-rw-r--r-- | Android.mk | 21 | ||||
-rw-r--r-- | common/attributes | 3 | ||||
-rw-r--r-- | common/file_contexts | 2 | ||||
-rw-r--r-- | common/gatekeeperd.te | 2 | ||||
-rw-r--r-- | common/iop.te | 3 | ||||
-rw-r--r-- | common/keystore.te | 3 | ||||
-rw-r--r--[-rwxr-xr-x] | common/mdm_helper.te | 0 | ||||
-rw-r--r-- | common/mediaserver.te | 5 | ||||
-rw-r--r-- | common/mm-qcamerad.te | 8 | ||||
-rw-r--r--[-rwxr-xr-x] | common/ssr_diag.te | 0 | ||||
-rw-r--r--[-rwxr-xr-x] | common/subsystem_ramdump.te | 0 | ||||
-rw-r--r-- | common/system_server.te | 2 | ||||
-rw-r--r-- | common/thermal-engine.te | 3 | ||||
-rw-r--r-- | common/untrusted_app.te | 4 | ||||
-rw-r--r-- | common/wcnss_service.te | 2 | ||||
-rw-r--r-- | msm8226/file_contexts | 3 | ||||
-rw-r--r-- | msm8909/file_contexts | 3 | ||||
-rw-r--r-- | msm8916/file_contexts | 1 | ||||
-rwxr-xr-x | msm8960/file_contexts | 39 | ||||
-rw-r--r-- | msm8974/file_contexts | 3 | ||||
-rw-r--r-- | sepolicy.mk | 9 | ||||
-rw-r--r--[-rwxr-xr-x] | test/file_contexts | 0 | ||||
-rw-r--r-- | test/qti-testscripts.te | 4 |
23 files changed, 88 insertions, 32 deletions
@@ -1,11 +1,10 @@ -# Board specific SELinux policy variable definitions -ifeq ($(call is-vendor-board-platform,QCOM),true) -LOCAL_PATH:= $(call my-dir) -BOARD_SEPOLICY_DIRS := \ - $(BOARD_SEPOLICY_DIRS) \ - $(LOCAL_PATH) \ - $(LOCAL_PATH)/common \ - $(LOCAL_PATH)/test \ - $(LOCAL_PATH)/$(TARGET_BOARD_PLATFORM) - -endif +# Don't recurse into the platform makefiles. We don't care about them, and +# we don't want to force a reset of BOARD_SEPOLICY_DIRS +# +# If you want to use these policies, add a +# +# include device/qcom/sepolicy/sepolicy.mk +# +# to your device's BoardConfig. It is highly recommended that in case +# you have your own BOARD_SEPOLICY_DIRS and BOARD_SEPOLICY_UNION declarations, +# the inclusion happens _before_ those lines diff --git a/common/attributes b/common/attributes index 839eaf26..e6f4b443 100644 --- a/common/attributes +++ b/common/attributes @@ -26,4 +26,5 @@ # IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # Domain type used for debugfs access -attribute qti_debugfs_domain; +# (moved to system/sepolicy) +# attribute qti_debugfs_domain; diff --git a/common/file_contexts b/common/file_contexts index fcbffe9e..498ca0de 100644 --- a/common/file_contexts +++ b/common/file_contexts @@ -9,6 +9,7 @@ /dev/mhi_pipe_.* u:object_r:mhi_device:s0 /dev/bhi u:object_r:bhi_device:s0 /dev/msm_.* u:object_r:audio_device:s0 +/dev/i2c-6 u:object_r:audio_device:s0 /dev/wcd-dsp-glink u:object_r:audio_device:s0 /dev/usf1 u:object_r:usf_device:s0 /dev/msm_dsps u:object_r:sensors_device:s0 @@ -306,6 +307,7 @@ /data/rfs.* u:object_r:rfs_file:s0 /data/hlos_rfs(/.*)? u:object_r:rfs_shared_hlos_file:s0 /data/camera(/.*)? u:object_r:camera_socket:s0 +/data/fdAlbum u:object_r:camera_data_file:s0 /data/misc/stargate(/.*)? u:object_r:qfp-daemon_data_file:s0 /data/system/sensors(/.*)? u:object_r:sensors_data_file:s0 /data/time(/.*)? u:object_r:time_data_file:s0 diff --git a/common/gatekeeperd.te b/common/gatekeeperd.te new file mode 100644 index 00000000..00a32af5 
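Review bot: The `attribute qti_debugfs_domain;` declaration in common/attributes is left as a commented-out line rather than deleted, and the same is done with the `type qti-testscripts, ...` line in test/qti-testscripts.te. Both now rely on a declaration in system/sepolicy that this diff does not show, while `permissive qti-testscripts;` and `domain_trans(init, shell_exec, qti-testscripts)` still reference the type. I would delete the dead lines and keep a single comment that names where the declaration lives, for example `# qti_debugfs_domain is declared in system/sepolicy`. The hunk begins inside the file's license header, so the rest of the file is not visible here.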
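Review bot: `/dev/i2c-6 u:object_r:audio_device:s0` is added to common/file_contexts, so I2C bus 6 is labelled as an audio device on every platform that pulls in this directory, although bus numbering is normally board specific. Every domain that already has access to `audio_device` character devices would then reach the whole bus and anything else attached to it on a given board. Consider moving the entry to the file_contexts of the platform that needs it, with a comment naming the codec behind that bus.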
--- /dev/null +++ b/common/gatekeeperd.te @@ -0,0 +1,2 @@ +# allow gatekeeperd to open firmware images (ex. kmota) +r_dir_file(gatekeeperd, firmware_file) diff --git a/common/iop.te b/common/iop.te index 20ff39fc..87087116 100644 --- a/common/iop.te +++ b/common/iop.te @@ -41,7 +41,8 @@ r_dir_file( dumpstate, appdomain ); r_dir_file( dumpstate, apk_data_file ); #Create a socket for receiving info from IOP -allow dumpstate iop_socket:sock_file rw_file_perms; +type_transition dumpstate iop_data_file:sock_file iop_socket "iop"; +allow dumpstate iop_socket:sock_file { create_file_perms unlink }; #default_values file allow dumpstate iop_data_file:dir rw_dir_perms; diff --git a/common/keystore.te b/common/keystore.te index 524fc3f4..0a825c1f 100644 --- a/common/keystore.te +++ b/common/keystore.te @@ -1,2 +1,5 @@ # Allow keystore to operate using qseecom_device allow keystore tee_device:chr_file rw_file_perms; + +# Allow keystore to search and get keymaste.mdt +r_dir_file(keystore, firmware_file) diff --git a/common/mdm_helper.te b/common/mdm_helper.te index bbbc3e51..bbbc3e51 100755..100644 --- a/common/mdm_helper.te +++ b/common/mdm_helper.te diff --git a/common/mediaserver.te b/common/mediaserver.te index 07d8494e..10c05aa5 100644 --- a/common/mediaserver.te +++ b/common/mediaserver.te @@ -58,6 +58,7 @@ binder_call(mediaserver, poweroffhandler); allow mediaserver mpctl_socket:dir r_dir_perms; unix_socket_send(mediaserver, mpctl, mpdecision) unix_socket_connect(mediaserver, mpctl, mpdecision) +unix_socket_connect(mediaserver, thermal, thermal-engine) # access to perflock allow mediaserver mpctl_socket:dir r_dir_perms; @@ -98,3 +99,7 @@ allow mediaserver surfaceflinger:unix_stream_socket rw_socket_perms; # DOLBY_START set_prop(mediaserver, dolby_prop) # DOLBY_END + +# Allow mediaserver to search and get the widevine, playready firmwares +allow mediaserver firmware_file:dir search; +allow mediaserver firmware_file:file { read getattr open }; 
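Review bot: `r_dir_file(gatekeeperd, firmware_file)` grants directory listing plus read on every file and symlink labelled `firmware_file`, which is wider than the search-and-open set this commit gives mediaserver for the same type. The same macro call is added for keystore in common/keystore.te, where the comment also misspells the image name as `keymaste.mdt`. If both daemons only open known image names, `allow gatekeeperd firmware_file:dir search;` and `allow gatekeeperd firmware_file:file { read getattr open };` would do. Since `firmware_file` appears to be one shared label for all firmware images, three more domains (one of which parses untrusted media) can now read all of them; a dedicated type for the trusted-application images would scope this better.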
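Review bot: `unlink` is redundant in `allow dumpstate iop_socket:sock_file { create_file_perms unlink };`, because `create_file_perms` already contains it along with `rename` and `setattr`. For a socket that one daemon creates and removes, a narrower set such as `{ create unlink write }` (the set mm-qcamerad uses for its sockets in this commit) may be enough; if the wide set is intended, `allow dumpstate iop_socket:sock_file create_file_perms;` says the same thing. The named transition relies on the `iop_data_file:dir rw_dir_perms` rule visible as context just below it.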
diff --git a/common/mm-qcamerad.te b/common/mm-qcamerad.te index d5d2be68..eb11d73b 100644 --- a/common/mm-qcamerad.te +++ b/common/mm-qcamerad.te @@ -16,11 +16,13 @@ userdebug_or_eng(` allow mm-qcamerad camera_data_file:file create_file_perms; # mm-qcamerad needs to set persist.camera. property - allow mm-qcamerad camera_prop:property_service set; + set_prop(mm-qcamerad, camera_prop) ') #Communicate with user land process through domain socket +type_transition mm-qcamerad system_data_file:sock_file camera_socket "cam_socket1"; +type_transition mm-qcamerad system_data_file:sock_file camera_socket "cam_socket2"; allow mm-qcamerad camera_socket:sock_file { create unlink write }; allow mm-qcamerad camera_socket:dir w_dir_perms; unix_socket_connect(mm-qcamerad, sensors, sensors) @@ -69,3 +71,7 @@ binder_call(mm-qcamerad, mmi); allow mm-qcamerad input_device:dir r_dir_perms; allow mm-qcamerad input_device:chr_file r_file_perms; allow mm-qcamerad sysfs:file rw_file_perms; + +# /data/fdAlbum +type_transition mm-qcamerad system_data_file:file camera_data_file "fdAlbum"; +allow mm-qcamerad camera_data_file:file create_file_perms; diff --git a/common/ssr_diag.te b/common/ssr_diag.te index f04ab537..f04ab537 100755..100644 --- a/common/ssr_diag.te +++ b/common/ssr_diag.te diff --git a/common/subsystem_ramdump.te b/common/subsystem_ramdump.te index c58fd187..c58fd187 100755..100644 --- a/common/subsystem_ramdump.te +++ b/common/subsystem_ramdump.te diff --git a/common/system_server.te b/common/system_server.te index 0081be89..f77d8a71 100644 --- a/common/system_server.te +++ b/common/system_server.te @@ -47,6 +47,8 @@ allow system_server { # required for ANT App to connectto wcnss_filter sockets allow system_server bluetooth:unix_stream_socket connectto; # access to iop +allow system_server iop_socket:dir r_dir_perms; +allow system_server iop_data_file:dir r_dir_perms; unix_socket_send(system_server, iop, dumpstate) unix_socket_connect(system_server, iop, dumpstate) 
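Review bot: The two named transitions use `system_data_file` as the parent directory type, but common/file_contexts labels `/data/camera(/.*)?` as `camera_socket` and this file grants `camera_socket:dir w_dir_perms`. If cam_socket1 and cam_socket2 are created inside /data/camera, the parent type is already `camera_socket` and these transitions never fire; if they are created in a `system_data_file` directory, the hunk shows no `system_data_file:dir` write rule that would let the create succeed. A comment stating which directory the sockets live in would settle which case applies. The `userdebug_or_eng` block at the top of the hunk starts outside it.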
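Review bot: The added `allow mm-qcamerad camera_data_file:file create_file_perms;` repeats a rule that the first hunk of this file shows inside `userdebug_or_eng(...)`, so file creation that was limited to debug builds is now granted on user builds as well. If that is intended for /data/fdAlbum, the copy in the debug block is redundant and can be dropped; if not, the new rule belongs in that block. The transition also implies that mm-qcamerad creates a file directly in a `system_data_file` directory (the top of /data, going by the `/data/fdAlbum` entry in common/file_contexts), and no matching directory write rule is visible in this hunk.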
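Review bot: `allow system_server iop_socket:dir r_dir_perms;` targets directories of type `iop_socket`, yet the iop.te hunk in this commit creates the socket inside an `iop_data_file` directory and uses `iop_socket` only for the `sock_file`. Unless some directory is labelled `iop_socket` elsewhere, that rule matches nothing and can be dropped. For the remaining rule, connecting through the directory needs only `search`, so `allow system_server iop_data_file:dir search;` would be the tighter form if system_server does not list the directory. The hunk opens in the middle of an `allow system_server {` statement that starts outside it.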
diff --git a/common/thermal-engine.te b/common/thermal-engine.te index b347958f..33a0efed 100644 --- a/common/thermal-engine.te +++ b/common/thermal-engine.te @@ -49,6 +49,9 @@ unix_socket_connect(thermal-engine, mpctl, mpdecision) #This is to allow access to uio device allow thermal-engine uio_device:chr_file rw_file_perms; +#Label the thermal sockets correctly +type_transition thermal-engine socket_device:sock_file thermal_socket; + userdebug_or_eng(` diag_use(thermal-engine) ') diff --git a/common/untrusted_app.te b/common/untrusted_app.te index 8f6d10b7..32e1f5db 100644 --- a/common/untrusted_app.te +++ b/common/untrusted_app.te @@ -5,6 +5,10 @@ unix_socket_connect(untrusted_app, mpctl, mpdecision) # diag device node access is restricted to untrusted_app neverallow untrusted_app diag_device:chr_file rw_file_perms; +# allow apps to read battery status +allow untrusted_app sysfs_battery_supply:dir r_dir_perms; +allow untrusted_app sysfs_battery_supply:file r_file_perms; + # test apps needs to communicate with imscm # using binder call userdebug_or_eng(` diff --git a/common/wcnss_service.te b/common/wcnss_service.te index 05b31d40..9f18d044 100644 --- a/common/wcnss_service.te +++ b/common/wcnss_service.te @@ -14,7 +14,6 @@ allow wcnss_service wifi_data_file:file create_file_perms; allow wcnss_service system_prop:property_service set; allow wcnss_service persist_file:dir r_dir_perms; -qmux_socket(wcnss_service); allow wcnss_service self:socket create_socket_perms; allow wcnss_service smem_log_device:chr_file rw_file_perms; @@ -32,6 +31,7 @@ allow wcnss_service self:netlink_generic_socket create_socket_perms; allow wcnss_service firmware_file:dir r_dir_perms; allow wcnss_service firmware_file:file r_file_perms; allow wcnss_service sysfs:file w_file_perms; +allow wcnss_service storage_file:dir search; # allow access to netd unix_socket_connect(wcnss_service, netd, netd) diff --git a/msm8226/file_contexts b/msm8226/file_contexts index 89dd1840..83dc7578 100644 
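Review bot: The new `type_transition thermal-engine socket_device:sock_file thermal_socket;` has no name component, so any socket file thermal-engine creates in a `socket_device` directory becomes `thermal_socket`. The other transitions added in this commit (iop.te, mm-qcamerad.te) are name-scoped; doing the same here, one `type_transition thermal-engine socket_device:sock_file thermal_socket "<socket-name>";` per socket with the real name in place of the placeholder, keeps the label tied to the sockets mediaserver is now allowed to connect to. No `thermal_socket:sock_file` create rule for thermal-engine is visible in the hunk, so it presumably exists elsewhere in the file.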
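Review bot: The two `sysfs_battery_supply` rules give every third-party app direct read access to everything carrying that label, on all build variants. Battery level and charging state are already available to apps through the framework, and raw power-supply nodes typically expose finer-grained values (current, voltage, temperature) that are useful for device fingerprinting and power side channels. If one specific app needs this, a rule for that app's domain, or placement inside the `userdebug_or_eng` block that follows, would be narrower; at minimum the comment should name the consumer.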
--- a/msm8226/file_contexts +++ b/msm8226/file_contexts @@ -27,6 +27,8 @@ ################################### # Primary storage device nodes # +/dev/block/platform/msm_sdcc\.1/by-name/boot u:object_r:boot_block_device:s0 +/dev/block/platform/msm_sdcc\.1/by-name/recovery u:object_r:recovery_block_device:s0 /dev/block/platform/msm_sdcc\.1/by-name/fsg u:object_r:modem_efs_partition_device:s0 /dev/block/platform/msm_sdcc\.1/by-name/fsc u:object_r:modem_efs_partition_device:s0 /dev/block/platform/msm_sdcc\.1/by-name/modemst1 u:object_r:modem_efs_partition_device:s0 @@ -35,5 +37,6 @@ /dev/block/platform/msm_sdcc\.1/by-name/misc u:object_r:misc_block_device:s0 /dev/block/platform/msm_sdcc\.1/by-name/userdata u:object_r:userdata_block_device:s0 /dev/block/platform/msm_sdcc\.1/by-name/logdump u:object_r:logdump_partition:s0 +/dev/block/platform/msm_sdcc\.1/by-name/cache u:object_r:cache_block_device:s0 /dev/block/mmcblk0 u:object_r:root_block_device:s0 /dev/block/mmcblk0rpmb u:object_r:rpmb_device:s0 diff --git a/msm8909/file_contexts b/msm8909/file_contexts index 642cfb5a..bbebd72c 100644 --- a/msm8909/file_contexts +++ b/msm8909/file_contexts @@ -27,6 +27,8 @@ ################################### # Primary storage device nodes # +/dev/block/platform/soc.0/7824900.sdhci/by-name/boot u:object_r:boot_block_device:s0 +/dev/block/platform/soc.0/7824900.sdhci/by-name/recovery u:object_r:recovery_block_device:s0 /dev/block/platform/soc.0/7824900.sdhci/by-name/fsg u:object_r:modem_efs_partition_device:s0 /dev/block/platform/soc.0/7824900.sdhci/by-name/fsc u:object_r:modem_efs_partition_device:s0 /dev/block/platform/soc.0/7824900.sdhci/by-name/modemst1 u:object_r:modem_efs_partition_device:s0 
@@ -35,6 +37,7 @@ /dev/block/platform/soc.0/7824900.sdhci/by-name/misc u:object_r:misc_block_device:s0 /dev/block/platform/soc.0/7824900.sdhci/by-name/userdata u:object_r:userdata_block_device:s0 /dev/block/platform/soc.0/7824900.sdhci/by-name/logdump u:object_r:logdump_partition:s0 +/dev/block/platform/soc.0/7824900.sdhci/by-name/cache u:object_r:cache_block_device:s0 /dev/block/platform/soc.0/7824900.sdhci/by-name/config u:object_r:frp_block_device:s0 /dev/block/mmcblk0 u:object_r:root_block_device:s0 /dev/block/mmcblk0rpmb u:object_r:rpmb_device:s0 diff --git a/msm8916/file_contexts b/msm8916/file_contexts index c59fe8fb..c6835dda 100644 --- a/msm8916/file_contexts +++ b/msm8916/file_contexts @@ -39,6 +39,7 @@ /dev/block/platform/soc.0/7824900.sdhci/by-name/config u:object_r:frp_block_device:s0 /dev/block/mmcblk0 u:object_r:root_block_device:s0 /dev/block/mmcblk0rpmb u:object_r:rpmb_device:s0 +/dev/block/platform/soc.0/7824900.sdhci/by-name/frp u:object_r:frp_block_device:s0 /dev/block/platform/soc.0/7824900.sdhci/by-name/boot u:object_r:boot_block_device:s0 /dev/block/platform/soc.0/7824900.sdhci/by-name/recovery u:object_r:recovery_block_device:s0 /dev/block/platform/soc.0/7824900.sdhci/by-name/system u:object_r:system_block_device:s0 diff --git a/msm8960/file_contexts b/msm8960/file_contexts index e59fdad6..d1f3d66b 100755 --- a/msm8960/file_contexts +++ b/msm8960/file_contexts 
@@ -5,22 +5,30 @@ /dev/msm_rotator u:object_r:graphics_device:s0 /dev/mdp_arb u:object_r:graphics_device:s0 /dev/mdm u:object_r:mdm_device:s0 -/dev/block/bootdevice/by-name/m9kefs1 u:object_r:efs_boot_dev:s0 -/dev/block/bootdevice/by-name/m9kefs2 u:object_r:efs_boot_dev:s0 -/dev/block/bootdevice/by-name/m9kefs3 u:object_r:efs_boot_dev:s0 -/dev/block/bootdevice/by-name/m9kefsc u:object_r:efs_boot_dev:s0 -/dev/gss u:object_r:gss_device:s0 -/dev/block/platform/msm_sdcc.1/by-name/fsg u:object_r:modem_efs_partition_device:s0 -/dev/block/platform/msm_sdcc.1/by-name/modemst1 u:object_r:modem_efs_partition_device:s0 -/dev/block/platform/msm_sdcc.1/by-name/modemst2 u:object_r:modem_efs_partition_device:s0 -/dev/block/platform/msm_sdcc.1/by-name/ssd u:object_r:ssd_device:s0 -/dev/block/platform/msm_sdcc.1/by-name/boot u:object_r:boot_block_device:s0 -/dev/block/platform/msm_sdcc.1/by-name/recovery u:object_r:recovery_block_device:s0 -/dev/block/platform/msm_sdcc.1/by-name/cache u:object_r:cache_block_device:s0 -/dev/block/platform/msm_sdcc.1/by-name/system u:object_r:system_block_device:s0 -/dev/block/platform/msm_sdcc.1/by-name/logdump u:object_r:logdump_partition:s0 -/dev/block/mmcblk0 u:object_r:root_block_device:s0 /dev/socket/mpdecision u:object_r:mpdecision_socket:s0 + +################################### +# Block devices +# +/dev/block/mmcblk0 u:object_r:root_block_device:s0 +/dev/block/mmcblk0rpmb u:object_r:rpmb_device:s0 +/dev/block/platform/msm_sdcc\.1/by-name/boot u:object_r:boot_block_device:s0 +/dev/block/platform/msm_sdcc\.1/by-name/cache u:object_r:cache_block_device:s0 +/dev/block/platform/msm_sdcc\.1/by-name/fsg u:object_r:modem_efs_partition_device:s0 +/dev/block/platform/msm_sdcc\.1/by-name/fsc u:object_r:modem_efs_partition_device:s0 +/dev/block/platform/msm_sdcc\.1/by-name/logdump u:object_r:logdump_partition:s0 +/dev/block/platform/msm_sdcc\.1/by-name/m9kefs1 u:object_r:efs_boot_dev:s0 +/dev/block/platform/msm_sdcc\.1/by-name/m9kefs2 
u:object_r:efs_boot_dev:s0 +/dev/block/platform/msm_sdcc\.1/by-name/m9kefs3 u:object_r:efs_boot_dev:s0 +/dev/block/platform/msm_sdcc\.1/by-name/m9kefsc u:object_r:efs_boot_dev:s0 +/dev/block/platform/msm_sdcc\.1/by-name/misc u:object_r:misc_block_device:s0 +/dev/block/platform/msm_sdcc\.1/by-name/modemst1 u:object_r:modem_efs_partition_device:s0 +/dev/block/platform/msm_sdcc\.1/by-name/modemst2 u:object_r:modem_efs_partition_device:s0 +/dev/block/platform/msm_sdcc\.1/by-name/recovery u:object_r:recovery_block_device:s0 +/dev/block/platform/msm_sdcc\.1/by-name/ssd u:object_r:ssd_device:s0 +/dev/block/platform/msm_sdcc\.1/by-name/system u:object_r:system_block_device:s0 +/dev/block/platform/msm_sdcc\.1/by-name/userdata u:object_r:userdata_block_device:s0 + ################################### # System files # @@ -28,7 +36,6 @@ /system/bin/thermal-engine u:object_r:thermal-engine_exec:s0 /system/bin/qcks u:object_r:mdm_helper_exec:s0 /system/bin/efks u:object_r:mdm_helper_exec:s0 -/system/bin/DR_AP_Service u:object_r:location_exec:s0 ################################### # Data files diff --git a/msm8974/file_contexts b/msm8974/file_contexts index 4de2687e..48d10ef4 100644 --- a/msm8974/file_contexts +++ b/msm8974/file_contexts @@ -27,6 +27,8 @@ ################################### # Primary storage device nodes # +/dev/block/platform/msm_sdcc\.1/by-name/boot u:object_r:boot_block_device:s0 +/dev/block/platform/msm_sdcc\.1/by-name/recovery u:object_r:recovery_block_device:s0 /dev/block/platform/msm_sdcc\.1/by-name/fsg u:object_r:modem_efs_partition_device:s0 /dev/block/platform/msm_sdcc\.1/by-name/fsc u:object_r:modem_efs_partition_device:s0 /dev/block/platform/msm_sdcc\.1/by-name/modemst1 u:object_r:modem_efs_partition_device:s0 
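Review bot: The rewritten block in msm8960/file_contexts drops the `/dev/gss u:object_r:gss_device:s0` entry and the `/dev/block/bootdevice/by-name/m9kefs*` paths without replacements for those exact paths. If the node or the bootdevice symlinks still exist on msm8960 targets, they fall back to whatever broader pattern matches, and rules written against `gss_device` or `efs_boot_dev` stop applying to them. It is worth confirming that this is intended and saying so in the commit message. The file also keeps mode 100755 according to its `index` line, while this commit resets other policy files to 100644.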
@@ -35,5 +37,6 @@ /dev/block/platform/msm_sdcc\.1/by-name/misc u:object_r:misc_block_device:s0 /dev/block/platform/msm_sdcc\.1/by-name/userdata u:object_r:userdata_block_device:s0 /dev/block/platform/msm_sdcc\.1/by-name/logdump u:object_r:logdump_partition:s0 +/dev/block/platform/msm_sdcc\.1/by-name/cache u:object_r:cache_block_device:s0 /dev/block/mmcblk0 u:object_r:root_block_device:s0 /dev/block/mmcblk0rpmb u:object_r:rpmb_device:s0 diff --git a/sepolicy.mk b/sepolicy.mk new file mode 100644 index 00000000..37168769 --- /dev/null +++ b/sepolicy.mk @@ -0,0 +1,9 @@ +# Board specific SELinux policy variable definitions +BOARD_SEPOLICY_DIRS := \ + $(BOARD_SEPOLICY_DIRS) \ + device/qcom/sepolicy \ + device/qcom/sepolicy/common \ + device/qcom/sepolicy/test \ + device/qcom/sepolicy/$(TARGET_BOARD_PLATFORM) + +-include vendor/cm/sepolicy/qcom/sepolicy.mk diff --git a/test/file_contexts b/test/file_contexts index 9a44684a..9a44684a 100755..100644 --- a/test/file_contexts +++ b/test/file_contexts diff --git a/test/qti-testscripts.te b/test/qti-testscripts.te index 4d3eadfd..d8f20eab 100644 --- a/test/qti-testscripts.te +++ b/test/qti-testscripts.te @@ -26,7 +26,9 @@ # IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. userdebug_or_eng(` - type qti-testscripts, domain, domain_deprecated, mlstrustedsubject; + # forward declaration is done in system/sepolicy to avoid neverallow issues + + # type qti-testscripts, domain, domain_deprecated, mlstrustedsubject; permissive qti-testscripts; domain_trans(init, shell_exec, qti-testscripts) |
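Review bot: `device/qcom/sepolicy/test` is appended to `BOARD_SEPOLICY_DIRS` for every build variant in the new sepolicy.mk, so the test directory's file_contexts and policy are compiled into user builds too. The visible part of test/qti-testscripts.te wraps its rules in `userdebug_or_eng`, but nothing in this diff shows that test/file_contexts is guarded the same way. If the test policy is meant for debug builds only, move that entry out of the list and add it under `ifneq ($(TARGET_BUILD_VARIANT),user)` as `BOARD_SEPOLICY_DIRS += device/qcom/sepolicy/test`, closed by `endif`. The trailing `-include vendor/cm/sepolicy/qcom/sepolicy.mk` also deserves a comment saying it is optional, since a tree without that file builds a different policy with no message.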