From 22f764212ccca6092f285304893f3528e71dad5d Mon Sep 17 00:00:00 2001
From: Amit Blay
Date: Thu, 14 Jan 2016 17:07:10 +0200
Subject: sepolicy: Add support for new mdtpd

MDTP daemon (mdtpd) was created. All MDTP threads were removed from QSEECOM. This change moves all MDTP specific rules from the qseecomd domain to the mdtp domain.

Change-Id: I12f624c89f6fe43b09a7c748c2b0b26dc8c0a0ee
---
 common/file_contexts | 2 +-
 common/mdtp.te | 32 ++++++++++++++++++++++++++++++++
 common/qseecomd.te | 22 ----------------------
 3 files changed, 33 insertions(+), 23 deletions(-)

diff --git a/common/file_contexts b/common/file_contexts
index 1f01146e..2f428e58 100644
--- a/common/file_contexts
+++ b/common/file_contexts
@@ -220,7 +220,7 @@
 /system/bin/tbaseLoader u:object_r:tbaseLoader_exec:s0
 /system/bin/mcStarter u:object_r:mcStarter_exec:s0
 /system/bin/fstman u:object_r:fstman_exec:s0
-/system/vendor/bin/mdtp_service u:object_r:mdtpdaemon_exec:s0
+/system/vendor/bin/mdtpd u:object_r:mdtpdaemon_exec:s0
 
 ###################################
 # sysfs files
diff --git a/common/mdtp.te b/common/mdtp.te
index f69456c4..ee09f772 100644
--- a/common/mdtp.te
+++ b/common/mdtp.te
@@ -28,6 +28,17 @@
 type mdtpdaemon, domain;
 type mdtpdaemon_exec, exec_type, file_type;
 
+allow mdtpdaemon self:capability {
+ setuid
+ setgid
+};
+
+userdebug_or_eng(`
+ #Needed for kill(pid, 0) existance test
+ allow mdtpdaemon su:process signull;
+ allow mdtpdaemon self:capability kill;
+')
+
 #Allow for transition from init domain to mdtpdaemon
 init_daemon_domain(mdtpdaemon)
 
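Review bot: The new `allow mdtpdaemon self:capability { setuid setgid };` at the top of the mdtp.te hunk carries no comment on why the daemon needs to change its uid/gid, while every neighbouring rule states its purpose; a one-line comment such as `# Allow mdtpd to change uid/gid at startup (confirm against daemon source)` would keep the justification next to the rule and make the capability grant reviewable later. The userdebug_or_eng block has a typo, `existance` should be `existence`, and since it grants `su:process signull` together with the `kill` capability it is worth stating in that comment that both are debug-build only. The domain definition continues outside this hunk.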
@@ -48,9 +59,30 @@ r_dir_file(mdtpdaemon, firmware_file)
 
 #Allow access to qsee directories
 allow mdtpdaemon data_qsee_file:dir create_dir_perms;
+allow mdtpdaemon data_qsee_file:file create_file_perms;
 
 #Allow access to qsee fifos
 allow mdtpdaemon data_qsee_file:fifo_file create_file_perms;
 
 #Allow access to tee device
 allow mdtpdaemon tee_device:chr_file rw_file_perms;
+
+# Provide access to block devices
+allow mdtpdaemon block_device:dir r_dir_perms;
+allow mdtpdaemon mdtp_device:blk_file rw_file_perms;
+allow mdtpdaemon dip_device:blk_file rw_file_perms;
+allow mdtpdaemon system_block_device:blk_file r_file_perms;
+
+# Provide access to QTI Crypto driver for MDTP
+# allow mdtpdaemon qce_device:chr_file rw_file_perms;
+
+# Provide read access to all /system files for MDTP file-to-block-mapping
+r_dir_file(mdtpdaemon, exec_type)
+r_dir_file(mdtpdaemon, system_file)
+
+# Provide mdtpd ability to access QMUXD/IPCRouter for QMI
+qmux_socket(mdtpdaemon);
+allow mdtpdaemon self:socket create_socket_perms;
+
+# Provide tee ability to run executables in rootfs for MDTP
+allow mdtpdaemon rootfs:file x_file_perms;
diff --git a/common/qseecomd.te b/common/qseecomd.te
index f97849d6..2140c583 100644
--- a/common/qseecomd.te
+++ b/common/qseecomd.te
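Review bot: The comment `# Provide tee ability to run executables in rootfs for MDTP` above `allow mdtpdaemon rootfs:file x_file_perms;` was copied from qseecomd.te and still names tee as the subject although the rule now grants the mdtpdaemon domain; it should read `# Provide mdtpd ability to run executables in rootfs for MDTP` and, because execute on rootfs is a broad grant for a vendor daemon, name which rootfs executables are actually needed. The qce_device rule is carried over commented out (`# allow mdtpdaemon qce_device:chr_file rw_file_perms;`) even though the commit message says all MDTP rules were moved from qseecomd; if mdtpd no longer uses the crypto driver the dead rule should be removed, otherwise a comment should say why it is disabled. The new `allow mdtpdaemon data_qsee_file:file create_file_perms;` also lacks the note the removed tee rule had about what is written there (`/data/misc/qsee/mdtp` temp files), which helps a reviewer judge the write grant alongside the raw read of `system_block_device`.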
@@ -75,25 +75,3 @@ allow tee qfp-daemon_data_file:file create_file_perms;
 allow tee fingerprintd_data_file:dir create_dir_perms;
 allow tee fingerprintd_data_file:file create_file_perms;
 
-# Provide access to block devices for MDTP
-allow tee mdtp_device:blk_file rw_file_perms;
-allow tee dip_device:blk_file rw_file_perms;
-allow tee system_block_device:blk_file r_file_perms;
-
-# Provide access to QC Crypto driver for MDTP
-allow tee qce_device:chr_file rw_file_perms;
-
-# Provide access to /data/misc/qsee/mdtp for MDTP temp files
-allow tee data_qsee_file:dir create_dir_perms;
-allow tee data_qsee_file:{ file fifo_file } create_file_perms;
-
-# Provide read access to all /system files for MDTP file-to-block-mapping
-r_dir_file(tee, exec_type)
-r_dir_file(tee, system_file)
-
-# Provide tee ability to access QMUXD/IPCRouter for QMI
-qmux_socket(tee);
-allow tee self:socket create_socket_perms;
-
-# Provide tee ability to run executables in rootfs for MDTP
-allow tee rootfs:file x_file_perms;
-- cgit v1.2.3