644 --- a/common/service.te +++ b/common/service.te @@ -12,6 +12,7 @@ type STAProxyService, service_manager_type; type dun_service, service_manager_type; type imscm_service, system_api_service, service_manager_type; type color_service, service_manager_type; +type improve_touch_service, service_manager_type; type wfdservice_service, service_manager_type; type usf_service, service_manager_type; type dtseagleservice_service, service_manager_type; diff --git a/common/service_contexts b/common/service_contexts index dfbbed47..c57eab7e 100644 --- a/common/service_contexts +++ b/common/service_contexts @@ -12,6 +12,8 @@ STAProxyService u:object_r:STAProxyService:s0 dun u:object_r:dun_service:s0 qti.ims.connectionmanagerservice u:object_r:imscm_service:s0 com.qti.snapdragon.sdk.display.IColorService u:object_r:color_service:s0 +improveTouch.TouchService u:object_r:improve_touch_service:s0 +improveTouch.TouchManagerService u:object_r:improve_touch_service:s0 wfdservice u:object_r:wfdservice_service:s0 DigitalPen u:object_r:usf_service:s0 dts_eagle_service u:object_r:dtseagleservice_service:s0 diff --git a/common/ssr_diag.te b/common/ssr_diag.te index b58fdb16..b58fdb16 100755..100644 --- a/common/ssr_diag.te +++ b/common/ssr_diag.te diff --git a/common/subsystem_ramdump.te b/common/subsystem_ramdump.te index 3678eb94..3678eb94 100755..100644 --- a/common/subsystem_ramdump.te +++ b/common/subsystem_ramdump.te diff --git a/common/system_server.te b/common/system_server.te index 86888b08..4aca89f3 100644 --- a/common/system_server.te +++ b/common/system_server.te @@ -120,3 +120,6 @@ allow system_server iqfp_service:service_manager find; #for seemp unix_socket_send(system_server, seempdw, seempd) + +# allow tethering to access dhcp leases +r_dir_file(system_server, dhcp_data_file) diff --git a/common/thermal-engine.te b/common/thermal-engine.te index faed9c1a..d85cb50f 100644 --- a/common/thermal-engine.te +++ b/common/thermal-engine.te @@ -48,3 +48,6 @@ unix_socket_connect(thermal-engine, mpctl, mpdecision) #This is to allow access to uio device allow thermal-engine uio_device:chr_file rw_file_perms; + +#Label the thermal sockets correctly +type_transition thermal-engine socket_device:sock_file thermal_socket; diff --git a/common/uncrypt.te b/common/uncrypt.te new file mode 100644 index 00000000..8701a6dc --- /dev/null +++ b/common/uncrypt.te @@ -0,0 +1,3 @@ +allow uncrypt misc_partition:blk_file w_file_perms; +allow uncrypt misc_partition:dir r_dir_perms; + diff --git a/common/untrusted_app.te b/common/untrusted_app.te index 911ffcd8..2407de34 100644 --- a/common/untrusted_app.te +++ b/common/untrusted_app.te @@ -5,6 +5,10 @@ unix_socket_connect(untrusted_app, mpctl, mpdecision) # diag device node access is restricted to untrusted_app neverallow untrusted_app diag_device:chr_file rw_file_perms; +# allow apps to read battery status +allow untrusted_app sysfs_battery_supply:dir r_dir_perms; +allow untrusted_app sysfs_battery_supply:file r_file_perms; + # test apps needs to communicate with imscm # using binder call userdebug_or_eng(` @@ -13,3 +17,9 @@ userdebug_or_eng(` # for finding wbc_service allow untrusted_app wbc_service:service_manager find; + +# using binder call +userdebug_or_eng(` + allow untrusted_app improve_touch_service:service_manager find; + binder_call(untrusted_app, hbtp); +') diff --git a/common/vold.te b/common/vold.te index 5332ec94..08476cf3 100755 --- a/common/vold.te +++ b/common/vold.te @@ -4,3 +4,4 @@ allow vold cache_file:dir w_dir_perms; allow vold { fscklogs cache_file }:file create_file_perms; allow vold { proc_sysrq proc_dirty_ratio }:file rw_file_perms; wakelock_use(vold) +allow vold swap_block_device:blk_file r_file_perms; diff --git a/common/wcnss_service.te b/common/wcnss_service.te index 62c31c4d..d9222763 100644 --- a/common/wcnss_service.te +++ b/common/wcnss_service.te @@ -14,7 +14,6 @@ allow wcnss_service wifi_data_file:file create_file_perms; allow wcnss_service system_prop:property_service set; allow wcnss_service persist_file:dir r_dir_perms; -qmux_socket(wcnss_service); allow wcnss_service self:socket create_socket_perms; allow wcnss_service smem_log_device:chr_file rw_file_perms; diff --git a/common/wfdservice.te b/common/wfdservice.te index 35e47912..c4fd8ceb 100644 --- a/common/wfdservice.te +++ b/common/wfdservice.te @@ -55,9 +55,12 @@ allow wfdservice uhid_device:chr_file rw_file_perms; #Allow PROT_EXEC for 3rd party library loaded by wfdservice allow wfdservice self:process execmem; -#Allow access to read mmosal_logmask file in /data partition userdebug_or_eng(` +#Allow access to read mmosal_logmask file in /data partition allow wfdservice system_data_file:file r_file_perms; +#Allow access to dump encoder/decoder dumps in /data/misc/media + allow wfdservice media_data_file:dir w_dir_perms; + allow wfdservice media_data_file:file create_file_perms; ') #Allow access to firmware files for HDCP session diff --git a/msm8226/file_contexts b/msm8226/file_contexts index ae2c3a76..cbbfdbec 100644 --- a/msm8226/file_contexts +++ b/msm8226/file_contexts @@ -27,6 +27,8 @@ ################################### # Primary storage device nodes # +/dev/block/platform/msm_sdcc\.1/by-name/boot u:object_r:boot_block_device:s0 +/dev/block/platform/msm_sdcc\.1/by-name/recovery u:object_r:recovery_block_device:s0 /dev/block/platform/msm_sdcc\.1/by-name/fsg u:object_r:modem_efs_partition_device:s0 /dev/block/platform/msm_sdcc\.1/by-name/fsc u:object_r:modem_efs_partition_device:s0 /dev/block/platform/msm_sdcc\.1/by-name/modemst1 u:object_r:modem_efs_partition_device:s0 @@ -34,5 +36,7 @@ /dev/block/platform/msm_sdcc\.1/by-name/ssd u:object_r:ssd_device:s0 /dev/block/platform/msm_sdcc\.1/by-name/misc u:object_r:misc_partition:s0 /dev/block/platform/msm_sdcc\.1/by-name/userdata u:object_r:userdata_block_device:s0 +/dev/block/platform/msm_sdcc\.1/by-name/cache u:object_r:cache_block_device:s0 /dev/block/mmcblk0 u:object_r:root_block_device:s0 /dev/block/mmcblk0rpmb u:object_r:rpmb_device:s0 +/dev/block/platform/msm_sdcc\.1/by-name/config u:object_r:frp_block_device:s0 diff --git a/msm8909/file_contexts b/msm8909/file_contexts index 071b83db..caf3ec17 100644 --- a/msm8909/file_contexts +++ b/msm8909/file_contexts @@ -27,6 +27,8 @@ ################################### # Primary storage device nodes # +/dev/block/platform/soc.0/7824900.sdhci/by-name/boot u:object_r:boot_block_device:s0 +/dev/block/platform/soc.0/7824900.sdhci/by-name/recovery u:object_r:recovery_block_device:s0 /dev/block/platform/soc.0/7824900.sdhci/by-name/fsg u:object_r:modem_efs_partition_device:s0 /dev/block/platform/soc.0/7824900.sdhci/by-name/fsc u:object_r:modem_efs_partition_device:s0 /dev/block/platform/soc.0/7824900.sdhci/by-name/modemst1 u:object_r:modem_efs_partition_device:s0 @@ -34,5 +36,7 @@ /dev/block/platform/soc.0/7824900.sdhci/by-name/ssd u:object_r:ssd_device:s0 /dev/block/platform/soc.0/7824900.sdhci/by-name/misc u:object_r:misc_partition:s0 /dev/block/platform/soc.0/7824900.sdhci/by-name/userdata u:object_r:userdata_block_device:s0 +/dev/block/platform/soc.0/7824900.sdhci/by-name/cache u:object_r:cache_block_device:s0 /dev/block/mmcblk0 u:object_r:root_block_device:s0 /dev/block/mmcblk0rpmb u:object_r:rpmb_device:s0 +/dev/block/platform/soc.0/7824900.sdhci/by-name/config u:object_r:frp_block_device:s0 diff --git a/msm8916/file_contexts b/msm8916/file_contexts index 54b6ca7e..74254358 100644 --- a/msm8916/file_contexts +++ b/msm8916/file_contexts @@ -28,6 +28,8 @@ ################################### # Primary storage device nodes # +/dev/block/platform/soc.0/7824900.sdhci/by-name/boot u:object_r:boot_block_device:s0 +/dev/block/platform/soc.0/7824900.sdhci/by-name/recovery u:object_r:recovery_block_device:s0 /dev/block/platform/soc.0/7824900.sdhci/by-name/fsg u:object_r:modem_efs_partition_device:s0 /dev/block/platform/soc.0/7824900.sdhci/by-name/fsc u:object_r:modem_efs_partition_device:s0 /dev/block/platform/soc.0/7824900.sdhci/by-name/modemst1 u:object_r:modem_efs_partition_device:s0 @@ -37,3 +39,7 @@ /dev/block/platform/soc.0/7824900.sdhci/by-name/userdata u:object_r:userdata_block_device:s0 /dev/block/mmcblk0 u:object_r:root_block_device:s0 /dev/block/mmcblk0rpmb u:object_r:rpmb_device:s0 + +/dev/block/platform/soc.0/7824900.sdhci/by-name/frp u:object_r:frp_block_device:s0 +/dev/block/platform/soc.0/7824900.sdhci/by-name/cache u:object_r:cache_block_device:s0 +/dev/block/platform/soc.0/7824900.sdhci/by-name/config u:object_r:frp_block_device:s0 diff --git a/msm8916/init_shell.te b/msm8916/init_shell.te new file mode 100644 index 00000000..0d962af8 --- /dev/null +++ b/msm8916/init_shell.te @@ -0,0 +1,32 @@ +# Copyright (c) 2015, The Linux Foundation. All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions are +# met: +# * Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# * Redistributions in binary form must reproduce the above +# copyright notice, this list of conditions and the following +# disclaimer in the documentation and/or other materials provided +# with the distribution. +# * Neither the name of The Linux Foundation nor the names of its +# contributors may be used to endorse or promote products derived +# from this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED +# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT +# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS +# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR +# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR +# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, +# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE +# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN +# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +# media_codecs_eld_prop - to choose target specific media_codecs.xml +# media_settings_xml_prop - to choose target specific media_profiles.xml +allow qti_init_shell { + media_msm8939hw_prop +}:property_service set; diff --git a/msm8916/mm-qcamerad.te b/msm8916/mm-qcamerad.te new file mode 100644 index 00000000..98f2ca90 --- /dev/null +++ b/msm8916/mm-qcamerad.te @@ -0,0 +1,2 @@ +# The current BSP's faceproc library still needs this +allow mm-qcamerad system_file:file execmod; diff --git a/msm8916/property.te b/msm8916/property.te new file mode 100644 index 00000000..78560cd2 --- /dev/null +++ b/msm8916/property.te @@ -0,0 +1,30 @@ +# Copyright (c) 2015, The Linux Foundation. All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions are +# met: +# * Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# * Redistributions in binary form must reproduce the above +# copyright notice, this list of conditions and the following +# disclaimer in the documentation and/or other materials provided +# with the distribution. +# * Neither the name of The Linux Foundation nor the names of its +# contributors may be used to endorse or promote products derived +# from this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED +# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT +# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS +# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR +# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR +# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, +# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE +# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN +# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +#properites for init.qcom.sh script +type media_msm8939hw_prop, property_type; + diff --git a/msm8916/property_contexts b/msm8916/property_contexts new file mode 100644 index 00000000..bbdf9d61 --- /dev/null +++ b/msm8916/property_contexts @@ -0,0 +1,28 @@ +# Copyright (c) 2015, The Linux Foundation. All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions are +# met: +# * Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# * Redistributions in binary form must reproduce the above +# copyright notice, this list of conditions and the following +# disclaimer in the documentation and/or other materials provided +# with the distribution. +# * Neither the name of The Linux Foundation nor the names of its +# contributors may be used to endorse or promote products derived +# from this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED +# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT +# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS +# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR +# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR +# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, +# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE +# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN +# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +media.msm8939hw u:object_r:media_msm8939hw_prop:s0 diff --git a/msm8937/file_contexts b/msm8937/file_contexts new file mode 100644 index 00000000..13ddaeec --- /dev/null +++ b/msm8937/file_contexts @@ -0,0 +1,45 @@ +# Copyright (c) 2015, The Linux Foundation. All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions are +# met: +# * Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# * Redistributions in binary form must reproduce the above +# copyright notice, this list of conditions and the following +# disclaimer in the documentation and/or other materials provided +# with the distribution. +# * Neither the name of The Linux Foundation nor the names of its +# contributors may be used to endorse or promote products derived +# from this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED +# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT +# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS +# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR +# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR +# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, +# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE +# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN +# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +################################### +# Primary storage device nodes +# +/dev/block/mmcblk0 u:object_r:root_block_device:s0 +/dev/block/mmcblk0rpmb u:object_r:rpmb_device:s0 + +#Using soc instead of soc.0 for 3.18 kernel +/dev/block/platform/soc/7824900.sdhci/by-name/fsg u:object_r:modem_efs_partition_device:s0 +/dev/block/platform/soc/7824900.sdhci/by-name/fsc u:object_r:modem_efs_partition_device:s0 +/dev/block/platform/soc/7824900.sdhci/by-name/modemst1 u:object_r:modem_efs_partition_device:s0 +/dev/block/platform/soc/7824900.sdhci/by-name/modemst2 u:object_r:modem_efs_partition_device:s0 +/dev/block/platform/soc/7824900.sdhci/by-name/ssd u:object_r:ssd_device:s0 +/dev/block/platform/soc/7824900.sdhci/by-name/misc u:object_r:misc_partition:s0 +/dev/block/platform/soc/7824900.sdhci/by-name/system u:object_r:system_block_device:s0 +/dev/block/platform/soc/7824900.sdhci/by-name/userdata u:object_r:userdata_block_device:s0 +/dev/block/platform/soc/7824900.sdhci/by-name/dip u:object_r:dip_device:s0 +/dev/block/platform/soc/7824900.sdhci/by-name/mdtp u:object_r:mdtp_device:s0 +/dev/block/platform/soc.0/7824900.sdhci/by-name/config u:object_r:frp_block_device:s0 diff --git a/msm8952/file_contexts b/msm8952/file_contexts index 4d126cc2..f1983f9b 100644 --- a/msm8952/file_contexts +++ b/msm8952/file_contexts @@ -38,8 +38,10 @@ /dev/block/platform/soc.0/7824900.sdhci/by-name/userdata u:object_r:userdata_block_device:s0 /dev/block/platform/soc.0/7824900.sdhci/by-name/dip u:object_r:dip_device:s0 /dev/block/platform/soc.0/7824900.sdhci/by-name/mdtp u:object_r:mdtp_device:s0 +/dev/block/platform/soc.0/7824900.sdhci/by-name/frp u:object_r:frp_block_device:s0 /dev/block/mmcblk0 u:object_r:root_block_device:s0 /dev/block/mmcblk0rpmb u:object_r:rpmb_device:s0 +/dev/block/platform/soc.0/7824900.sdhci/by-name/config u:object_r:frp_block_device:s0 #Using soc instead of soc.0 to make it compatable with 3.18 kernel @@ -53,3 +55,4 @@ /dev/block/platform/soc/7824900.sdhci/by-name/userdata u:object_r:userdata_block_device:s0 /dev/block/platform/soc/7824900.sdhci/by-name/dip u:object_r:dip_device:s0 /dev/block/platform/soc/7824900.sdhci/by-name/mdtp u:object_r:mdtp_device:s0 +/dev/block/platform/soc/7824900.sdhci/by-name/frp u:object_r:frp_block_device:s0 diff --git a/msm8960/bootkpi.te b/msm8960/bootkpi.te new file mode 100644 index 00000000..e932e692 --- /dev/null +++ b/msm8960/bootkpi.te @@ -0,0 +1,36 @@ +# Copyright (c) 2015, The Linux Foundation. All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions are +# met: +# * Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# * Redistributions in binary form must reproduce the above +# copyright notice, this list of conditions and the following +# disclaimer in the documentation and/or other materials provided +# with the distribution. +# * Neither the name of The Linux Foundation nor the names of its +# contributors may be used to endorse or promote products derived +# from this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED +# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT +# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS +# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR +# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR +# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, +# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE +# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN +# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +#Access to the marker_entry for logging KPI's +userdebug_or_eng(` + allow zygote sys_bootkpi:file rw_file_perms; + allow mediaserver sys_bootkpi:file rw_file_perms; + allow system_server sys_bootkpi:file rw_file_perms; + allow surfaceflinger sys_bootkpi:file rw_file_perms; + allow untrusted_app sys_bootkpi:file rw_file_perms; + allow location sys_bootkpi:file rw_file_perms; +') diff --git a/msm8960/device.te b/msm8960/device.te index 24d277a0..c49ff00d 100755 --- a/msm8960/device.te +++ b/msm8960/device.te @@ -1,2 +1,5 @@ #mdm helper device type mdm_device, dev_type; + +#device type for gss device nodes, ie /dev/gss +type gss_device, dev_type; diff --git a/msm8960/file.te b/msm8960/file.te index e5cea972..e8a78cc5 100644 --- a/msm8960/file.te +++ b/msm8960/file.te @@ -1,2 +1,30 @@ +# Copyright (c) 2015, The Linux Foundation. All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions are +# met: +# * Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# * Redistributions in binary form must reproduce the above +# copyright notice, this list of conditions and the following +# disclaimer in the documentation and/or other materials provided +# with the distribution. +# * Neither the name of The Linux Foundation nor the names of its +# contributors may be used to endorse or promote products derived +# from this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED +# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT +# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS +# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR +# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR +# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, +# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE +# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN +# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE + #efs file types type efs_data_file, file_type, data_file_type; +type mpdecision_socket, file_type; diff --git a/msm8960/file_contexts b/msm8960/file_contexts index f90ff1ce..c43f6a14 100755 --- a/msm8960/file_contexts +++ b/msm8960/file_contexts @@ -5,19 +5,46 @@ /dev/msm_rotator u:object_r:graphics_device:s0 /dev/mdp_arb u:object_r:graphics_device:s0 /dev/mdm u:object_r:mdm_device:s0 + +################################### +# Block devices +# +/dev/block/mmcblk0 u:object_r:root_block_device:s0 +/dev/block/mmcblk0rpmb u:object_r:rpmb_device:s0 +/dev/block/platform/msm_sdcc\.1/by-name/boot u:object_r:boot_block_device:s0 +/dev/block/platform/msm_sdcc\.1/by-name/cache u:object_r:cache_block_device:s0 +/dev/block/platform/msm_sdcc\.1/by-name/fsg u:object_r:modem_efs_partition_device:s0 +/dev/block/platform/msm_sdcc\.1/by-name/fsc u:object_r:modem_efs_partition_device:s0 +/dev/block/platform/msm_sdcc\.1/by-name/m9kefs1 u:object_r:efs_boot_dev:s0 +/dev/block/platform/msm_sdcc\.1/by-name/m9kefs2 u:object_r:efs_boot_dev:s0 +/dev/block/platform/msm_sdcc\.1/by-name/m9kefs3 u:object_r:efs_boot_dev:s0 +/dev/block/platform/msm_sdcc\.1/by-name/m9kefsc u:object_r:efs_boot_dev:s0 +/dev/block/platform/msm_sdcc\.1/by-name/misc u:object_r:misc_partition:s0 +/dev/block/platform/msm_sdcc\.1/by-name/modemst1 u:object_r:modem_efs_partition_device:s0 +/dev/block/platform/msm_sdcc\.1/by-name/modemst2 u:object_r:modem_efs_partition_device:s0 +/dev/block/platform/msm_sdcc\.1/by-name/recovery u:object_r:recovery_block_device:s0 +/dev/block/platform/msm_sdcc\.1/by-name/ssd u:object_r:ssd_device:s0 +/dev/block/platform/msm_sdcc\.1/by-name/userdata u:object_r:userdata_block_device:s0 + /dev/block/bootdevice/by-name/m9kefs1 u:object_r:efs_boot_dev:s0 /dev/block/bootdevice/by-name/m9kefs2 u:object_r:efs_boot_dev:s0 /dev/block/bootdevice/by-name/m9kefs3 u:object_r:efs_boot_dev:s0 /dev/block/bootdevice/by-name/m9kefsc u:object_r:efs_boot_dev:s0 +/dev/gss u:object_r:gss_device:s0 +/dev/pps[0-9] u:object_r:gss_device:s0 +/dev/socket/mpdecision u:object_r:mpdecision_socket:s0 ################################### # System files # /system/bin/thermald u:object_r:thermal-engine_exec:s0 +/system/bin/thermal-engine u:object_r:thermal-engine_exec:s0 /system/bin/qcks u:object_r:mdm_helper_exec:s0 /system/bin/efks u:object_r:mdm_helper_exec:s0 +/system/bin/DR_AP_Service u:object_r:location_exec:s0 ################################### # Data files # /data/qcks(/.*)? u:object_r:efs_data_file:s0 +/sys/bootkpi/marker_entry u:object_r:sys_bootkpi:s0 diff --git a/msm8960/init_shell.te b/msm8960/init_shell.te new file mode 100644 index 00000000..a58c8b6f --- /dev/null +++ b/msm8960/init_shell.te @@ -0,0 +1,32 @@ +# Copyright (c) 2015, The Linux Foundation. All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions are +# met: +# * Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# * Redistributions in binary form must reproduce the above +# copyright notice, this list of conditions and the following +# disclaimer in the documentation and/or other materials provided +# with the distribution. +# * Neither the name of The Linux Foundation nor the names of its +# contributors may be used to endorse or promote products derived +# from this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED +# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT +# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS +# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR +# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR +# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, +# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE +# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN +# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE + +#For property starting with hw +#ctl_thermal-engine_prop - for access the thermal-engine +allow qti_init_shell { + ctl_thermal-engine_prop +}:property_service set; diff --git a/msm8960/location.te b/msm8960/location.te new file mode 100644 index 00000000..67ce6800 --- /dev/null +++ b/msm8960/location.te @@ -0,0 +1,29 @@ +# Copyright (c) 2015, The Linux Foundation. All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions are +# met: +# * Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# * Redistributions in binary form must reproduce the above +# copyright notice, this list of conditions and the following +# disclaimer in the documentation and/or other materials provided +# with the distribution. +# * Neither the name of The Linux Foundation nor the names of its +# contributors may be used to endorse or promote products derived +# from this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED +# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT +# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS +# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR +# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR +# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, +# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE +# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN +# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +#For gss device +allow location gss_device:chr_file rw_file_perms; diff --git a/msm8960/property.te b/msm8960/property.te new file mode 100644 index 00000000..cba96b2a --- /dev/null +++ b/msm8960/property.te @@ -0,0 +1,29 @@ +# Copyright (c) 2015, The Linux Foundation. All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions are +# met: +# * Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# * Redistributions in binary form must reproduce the above +# copyright notice, this list of conditions and the following +# disclaimer in the documentation and/or other materials provided +# with the distribution. +# * Neither the name of The Linux Foundation nor the names of its +# contributors may be used to endorse or promote products derived +# from this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED +# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT +# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS +# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR +# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR +# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, +# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE +# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN +# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE + +#property for thermal daemon +type ctl_thermal-engine_prop, property_type; diff --git a/msm8960/property_contexts b/msm8960/property_contexts new file mode 100644 index 00000000..bb3c9d52 --- /dev/null +++ b/msm8960/property_contexts @@ -0,0 +1 @@ +ctl.thermal-engine u:object_r:ctl_thermal-engine_prop:s0 diff --git a/msm8960/rmt_storage.te b/msm8960/rmt_storage.te deleted file mode 100644 index 3b3bbb29..00000000 --- a/msm8960/rmt_storage.te +++ /dev/null @@ -1,5 +0,0 @@ -# rmt_storage - rmt_storage daemon -allow rmt_storage rpmb_device:blk_file { open read }; -allow rmt_storage ssd_device:blk_file { open read write }; -unix_socket_connect(rmt_storage, property, init) -allow rmt_storage ctl_default_prop:property_service set; diff --git a/msm8960/system_server.te b/msm8960/system_server.te index 1ac7260e..0185b373 100644 --- a/msm8960/system_server.te +++ b/msm8960/system_server.te @@ -1,2 +1,5 @@ # WifiStateMachine to access wpa_wlan0 socket allow system_server init:unix_dgram_socket sendto; + +#For gss +allow system_server gss_device:chr_file rw_file_perms; diff --git a/msm8960/thermal-engine.te b/msm8960/thermal-engine.te index 85c93f16..bc7bfc8e 100644 --- a/msm8960/thermal-engine.te +++ b/msm8960/thermal-engine.te @@ -1,2 +1,33 @@ +# Copyright (c) 2015, The Linux Foundation. All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions are +# met: +# * Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# * Redistributions in binary form must reproduce the above +# copyright notice, this list of conditions and the following +# disclaimer in the documentation and/or other materials provided +# with the distribution. +# * Neither the name of The Linux Foundation nor the names of its +# contributors may be used to endorse or promote products derived +# from this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED +# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT +# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS +# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR +# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR +# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, +# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE +# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN +# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE + allow thermal-engine self:netlink_kobject_uevent_socket { create read setopt bind }; allow thermal-engine socket_device:dir w_dir_perms; + +#connect to mpdecision +unix_socket_connect(thermal-engine, mpdecision, mpdecision) +allow thermal-engine self:capability net_admin; diff --git a/msm8974/file_contexts b/msm8974/file_contexts index 7fbc7037..a4ead6da 100644 --- a/msm8974/file_contexts +++ b/msm8974/file_contexts @@ -27,6 +27,8 @@ ################################### # Primary storage device nodes # +/dev/block/platform/msm_sdcc\.1/by-name/boot u:object_r:boot_block_device:s0 +/dev/block/platform/msm_sdcc\.1/by-name/recovery u:object_r:recovery_block_device:s0 /dev/block/platform/msm_sdcc\.1/by-name/fsg u:object_r:modem_efs_partition_device:s0 /dev/block/platform/msm_sdcc\.1/by-name/fsc u:object_r:modem_efs_partition_device:s0 /dev/block/platform/msm_sdcc\.1/by-name/modemst1 u:object_r:modem_efs_partition_device:s0 @@ -34,5 +36,7 @@ /dev/block/platform/msm_sdcc\.1/by-name/ssd u:object_r:ssd_device:s0 /dev/block/platform/msm_sdcc\.1/by-name/misc u:object_r:misc_partition:s0 /dev/block/platform/msm_sdcc\.1/by-name/userdata u:object_r:userdata_block_device:s0 +/dev/block/platform/msm_sdcc\.1/by-name/cache u:object_r:cache_block_device:s0 /dev/block/mmcblk0 u:object_r:root_block_device:s0 /dev/block/mmcblk0rpmb u:object_r:rpmb_device:s0 +/dev/block/platform/msm_sdcc\.1/by-name/config u:object_r:frp_block_device:s0 diff --git a/msm8974/mm-qcamerad.te b/msm8974/mm-qcamerad.te new file mode 100644 index 00000000..98f2ca90 --- /dev/null +++ b/msm8974/mm-qcamerad.te @@ -0,0 +1,2 @@ +# The current BSP's faceproc library still needs this +allow mm-qcamerad system_file:file execmod; diff --git a/msm8996/file_contexts b/msm8996/file_contexts index e5de37b7..948bdcda 100644 --- a/msm8996/file_contexts +++ b/msm8996/file_contexts @@ -48,7 +48,10 @@ /dev/block/platform/soc/624000.ufshc/by-name/recovery u:object_r:recovery_block_device:s0 /dev/block/platform/soc/624000.ufshc/by-name/cache u:object_r:cache_block_device:s0 /dev/block/platform/soc/624000.ufshc/by-name/frp u:object_r:frp_block_device:s0 - +/dev/block/platform/soc/624000.ufshc/by-name/mdm1m9kefs1 u:object_r:efs_boot_dev:s0 +/dev/block/platform/soc/624000.ufshc/by-name/mdm1m9kefs2 u:object_r:efs_boot_dev:s0 +/dev/block/platform/soc/624000.ufshc/by-name/mdm1m9kefs3 u:object_r:efs_boot_dev:s0 +/dev/block/platform/soc/624000.ufshc/by-name/mdm1m9kefsc u:object_r:efs_boot_dev:s0 # eMMC devices /dev/block/platform/soc/7464900.sdhci/by-name/fsc u:object_r:modem_efs_partition_device:s0 @@ -67,6 +70,10 @@ /dev/block/platform/soc/7464900.sdhci/by-name/recovery u:object_r:recovery_block_device:s0 /dev/block/platform/soc/7464900.sdhci/by-name/cache u:object_r:cache_block_device:s0 /dev/block/platform/soc/7464900.sdhci/by-name/frp u:object_r:frp_block_device:s0 +/dev/block/platform/soc/7464900.sdhci/by-name/mdm1m9kefs1 u:object_r:efs_boot_dev:s0 +/dev/block/platform/soc/7464900.sdhci/by-name/mdm1m9kefs2 u:object_r:efs_boot_dev:s0 +/dev/block/platform/soc/7464900.sdhci/by-name/mdm1m9kefs3 u:object_r:efs_boot_dev:s0 +/dev/block/platform/soc/7464900.sdhci/by-name/mdm1m9kefsc u:object_r:efs_boot_dev:s0 ################################### # System files diff --git a/sepolicy.mk b/sepolicy.mk new file mode 100644 index 00000000..37168769 --- /dev/null +++ b/sepolicy.mk @@ -0,0 +1,9 @@ +# Board specific SELinux policy variable definitions +BOARD_SEPOLICY_DIRS := \ + $(BOARD_SEPOLICY_DIRS) \ + device/qcom/sepolicy \ + device/qcom/sepolicy/common \ + device/qcom/sepolicy/test \ + device/qcom/sepolicy/$(TARGET_BOARD_PLATFORM) + +-include vendor/cm/sepolicy/qcom/sepolicy.mk diff --git a/test/file_contexts b/test/file_contexts index 9a44684a..9a44684a 100755..100644 --- a/test/file_contexts +++ b/test/file_contexts |