Diffstat (limited to 'common')
-rw-r--r-- | common/app.te | 3 | ||||
-rw-r--r-- | common/dpmd.te | 38 | ||||
-rw-r--r-- | common/file.te | 3 | ||||
-rwxr-xr-x | common/file_contexts | 1 | ||||
-rw-r--r-- | common/init.te | 4 | ||||
-rw-r--r-- | common/radio.te | 3 | ||||
-rw-r--r-- | common/system_server.te | 8 | ||||
-rw-r--r-- | common/untrusted_app.te | 5 |
8 files changed, 28 insertions, 37 deletions
diff --git a/common/app.te b/common/app.te
index 2714ae2d..ac49f975 100644
--- a/common/app.te
+++ b/common/app.te
@@ -1,6 +1,9 @@
 # allow application to access cnd domain and socket
 unix_socket_connect(appdomain, cnd, cnd)
+# allow application to access dpmd domain and socket
+unix_socket_connect(appdomain, dpmwrapper, dpmd)
+
 unix_socket_connect(appdomain, qlogd, qlogd)
 #Allow all apps to open and send ioctl to qdsp device
 allow appdomain qdsp_device:chr_file r_file_perms;
diff --git a/common/dpmd.te b/common/dpmd.te
index 683e22e1..a393a89e 100644
--- a/common/dpmd.te
+++ b/common/dpmd.te
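Review bot: The new `unix_socket_connect(appdomain, dpmwrapper, dpmd)` grants every domain carrying the appdomain attribute a connect to dpmd, where the rules deleted in untrusted_app.te in this same commit granted it to untrusted_app only, so this is a widening rather than a move; if isolated_app carries appdomain in this tree it is included as well. If only some app types need the wrapper, restrict the rule to those domains; otherwise the comment should state the intent, e.g. `# allow all apps (appdomain) to connect to dpmd through the dpmwrapper socket`. The comment as written says "dpmd domain and socket" while the socket type being opened is dpmwrapper_socket, which will confuse the next reader of file_contexts.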
@@ -1,44 +1,38 @@
 #dpmd as domain
 type dpmd, domain;
 type dpmd_exec, exec_type, file_type;
-
-#file_type_auto_trans(dpmd, socket_device, dpmd_socket);
+file_type_auto_trans(dpmd, socket_device, dpmwrapper_socket);
 init_daemon_domain(dpmd)
-type_transition dpmd system_data_file:{ file } dpmd_data_file;
-
+net_domain(dpmd)
 allow dpmd dpmd_exec:file execute_no_trans;
-#allow dpmd to access diag service
-userdebug_or_eng(`
- allow dpmd diag_device:chr_file { read write ioctl open };
-')
-allow dpmd dpmd_data_file:file { read lock getattr open setattr execute };
+#allow dpmd to access dpm_data_file
+allow dpmd dpmd_data_file:file create_file_perms;
+allow dpmd dpmd_data_file:dir create_dir_perms;
 #allow dpmd to access qmux radio socket
 qmux_socket(dpmd);
 #self capability
-allow dpmd self:capability net_raw;
-allow dpmd self:capability { chown fsetid dac_override };
-allow dpmd self:netlink_route_socket { create read write bind create nlmsg_read };
-allow dpmd sysfs_wake_lock:file { open append };
-allow dpmd self:capability net_admin;
-allow dpmd self:rawip_socket { getopt create setopt };
+allow dpmd sysfs_wake_lock:file rw_file_perms;
 allow dpmd self:socket rw_socket_perms;
 allow dpmd self:netlink_socket rw_socket_perms;
+allow dpmd self:capability { setuid setgid dac_override net_raw chown fsetid net_admin sys_module };
-#socket
-allow dpmd self:udp_socket { ioctl create getopt };
-allow dpmd smem_log_device:chr_file { read write ioctl open };
-allow dpmd init:unix_stream_socket connectto;
-
-#llow dpmd to set system property
-allow dpmd property_socket:sock_file write;
+#socket, self
+allow dpmd smem_log_device:chr_file rw_file_perms;
+unix_socket_connect(dpmd, property, init)
 allow dpmd self:capability2 block_suspend;
 allow dpmd system_prop:property_service set;
+allow dpmd ctl_default_prop:property_service set;
+#misc.
 allow dpmd shell_exec:file { read execute open execute_no_trans };
 allow dpmd system_file:file execute_no_trans;
 #kernel
 allow dpmd kernel:system module_request;
+
+#appdomain
+allow dpmd appdomain:fd use;
+allow dpmd appdomain:tcp_socket { read write getopt };
diff --git a/common/file.te b/common/file.te
index 622f6d8f..1e5e53a4 100644
--- a/common/file.te
+++ b/common/file.te
@@ -13,7 +13,8 @@ type cnd_data_file, file_type;
 # Define dpmd data file type
 type dpmd_socket, file_type;
-type dpmd_data_file, data_file_type;
+type dpmwrapper_socket, file_type;
+type dpmd_data_file, file_type, data_file_type;
 #Define the timeout for platform specific transports
 type sysfs_hsic_modem_wait, sysfs_type, fs_type;
diff --git a/common/file_contexts b/common/file_contexts
index 02167aa4..74356dfb 100755
--- a/common/file_contexts
+++ b/common/file_contexts
@@ -73,6 +73,7 @@
 /dev/socket/qlogd u:object_r:qlogd_socket:s0
 /dev/socket/ipacm_log_file u:object_r:ipacm_socket:s0
 /dev/socket/dpmd u:object_r:dpmd_socket:s0
+/dev/socket/dpmwrapper u:object_r:dpmwrapper_socket:s0
 /dev/socket/pps u:object_r:pps_socket:s0
 /dev/socket/rild2 u:object_r:rild_socket:s0
 /dev/socket/rild2-debug u:object_r:rild_debug_socket:s0
diff --git a/common/init.te b/common/init.te
index c31af56f..baf1f769 100644
--- a/common/init.te
+++ b/common/init.te
@@ -1,8 +1,4 @@
 # Adding allow rule for search on /fuse
 allow init fuse:dir search;
-
-#allow dpmd to read, write on data file
-allow init dpmd_data_file:dir { read open setattr };
-
 allow init self:capability sys_module;
 allow init fuse:dir mounton;
diff --git a/common/radio.te b/common/radio.te
index b7f248ca..c117da17 100644
--- a/common/radio.te
+++ b/common/radio.te
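Review bot: The consolidated rule `allow dpmd self:capability { setuid setgid dac_override net_raw chown fsetid net_admin sys_module };` adds sys_module, setuid and setgid, none of which the removed capability rules granted; sys_module lets the daemon load kernel modules itself, while the unchanged context line `allow dpmd kernel:system module_request;` already covers the normal path of asking the kernel to load one, so sys_module looks unnecessary unless the daemon really calls init_module. If setuid/setgid are there so the daemon can drop privileges after start, a comment saying so next to the rule would justify them. `allow dpmd ctl_default_prop:property_service set;` also lets dpmd start and stop init services through ctl.* properties, which deserves a comment naming the service it controls. The comment `#allow dpmd to access dpm_data_file` names a type that does not exist in this policy; the rules below it use dpmd_data_file.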
@@ -5,3 +5,6 @@ allow radio ims_socket:sock_file write;
 #Need permission to execute com.qualcomm.qti.telephony/app_dex/xx
 allow radio radio_data_file:file execute;
 allow radio shell_data_file:dir search;
+
+#Need permission to execute dpmd talk to radio layer
+unix_socket_connect(radio, dpmd, dpmd)
diff --git a/common/system_server.te b/common/system_server.te
index 07b302f1..9a1c7db5 100644
--- a/common/system_server.te
+++ b/common/system_server.te
@@ -18,15 +18,13 @@ unix_socket_send(system_server, mpctl, mpdecision)
 unix_socket_connect(system_server, mpctl, mpdecision)
 # allow system/framework applications to update the dpmd configuration files
-#allow system_server dpmd:unix_stream_socket connectto;
 unix_socket_connect(system_server, dpmd, dpmd);
 allow system_server dpmd_socket:sock_file write;
-#allow system_server dpmd_data_file:dir { write read getattr open add_name };
-allow system_server dpmd_data_file:dir rw_dir_perms;
-#allow system_server dpmd_data_file:file { write getattr setattr read lock create open };
-allow system_server dpmd_data_file:file rw_file_perms;
+allow system_server dpmd_data_file:dir create_dir_perms;
 allow system_server dpmservice:service_manager add;
+allow system_server dpmd_data_file:file create_file_perms;
 allow system_server socket_device:sock_file write;
+
 unix_socket_send(system_server, mpctl, perfd)
 unix_socket_connect(system_server, mpctl, perfd)
diff --git a/common/untrusted_app.te b/common/untrusted_app.te
index bce77b0e..17857e6c 100644
--- a/common/untrusted_app.te
+++ b/common/untrusted_app.te
@@ -1,8 +1,3 @@
-allow dpmd untrusted_app:fd use;
-allow dpmd untrusted_app:tcp_socket { read write };
-allow untrusted_app dpmd:unix_stream_socket connectto;
-allow untrusted_app dpmd_socket:sock_file write;
-
 # access to perflock
 allow untrusted_app mpctl_socket:dir r_dir_perms;
 unix_socket_send(untrusted_app, mpctl, perfd)
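Review bot: The new comment `#Need permission to execute dpmd talk to radio layer` does not read as a sentence and does not say what is granted to whom; `#Allow radio to connect to the dpmd socket` would match the `unix_socket_connect(radio, dpmd, dpmd)` rule below it. If this is the AOSP macro, it also grants radio write on dpmd_socket:sock_file, so naming the socket in the comment helps anyone auditing who can reach dpmd.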
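Review bot: The added `allow system_server dpmd_data_file:file create_file_perms;` is placed after the unrelated dpmservice rule while its sibling `allow system_server dpmd_data_file:dir create_dir_perms;` and the explanatory comment sit three lines above; moving the file rule directly under the dir rule keeps the whole dpmd_data_file grant in one place. Both rules also widen system_server from rw_*_perms to create_*_perms (create, unlink, rename, setattr and the like), which is more than "update the dpmd configuration files" suggests; either adjust the comment to say system_server creates and removes these files, or keep rw perms where creation is not actually needed.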