Diffstat (limited to 'common')
-rw-r--r-- | common/bluetooth.te | 1 | ||||
-rw-r--r-- | common/mediaserver.te | 2 | ||||
-rw-r--r-- | common/netmgrd.te | 7 | ||||
-rw-r--r-- | common/system_app.te | 1 | ||||
-rw-r--r-- | common/untrusted_app.te | 7 |
5 files changed, 15 insertions, 3 deletions
diff --git a/common/bluetooth.te b/common/bluetooth.te
index 76045285..4f1d579b 100644
--- a/common/bluetooth.te
+++ b/common/bluetooth.te
@@ -15,7 +15,6 @@ allow bluetooth input_device:chr_file { open read write ioctl };
 allow bluetooth persist_file:dir search;
 allow bluetooth persist_file:file rw_file_perms;
-allow bluetooth wpa:unix_stream_socket connectto;
 #For ANT tty communication and to set wc_transport prop
 allow system_server bluetooth_prop:property_service set;
diff --git a/common/mediaserver.te b/common/mediaserver.te
index 241bc15f..dbd59da8 100644
--- a/common/mediaserver.te
+++ b/common/mediaserver.te
@@ -20,7 +20,7 @@ userdebug_or_eng(`
 allow mediaserver sysfs_esoc:dir r_dir_perms;
 allow mediaserver sysfs_esoc:lnk_file read;
-
+allow mediaserver system_app_data_file:file rw_file_perms;
 # access to perflock
 allow mediaserver mpctl_socket:dir r_dir_perms;
 unix_socket_send(mediaserver, mpctl, mpdecision)
diff --git a/common/netmgrd.te b/common/netmgrd.te
index 35ad1daa..51d39a2d 100644
--- a/common/netmgrd.te
+++ b/common/netmgrd.te
@@ -23,13 +23,15 @@ allow netmgrd smem_log_device:chr_file { rw_file_perms };
 #Allow operations on different types of sockets
 allow netmgrd netmgrd:rawip_socket { create getopt setopt write };
-allow netmgrd netmgrd:netlink_xfrm_socket { create bind };
+allow netmgrd netmgrd:netlink_xfrm_socket { create_socket_perms nlmsg_write nlmsg_read };
 allow netmgrd netmgrd:netlink_socket { write read create bind };
 allow netmgrd netmgrd:socket { create ioctl };
 allow netmgrd netmgrd:netlink_route_socket { setopt getattr write nlmsg_write };
 allow netmgrd init:unix_stream_socket { connectto };
 allow netmgrd property_socket:sock_file write;
+unix_socket_connect(netmgrd, cnd, cnd);
+
 qmux_socket(netmgrd);
 #Allow writing of ipv6 network properties
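Review bot: In common/mediaserver.te the new `allow mediaserver system_app_data_file:file rw_file_perms;` lets mediaserver open, read and write every file labelled system_app_data_file, and nothing in the hunk says why. It replaces the blank line above `# access to perflock`, so it now reads as part of that unrelated block. If the need is only to use descriptors that a system app hands over, the rule can drop open: `allow mediaserver system_app_data_file:file { read write getattr };`, with a comment naming the caller. mediaserver parses untrusted media, so its rights on system-app data are worth keeping as narrow as the use case allows.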
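Review bot: In the first common/netmgrd.te hunk the netlink_xfrm_socket rule grows from `{ create bind }` to `{ create_socket_perms nlmsg_write nlmsg_read }` without a comment, and `nlmsg_write` is the permission that lets the domain change kernel IPsec state and policy over that socket. I would list only the permissions netmgrd actually exercises instead of the whole `create_socket_perms` set, and put a line such as `# netmgrd manages IPsec SAs for <feature>` above it (placeholder; the hunk does not show the use case). The added `unix_socket_connect(netmgrd, cnd, cnd);` sits under the socket-types comment with no explanation of its own either.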
@@ -49,6 +51,9 @@ allow netmgrd sysfs_esoc:dir r_dir_perms;
 #Allow communication with netd
 allow netmgrd netd_socket:sock_file write;
+allow netmgrd net_data_file:file r_file_perms;
+allow netmgrd wpa_exec:file rx_file_perms;
+allow netmgrd net_data_file:dir r_dir_perms;
 #Allow nemtgrd to use esoc api's to determine target
 allow netmgrd shell_exec:file { execute r_file_perms execute_no_trans };
diff --git a/common/system_app.te b/common/system_app.te
index 4e2c5f02..7844edfb 100644
--- a/common/system_app.te
+++ b/common/system_app.te
@@ -21,3 +21,4 @@ userdebug_or_eng(`
 ')
 allow system_app cnd_data_file:dir w_dir_perms;
 allow system_app cnd_data_file:file create_file_perms;
+allow system_app bluetooth:unix_stream_socket ioctl;
diff --git a/common/untrusted_app.te b/common/untrusted_app.te
index 4968a679..bce77b0e 100644
--- a/common/untrusted_app.te
+++ b/common/untrusted_app.te
@@ -2,3 +2,10 @@ allow dpmd untrusted_app:fd use;
 allow dpmd untrusted_app:tcp_socket { read write };
 allow untrusted_app dpmd:unix_stream_socket connectto;
 allow untrusted_app dpmd_socket:sock_file write;
+
+# access to perflock
+allow untrusted_app mpctl_socket:dir r_dir_perms;
+unix_socket_send(untrusted_app, mpctl, perfd)
+unix_socket_connect(untrusted_app, mpctl, perfd)
+unix_socket_send(untrusted_app, mpctl, mpdecision)
+unix_socket_connect(untrusted_app, mpctl, mpdecision) |
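Review bot: In the second common/netmgrd.te hunk, `allow netmgrd wpa_exec:file rx_file_perms;` is filed under `#Allow communication with netd` although it has nothing to do with netd. In the AOSP macro set `rx_file_perms` includes `execute_no_trans`, so any wpa_exec binary netmgrd starts would run inside the netmgrd domain with netmgrd's netlink and socket rights. If netmgrd really has to launch it, a domain transition keeps the two policies separate; if it only has to read the file, `allow netmgrd wpa_exec:file r_file_perms;` is enough. Either way the three added rules need their own comment, for example `# read /data/misc/net state written by <component>` (placeholder; the hunk does not name the consumer).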
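Review bot: The common/untrusted_app.te hunk makes the mpctl sockets of perfd and mpdecision reachable from every third-party app, so both daemons now take requests from the least trusted domain on the device; the `# access to perflock` comment does not say that this exposure is intended. If only platform or system apps need perflock, the rules belong in those domains instead. If third-party access is required, say so in the comment, for example `# perflock is exposed to third-party apps; perfd/mpdecision must validate and rate-limit every request`. Connecting needs only directory search, so `allow untrusted_app mpctl_socket:dir search;` would replace `r_dir_perms`, which also lets apps list the socket directory.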