From d316c27a3c1a251d28dbf010a08e413711ada61b Mon Sep 17 00:00:00 2001 From: taozhang Date: Mon, 15 Aug 2016 11:00:23 +0800 Subject: common: Add SELinux policy for Android N fastmmi Add SELinux policy for Android N fastmmi WIFI case need new policy CRs-Fixed: 1050368 Change-Id: I4548c0bec2192e7f182739289b8d8c51ac0dbbf8 --- common/mmi.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/common/mmi.te b/common/mmi.te index 05a00828..56b2be94 100755 --- a/common/mmi.te +++ b/common/mmi.te @@ -45,6 +45,8 @@ allow mmi wpa_exec:file rx_file_perms; allow mmi wcnss_service_exec:file rx_file_perms; allow mmi kernel:key search; allow mmi kernel:system module_request; +allow mmi toolbox_exec:file rx_file_perms; +allow mmi system_file:system module_load; #audio case allow mmi audio_device:dir r_dir_perms; -- cgit v1.2.3 From d0f871f32ba8fe92beabbdd2b8b01f9f4f6bca54 Mon Sep 17 00:00:00 2001 From: Brahmaji K Date: Tue, 13 Sep 2016 17:12:11 +0530 Subject: sepolicy: Add rule to have permissions to cache recovery file Add selinux rules to have permissions to create, read and write permissions to /cache/recovery/command file, which is required to wipe the data when maximum wrong attempts of password reached. CRs-fixed: 1042922 Change-Id: I999815c1771583ba495a078cf333302bdef6ca5d --- common/vold.te | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/common/vold.te b/common/vold.te index 08476cf3..48411ebf 100755 --- a/common/vold.te +++ b/common/vold.te @@ -2,6 +2,11 @@ allow vold tee_device:chr_file rw_file_perms; allow vold self:capability sys_boot; allow vold cache_file:dir w_dir_perms; allow vold { fscklogs cache_file }:file create_file_perms; + +# Read and write /cache/recovery/command +allow vold cache_recovery_file:dir rw_dir_perms; +allow vold cache_recovery_file:file create_file_perms; + allow vold { proc_sysrq proc_dirty_ratio }:file rw_file_perms; wakelock_use(vold) allow vold swap_block_device:blk_file r_file_perms; -- cgit v1.2.3 From 8f5cc18ea709d6d938ea62752b3bb695063f4bf0 Mon Sep 17 00:00:00 2001 From: Jonathan Wicks Date: Tue, 13 Sep 2016 20:25:42 -0600 Subject: sepolicy: allow init script to read GPU frequencies sysfs node init script will read GPU frequencies from sysfs node and copy the values to a system property to allow 3rd party apps that rely on these frequencies to still work. CRs-Fixed: 1066935 Change-Id: I0bb0f5e8e060090b0bc470a7113b23ce8cc4a964 --- common/file.te | 3 +++ common/init_shell.te | 3 +++ common/property_contexts | 2 ++ msm8996/file_contexts | 2 ++ 4 files changed, 10 insertions(+) diff --git a/common/file.te b/common/file.te index 29d6a721..2d31a6d4 100644 --- a/common/file.te +++ b/common/file.te @@ -203,3 +203,6 @@ type wififtmd_socket, file_type; type persist_alarm_file, file_type; type persist_time_file, file_type; + +# kgsl file type for sysfs access +type sysfs_kgsl, sysfs_type, fs_type; diff --git a/common/init_shell.te b/common/init_shell.te index bc88f3b1..ccd806c0 100644 --- a/common/init_shell.te +++ b/common/init_shell.te @@ -188,3 +188,6 @@ allow qti_init_shell persist_alarm_file:file r_file_perms; #Allow /sys access to write zram disksize allow qti_init_shell sysfs_zram:dir r_dir_perms; allow qti_init_shell sysfs_zram:file w_file_perms; + +# To get GPU frequencies +allow qti_init_shell sysfs_kgsl:file r_file_perms; diff --git a/common/property_contexts b/common/property_contexts index ea5bbda5..487bbd61 100755 --- a/common/property_contexts +++ b/common/property_contexts @@ -84,3 +84,5 @@ ro.hwui.texture_cache_size u:object_r:hwui_prop:s0 persist.graphics.vulkan.disable u:object_r:graphics_vulkan_prop:s0 #boot mode property sys.boot_mode u:object_r:boot_mode_prop:s0 +# GPU +ro.gpu.available_frequencies u:object_r:freq_prop:s0 diff --git a/msm8996/file_contexts b/msm8996/file_contexts index 02618e09..6c3e83bd 100644 --- a/msm8996/file_contexts +++ b/msm8996/file_contexts @@ -96,6 +96,8 @@ # /sys/devices/virtual/graphics/fb([0-2])+/lineptr_value u:object_r:sysfs_graphics:s0 +/sys/devices/soc/b00000.qcom,kgsl-3d0/kgsl/kgsl-3d0/gpu_available_frequencies u:object_r:sysfs_kgsl:s0 + ################################### # data files # -- cgit v1.2.3 From 34d2f3dfeb11a0bdf43c124acf10fe2c1590b4ef Mon Sep 17 00:00:00 2001 From: Garmond Leung Date: Mon, 19 Sep 2016 11:47:54 -0700 Subject: voiceprint: update configuration to address permission issue Some configurations were missing from the current te file Change-Id: I2772dc300bb3cfdbe39a5bede8d653aa35eea14a CRs-Fixed: 1066977 --- msmcobalt/qvop.te | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/msmcobalt/qvop.te b/msmcobalt/qvop.te index 47b61b31..ce69fa4d 100644 --- a/msmcobalt/qvop.te +++ b/msmcobalt/qvop.te @@ -41,4 +41,6 @@ allow qvop iqvop_service:service_manager add; binder_use(qvop) allow qvop tee_device:chr_file rw_file_perms; -r_dir_file(qvop, firmware_file) \ No newline at end of file +r_dir_file(qvop, firmware_file) + +allow qvop ion_device:chr_file r_file_perms; \ No newline at end of file -- cgit v1.2.3 From 0f2093fa6c7b750477f7aa10266cc11e26a2dc37 Mon Sep 17 00:00:00 2001 From: Nikhilesh Reddy Date: Mon, 19 Sep 2016 15:18:27 -0700 Subject: sepolicy: Update rmt_storage and rfs_access Update the rmt_storage and rfs_access policy to add: 1) Write perms to the kmsg device 2) Capability net_bind_service CRs-Fixed: 1068549 Change-Id: I3d107cf871645383d0f7de548f0d55515dd7240e --- common/rfs_access.te | 4 ++++ common/rmt_storage.te | 4 ++++ 2 files changed, 8 insertions(+) diff --git a/common/rfs_access.te b/common/rfs_access.te index 69c14e65..318fffc1 100644 --- a/common/rfs_access.te +++ b/common/rfs_access.te @@ -53,6 +53,7 @@ allow rfs_access self:capability { setuid setgid setpcap + net_bind_service net_raw }; @@ -62,6 +63,9 @@ allow rfs_access self:capability { allow rfs_access self:capability { dac_read_search chown dac_override }; +#For access to the kmsg device +allow rfs_access kmsg_device:chr_file w_file_perms; + #Prevent other domains from accessing RFS data files. neverallow { domain -rfs_access -kernel -recovery -init userdebug_or_eng(`-su') -qti_init_shell } rfs_file:dir create_dir_perms; neverallow { domain -rfs_access -kernel -recovery -init userdebug_or_eng(`-su') -qti_init_shell } rfs_file:file create_file_perms; diff --git a/common/rmt_storage.te b/common/rmt_storage.te index 6b43ae07..f043becc 100644 --- a/common/rmt_storage.te +++ b/common/rmt_storage.te @@ -18,6 +18,7 @@ allow rmt_storage self:capability { setgid sys_admin dac_override + net_bind_service net_raw setpcap }; @@ -32,6 +33,9 @@ wakelock_use(rmt_storage) allow rmt_storage self:socket create_socket_perms; allow rmt_storage uio_device:chr_file rw_file_perms; +#For access to the kmsg device +allow rmt_storage kmsg_device:chr_file w_file_perms; + #debugfs access userdebug_or_eng(` typeattribute rmt_storage qti_debugfs_domain; -- cgit v1.2.3 From d03e52e97336845afe16951f20fc49aca8acbee5 Mon Sep 17 00:00:00 2001 From: Swetha Chikkaboraiah Date: Mon, 19 Sep 2016 14:40:34 +0530 Subject: selinux: restorecon interactive sysfs files before use Interactive files in sysfs receives the default sysfs type. Allow int_shell-sh domain to restorecon these to sysfs_devices_system_cpu. Change-Id: Ia0cfce4e3c00e4ad67c13a1a3f37e82e8435a2ab --- common/init_shell.te | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/common/init_shell.te b/common/init_shell.te index ccd806c0..487caf05 100644 --- a/common/init_shell.te +++ b/common/init_shell.te @@ -116,7 +116,8 @@ allow qti_init_shell { r_dir_file(qti_init_shell, sysfs_thermal) allow qti_init_shell sysfs_socinfo:file write; - +allow qti_init_shell sysfs:{ dir file lnk_file } relabelfrom; +allow qti_init_shell sysfs_devices_system_cpu: { dir file lnk_file } relabelto; # Check if /dev/sensors or /dev/msm_dsps present allow qti_init_shell sensors_data_file:dir r_dir_perms; allow qti_init_shell sensors_device:chr_file r_file_perms; -- cgit v1.2.3 From 10408aa7698d75a8a0a2f4817576ff4761ffc807 Mon Sep 17 00:00:00 2001 From: Ameya Thakur Date: Tue, 20 Sep 2016 18:06:09 -0700 Subject: common: Remove the references to misc_device AOSP now defines the misc partition with it's own label. Removing references to the older one from the internal sepolicy files. CRs-Fixed: 1069576 Change-Id: I4c29491abef1f235a190bcd1e157aec406fac2fa --- common/device.te | 3 --- common/mmi.te | 3 --- common/qcomsysd.te | 1 - msmcobalt/file_contexts | 2 +- 4 files changed, 1 insertion(+), 8 deletions(-) diff --git a/common/device.te b/common/device.te index f1997642..362be377 100644 --- a/common/device.te +++ b/common/device.te @@ -69,9 +69,6 @@ type efs_boot_dev, dev_type; #MBA debug image partition type mba_debug_dev, dev_type; -#Misc partition -type misc_partition, dev_type; - #logdump partition type logdump_partition, dev_type; diff --git a/common/mmi.te b/common/mmi.te index 56b2be94..92e1ebcd 100755 --- a/common/mmi.te +++ b/common/mmi.te @@ -36,9 +36,6 @@ allow mmi persist_file:dir r_dir_perms; allow mmi sensors_persist_file:dir create_dir_perms; allow mmi sensors_persist_file:file create_file_perms; -#allow mmi operation on MISC partition -allow mmi misc_partition:blk_file w_file_perms; - #wifi case allow mmi system_file:file x_file_perms; allow mmi wpa_exec:file rx_file_perms; diff --git a/common/qcomsysd.te b/common/qcomsysd.te index 2dbd2cbc..c1257cb8 100644 --- a/common/qcomsysd.te +++ b/common/qcomsysd.te @@ -10,7 +10,6 @@ allow qcomsysd smem_log_device:chr_file rw_file_perms; #Needed to read/write cookies to the misc partition allow qcomsysd block_device:dir r_dir_perms; allow qcomsysd { - misc_partition #Needed to access the bootselect partition bootselect_device }:blk_file rw_file_perms; diff --git a/msmcobalt/file_contexts b/msmcobalt/file_contexts index 0a29e092..6d9ea862 100644 --- a/msmcobalt/file_contexts +++ b/msmcobalt/file_contexts @@ -37,7 +37,7 @@ /dev/block/platform/soc/1da4000.ufshc/by-name/modemst1 u:object_r:modem_efs_partition_device:s0 /dev/block/platform/soc/1da4000.ufshc/by-name/modemst2 u:object_r:modem_efs_partition_device:s0 /dev/block/platform/soc/1da4000.ufshc/by-name/ssd u:object_r:ssd_device:s0 -/dev/block/platform/soc/1da4000.ufshc/by-name/misc u:object_r:misc_partition:s0 +/dev/block/platform/soc/1da4000.ufshc/by-name/misc u:object_r:misc_block_device:s0 /dev/block/platform/soc/1da4000.ufshc/by-name/rpm u:object_r:rpmb_device:s0 /dev/block/platform/soc/1da4000.ufshc/by-name/msadp u:object_r:mba_debug_dev:s0 /dev/block/platform/soc/1da4000.ufshc/by-name/recovery u:object_r:recovery_block_device:s0 -- cgit v1.2.3 From 01e74c0236bd12b4193d24aed7f19ec139e4bfbf Mon Sep 17 00:00:00 2001 From: Sanjay Singh Date: Thu, 22 Sep 2016 16:04:49 +0530 Subject: Sepolicy: Allow mediaserver to access media_settings_xml_prop mediaserver should be able to access media_settings_xml_prop. change-Id: Ia099814177b7be00109c6a5cf5417317376b8ca0 --- msm8952/mediaserver.te | 3 +++ msm8952/property.te | 2 +- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/msm8952/mediaserver.te b/msm8952/mediaserver.te index 0f88a051..5bd54323 100644 --- a/msm8952/mediaserver.te +++ b/msm8952/mediaserver.te @@ -27,3 +27,6 @@ # allow mediaserver to access media.msm8956hw allow mediaserver media_msm8956hw_prop:file r_file_perms; +allow mediaserver media_settings_xml_prop:file r_file_perms; +allow mediaserver seempd:unix_dgram_socket sendto; +allow mediaserver seempdw_socket:sock_file write; diff --git a/msm8952/property.te b/msm8952/property.te index 9b93f862..2cfa17e8 100644 --- a/msm8952/property.te +++ b/msm8952/property.te @@ -27,5 +27,5 @@ #properites for init.qcom.sh script type media_msm8956hw_prop, property_type; -type media_settings_xml_prop, property_type; +type media_settings_xml_prop, property_type, core_property_type; type media_msm8956_version_prop, property_type; -- cgit v1.2.3 From a4d03d9174386fadf9bef3903410658246d8625e Mon Sep 17 00:00:00 2001 From: Amir Samuelov Date: Sat, 24 Sep 2016 07:31:41 +0300 Subject: sepolicy: restore persist-time file It was accidentally removed, so restore it for time daemon. CRs-Fixed: 1070511 Change-Id: Ic618467a6c219828041c3f47d7696dca47cf62f4 --- common/file_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/common/file_contexts b/common/file_contexts index d27f2981..54d1c0e4 100644 --- a/common/file_contexts +++ b/common/file_contexts @@ -351,6 +351,7 @@ /persist/drm(/.*)? u:object_r:persist_drm_file:s0 /persist/sensors(/.*)? u:object_r:sensors_persist_file:s0 /persist/alarm(/.*)? u:object_r:persist_alarm_file:s0 +/persist/time(/.*)? u:object_r:persist_time_file:s0 /persist/data(/.*)? u:object_r:persist_drm_file:s0 /persist/data/tz(/.*)? u:object_r:persist_drm_file:s0 /persist/data/sfs(/.*)? u:object_r:persist_drm_file:s0 -- cgit v1.2.3 From 8a64f1bc5d0bda143ac23576e6f4c28dc29236d1 Mon Sep 17 00:00:00 2001 From: vaibhav bhalla Date: Mon, 9 Nov 2015 23:59:42 +0530 Subject: sepolicy: Add set property permission for irq balance Sepolicy changes needed on new OS to support IRQ Balance. This property need to set during early boot. CRs-Fixed: 936950 Change-Id: Ia4b0bd9d8a24b596ff6186501378a031112e33d2 --- common/property_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/common/property_contexts b/common/property_contexts index 487bbd61..bb4720d9 100755 --- a/common/property_contexts +++ b/common/property_contexts @@ -46,6 +46,7 @@ ctl.ipacm-diag u:object_r:ipacm-diag_prop:s0 ctl.qti u:object_r:qti_prop:s0 ctl.sensors u:object_r:sensors_prop:s0 ctl.msm_irqbalance u:object_r:msm_irqbalance_prop:s0 +ctl.msm_irqbal_lb u:object_r:msm_irqbalance_prop:s0 camera. u:object_r:camera_prop:s0 persist.camera. u:object_r:camera_prop:s0 spcomlib. u:object_r:spcomlib_prop:s0 -- cgit v1.2.3 From 992e1f7060bd2373afd1bc342b7d657f99362390 Mon Sep 17 00:00:00 2001 From: Ameya Thakur Date: Thu, 22 Sep 2016 16:26:35 -0700 Subject: msmcobalt: file_context: Add file context for non-hlos mount points The non-hlos mount points(/firmware and /bt_firmware) are now built as a part of the image rather than being created on the fly. Adding the labels for both of them here. Also added a rule to allow init to mount the non-hlos partitions on the same. Change-Id: Idb2bf7cb3894421ef78354cb965e7fbb77627172 --- common/init.te | 4 ++++ msmcobalt/file_contexts | 5 +++++ 2 files changed, 9 insertions(+) diff --git a/common/init.te b/common/init.te index 02d804cd..6cde24b0 100644 --- a/common/init.te +++ b/common/init.te @@ -27,3 +27,7 @@ allow init { domain -lmkd }:process noatsecure; allow init configfs:dir r_dir_perms; allow init configfs:file { rw_file_perms link }; allow init configfs:lnk_file create_file_perms; + +#Allow init to mount non-hlos partitions in A/B builds +allow init firmware_file:dir { mounton }; +allow init bt_firmware_file:dir { mounton }; diff --git a/msmcobalt/file_contexts b/msmcobalt/file_contexts index 0a29e092..c22e4a62 100644 --- a/msmcobalt/file_contexts +++ b/msmcobalt/file_contexts @@ -55,3 +55,8 @@ # data files # /data/misc/qvop(/.*)? u:object_r:qvop_data_file:s0 + +################################## +# non-hlos mount points +/firmware u:object_r:firmware_file:s0 +/bt_firmware u:object_r:bt_firmware_file:s0 -- cgit v1.2.3 From 894035f3315543549a1981e60295d6c707e163d7 Mon Sep 17 00:00:00 2001 From: Dante Russo Date: Fri, 16 Sep 2016 15:03:10 -0700 Subject: Permissions needed for LOWI To use a per-interface socket during Plug-Fest ANQP testing CRs-fixed: 994517 Change-Id: Ie15eece2cde55b921f976fc9f369333ea9e8efc1 --- common/location.te | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/common/location.te b/common/location.te index 393bae60..a72adc11 100644 --- a/common/location.te +++ b/common/location.te @@ -41,7 +41,11 @@ allow location sensors_persist_file:dir r_dir_perms; allow location sensors_persist_file:file r_file_perms; #wifi -allow location wifi_data_file:dir r_dir_perms; +userdebug_or_eng(` +allow location wifi_data_file:dir create_dir_perms; +allow location wifi_data_file:sock_file create_file_perms; +allow location su:unix_dgram_socket sendto; +') unix_socket_send(wpa, location, location) allow location wpa:unix_dgram_socket sendto; allow location wpa_socket:dir rw_dir_perms; -- cgit v1.2.3 From f043009b151c298ba1c90d5a2e4588d61e4ccf6b Mon Sep 17 00:00:00 2001 From: Zhao Fan Date: Fri, 30 Sep 2016 16:27:27 +0800 Subject: Allow apps to find imscm service Apps fails to connect to imscm service. Allow it to find imscm service Change-Id: I39c7b4b81ce0ebc91abe14fc153088e710d195fa CRs-Fixed: 1073791 --- common/platform_app.te | 2 +- common/system_app.te | 1 + common/untrusted_app.te | 1 + 3 files changed, 3 insertions(+), 1 deletion(-) diff --git a/common/platform_app.te b/common/platform_app.te index bc558e90..0dd94ddc 100644 --- a/common/platform_app.te +++ b/common/platform_app.te @@ -10,7 +10,7 @@ binder_call(platform_app, secotad) # Allow platform apps to interact with imscm daemon binder_call(platform_app, imscm) - +allow platform_app imscm_service:service_manager find; allow platform_app color_service:service_manager find; # Allow NFC service to be found diff --git a/common/system_app.te b/common/system_app.te index 255e5664..01d999af 100644 --- a/common/system_app.te +++ b/common/system_app.te @@ -100,6 +100,7 @@ binder_call(system_app, secotad) # allow system_app to interact with imscm daemon binder_call(system_app, imscm) +allow system_app imscm_service:service_manager find; # access to seemp folder allow system_app seemp_file:dir r_dir_perms; diff --git a/common/untrusted_app.te b/common/untrusted_app.te index c2b75d54..8f6d10b7 100644 --- a/common/untrusted_app.te +++ b/common/untrusted_app.te @@ -9,6 +9,7 @@ neverallow untrusted_app diag_device:chr_file rw_file_perms; # using binder call userdebug_or_eng(` binder_call(untrusted_app, imscm) + allow untrusted_app imscm_service:service_manager find; ') # for finding wbc_service -- cgit v1.2.3