From 2b1834356a9d7122b62e4f9aa5f6496c100e99b8 Mon Sep 17 00:00:00 2001 From: Srinivasa Rao Kuppala Date: Tue, 27 Feb 2018 18:03:10 +0530 Subject: sepolicy: sepolicy cleanup on msm8953 and sdm450 Bootup related sepolicy cleanup on msm8953 and sdm450 Change-Id: I82b1c14246a95f3099eb1840ed7fc859b462c774 --- common/file.te | 6 ------ msm8953/file_contexts | 4 ---- msm8953/genfs_contexts | 29 +++++++++++++++++++++++++++++ msm8953/init_shell.te | 2 -- msm8953/mm-qcamerad.te | 3 +-- 5 files changed, 30 insertions(+), 14 deletions(-) create mode 100644 msm8953/genfs_contexts diff --git a/common/file.te b/common/file.te index 994cc040..2f1895c3 100644 --- a/common/file.te +++ b/common/file.te @@ -85,12 +85,6 @@ type sysfs_usb_mtp_device, sysfs_type, fs_type; # sysfs module for usb_f_mtp/parameters type sysfs_spmi_device, sysfs_type, fs_type; -# sysfs devices for enable -type sysfs_dcc_device, sysfs_type, fs_type; - -# sysfs devices for video4linux -type sysfs_video4linux_device, sysfs_type, fs_type; - # sysfs vadc device for hvdcp/quickcharge type sysfs_vadc_dev, sysfs_type, fs_type; # sysfs spmi device for hvdcp/quickcharge diff --git a/msm8953/file_contexts b/msm8953/file_contexts index a9c0142a..e7fa97d1 100644 --- a/msm8953/file_contexts +++ b/msm8953/file_contexts @@ -56,10 +56,6 @@ /sys/devices/platform/soc/200f000\.qcom,spmi/spmi-0/spmi0-03/200f000\.qcom,spmi:qcom,pmi8950@3:qcom,haptic@c000/leds/vibrator/activate u:object_r:sysfs_spmi_device:s0 /sys/devices/platform/soc/200f000.qcom,spmi/spmi-0/spmi0-03/200f000.qcom,spmi:qcom,pmi632@3:qcom,vibrator@5700/leds/vibrator/activate u:object_r:sysfs_spmi_device:s0 -/sys/devices/platform/soc/b3000.dcc(/.*)? u:object_r:sysfs_dcc_device:s0 - -#video4linux_ -/sys/devices/platform/soc/1b00000.qcom,msm-cam/video4linux/video0/name u:object_r:sysfs_video4linux_device:s0 ############################################################################################ #Same hal process libs 
diff --git a/msm8953/genfs_contexts b/msm8953/genfs_contexts
new file mode 100644
index 00000000..a6df7878
--- /dev/null
+++ b/msm8953/genfs_contexts
@@ -0,0 +1,29 @@
+# Copyright (c) 2018, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+genfscon sysfs /devices/platform/soc/1b00000.qcom,msm-cam/video4linux/video0/name u:object_r:sysfs_graphics:s0
+
diff --git a/msm8953/init_shell.te b/msm8953/init_shell.te
index 2a2bef12..d448c248 100644
--- a/msm8953/init_shell.te
+++ b/msm8953/init_shell.te
@@ -36,5 +36,3 @@ allow qti_init_shell { allow qti_init_shell regionalization_file:dir r_dir_perms; allow qti_init_shell regionalization_file:file create_file_perms; -# For dcc -allow qti_init_shell sysfs_dcc_device:file rw_file_perms; diff --git a/msm8953/mm-qcamerad.te b/msm8953/mm-qcamerad.te index 5ed285a5..354b6133 100644 --- a/msm8953/mm-qcamerad.te +++ b/msm8953/mm-qcamerad.te @@ -26,5 +26,4 @@ # IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #for v4L node "name" access -allow mm-qcamerad sysfs_graphics:file r_file_perms; -allow mm-qcamerad sysfs_video4linux_device:file rw_file_perms; +allow mm-qcamerad sysfs_graphics:file rw_file_perms; -- cgit v1.2.3 From ef3a7d6d73476511502e60688ee8e873d4b3f4b7 Mon Sep 17 00:00:00 2001 From: Pullakavi Srinivas Date: Mon, 12 Feb 2018 22:27:49 +0530 Subject: sepolicy: Allow composer to access persist node Change-Id: I9acfd08ac4bd43f733e78d7e78b93eb491e84dbc --- apq8098_latv/file_contexts | 3 +-- common/file_contexts | 1 + msm8998/file_contexts | 3 +-- 3 files changed, 3 insertions(+), 4 deletions(-) diff --git a/apq8098_latv/file_contexts b/apq8098_latv/file_contexts index 3568088a..6d63abda 100644 --- a/apq8098_latv/file_contexts +++ b/apq8098_latv/file_contexts @@ -1,4 +1,4 @@ -# Copyright (c) 2016-2017, The Linux Foundation. All rights reserved. +# Copyright (c) 2016-2018, The Linux Foundation. All rights reserved. # # Redistribution and use in source and binary forms, with or without # modification, are permitted provided that the following conditions are 
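Review bot: The replacement rule `allow mm-qcamerad sysfs_graphics:file rw_file_perms;` widens write access from the single v4l `name` node to every file labelled sysfs_graphics, because the genfs_contexts hunk in this same commit folds that node into the shared sysfs_graphics type, which the fb sysfs attributes in common/file_contexts also carry. Before this change mm-qcamerad held only r_file_perms on sysfs_graphics and its write permission was confined to sysfs_video4linux_device. If write on the v4l node is genuinely required, a dedicated sysfs type for the new genfscon entry preserves that boundary; if it is not, `allow mm-qcamerad sysfs_graphics:file r_file_perms;` is the least-privilege rule. The comment `#for v4L node "name" access` now also understates what the rule grants.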
@@ -105,7 +105,6 @@ # /sys/devices/soc/75ba000.i2c/i2c-12/12-0020/input/input[0-9]/secure_touch_enable u:object_r:sysfs_securetouch:s0 /sys/devices/virtual/graphics/fb([0-3])+/lineptr_value u:object_r:sysfs_graphics:s0 -/sys/devices/virtual/graphics/fb([0-3])+/msm_fb_persist_mode u:object_r:sysfs_graphics:s0 /sys/devices/virtual/graphics/fb([0-3])+/cec/enable u:object_r:sysfs_graphics:s0 /sys/devices/virtual/graphics/fb([0-3])+/cec/enable_compliance u:object_r:sysfs_graphics:s0 /sys/devices/virtual/graphics/fb([0-3])+/cec/logical_addr u:object_r:sysfs_graphics:s0 diff --git a/common/file_contexts b/common/file_contexts index 1f727100..2a1121d3 100644 --- a/common/file_contexts +++ b/common/file_contexts @@ -404,6 +404,7 @@ /sys/devices/virtual/graphics/fb([0-3])+/dyn_pu u:object_r:sysfs_graphics:s0 /sys/devices/virtual/graphics/fb([0-3])+/ad u:object_r:sysfs_graphics:s0 /sys/devices/virtual/graphics/fb([0-3])+/pp_bl_event u:object_r:sysfs_graphics:s0 +/sys/devices/virtual/graphics/fb([0-3])+/msm_fb_persist_mode u:object_r:sysfs_graphics:s0 /sys/devices/virtual/rotator/mdss_rotator/caps u:object_r:sysfs_graphics:s0 /sys/devices/platform/vfb.([0-3])+/graphics/fb([0-3])+/modes u:object_r:sysfs_graphics:s0 diff --git a/msm8998/file_contexts b/msm8998/file_contexts index 713ae22c..c7c92ef7 100644 --- a/msm8998/file_contexts +++ b/msm8998/file_contexts @@ -1,4 +1,4 @@ -# Copyright (c) 2016-2017, The Linux Foundation. All rights reserved. +# Copyright (c) 2016-2018, The Linux Foundation. All rights reserved. # # Redistribution and use in source and binary forms, with or without # modification, are permitted provided that the following conditions are @@ -91,4 +91,3 @@ # /sys/devices/soc/75ba000.i2c/i2c-12/12-0020/input/input[0-9]/secure_touch_enable u:object_r:sysfs_securetouch:s0 /sys/devices/virtual/graphics/fb([0-3])+/lineptr_value u:object_r:sysfs_graphics:s0 -/sys/devices/virtual/graphics/fb([0-3])+/msm_fb_persist_mode u:object_r:sysfs_graphics:s0 -- cgit v1.2.3 
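Review bot: The msm_fb_persist_mode entry is only relocated into common/file_contexts; no allow rule for the composer domain is part of this change, so the access promised by the subject line relies on sysfs_graphics grants that are not visible here. It is worth confirming that the composer domain already holds the needed file permission on sysfs_graphics on every target that now inherits this label, since the common file applies to all of them. A short comment above the added line, such as `# persist-mode node consumed by the composer`, would record which client the label serves.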
From 025298272b5c45cfbb57b5923d1ff44b6688a9a9 Mon Sep 17 00:00:00 2001 From: Arthur Shuai Date: Sun, 11 Feb 2018 18:35:06 +0800 Subject: Sepolicy: update policy for mmi_sys Add mmi_diag to mmi_sys_exec. Change-Id: I8027465368193b94ec9deba80d78aed35c451c79 --- private/file_contexts | 1 + private/mmi_sys.te | 2 ++ 2 files changed, 3 insertions(+) diff --git a/private/file_contexts b/private/file_contexts index 85d9c860..129bf5c6 100644 --- a/private/file_contexts +++ b/private/file_contexts @@ -48,6 +48,7 @@ /system/bin/qvrservice u:object_r:qvrd_exec:s0 /system/bin/wfdservice u:object_r:wfdservice_exec:s0 /system/bin/mmi u:object_r:mmi_sys_exec:s0 +/system/bin/mmi_diag u:object_r:mmi_sys_exec:s0 ####### data files ################ /data/misc/seemp(/.*)? u:object_r:seemp_data_file:s0 diff --git a/private/mmi_sys.te b/private/mmi_sys.te index 790d1125..11bda28c 100644 --- a/private/mmi_sys.te +++ b/private/mmi_sys.te @@ -40,3 +40,5 @@ allow mmi_sys ion_device:chr_file { ioctl open }; allow mmi_sys surfaceflinger_service:service_manager find; allow mmi_sys hal_graphics_mapper_hwservice:hwservice_manager find; hwbinder_use(mmi_sys) +get_prop(mmi_sys, hwservicemanager_prop); +allow mmi_sys mmi_sys_exec:file execute_no_trans; -- cgit v1.2.3 From 3c1bce448c926e3a1a89aa5ae46e587023d406b2 Mon Sep 17 00:00:00 2001 From: Kineret Berger Date: Wed, 14 Feb 2018 10:56:44 +0200 Subject: sesepolicy: Add permission to spdaemon to access SSR channel Instead of using sp_keymaster for SSR notifications, we'll use a dummy channel - spdaemon_ssr. Change-Id: If6e83d470b7bf437f9935c9953a5fbc8bfe6e452 --- common/device.te | 3 +++ common/file_contexts | 1 + common/spdaemon.te | 3 +++ 3 files changed, 7 insertions(+) diff --git a/common/device.te b/common/device.te index f4dea16d..1d919f78 100644 --- a/common/device.te +++ b/common/device.te 
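Review bot: `allow mmi_sys mmi_sys_exec:file execute_no_trans;` combined with the new `/system/bin/mmi_diag` label in the file_contexts hunk means mmi_diag runs in the mmi_sys domain with the full mmi_sys permission set (the ion ioctl, surfaceflinger and hwbinder rules visible in this hunk). If mmi_diag needs only a subset of that, a separate domain with its own exec type keeps the two tools apart; if sharing the domain is intended, a comment such as `# mmi_diag is executed from mmi_sys without a domain transition` makes the choice explicit — presumably that is the call pattern, but it is not visible here. Separately, `get_prop(mmi_sys, hwservicemanager_prop);` carries a trailing semicolon while `hwbinder_use(mmi_sys)` on the line above does not; dropping it keeps the file consistent.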
@@ -100,6 +100,9 @@ type sec_nvm_device, dev_type; # Define cryptoapp device type cryptoapp_device, dev_type; +# Define spdaemon_ssr device +type spdaemon_ssr_device, dev_type; + # Define qsee_ipc_irq_spss device type qsee_ipc_irq_spss_device, dev_type; diff --git a/common/file_contexts b/common/file_contexts index 2a1121d3..416a4cbc 100644 --- a/common/file_contexts +++ b/common/file_contexts @@ -23,6 +23,7 @@ /dev/sec_nvm_.* u:object_r:sec_nvm_device:s0 /dev/sp_keymaster u:object_r:sp_keymaster_device:s0 /dev/cryptoapp u:object_r:cryptoapp_device:s0 +/dev/spdaemon_ssr u:object_r:spdaemon_ssr_device:s0 /dev/qsee_ipc_irq_spss u:object_r:qsee_ipc_irq_spss_device:s0 /dev/radio0 u:object_r:fm_radio_device:s0 /dev/btpower u:object_r:bt_device:s0 diff --git a/common/spdaemon.te b/common/spdaemon.te index fc018343..30292bfa 100644 --- a/common/spdaemon.te +++ b/common/spdaemon.te @@ -47,6 +47,9 @@ allow spdaemon sp_keymaster_device:chr_file rw_file_perms; # Allow access to cryptoapp device allow spdaemon cryptoapp_device:chr_file rw_file_perms; +# Allow access to spdaemon_ssr device +allow spdaemon spdaemon_ssr_device:chr_file rw_file_perms; + # Allow access to ion device allow spdaemon ion_device:chr_file rw_file_perms; -- cgit v1.2.3 From 4856ba808c7e32e7bec1a7af997041fe23e20486 Mon Sep 17 00:00:00 2001 From: Ashay Jaiswal Date: Sun, 4 Mar 2018 14:02:03 +0530 Subject: Sepolicy: update sepolicy for hvdcp Update sepolicy labels for sysfs files exposed by charger and QG driver. Change-Id: I6ff34a9bb3657d587f75ad35d622cdbff98d0043 --- common/file_contexts | 9 ++++++--- common/hvdcp.te | 4 +--- 2 files changed, 7 insertions(+), 6 deletions(-) diff --git a/common/file_contexts b/common/file_contexts index 2a1121d3..f2b3c339 100644 --- a/common/file_contexts +++ b/common/file_contexts 
@@ -331,15 +331,18 @@ /sys/devices/f9200000.*/power_supply/usb(/.*)? u:object_r:sysfs_usb_supply:s0 /sys/devices/msm_dwc3/power_supply/usb(/.*)? u:object_r:sysfs_usb_supply:s0 /sys/devices/msm_otg/power_supply/usb(/.*)? u:object_r:sysfs_usb_supply:s0 -/sys/devices(/platform)?/soc/[a-z0-9]+.qcom,spmi/spmi-[0-9]/spmi0-0[0-9]/[a-z0-9]+.qcom,spmi:qcom,[a-z0-9]+@[0-9]:qcom,qpnp-smb2/power_supply/usb(/.*)? u:object_r:sysfs_usb_supply:s0 -/sys/devices(/platform)?/soc/[a-z0-9]+.qcom,spmi/spmi-[0-9]/spmi0-0[0-9]/[a-z0-9]+.qcom,spmi:qcom,[a-z0-9]+@[0-9]:qcom,qpnp-smb2/power_supply/pc_port(/.*)? u:object_r:sysfs_usb_supply:s0 +/sys/devices(/platform)?/soc/[a-z0-9]+.qcom,spmi/spmi-[0-9]/spmi0-0[0-9]/[a-z0-9]+.qcom,spmi:qcom,[a-z0-9]+@[0-9]:qcom,qpnp-smb[0-9]+/power_supply/usb(/.*)? u:object_r:sysfs_usb_supply:s0 +/sys/devices(/platform)?/soc/[a-z0-9]+.qcom,spmi/spmi-[0-9]/spmi0-0[0-9]/[a-z0-9]+.qcom,spmi:qcom,[a-z0-9]+@[0-9]:qcom,qpnp-smb[0-9]+/power_supply/pc_port(/.*)? u:object_r:sysfs_usb_supply:s0 /sys/devices(/platform)?/soc/[a-z0-9]+.i2c/i2c-[0-9]+/[0-9]+-[a-z0-9]+/[a-z0-9]+.i2c:qcom,[a-z0-9]+@[a-z0-9]:qcom,smb[0-9]+-charger@[0-9]+/power_supply/parallel(/.*)? u:object_r:sysfs_usb_supply:s0 /sys/devices(/platform)?/soc/[a-z0-9]+.qcom,spmi/spmi-[0-9]/spmi0-0[0-9]/[a-z0-9]+.qcom,spmi:qcom,[a-z0-9]+@[0-9]:qcom,usb-pdphy@[0-9]+/usbpd/usbpd[0-9](/.*)? u:object_r:sysfs_usbpd_device:s0 /sys/devices/platform/battery_current_limit u:object_r:sysfs_thermal:s0 /sys/devices/qpnp-charger.*/power_supply/battery(/.*)? u:object_r:sysfs_battery_supply:s0 -/sys/devices(/platform)?/soc/[a-z0-9]+.qcom,spmi/spmi-[0-9]/spmi0-0[0-9]/[a-z0-9]+.qcom,spmi:qcom,[a-z0-9]+@[0-9]:qcom,qpnp-smb2/power_supply/battery(/.*)? u:object_r:sysfs_battery_supply:s0 +/sys/devices(/platform)?/soc/[a-z0-9]+.qcom,spmi/spmi-[0-9]/spmi0-0[0-9]/[a-z0-9]+.qcom,spmi:qcom,[a-z0-9]+@[0-9]:qcom,qpnp-smb[0-9]+/power_supply/battery(/.*)? 
u:object_r:sysfs_battery_supply:s0 +/sys/devices(/platform)?/soc/[a-z0-9]+.qcom,spmi/spmi-[0-9]/spmi0-0[0-9]/[a-z0-9]+.qcom,spmi:qcom,[a-z0-9]+@[0-9]:qcom,qpnp-smbcharger/power_supply/battery(/.*)? u:object_r:sysfs_battery_supply:s0 /sys/devices(/platform)?/soc/[a-z0-9]+.qcom,spmi/spmi-[0-9]/spmi0-0[0-9]/[a-z0-9]+.qcom,spmi:qcom,[a-z0-9]+@[0-9]:qpnp,fg/power_supply/bms(/.*)? u:object_r:sysfs_battery_supply:s0 +/sys/devices(/platform)?/soc/[a-z0-9]+.qcom,spmi/spmi-[0-9]/spmi0-0[0-9]/[a-z0-9]+.qcom,spmi:qcom,[a-z0-9]+@[0-9]:qpnp,qg/power_supply/bms(/.*)? u:object_r:sysfs_battery_supply:s0 /sys/class/qcom-battery(/.*)? u:object_r:sysfs_battery_supply:s0 +/sys/class/charge_pump(/.*)? u:object_r:sysfs_battery_supply:s0 /sys/devices(/platform)?/soc/qpnp-linear-charger-[a-z0-9]+/power_supply/battery(/.*)? u:object_r:sysfs_battery_supply:s0 /sys/devices(/platform)?/soc/qpnp-vm-bms-[a-z0-9]+/power_supply/bms(/.*)? u:object_r:sysfs_battery_supply:s0 /sys/devices/soc/qpnp-smbcharger-[a-z0-9]+/power_supply/battery(/.*)? u:object_r:sysfs_battery_supply:s0 diff --git a/common/hvdcp.te b/common/hvdcp.te index e176c9da..fc9759b7 100644 --- a/common/hvdcp.te +++ b/common/hvdcp.te @@ -7,13 +7,13 @@ init_daemon_domain(hvdcp) # Add rules for access permissions allow hvdcp hvdcp_device:chr_file rw_file_perms; +allow hvdcp qg_device:chr_file rw_file_perms; allow hvdcp { sysfs_battery_supply sysfs_usb_supply sysfs_usbpd_device sysfs_vadc_dev sysfs_spmi_dev - qg_device }:dir r_dir_perms; allow hvdcp { @@ -22,7 +22,6 @@ allow hvdcp { sysfs_usbpd_device sysfs_vadc_dev sysfs_spmi_dev - qg_device }:file rw_file_perms; allow hvdcp { @@ -30,7 +29,6 @@ allow hvdcp { sysfs_usb_supply sysfs_vadc_dev sysfs_spmi_dev - qg_device }:lnk_file r_file_perms; allow hvdcp self:capability { setgid setuid }; -- cgit v1.2.3 From 6dcf00fb577954e660dce2aacb0b25f0a7df5773 Mon Sep 17 00:00:00 2001 
From: padarshr Date: Mon, 4 Dec 2017 20:26:11 +0530 Subject: sepolicy: qcs605: Add contexts for storsec_[ab] block device This is for update_engine to read/write the storsec partition during OTA upgrade. Change-Id: Ib30fbd769f2baac1504558f337458353f85a7c9d --- qcs605/file_contexts | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/qcs605/file_contexts b/qcs605/file_contexts index 40b3d162..2ecfe880 100644 --- a/qcs605/file_contexts +++ b/qcs605/file_contexts @@ -48,6 +48,7 @@ /dev/block/platform/soc/1d84000.ufshc/by-name/frp u:object_r:frp_block_device:s0 /dev/block/platform/soc/1d84000.ufshc/by-name/mdtp u:object_r:mdtp_device:s0 /dev/block/platform/soc/1d84000.ufshc/by-name/dip u:object_r:dip_device:s0 +/dev/block/platform/soc/1d84000.ufshc/by-name/storsec u:object_r:boot_block_device:s0 #rawdump partition /dev/block/platform/soc/1d84000.ufshc/by-name/rawdump u:object_r:rawdump_block_device:s0 @@ -78,6 +79,7 @@ /dev/block/platform/soc/1d84000.ufshc/by-name/mdtpsecapp_[ab] u:object_r:mdtp_device:s0 /dev/block/platform/soc/1d84000.ufshc/by-name/qupfw_[ab] u:object_r:custom_ab_block_device:s0 /dev/block/platform/soc/1d84000.ufshc/by-name/xbl_config_[ab] u:object_r:custom_ab_block_device:s0 +/dev/block/platform/soc/1d84000.ufshc/by-name/storsec_[ab] u:object_r:custom_ab_block_device:s0 #for eMMC # A/B partitions. @@ -106,6 +108,7 @@ /dev/block/platform/soc/7c4000.sdhci/by-name/mdtpsecapp_[ab] u:object_r:mdtp_device:s0 /dev/block/platform/soc/7c4000.sdhci/by-name/qupfw_[ab] u:object_r:custom_ab_block_device:s0 /dev/block/platform/soc/7c4000.sdhci/by-name/xbl_config_[ab] u:object_r:custom_ab_block_device:s0 +/dev/block/platform/soc/7c4000.sdhci/by-name/storsec_[ab] u:object_r:custom_ab_block_device:s0 #non A/B /dev/block/platform/soc/7c4000.sdhci/by-name/system u:object_r:system_block_device:s0 
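Review bot: The non-A/B `storsec` entry is labelled boot_block_device in the @@ -48 hunk (and again in the sdhci @@ -125 hunk), whereas `storsec_[ab]` gets custom_ab_block_device like the other upgradable partitions. Reusing boot_block_device means every domain permitted on the boot partition can also read or write storsec and vice versa, while the neighbouring non-A/B partitions (frp, mdtp, dip) each carry a dedicated type. Unless update_engine specifically requires the boot_block_device label here, a dedicated type or custom_ab_block_device (matching the A/B line) keeps the partitions separable, and the reason for the chosen label deserves a comment such as `# storsec: accessed by update_engine during OTA`.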
@@ -125,6 +128,7 @@ /dev/block/platform/soc/7c4000.sdhci/by-name/frp u:object_r:frp_block_device:s0 /dev/block/platform/soc/7c4000.sdhci/by-name/mdtp u:object_r:mdtp_device:s0 /dev/block/platform/soc/7c4000.sdhci/by-name/dip u:object_r:dip_device:s0 +/dev/block/platform/soc/7c4000.sdhci/by-name/storsec u:object_r:boot_block_device:s0 #rawdump partition /dev/block/platform/soc/7c4000.sdhci/by-name/rawdump u:object_r:rawdump_block_device:s0 -- cgit v1.2.3 From dd737e453e934e2607c84efd966200bdad622534 Mon Sep 17 00:00:00 2001 From: Varun Garg Date: Mon, 19 Feb 2018 11:06:55 +0530 Subject: Adding rule for radio to access perf hal Adding rule for radio daemon to access perf hal Change-Id: Ib805d97363d697bd49434364ea77d475c0a91542 --- common/radio.te | 1 + 1 file changed, 1 insertion(+) diff --git a/common/radio.te b/common/radio.te index acb7d814..1bee9d68 100644 --- a/common/radio.te +++ b/common/radio.te @@ -17,3 +17,4 @@ userdebug_or_eng(` allow radio hal_imsrcsd_hwservice:hwservice_manager find; binder_call(radio, hal_rcsservice) ') +hal_client_domain(radio, hal_perf) -- cgit v1.2.3 From 571f266bd588dc6a5fc856b8316e6ae7fb82811b Mon Sep 17 00:00:00 2001 From: Suresh Kumar Sugguna Date: Mon, 5 Feb 2018 12:57:53 +0530 Subject: sepolicy: initial qmmf-webserver sepolicy drop. Add qmmf webserver and corresponding permissions Change-Id: I85e0bb7be9a30992d8ff565a9cfc2f839e09f957 --- qcs605/file.te | 3 +++ qcs605/file_contexts | 2 ++ qcs605/property_contexts | 1 + qcs605/qmmf-servd.te | 2 ++ qcs605/qmmf-webserverd.te | 59 +++++++++++++++++++++++++++++++++++++++++++++++ 5 files changed, 67 insertions(+) create mode 100644 qcs605/qmmf-webserverd.te diff --git a/qcs605/file.te b/qcs605/file.te index c403cfec..ed9efc58 100644 --- a/qcs605/file.te +++ b/qcs605/file.te @@ -27,3 +27,6 @@ # qmmf data file type qmmf_data_file, file_type, data_file_type; + +# vam data file +type qmmf_vam_data_file, file_type, data_file_type; 
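Review bot: `hal_client_domain(radio, hal_perf)` is appended immediately after the closing `')` of the userdebug_or_eng block with no blank line or comment, so it reads as though it belonged to the debug-only rules even though, sitting outside the quotes, it applies to user builds too. A blank line followed by `# perf hal access for the radio daemon (all builds)` before it would make the scope obvious to the next reader. The userdebug_or_eng block itself begins outside the hunk.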
diff --git a/qcs605/file_contexts b/qcs605/file_contexts index 2ecfe880..1cf4ac01 100644 --- a/qcs605/file_contexts +++ b/qcs605/file_contexts @@ -155,6 +155,8 @@ # qmmf server /(vendor|system/vendor)/bin/qmmf-server u:object_r:qmmf-servd_exec:s0 +/(vendor|system/vendor)/bin/qmmf-webserver-zygote u:object_r:qmmf-webserverd_exec:s0 # qmmf data files /data/misc/qmmf(/.*)? u:object_r:qmmf_data_file:s0 +/data/misc/vam(/.*)? u:object_r:qmmf_vam_data_file:s0 diff --git a/qcs605/property_contexts b/qcs605/property_contexts index 057446f0..4faa3e08 100644 --- a/qcs605/property_contexts +++ b/qcs605/property_contexts @@ -27,3 +27,4 @@ qmmf. u:object_r:qmmf_prop:s0 persist.qmmf. u:object_r:qmmf_prop:s0 +vam. u:object_r:qmmf_prop:s0 diff --git a/qcs605/qmmf-servd.te b/qcs605/qmmf-servd.te index 080d528b..6dda04a4 100644 --- a/qcs605/qmmf-servd.te +++ b/qcs605/qmmf-servd.te @@ -76,3 +76,5 @@ allow qmmf-servd ion_device:chr_file r_file_perms; hal_client_domain(qmmf-servd, hal_graphics_allocator) hal_client_domain(qmmf-servd, hal_configstore) r_dir_file(qmmf-servd, oemfs) + +binder_call(qmmf-servd, qmmf-webserverd) diff --git a/qcs605/qmmf-webserverd.te b/qcs605/qmmf-webserverd.te new file mode 100644 index 00000000..fc99edb2 --- /dev/null +++ b/qcs605/qmmf-webserverd.te 
@@ -0,0 +1,59 @@
+# Copyright (c) 2017-2018, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+type qmmf-webserverd, domain;
+type qmmf-webserverd_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(qmmf-webserverd)
+
+net_domain(qmmf-webserverd)
+
+vndbinder_use(qmmf-webserverd);
+binder_call(qmmf-webserverd, qmmf-servd)
+
+allow qmmf-webserverd { qmmf_system_service
+ qmmf_recorder_service
+ qmmf_audio_service
+ qmmf_player_service
+ qmmf_display_service
+ }:service_manager find;
+
+allow qmmf-webserverd ion_device:chr_file r_file_perms;
+allow qmmf-webserverd proc_net:file r_file_perms;
+
+allow qmmf-webserverd qmmf_vam_data_file:dir create_dir_perms;
+allow qmmf-webserverd qmmf_vam_data_file:file create_file_perms;
+
+allow qmmf-webserverd qmmf_data_file:dir rw_dir_perms;
+allow qmmf-webserverd qmmf_data_file:file create_file_perms;
+
+allow qmmf-webserverd camera_data_file:dir w_dir_perms;
+allow qmmf-webserverd camera_data_file:file create_file_perms;
+
+set_prop(qmmf-webserverd, qmmf_prop)
+
+r_dir_file(qmmf-webserverd, input_device);
+allow qmmf-webserverd input_device:chr_file r_file_perms;
-- 
cgit v1.2.3
From f449b4b657f3bdb7e0c8d35071be58a64c689b90 Mon Sep 17 00:00:00 2001
From: padarshr
Date: Mon, 12 Mar 2018 14:23:46 +0530
Subject: Add appropriate selabel to ImageFv partition. Since ImageFv is now an upgradable A/B partition, adding appropriate selabel to it. Even though this partition is added to sdm845 presently, assigning the label to all targets, so that OTA won't be broken if/when ImageFv partition is added in other targets.
Change-Id: I188edb41aeb86945277d1ab4fabb885678c2a4ed
---
 apq8098_latv/file_contexts | 1 +
 msm8937/file_contexts | 1 +
 msm8953/file_contexts | 1 +
 msm8996/file_contexts | 2 ++
 msm8998/file_contexts | 1 +
 qcs605/file_contexts | 2 ++
 sdm660/file_contexts | 2 ++
 sdm670/file_contexts | 2 ++
 sdm845/file_contexts | 1 +
 9 files changed, 13 insertions(+)
diff --git a/apq8098_latv/file_contexts b/apq8098_latv/file_contexts
index 6d63abda..583cd2d6 100644
--- a/apq8098_latv/file_contexts
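Review bot: The new domain pairs `net_domain(qmmf-webserverd)` with write access to storage shared with other domains — `camera_data_file:dir w_dir_perms` (which includes add_name and remove_name) plus `camera_data_file:file create_file_perms`, `qmmf_data_file:dir rw_dir_perms`, and `set_prop(qmmf-webserverd, qmmf_prop)`, which together with the property_contexts hunk mapping `vam.` onto qmmf_prop lets a presumably network-facing process set every qmmf., persist.qmmf. and vam. property. `r_dir_file(qmmf-webserverd, input_device);` and `allow qmmf-webserverd input_device:chr_file r_file_perms;` also hand a web front end raw input event access, which is unusual and is not explained by the commit text. If the server only delegates work to qmmf-servd over binder (the `binder_call` lines in both files), the camera_data_file and input_device rules may be droppable, and each rule that stays deserves a one-line comment naming the path or node it needs — the dedicated qmmf_vam_data_file type introduced here is the right pattern to extend rather than reusing camera_data_file. Separately, `vndbinder_use(qmmf-webserverd);` and `r_dir_file(qmmf-webserverd, input_device);` carry trailing semicolons that the other macro calls in the file omit.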
+++ b/apq8098_latv/file_contexts @@ -72,6 +72,7 @@ /dev/block/platform/soc/1da4000.ufshc/by-name/mdtp_[ab] u:object_r:mdtp_device:s0 /dev/block/platform/soc/1da4000.ufshc/by-name/mdtpsecapp_[ab] u:object_r:mdtp_device:s0 /dev/block/platform/soc/1da4000.ufshc/by-name/dsp_[ab] u:object_r:custom_ab_block_device:s0 +/dev/block/platform/soc/1da4000.ufshc/by-name/ImageFv_[ab] u:object_r:custom_ab_block_device:s0 # Block device holding the GPT, where the A/B attributes are stored. /dev/block/platform/soc/1da4000.ufshc/sd[ade] u:object_r:gpt_block_device:s0 diff --git a/msm8937/file_contexts b/msm8937/file_contexts index d119cf96..cb9a2e8f 100644 --- a/msm8937/file_contexts +++ b/msm8937/file_contexts @@ -82,6 +82,7 @@ /dev/block/platform/soc/7824900.sdhci/by-name/rpm_[ab] u:object_r:custom_ab_block_device:s0 /dev/block/platform/soc/7824900.sdhci/by-name/system_[ab] u:object_r:system_block_device:s0 /dev/block/platform/soc/7824900.sdhci/by-name/tz_[ab] u:object_r:custom_ab_block_device:s0 +/dev/block/platform/soc/7824900.sdhci/by-name/ImageFv_[ab] u:object_r:custom_ab_block_device:s0 /dev/block/platform/soc/7824900.sdhci/by-name/vendor_[ab] u:object_r:system_block_device:s0 /dev/block/platform/soc/7824900.sdhci/by-name/sbl1_[ab] u:object_r:xbl_block_device:s0 diff --git a/msm8953/file_contexts b/msm8953/file_contexts index e7fa97d1..32cef739 100644 --- a/msm8953/file_contexts +++ b/msm8953/file_contexts @@ -83,5 +83,6 @@ /dev/block/platform/soc/7824900.sdhci/by-name/rpm_[ab] u:object_r:custom_ab_block_device:s0 /dev/block/platform/soc/7824900.sdhci/by-name/system_[ab] u:object_r:system_block_device:s0 /dev/block/platform/soc/7824900.sdhci/by-name/tz_[ab] u:object_r:custom_ab_block_device:s0 +/dev/block/platform/soc/7824900.sdhci/by-name/ImageFv_[ab] u:object_r:custom_ab_block_device:s0 /dev/block/platform/soc/7824900.sdhci/by-name/vendor_[ab] u:object_r:system_block_device:s0 /dev/block/platform/soc/7824900.sdhci/by-name/sbl1_[ab] u:object_r:xbl_block_device:s0 
diff --git a/msm8996/file_contexts b/msm8996/file_contexts index 591522aa..dd470338 100644 --- a/msm8996/file_contexts +++ b/msm8996/file_contexts @@ -132,6 +132,7 @@ /dev/block/platform/soc/7464900.sdhci/by-name/rpm_[ab] u:object_r:custom_ab_block_device:s0 /dev/block/platform/soc/7464900.sdhci/by-name/system_[ab] u:object_r:system_block_device:s0 /dev/block/platform/soc/7464900.sdhci/by-name/tz_[ab] u:object_r:custom_ab_block_device:s0 +/dev/block/platform/soc/7464900.sdhci/by-name/ImageFv_[ab] u:object_r:custom_ab_block_device:s0 /dev/block/platform/soc/7464900.sdhci/by-name/vendor_[ab] u:object_r:system_block_device:s0 /dev/block/platform/soc/7464900.sdhci/by-name/xbl_[ab] u:object_r:xbl_block_device:s0 @@ -151,6 +152,7 @@ /dev/block/platform/soc/624000.ufshc/by-name/rpm_[ab] u:object_r:custom_ab_block_device:s0 /dev/block/platform/soc/624000.ufshc/by-name/system_[ab] u:object_r:system_block_device:s0 /dev/block/platform/soc/624000.ufshc/by-name/tz_[ab] u:object_r:custom_ab_block_device:s0 +/dev/block/platform/soc/624000.ufshc/by-name/ImageFv_[ab] u:object_r:custom_ab_block_device:s0 /dev/block/platform/soc/624000.ufshc/by-name/vendor_[ab] u:object_r:system_block_device:s0 /dev/block/platform/soc/624000.ufshc/by-name/xbl_[ab] u:object_r:xbl_block_device:s0 diff --git a/msm8998/file_contexts b/msm8998/file_contexts index c7c92ef7..d8a7e66c 100644 --- a/msm8998/file_contexts +++ b/msm8998/file_contexts @@ -70,6 +70,7 @@ /dev/block/platform/soc/1da4000.ufshc/by-name/mdtp_[ab] u:object_r:mdtp_device:s0 /dev/block/platform/soc/1da4000.ufshc/by-name/mdtpsecapp_[ab] u:object_r:mdtp_device:s0 /dev/block/platform/soc/1da4000.ufshc/by-name/dsp_[ab] u:object_r:custom_ab_block_device:s0 +/dev/block/platform/soc/1da4000.ufshc/by-name/ImageFv_[ab] u:object_r:custom_ab_block_device:s0 # Block device holding the GPT, where the A/B attributes are stored. /dev/block/platform/soc/1da4000.ufshc/sd[ade] u:object_r:gpt_block_device:s0 
diff --git a/qcs605/file_contexts b/qcs605/file_contexts index 2ecfe880..e6e02e37 100644 --- a/qcs605/file_contexts +++ b/qcs605/file_contexts @@ -80,6 +80,7 @@ /dev/block/platform/soc/1d84000.ufshc/by-name/qupfw_[ab] u:object_r:custom_ab_block_device:s0 /dev/block/platform/soc/1d84000.ufshc/by-name/xbl_config_[ab] u:object_r:custom_ab_block_device:s0 /dev/block/platform/soc/1d84000.ufshc/by-name/storsec_[ab] u:object_r:custom_ab_block_device:s0 +/dev/block/platform/soc/1d84000.ufshc/by-name/ImageFv_[ab] u:object_r:custom_ab_block_device:s0 #for eMMC # A/B partitions. @@ -109,6 +110,7 @@ /dev/block/platform/soc/7c4000.sdhci/by-name/qupfw_[ab] u:object_r:custom_ab_block_device:s0 /dev/block/platform/soc/7c4000.sdhci/by-name/xbl_config_[ab] u:object_r:custom_ab_block_device:s0 /dev/block/platform/soc/7c4000.sdhci/by-name/storsec_[ab] u:object_r:custom_ab_block_device:s0 +/dev/block/platform/soc/7c4000.sdhci/by-name/ImageFv_[ab] u:object_r:custom_ab_block_device:s0 #non A/B /dev/block/platform/soc/7c4000.sdhci/by-name/system u:object_r:system_block_device:s0 diff --git a/sdm660/file_contexts b/sdm660/file_contexts index 042bf6e0..f0972327 100644 --- a/sdm660/file_contexts +++ b/sdm660/file_contexts @@ -107,6 +107,7 @@ /dev/block/platform/soc/c0c4000.sdhci/by-name/rpm_[ab] u:object_r:custom_ab_block_device:s0 /dev/block/platform/soc/c0c4000.sdhci/by-name/system_[ab] u:object_r:system_block_device:s0 /dev/block/platform/soc/c0c4000.sdhci/by-name/tz_[ab] u:object_r:custom_ab_block_device:s0 +/dev/block/platform/soc/c0c4000.sdhci/by-name/ImageFv_[ab] u:object_r:custom_ab_block_device:s0 /dev/block/platform/soc/c0c4000.sdhci/by-name/vendor_[ab] u:object_r:system_block_device:s0 /dev/block/platform/soc/c0c4000.sdhci/by-name/xbl_[ab] u:object_r:xbl_block_device:s0 
@@ -129,6 +130,7 @@ /dev/block/platform/soc/1da4000.ufshc/by-name/rpm_[ab] u:object_r:custom_ab_block_device:s0 /dev/block/platform/soc/1da4000.ufshc/by-name/system_[ab] u:object_r:system_block_device:s0 /dev/block/platform/soc/1da4000.ufshc/by-name/tz_[ab] u:object_r:custom_ab_block_device:s0 +/dev/block/platform/soc/1da4000.ufshc/by-name/ImageFv_[ab] u:object_r:custom_ab_block_device:s0 /dev/block/platform/soc/1da4000.ufshc/by-name/vendor_[ab] u:object_r:system_block_device:s0 /dev/block/platform/soc/1da4000.ufshc/by-name/xbl_[ab] u:object_r:xbl_block_device:s0 diff --git a/sdm670/file_contexts b/sdm670/file_contexts index af38f8bc..ade87276 100644 --- a/sdm670/file_contexts +++ b/sdm670/file_contexts @@ -80,6 +80,7 @@ /dev/block/platform/soc/1d84000.ufshc/by-name/qupfw_[ab] u:object_r:custom_ab_block_device:s0 /dev/block/platform/soc/1d84000.ufshc/by-name/xbl_config_[ab] u:object_r:custom_ab_block_device:s0 /dev/block/platform/soc/1d84000.ufshc/by-name/storsec_[ab] u:object_r:custom_ab_block_device:s0 +/dev/block/platform/soc/1d84000.ufshc/by-name/ImageFv_[ab] u:object_r:custom_ab_block_device:s0 #for eMMC # A/B partitions. @@ -109,6 +110,7 @@ /dev/block/platform/soc/7c4000.sdhci/by-name/qupfw_[ab] u:object_r:custom_ab_block_device:s0 /dev/block/platform/soc/7c4000.sdhci/by-name/xbl_config_[ab] u:object_r:custom_ab_block_device:s0 /dev/block/platform/soc/7c4000.sdhci/by-name/storsec_[ab] u:object_r:custom_ab_block_device:s0 +/dev/block/platform/soc/7c4000.sdhci/by-name/ImageFv_[ab] u:object_r:custom_ab_block_device:s0 #non A/B /dev/block/platform/soc/7c4000.sdhci/by-name/system u:object_r:system_block_device:s0 diff --git a/sdm845/file_contexts b/sdm845/file_contexts index 256c53c9..f597ab87 100644 --- a/sdm845/file_contexts +++ b/sdm845/file_contexts 
@@ -76,6 +76,7 @@ /dev/block/platform/soc/1d84000.ufshc/by-name/qupfw_[ab] u:object_r:custom_ab_block_device:s0 /dev/block/platform/soc/1d84000.ufshc/by-name/xbl_config_[ab] u:object_r:custom_ab_block_device:s0 /dev/block/platform/soc/1d84000.ufshc/by-name/storsec_[ab] u:object_r:custom_ab_block_device:s0 +/dev/block/platform/soc/1d84000.ufshc/by-name/ImageFv_[ab] u:object_r:custom_ab_block_device:s0 # Block device holding the GPT, where the A/B attributes are stored. /dev/block/platform/soc/1d84000.ufshc/sd[ade] u:object_r:gpt_block_device:s0 -- cgit v1.2.3