From b59ff09e910a88249ebba8fba6c2054b16642aea Mon Sep 17 00:00:00 2001 
From: Subash Abhinov Kasiviswanathan Date: Wed, 12 Nov 2014 12:31:11 -0700 Subject: sepolicy: Allow clients of netmgrd read access to netmgrd stat file rild and location services - which are clients of netmgrd, needs to have unicast netlink message communication with netmgrd. For this, it needs to obtain the pid of the netmgrd. To determine the pid of netmgrd, rild needs access to parse through the proc file system and find the entry corresponding to netmgrd. Fix denials faced while accessing the various files corresponding to the processes in proc. [ 78.653558] type=1400 audit(2567.649:197): avc: denied { search } for pid=1190 comm="rild" name="1" dev="proc" ino=11739 scontext=u:r:rild:s0 tcontext=u:r:init:s0 tclass=dir permissive=0 [ 72.888233] type=1400 audit(1548.919:122): avc: denied { read } for pid=1181 comm="rild" name="stat" dev="proc" ino=14756 scontext=u:r:rild:s0 tcontext=u:r:init:s0 tclass=file permissive=0 [ 66.428453] type=1400 audit(2167.259:82): avc: denied { open } for pid=1183 comm="rild" path="/proc/1/stat" dev="proc" ino=4086 scontext=u:r:rild:s0 tcontext=u:r:init:s0 tclass=file permissive=0 [ 124.895876] type=1400 audit(2587.889:125): avc: denied { getattr } for pid=1164 comm="rild" path="/proc/1/stat" dev="proc" ino=25356 scontext=u:r:rild:s0 tcontext=u:r:init:s0 tclass=file permissive=0 [ 124.897171] type=1400 audit(2587.889:1257): avc: denied { search } for pid=1164 comm="rild" name="2" dev="proc" ino=25252 scontext=u:r:rild:s0 tcontext=u:r:kernel:s0 tclass=dir permissive=0 [ 96.631049] type=1400 audit(3925.959:261): avc: denied { search } for pid=1176 comm="rild" name="297" dev="proc" ino=10500 scontext=u:r:rild:s0 tcontext=u:r:ueventd:s0 tclass=dir permissive=0 Allow these domains access to the proc stat files of netmgrd while silently denying access to all other files. Change-Id: I8d0d09cb9e85fdfa898f19a9eafe9ddaee6c208a --- common/location.te | 3 +++ common/rild.te | 3 +++ 2 files changed, 6 insertions(+) 
diff --git a/common/location.te b/common/location.te index 7d3a6261..5edf1326 100644 --- a/common/location.te +++ b/common/location.te @@ -23,3 +23,6 @@ allow location sensors:unix_stream_socket connectto; allow location sensors_device:chr_file r_file_perms; allow location sensors_socket:sock_file w_file_perms; allow location self:netlink_socket create_socket_perms; + +dontaudit location domain:dir r_dir_perms; +r_dir_file(location, netmgrd) diff --git a/common/rild.te b/common/rild.te index 73631c0d..54f2dd98 100644 --- a/common/rild.te +++ b/common/rild.te @@ -21,3 +21,6 @@ allow rild sysfs_ssr:lnk_file read; allow rild system_data_file:dir w_dir_perms; allow rild system_data_file:file create_file_perms; allow rild time_daemon:unix_stream_socket connectto; + +dontaudit rild domain:dir r_dir_perms; +r_dir_file(rild, netmgrd) -- cgit v1.2.3 From 295b6b9ff9113102a445677e0819bbeadd7921fb Mon Sep 17 00:00:00 2001 From: Samir Mehta Date: Thu, 13 Nov 2014 18:56:50 +0530 Subject: Sepolicy: Fix camera & surface flinger denials Device node were not proper /dev/msm_camera was labelled as audio_device which is wrong and /dev/msm_rotator as well as audio_device, so changing the label to appropriate to fix the false positive denials. Change-Id: I7b3ebbcb9999d794823ee7c0d7cad330d50be02e --- msm8960/file_contexts | 5 +++++ 1 file changed, 5 insertions(+) create mode 100755 msm8960/file_contexts diff --git a/msm8960/file_contexts b/msm8960/file_contexts new file mode 100755 index 00000000..0afaeb4f --- /dev/null +++ b/msm8960/file_contexts @@ -0,0 +1,5 @@ +################################### +# Dev nodes +# +/dev/msm_camera(/.*)? u:object_r:camera_device:s0 +/dev/msm_rotator u:object_r:graphics_device:s0 -- cgit v1.2.3 From 79b9e61a944e8fcdbcdff1a9df23ac93806d6425 Mon Sep 17 00:00:00 2001 
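Review bot: `r_dir_file(location, netmgrd)` in common/location.te, and the matching `r_dir_file(rild, netmgrd)` in common/rild.te, grant more than the "stat file" named in the commit message. Every entry under netmgrd's /proc directory carries the netmgrd label, so the macro opens all of those files and symlinks to both clients, subject to the kernel's other checks. The `dontaudit ... domain:dir r_dir_perms;` lines also suppress every directory-read denial these two domains trigger against any process, which removes those audit records for later triage. Neither line has a comment; I would add `# Scans /proc/<pid> to find netmgrd's pid for unicast netlink; denials on other domains are expected and suppressed` above each pair so the reason for the missing audit records is on record.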
From: Tatenda Chipeperekwa Date: Thu, 13 Nov 2014 12:46:23 -0800 Subject: SEAndroid: Allow mediaserver to access media files for testing Display APT test apps require access to "/data/display-test/media/*" location for test automation. Change-Id: If8b17594d129df119707d8212187c3c0e48ddb8e --- Android.mk | 3 ++- test/file.te | 3 +++ test/file_contexts | 3 +++ test/mediaserver_test.te | 5 +++++ 4 files changed, 13 insertions(+), 1 deletion(-) create mode 100644 test/file.te create mode 100644 test/mediaserver_test.te diff --git a/Android.mk b/Android.mk index 1e6ffbf5..80d9d3bb 100644 --- a/Android.mk +++ b/Android.mk @@ -87,7 +87,8 @@ BOARD_SEPOLICY_UNION := \ wcnss_service.te \ mmi.te \ dhcp.te \ - wfd_app.te + wfd_app.te \ + mediaserver_test.te # Compile sensor pilicy only for SSC targets SSC_TARGET_LIST := apq8084 diff --git a/test/file.te b/test/file.te new file mode 100644 index 00000000..4b8b67d6 --- /dev/null +++ b/test/file.te @@ -0,0 +1,3 @@ +#Define the files written during the operation of mm-pp-daemon +type display_test_media_file, file_type, data_file_type; + diff --git a/test/file_contexts b/test/file_contexts index 95f96496..f41cc3c0 100755 --- a/test/file_contexts +++ b/test/file_contexts @@ -57,3 +57,6 @@ /system/bin/test-fake-ap u:object_r:location_exec:s0 /system/bin/loc_api_app u:object_r:location_exec:s0 /system/bin/test_loc_api_client u:object_r:location_exec:s0 + +#Context for mediaserver +/data/display-tests/media(/.*)? u:object_r:display_test_media_file:s0 diff --git a/test/mediaserver_test.te b/test/mediaserver_test.te new file mode 100644 index 00000000..338e67ba --- /dev/null +++ b/test/mediaserver_test.te @@ -0,0 +1,5 @@ +#Access to media files for testing +userdebug_or_eng(` + allow mediaserver display_test_media_file:dir r_dir_perms; + allow mediaserver display_test_media_file:file r_file_perms; +') -- cgit v1.2.3 From 58636a94e7cd5edcdcdf09ff1e62995e78d2ba39 Mon Sep 17 00:00:00 2001 
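Review bot: The comment on the new type in test/file.te, `#Define the files written during the operation of mm-pp-daemon`, describes a different daemon from the one this type serves. The type is `display_test_media_file`, and the only rules that use it in this commit are the mediaserver read rules in test/mediaserver_test.te. Suggested comment: `# Media files read by mediaserver during display test automation`.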
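Review bot: The path labelled in test/file_contexts is `/data/display-tests/media(/.*)?`, but the commit message says the test apps use "/data/display-test/media/*", so one of the two spellings is wrong. If the directory on the device is `display-test`, this entry never matches, the files keep their default data label, and the new mediaserver rules grant nothing. Please confirm the real path and correct whichever is wrong. The `#Context for mediaserver` comment would also read better as `# Display test media read by mediaserver (userdebug/eng only)`.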
From: Mohan Pallaka Date: Fri, 14 Nov 2014 14:41:22 -0800 Subject: Add secure policies for hbtp Add secure policies for hbtp(host based touch processing) service which uses device nodes through hbtp daemon Change-Id: I6dbd17947b1d6d9d4e8f9c2af6771252783ab8a3 --- Android.mk | 3 ++- common/device.te | 4 ++++ common/file_contexts | 3 +++ common/hbtp.te | 10 ++++++++++ 4 files changed, 19 insertions(+), 1 deletion(-) create mode 100644 common/hbtp.te diff --git a/Android.mk b/Android.mk index 80d9d3bb..7f51d730 100644 --- a/Android.mk +++ b/Android.mk @@ -88,7 +88,8 @@ BOARD_SEPOLICY_UNION := \ mmi.te \ dhcp.te \ wfd_app.te \ - mediaserver_test.te + mediaserver_test.te \ + hbtp.te # Compile sensor pilicy only for SSC targets SSC_TARGET_LIST := apq8084 diff --git a/common/device.te b/common/device.te index 6823ecb6..927cf276 100755 --- a/common/device.te +++ b/common/device.te @@ -78,3 +78,7 @@ type mmc_block_device, dev_type; #Define Gadget serial device type gadget_serial_device, dev_type; + +#Added for hbtp +type bu21150_device, dev_type; +type hbtp_device, dev_type; diff --git a/common/file_contexts b/common/file_contexts index 74356dfb..131eb45f 100755 --- a/common/file_contexts +++ b/common/file_contexts @@ -52,6 +52,8 @@ /dev/dpl_ctrl u:object_r:rmnet_device:s0 /dev/wcnss_ctrl u:object_r:wcnss_device:s0 /dev/wcnss_wlan u:object_r:wcnss_device:s0 +/dev/hbtp_input u:object_r:hbtp_device:s0 +/dev/jdi-bu21150 u:object_r:bu21150_device:s0 ################################### # Dev socket nodes @@ -152,6 +154,7 @@ /system/vendor/bin/slim_ap_daemon u:object_r:location_exec:s0 /system/vendor/bin/qti u:object_r:qti_exec:s0 /system/bin/wcnss_service u:object_r:wcnss_service_exec:s0 +/system/vendor/bin/hbtp_daemon u:object_r:hbtp_exec:s0 ################################### # sysfs files diff --git a/common/hbtp.te b/common/hbtp.te new file mode 100644 index 00000000..08f5901f --- /dev/null +++ b/common/hbtp.te 
@@ -0,0 +1,10 @@ +# Policies for hbtp (host based touch processing) +type hbtp, domain; +type hbtp_exec, exec_type, file_type; + +init_daemon_domain(hbtp) + +# Allow access for /dev/hbtp_input and /dev/jdi-bu21150 +allow hbtp hbtp_device:chr_file rw_file_perms; +allow hbtp bu21150_device:chr_file rw_file_perms; + -- cgit v1.2.3 From 7bdce646e7ce6ef4fc75fbb99ef320371b7e63d9 Mon Sep 17 00:00:00 2001 From: Satya Durga Srinivasu Prabhala Date: Mon, 17 Nov 2014 17:08:36 -0800 Subject: sepolicy: sensors: add net_bind_service capability sensor daemon needs net_bind_service capability to work on top of QMI. Change-Id: Iaa6b3ab80774353f6cf2f5a42f4bfea0590bf14b --- common/sensors.te | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/common/sensors.te b/common/sensors.te index ef4abad4..f71c4444 100644 --- a/common/sensors.te +++ b/common/sensors.te @@ -14,7 +14,7 @@ allow sensors self:capability chown; dontaudit sensors self:capability fsetid; # Access /data/misc/sensors/debug and /data/system/sensors/settings -allow sensors self:capability { dac_override dac_read_search }; +allow sensors self:capability { dac_override dac_read_search net_bind_service }; # Sensors socket allow sensors sensors_socket:sock_file create_file_perms; -- cgit v1.2.3 From 99e09577c3e9bbe0ed58f8d3e808b7cf4bf3ad8e Mon Sep 17 00:00:00 2001 From: Katish Paran Date: Wed, 19 Nov 2014 11:32:18 +0530 Subject: sepolicy: Update policy for time daemon This patch updates the socket permission for time-daemon. Change-Id: Ifc7d377585e9699a21ed569fe0402de35992c13b --- common/system_app.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/common/system_app.te b/common/system_app.te index 0a4238a0..3cb20080 100644 --- a/common/system_app.te +++ b/common/system_app.te 
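Review bot: In common/sensors.te, `net_bind_service` has been appended to the set under the comment `# Access /data/misc/sensors/debug and /data/system/sensors/settings`, which explains only the two DAC capabilities. A later reader auditing that line will not see why a networking capability is there. I would keep the original line unchanged and add a separate `# QMI transport needs to bind a privileged port` followed by `allow sensors self:capability net_bind_service;`. The hunk does not show which socket family is involved, so that wording should be checked against the daemon.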
@@ -26,3 +26,6 @@ allow system_app bluetooth:unix_stream_socket ioctl; # access to tee domain allow system_app tee:unix_dgram_socket sendto; + +# access to time_daemon +allow system_app time_daemon:unix_stream_socket connectto; -- cgit v1.2.3 From 39bed8c5431a97d296a292090848c4c3c832c326 Mon Sep 17 00:00:00 2001 From: Rajshekar Eashwarappa Date: Wed, 19 Nov 2014 15:57:26 +0530 Subject: Sepolicy : Added dac_override to qcomsysd.te dac_override is added to self capabilities of qcom-system-daemon. Change-Id: I110c0159a921d75d639abac6ce3df2ac13578a2e --- common/qcomsysd.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/common/qcomsysd.te b/common/qcomsysd.te index 7b786da4..f9c29166 100644 --- a/common/qcomsysd.te +++ b/common/qcomsysd.te @@ -20,3 +20,5 @@ allow qcomsysd bootselect_device:blk_file { open read getattr write }; #Needed to get image info from socinfo allow qcomsysd sysfs_socinfo:dir { open search read }; allow qcomsysd sysfs_socinfo:file { open read write }; + +allow qcomsysd self:capability { dac_override }; -- cgit v1.2.3 From 733050a425e9fbfeaa5f07bfcba0c30795ca7291 Mon Sep 17 00:00:00 2001 From: Ravi Kumar Siddojigari Date: Wed, 19 Nov 2014 17:32:24 +0530 Subject: SEAndroid: Updated vold domain related policy Updated vold domain related policy where it need access to dirty_ratio on proc and update kernel rules where it need access to the blk file on vold device node Change-Id: I0aca64860530d291e4c3a374e82a7d623498aa28 --- Android.mk | 4 +++- common/file.te | 3 +++ common/genfs_contexts | 1 + common/kernel.te | 1 + common/vold.te | 1 + 5 files changed, 9 insertions(+), 1 deletion(-) mode change 100644 => 100755 Android.mk mode change 100644 => 100755 common/file.te mode change 100644 => 100755 common/genfs_contexts create mode 100755 common/kernel.te mode change 100644 => 100755 common/vold.te diff --git a/Android.mk b/Android.mk old mode 100644 new mode 100755 index 7f51d730..4751e663 --- a/Android.mk +++ b/Android.mk 
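Review bot: `allow qcomsysd self:capability { dac_override };` in common/qcomsysd.te is added with no comment, and the commit message only restates the rule, so nothing records which file access needs it. dac_override lets the daemon bypass every discretionary permission check, so the usual fix is to correct the owner, group or mode of the file involved rather than grant the capability. If it has to stay, put the reason next to the rule, for example `# dac_override: <path the daemon must open> is not owned by the qcomsysd uid`, with the real path filled in.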
@@ -89,7 +89,9 @@ BOARD_SEPOLICY_UNION := \ dhcp.te \ wfd_app.te \ mediaserver_test.te \ - hbtp.te + hbtp.te \ + kernel.te \ + vold.te # Compile sensor pilicy only for SSC targets SSC_TARGET_LIST := apq8084 diff --git a/common/file.te b/common/file.te old mode 100644 new mode 100755 index 1e5e53a4..93c6089a --- a/common/file.te +++ b/common/file.te @@ -104,3 +104,6 @@ type ipacm_data_file, file_type; #Define the files written during the operation of mmi type mmi_data_file, file_type, data_file_type; + +#needed by vold +type proc_dirty_ratio, fs_type; diff --git a/common/genfs_contexts b/common/genfs_contexts old mode 100644 new mode 100755 index 201bd78c..f92adbdb --- a/common/genfs_contexts +++ b/common/genfs_contexts @@ -1 +1,2 @@ genfscon proc /asound/card0/state u:object_r:proc_audiod:s0 +genfscon proc /proc/sys/vm/dirty_ratio u:object_r:proc_dirty_ratio:s0 diff --git a/common/kernel.te b/common/kernel.te new file mode 100755 index 00000000..2a9a0831 --- /dev/null +++ b/common/kernel.te @@ -0,0 +1 @@ +allow kernel block_device:blk_file r_file_perms; diff --git a/common/vold.te b/common/vold.te old mode 100644 new mode 100755 index d639d6f5..71b32cd0 --- a/common/vold.te +++ b/common/vold.te @@ -6,3 +6,4 @@ allow vold proc_sysrq:file rw_file_perms; allow vold self:capability sys_boot; allow vold cache_file:dir { write add_name }; allow vold cache_file:file { write create open }; +allow vold proc_dirty_ratio:file rw_file_perms; -- cgit v1.2.3 From 64f8f614a1243f42076b60464e86e46eb76282f2 Mon Sep 17 00:00:00 2001 
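Review bot: The new entry in common/genfs_contexts, `genfscon proc /proc/sys/vm/dirty_ratio ...`, gives the path with a leading `/proc`, but genfscon paths are relative to the root of the named filesystem, as the existing `genfscon proc /asound/card0/state` line in the same file shows. As written the entry most likely never matches, so dirty_ratio keeps its default proc label and the `allow vold proc_dirty_ratio:file rw_file_perms;` rule added in common/vold.te has no effect. The line should read `genfscon proc /sys/vm/dirty_ratio u:object_r:proc_dirty_ratio:s0`.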
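Review bot: The single rule in the new common/kernel.te, `allow kernel block_device:blk_file r_file_perms;`, has no comment and is written against the generic `block_device` type, not against a type specific to the vold-managed node the commit message refers to. That lets the kernel domain read any block node that has not been given a more specific label. If only the vold device is meant, a dedicated type for that node would keep the grant narrow. At minimum add a comment such as `# kernel reads the vold-created block node when mounting it`, adjusted to the denial that was actually observed.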
From: Avijit Kanti Das Date: Thu, 20 Nov 2014 11:55:09 -0800 Subject: Seandroid: Moving connectionmanager policy to common Moving policies related to connection manager to common folder. Change-Id: I9be8a072c8b7fda4cab2e246ec68dbcd8d21f562 --- common/ims.te | 1 + common/service.te | 1 + common/service_contexts | 1 + msm8994/ims.te | 1 - msm8994/service.te | 1 - msm8994/service_contexts | 1 - 6 files changed, 3 insertions(+), 3 deletions(-) delete mode 100644 msm8994/service.te delete mode 100644 msm8994/service_contexts diff --git a/common/ims.te b/common/ims.te index 401ee51d..1a35abe2 100644 --- a/common/ims.te +++ b/common/ims.te @@ -13,3 +13,4 @@ binder_use(ims) unix_socket_connect(ims, property, init) allow ims self:socket { read bind create write ioctl }; allow ims system_prop:property_service set; +allow ims imscm_service:service_manager add; diff --git a/common/service.te b/common/service.te index 3d1689e7..ec90dda1 100644 --- a/common/service.te +++ b/common/service.te @@ -5,3 +5,4 @@ type cne_service, service_manager_type; type wbc_service, service_manager_type; type dun_service, service_manager_type; type digitalpen_service, service_manager_type; +type imscm_service, service_manager_type; diff --git a/common/service_contexts b/common/service_contexts index 16318443..b29e165e 100644 --- a/common/service_contexts +++ b/common/service_contexts @@ -6,3 +6,4 @@ vendor.qcom.PeripheralManager u:object_r:per_mgr_service:s0 wbc_service u:object_r:wbc_service:s0 dun u:object_r:dun_service:s0 DigitalPen u:object_r:digitalpen_service:s0 +qti.ims.connectionmanagerservice u:object_r:imscm_service:s0 diff --git a/msm8994/ims.te b/msm8994/ims.te index 13fad80c..69bd1f3b 100644 --- a/msm8994/ims.te +++ b/msm8994/ims.te @@ -1,3 +1,2 @@ allow ims self:capability net_raw; allow ims self:socket { read bind create write ioctl }; -allow ims imscm_service:service_manager add; diff --git a/msm8994/service.te b/msm8994/service.te deleted file mode 100644 index e3b10477..00000000 
--- a/msm8994/service.te +++ /dev/null @@ -1 +0,0 @@ -type imscm_service, service_manager_type; diff --git a/msm8994/service_contexts b/msm8994/service_contexts deleted file mode 100644 index aa230e63..00000000 --- a/msm8994/service_contexts +++ /dev/null @@ -1 +0,0 @@ -qti.ims.connectionmanagerservice u:object_r:imscm_service:s0 -- cgit v1.2.3 From cfa67e9503d5be3000ead48d8f208c53bfe4a1ca Mon Sep 17 00:00:00 2001 From: Avijit Kanti Das Date: Thu, 20 Nov 2014 17:49:15 -0800 Subject: Seandroid: Adding policies for IMS Adding policy for IMS Change-Id: I65e5ac5c9cf9b110a1fe68ceab1df6fa9814294d --- common/ims.te | 40 ++++++++++++++++++++++++++++++++++------ common/mm-qcamerad.te | 3 +++ common/property.te | 1 + common/property_contexts | 1 + common/radio.te | 3 +++ msm8994/ims.te | 2 -- 6 files changed, 42 insertions(+), 8 deletions(-) delete mode 100644 msm8994/ims.te diff --git a/common/ims.te b/common/ims.te index 1a35abe2..fff18700 100644 --- a/common/ims.te +++ b/common/ims.te 
@@ -4,13 +4,41 @@ type ims_exec, exec_type, file_type; # Started by init init_daemon_domain(ims) +net_domain(ims) -allow radio ims_socket:sock_file { open read write }; -allow ims ims_socket:sock_file { open read write }; -allow ims property_socket:sock_file write; -allow ims servicemanager:binder call; +# Talk to qmuxd +qmux_socket(ims) + +# To make VT call binder_use(ims) + +# Bring up IMSPDM +allow ims kernel:system module_request; + +allow ims self:socket create_socket_perms; +allow ims self:capability { net_admin net_raw }; + +# Use generic netlink socket +allow ims self:netlink_socket create_socket_perms; + +# To run NDC command +allow ims shell_exec:file rx_file_perms; +allow ims system_file:file rx_file_perms; + +# IMS route installation +allow ims wcnss_service_exec:file rx_file_perms; + +# Talk to netd via netd_socket +unix_socket_connect(ims, netd, netd) + +# Talk to qumuxd via ims_socket +unix_socket_connect(ims, ims, qmuxd) + +# Talk to init via property_socket unix_socket_connect(ims, property, init) -allow ims self:socket { read bind create write ioctl }; -allow ims system_prop:property_service set; + +#Add connectionmanager service allow ims imscm_service:service_manager add; + +# Set property to start imsdata_daemon and ims_rtp_daemon +allow ims qcom_ims_prop:property_service set; diff --git a/common/mm-qcamerad.te b/common/mm-qcamerad.te index 49838d83..0fb8750b 100644 --- a/common/mm-qcamerad.te +++ b/common/mm-qcamerad.te @@ -35,3 +35,6 @@ allow mm-qcamerad system_data_file:file create_file_perms; #Remove GL fine reference allow mm-qcamerad shell_data_file:dir search; + +# IMS use camera daemon to make VT call +allow mm-qcamerad port:tcp_socket name_bind; diff --git a/common/property.te b/common/property.te index 1e54640c..ea480c76 100644 --- a/common/property.te +++ b/common/property.te @@ -1,2 +1,3 @@ # property for uicc_daemon type uicc_prop, property_type; +type qcom_ims_prop, property_type; 
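Review bot: In common/ims.te, `allow ims shell_exec:file rx_file_perms;` and `allow ims system_file:file rx_file_perms;` let the ims daemon run the shell and any system_file binary inside its own domain. The same hunk gives that domain `net_admin`, `net_raw` and `kernel:system module_request`, so any mistake in how the daemon composes the ndc command line would run with those privileges. The hunk already adds `unix_socket_connect(ims, netd, netd)`, so it is worth checking whether route setup can go over the netd socket alone and the two execute rules can be dropped. If they must stay, the comment should name the exact binaries executed. The comment `# Talk to qumuxd via ims_socket` also misspells qmuxd.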
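Review bot: `allow mm-qcamerad port:tcp_socket name_bind;` in common/mm-qcamerad.te lets the camera daemon bind a TCP socket on any port that carries the generic `port` label. Nothing in the hunk shows which port is used or what restricts who may connect to it. The comment says only that IMS uses the camera daemon for VT calls. Please record the port and whether the socket is bound to loopback, e.g. `# VT call: camera daemon listens on <port> (loopback only) for the IMS video path`. If both ends are on the device, a unix domain socket with its own type would keep the channel under policy control.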
diff --git a/common/property_contexts b/common/property_contexts index fd1f7161..1c4c7a46 100644 --- a/common/property_contexts +++ b/common/property_contexts @@ -1,2 +1,3 @@ wc_transport. u:object_r:bluetooth_prop:s0 usb_uicc. u:object_r:uicc_prop:s0 +sys.ims. u:object_r:qcom_ims_prop:s0 diff --git a/common/radio.te b/common/radio.te index c117da17..2b854f5a 100644 --- a/common/radio.te +++ b/common/radio.te @@ -8,3 +8,6 @@ allow radio shell_data_file:dir search; #Need permission to execute dpmd talk to radio layer unix_socket_connect(radio, dpmd, dpmd) + +# IMS needs permission to use unix domain socket +allow radio ims:unix_stream_socket connectto; diff --git a/msm8994/ims.te b/msm8994/ims.te deleted file mode 100644 index 69bd1f3b..00000000 --- a/msm8994/ims.te +++ /dev/null @@ -1,2 +0,0 @@ -allow ims self:capability net_raw; -allow ims self:socket { read bind create write ioctl }; -- cgit v1.2.3 From c242f59bd319331d8e0e5e12929618a7ff8ecda7 Mon Sep 17 00:00:00 2001 
From: Samir Mehta Date: Wed, 5 Nov 2014 22:02:11 +0530 Subject: SEAndroid: Fixing few denials This fixes the below issues 1. 744304 - SELinux Surf port Enumeration issue Files changed - mdm_helper.te - rild.te - file_contexts - file.te - rmt_storage.te - device.te 2. 751137 - WIFI is not turning ON Files Changed - wpa.te - system_server.te 3. Issues related to CTS testInitDomain and boot up denials for other domains. CRs-fixed: 744304 751137 Change-Id: I2785e85592a10468a667be363e6115e27b76707f --- common/mpdecision.te | 1 - msm8960/device.te | 2 ++ msm8960/file.te | 2 ++ msm8960/file_contexts | 17 +++++++++++++++++ msm8960/mdm_helper.te | 8 ++++++++ msm8960/mm-pp-daemon.te | 4 ++++ msm8960/mpdecision.te | 3 +++ msm8960/rild.te | 2 ++ msm8960/rmt_storage.te | 5 +++++ msm8960/ssr_diag.te | 3 +++ msm8960/system_server.te | 2 ++ msm8960/thermal-engine.te | 2 ++ msm8960/wpa.te | 2 ++ 13 files changed, 52 insertions(+), 1 deletion(-) create mode 100755 msm8960/device.te create mode 100644 msm8960/file.te create mode 100755 msm8960/mdm_helper.te create mode 100644 msm8960/mm-pp-daemon.te create mode 100644 msm8960/mpdecision.te create mode 100644 msm8960/rild.te create mode 100644 msm8960/rmt_storage.te create mode 100644 msm8960/ssr_diag.te create mode 100644 msm8960/system_server.te create mode 100644 msm8960/thermal-engine.te create mode 100644 msm8960/wpa.te diff --git a/common/mpdecision.te b/common/mpdecision.te index 94d9cd88..510fd08c 100644 --- a/common/mpdecision.te +++ b/common/mpdecision.te @@ -15,7 +15,6 @@ allow mpdecision self:socket create_socket_perms; allow mpdecision device_latency:chr_file w_file_perms; allow mpdecision sysfs_rqstats:dir search; -allow mpdecision socket_device:dir w_file_perms; allow mpdecision sysfs_thermal:dir search; #policies for mpctl diff --git a/msm8960/device.te b/msm8960/device.te new file mode 100755 index 00000000..24d277a0 --- /dev/null +++ b/msm8960/device.te @@ -0,0 +1,2 @@ +#mdm helper device +type mdm_device, dev_type; 
diff --git a/msm8960/file.te b/msm8960/file.te
new file mode 100644
index 00000000..e5cea972
--- /dev/null
+++ b/msm8960/file.te
@@ -0,0 +1,2 @@
+#efs file types
+type efs_data_file, file_type, data_file_type;
diff --git a/msm8960/file_contexts b/msm8960/file_contexts
index 0afaeb4f..7e514561 100755
--- a/msm8960/file_contexts
+++ b/msm8960/file_contexts
@@ -3,3 +3,20 @@
 #
 /dev/msm_camera(/.*)? u:object_r:camera_device:s0
 /dev/msm_rotator u:object_r:graphics_device:s0
+/dev/mdm u:object_r:mdm_device:s0
+/dev/block/bootdevice/by-name/m9kefs1 u:object_r:efs_boot_dev:s0
+/dev/block/bootdevice/by-name/m9kefs2 u:object_r:efs_boot_dev:s0
+/dev/block/bootdevice/by-name/m9kefs3 u:object_r:efs_boot_dev:s0
+/dev/block/bootdevice/by-name/m9kefsc u:object_r:efs_boot_dev:s0
+
+###################################
+# System files
+#
+/system/bin/thermald u:object_r:thermal-engine_exec:s0
+/system/bin/qcks u:object_r:mdm_helper_exec:s0
+/system/bin/efks u:object_r:mdm_helper_exec:s0
+
+###################################
+# Data files
+#
+/data/qcks(/.*)? u:object_r:efs_data_file:s0
diff --git a/msm8960/mdm_helper.te b/msm8960/mdm_helper.te
new file mode 100755
index 00000000..5fe3608a
--- /dev/null
+++ b/msm8960/mdm_helper.te
@@ -0,0 +1,8 @@
+#Needed in order to access the data partition bin files
+type_transition mdm_helper system_data_file:{ file } efs_data_file;
+
+allow mdm_helper mdm_device:file rw_file_perms;
+allow mdm_helper mdm_device:chr_file rw_file_perms;
+allow mdm_helper self:capability { dac_read_search dac_override };
+allow mdm_helper efs_data_file:file create_file_perms;
+allow mdm_helper efs_data_file:dir create_dir_perms;
diff --git a/msm8960/mm-pp-daemon.te b/msm8960/mm-pp-daemon.te
new file mode 100644
index 00000000..cbaafcf5
--- /dev/null
+++ b/msm8960/mm-pp-daemon.te
@@ -0,0 +1,4 @@
+userdebug_or_eng(`
+ #Allow pp-daemon to access stream socket
+ allow mm-pp-daemon init:unix_stream_socket { read write };
+')
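Review bot: In msm8960/mdm_helper.te, `allow mdm_helper mdm_device:file rw_file_perms;` applies to regular files, yet the only object this commit labels mdm_device is the /dev/mdm node in msm8960/file_contexts. Assuming that node is a character device, the `chr_file` rule on the next line already covers it and the `file` rule can be dropped. `allow mdm_helper self:capability { dac_read_search dac_override };` also arrives without a comment. Since /data/qcks is now labelled efs_data_file and mdm_helper has full access to that type, it is worth checking whether correcting the ownership of that directory would remove the need for the DAC bypass. If not, add a comment naming the path that requires it.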
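Review bot: `allow mm-pp-daemon init:unix_stream_socket { read write };` in msm8960/mm-pp-daemon.te targets a socket owned by the init domain. msm8960/system_server.te (`init:unix_dgram_socket sendto`) and msm8960/wpa.te (`init:unix_dgram_socket { read write }`) do the same. A peer labelled init usually means a service on this target still runs without its own domain, or that a descriptor was inherited from init; the hunks do not show which. Either way the rule grants access to every init-owned socket of that class, not just the intended one. The system_server.te comment names the wpa_wlan0 socket, so the more durable fix is to have that service transition out of init and write the rule against its domain. Only the mm-pp-daemon rule is confined to userdebug/eng builds.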
diff --git a/msm8960/mpdecision.te b/msm8960/mpdecision.te
new file mode 100644
index 00000000..f9adcee0
--- /dev/null
+++ b/msm8960/mpdecision.te
@@ -0,0 +1,3 @@
+allow mpdecision socket_device:dir w_dir_perms;
+allow mpdecision socket_device:sock_file create;
+allow mpdecision self:capability sys_nice;
diff --git a/msm8960/rild.te b/msm8960/rild.te
new file mode 100644
index 00000000..81cafff7
--- /dev/null
+++ b/msm8960/rild.te
@@ -0,0 +1,2 @@
+#allow rild to access smd_cmx_qmi device;
+allow rild smd_device:chr_file rw_file_perms;
diff --git a/msm8960/rmt_storage.te b/msm8960/rmt_storage.te
new file mode 100644
index 00000000..3b3bbb29
--- /dev/null
+++ b/msm8960/rmt_storage.te
@@ -0,0 +1,5 @@
+# rmt_storage - rmt_storage daemon
+allow rmt_storage rpmb_device:blk_file { open read };
+allow rmt_storage ssd_device:blk_file { open read write };
+unix_socket_connect(rmt_storage, property, init)
+allow rmt_storage ctl_default_prop:property_service set;
diff --git a/msm8960/ssr_diag.te b/msm8960/ssr_diag.te
new file mode 100644
index 00000000..6b170b03
--- /dev/null
+++ b/msm8960/ssr_diag.te
@@ -0,0 +1,3 @@
+userdebug_or_eng(`
+ allow ssr_diag self:netlink_kobject_uevent_socket create;
+')
diff --git a/msm8960/system_server.te b/msm8960/system_server.te
new file mode 100644
index 00000000..1ac7260e
--- /dev/null
+++ b/msm8960/system_server.te
@@ -0,0 +1,2 @@
+# WifiStateMachine to access wpa_wlan0 socket
+allow system_server init:unix_dgram_socket sendto;
diff --git a/msm8960/thermal-engine.te b/msm8960/thermal-engine.te
new file mode 100644
index 00000000..707717df
--- /dev/null
+++ b/msm8960/thermal-engine.te
@@ -0,0 +1,2 @@
+allow thermal-engine self:netlink_kobject_uevent_socket create;
+allow thermal-engine socket_device:dir w_dir_perms;
diff --git a/msm8960/wpa.te b/msm8960/wpa.te
new file mode 100644
index 00000000..24ce72f1
--- /dev/null
+++ b/msm8960/wpa.te
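Review bot: `allow rmt_storage ctl_default_prop:property_service set;` in msm8960/rmt_storage.te lets the daemon set any `ctl.` property that has no more specific label, which amounts to starting or stopping most init services. The file does not say which service rmt_storage needs to control. A dedicated property type for that one control property, labelled in property_contexts, would limit the grant to what the daemon uses. At minimum add a comment such as `# rmt_storage restarts <service name> through ctl.start`, with the real service name filled in.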
@@ -0,0 +1,2 @@ +allow wpa devpts:chr_file rw_file_perms; +allow wpa init:unix_dgram_socket { read write }; -- cgit v1.2.3 From a86fd523d62beb6f596218f144f151bf3a4272d4 Mon Sep 17 00:00:00 2001 From: Kurva Harish Date: Wed, 19 Nov 2014 17:06:16 -0800 Subject: Seandroid: Added rules to thermal-engine Added rules to thermal-engine for access to thermal-sockets which is needed for mediaserver ,camera and couple of other services. Change-Id: I7f5f89c112357ee595f275b20325fede40439924 --- common/mediaserver.te | 3 +++ common/system_server.te | 3 +++ common/thermal-engine.te | 12 ++++++------ 3 files changed, 12 insertions(+), 6 deletions(-) diff --git a/common/mediaserver.te b/common/mediaserver.te index dbd59da8..273890c1 100644 --- a/common/mediaserver.te +++ b/common/mediaserver.te @@ -30,3 +30,6 @@ unix_socket_connect(mediaserver, mpctl, mpdecision) allow mediaserver mpctl_socket:dir r_dir_perms; unix_socket_send(mediaserver, mpctl, perfd) unix_socket_connect(mediaserver, mpctl, perfd) + +# for thermal sock files +unix_socket_connect(mediaserver, thermal, thermal-engine) diff --git a/common/system_server.te b/common/system_server.te index 9a1c7db5..803ab081 100644 --- a/common/system_server.te +++ b/common/system_server.te @@ -42,3 +42,6 @@ allow system_server digitalpen_service:service_manager add; #For ssr allow system_server ssr_device:chr_file { read open }; + +allow system_server fuse:dir search; +allow system_server persist_file:dir search; diff --git a/common/thermal-engine.te b/common/thermal-engine.te index e42e9b2f..053ca847 100644 --- a/common/thermal-engine.te +++ b/common/thermal-engine.te 
@@ -7,17 +7,17 @@ init_daemon_domain(thermal-engine) #============= thermal-engine ============== #This is to access thermal query device -allow thermal-engine thermal_device:chr_file { read write ioctl open }; +allow thermal-engine thermal_device:chr_file rw_file_perms; #This is required to access smem log device -allow thermal-engine smem_log_device:chr_file { read write ioctl open }; +allow thermal-engine smem_log_device:chr_file rw_file_perms; allow thermal-engine self:capability { dac_read_search dac_override fsetid }; -allow thermal-engine self:socket { create ioctl read }; +allow thermal-engine self:socket create_socket_perms; #This is required to access thermal sockets -allow thermal-engine thermal_socket:dir { write add_name }; +allow thermal-engine thermal_socket:dir w_dir_perms; allow thermal-engine thermal_socket:sock_file { create setattr open read write }; #This is required for thermal sysfs access -allow thermal-engine sysfs_thermal:dir { read search open }; -allow thermal-engine sysfs_thermal:file { read write getattr open }; +allow thermal-engine sysfs_thermal:dir r_dir_perms; +allow thermal-engine sysfs_thermal:file rw_file_perms; allow thermal-engine sysfs_thermal:lnk_file read; #This is required for qmi access qmux_socket(thermal-engine); -- cgit v1.2.3 From 73d6ec17275db2ee4d63f1a1609545724ba7f9e5 Mon Sep 17 00:00:00 2001 From: Satya Durga Srinivasu Prabhala Date: Tue, 25 Nov 2014 12:30:04 -0800 Subject: sepolicy: allow system apps to access sensors settings file system apps need to access sensors settings file in persist partition to enable or disable sensors in debug & eng builds. Change-Id: I2cd7ddface6cf7f21cd8b0294c71740945977cd9 --- common/system_app.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/common/system_app.te b/common/system_app.te index 3cb20080..9005543e 100644 --- a/common/system_app.te +++ b/common/system_app.te 
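Review bot: The switch from explicit permission sets to macros in common/thermal-engine.te widens several grants, which the commit message does not mention. `self:socket { create ioctl read }` becomes `create_socket_perms`, `thermal_socket:dir { write add_name }` becomes `w_dir_perms`, `sysfs_thermal:dir` and `sysfs_thermal:file` move to `r_dir_perms` and `rw_file_perms`, and both device `chr_file` rules gain whatever `rw_file_perms` adds beyond `{ read write ioctl open }`. Each macro is a superset of the set it replaces. Please confirm that every widening corresponds to a denial that was actually observed, and keep the explicit set where it does not. A short comment such as `# widened to macro: needs remove_name to clean up stale sockets`, adjusted to the real reason, would make that traceable.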
@@ -19,6 +19,9 @@ allow system_app cne_service:service_manager add; userdebug_or_eng(` allow system_app debugfs:file r_file_perms; allow system_app su:unix_dgram_socket sendto; + allow system_app persist_file:dir r_dir_perms; + allow system_app sensors_persist_file:dir r_dir_perms; + allow system_app sensors_persist_file:file rw_file_perms; ') allow system_app cnd_data_file:dir w_dir_perms; allow system_app cnd_data_file:file create_file_perms; -- cgit v1.2.3 From b4053efffcf864e3f7453637577c85e25bf71307 Mon Sep 17 00:00:00 2001 From: Mohan Pallaka Date: Tue, 25 Nov 2014 14:01:29 -0800 Subject: Update secure policies for hbtp Add policies to allow access for sockets, binder and system data files. Change-Id: I04082a54cf8d0d5ca7b9dd60fcf018ec3cf970fc --- common/file.te | 4 ++++ common/file_contexts | 6 ++++++ common/hbtp.te | 9 +++++++++ 3 files changed, 19 insertions(+) diff --git a/common/file.te b/common/file.te index 93c6089a..2c62bc55 100755 --- a/common/file.te +++ b/common/file.te @@ -107,3 +107,7 @@ type mmi_data_file, file_type, data_file_type; #needed by vold type proc_dirty_ratio, fs_type; + +# hbtp config file +type hbtp_cfg_file, file_type; +type hbtp_log_file, file_type; diff --git a/common/file_contexts b/common/file_contexts index 131eb45f..18ba48d1 100755 --- a/common/file_contexts +++ b/common/file_contexts @@ -215,6 +215,7 @@ /data/misc/qsee(/.*)? u:object_r:data_qsee_file:s0 /data/misc/location(/.*)? u:object_r:location_data_file:s0 /data/FTM_AP(/.*)? u:object_r:mmi_data_file:s0 +/data/misc/hbtp(/.*)? u:object_r:hbtp_log_file:s0 ################################### # persist files @@ -229,3 +230,8 @@ # oem files # /oem(/.*)? u:object_r:system_file:s0 + +################################### +# etc files +# +/etc/firmware/hbtp/* u:object_r:hbtp_cfg_file:s0 diff --git a/common/hbtp.te b/common/hbtp.te index 08f5901f..2d7db0e2 100644 --- a/common/hbtp.te +++ b/common/hbtp.te 
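Review bot: The new common/file_contexts entry `/etc/firmware/hbtp/*` is written as a shell glob, but file_contexts paths are regular expressions, so `/*` means "zero or more slashes" and the entry does not match the files inside the directory. The hbtp log entry added in the same file uses the correct form, `/data/misc/hbtp(/.*)?`. Suggested line: `/etc/firmware/hbtp(/.*)? u:object_r:hbtp_cfg_file:s0`. Please also confirm whether the path needs to be given under `/system/etc`, since labelling applies to the real path and not to a path reached through a symlink.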
@@ -8,3 +8,12 @@ init_daemon_domain(hbtp) allow hbtp hbtp_device:chr_file rw_file_perms; allow hbtp bu21150_device:chr_file rw_file_perms; +allow hbtp hbtp_cfg_file:dir rw_dir_perms; +allow hbtp hbtp_cfg_file:file create_file_perms; + +allow hbtp hbtp_log_file:dir rw_dir_perms; +allow hbtp hbtp_log_file:file create_file_perms; + +allow hbtp self:netlink_kobject_uevent_socket { create read setopt bind }; + +binder_use(hbtp); -- cgit v1.2.3 From 8678c7502ae6a2b6e00cc16e35000bd1b9197f87 Mon Sep 17 00:00:00 2001 From: Hemant Gupta Date: Sun, 30 Nov 2014 11:04:02 +0530 Subject: System_server: Add support for accessing SMD Device Access This patch allows system server from accesing smd device. Without this patch applications were not able to access smd device resulting in failure for ANT related test cases. Also some system_server permissions wrt Bluetooth have been moved from bluetooth.te to system_server.te Change-Id: Id66e82702ee2a3b3a0599d3733c7bfea221041e4 CRs-Fixed: 763090 --- common/bluetooth.te | 4 ---- common/system_server.te | 5 +++++ 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/common/bluetooth.te b/common/bluetooth.te index 4f1d579b..9d806203 100644 --- a/common/bluetooth.te +++ b/common/bluetooth.te @@ -15,7 +15,3 @@ allow bluetooth input_device:chr_file { open read write ioctl }; allow bluetooth persist_file:dir search; allow bluetooth persist_file:file rw_file_perms; - -#For ANT tty communication and to set wc_transport prop -allow system_server bluetooth_prop:property_service set; -allow system_server serial_device:chr_file rw_file_perms; diff --git a/common/system_server.te b/common/system_server.te index 803ab081..4f9e89cf 100644 --- a/common/system_server.te +++ b/common/system_server.te 
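Review bot: In common/hbtp.te, `allow hbtp hbtp_cfg_file:dir rw_dir_perms;` and `allow hbtp hbtp_cfg_file:file create_file_perms;` give the daemon write and create access to the type that common/file.te describes as its config file. If hbtp only loads that configuration, `r_dir_perms` and `r_file_perms` are sufficient and stop a compromised touch daemon from rewriting the settings it will load on the next start. Write access would then stay limited to `hbtp_log_file`. None of the added rules has a comment; one line each for the config, log, uevent and binder rules, naming what the daemon does with them, would help the next audit.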
@@ -45,3 +45,8 @@ allow system_server ssr_device:chr_file { read open }; allow system_server fuse:dir search; allow system_server persist_file:dir search; + +#For ANT tty communication and to set wc_transport prop +allow system_server bluetooth_prop:property_service set; +allow system_server serial_device:chr_file rw_file_perms; +allow system_server smd_device:chr_file rw_file_perms; -- cgit v1.2.3 From 7ca611a3a47a007284d2002b672e223bb60a35d2 Mon Sep 17 00:00:00 2001 From: Samir Mehta Date: Mon, 1 Dec 2014 14:51:34 +0530 Subject: SELinux: Denials related to mpdecision Fixed denials related to mpdecision found during PDT tests. Change-Id: I4734e14eeef78411f7c43c63c69654cb90dc4446 --- common/mpdecision.te | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/common/mpdecision.te b/common/mpdecision.te index 510fd08c..96f44840 100644 --- a/common/mpdecision.te +++ b/common/mpdecision.te @@ -19,7 +19,7 @@ allow mpdecision sysfs_thermal:dir search; #policies for mpctl #mpctl socket -allow mpdecision self:capability { net_admin chown dac_override fsetid }; +allow mpdecision self:capability { net_admin chown dac_override fsetid sys_nice }; allow mpdecision mpctl_socket:dir rw_dir_perms; allow mpdecision mpctl_socket:sock_file { create_file_perms unlink }; -- cgit v1.2.3 From 48441f44725e560b9f3a77b8370fe36cd8ca0038 Mon Sep 17 00:00:00 2001 
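Review bot: `allow system_server smd_device:chr_file rw_file_perms;` gives system_server read/write on every node labelled `smd_device`, while the commit message only asks for the ANT channel. The labelling of `smd_device` is not visible in this hunk, but if it covers all SMD ports, a dedicated type for the ANT port would keep system_server away from the other modem channels. The moved comment should also mention the new access, e.g. `#For ANT tty/SMD communication and to set wc_transport prop`.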
From: Zohaib Alam Date: Thu, 13 Nov 2014 09:12:02 -0500 Subject: Seandroid: Add policies to enable all QDCM functionalities Address all SELinux denial messages related to QDCM tool functionality and the color service SDK application. Add policies to allow: 1- /persist/ read & write for display confid 2- /data/misc/display/ read & write 3- Allow access to colorservice for display sdk from android app. 4- Enable pp-daemon functionalities for the non user-debug and eng builds, since OEMs actively use QDCM tool, and they require full functionality. Change-Id: I43545eaf8e63f0e43f40197cd01cddc8c6a5351a --- common/mm-pp-daemon.te | 30 +++++++++++++++++------------- common/service.te | 1 + common/service_contexts | 1 + common/surfaceflinger.te | 5 +---- common/system_app.te | 3 +++ 5 files changed, 23 insertions(+), 17 deletions(-) diff --git a/common/mm-pp-daemon.te b/common/mm-pp-daemon.te index 5a623349..6c9ad161 100755 --- a/common/mm-pp-daemon.te +++ b/common/mm-pp-daemon.te @@ -8,14 +8,17 @@ init_daemon_domain(mm-pp-daemon) allow mm-pp-daemon graphics_device:chr_file rw_file_perms; allow mm-pp-daemon graphics_device:dir search; -# Allow reading calibration data from persist -allow mm-pp-daemon persist_file:file r_file_perms; -allow mm-pp-daemon persist_file:dir search; +# Allow reading/writing to persist +# The color config file is dynamically created +allow mm-pp-daemon persist_file:dir rw_dir_perms; +allow mm-pp-daemon persist_file:file create_file_perms; + +# Allow reading/writing data config files +allow mm-pp-daemon display_config:dir create_dir_perms; +allow mm-pp-daemon display_config:file create_file_perms; -# Allow pp daemon to save settings to /data -allow mm-pp-daemon display_config:file rw_file_perms; allow mm-pp-daemon system_prop:property_service set; -#Calibration can only be done on userdebug or eng builds + userdebug_or_eng(` # Display calibration service opens /dev/diag in order to communicate with the # target device 
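Review bot: The first mm-pp-daemon.te hunk replaces read-only access to the generic `persist_file` label with `persist_file:dir rw_dir_perms` and `persist_file:file create_file_perms` on all build types. The daemon can therefore create, overwrite and unlink any file that carries the generic persist label, not only the dynamically created color config the comment mentions. A dedicated type for the display files under /persist would confine the write access to the daemon's own data, in the way `sensors_persist_file` is used for the sensors daemon elsewhere in this series.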
@@ -32,12 +35,13 @@ userdebug_or_eng(` allow mm-pp-daemon shell_exec:file rx_file_perms; allow mm-pp-daemon system_file:file execute_no_trans; allow mm-pp-daemon zygote_exec:file rx_file_perms; + allow mm-pp-daemon self:process ptrace; +') - # Allow writing to persist - allow mm-pp-daemon persist_file:file rw_file_perms; +# Allow mm-pp-daemon to change the brightness of the target during display +# calibration +allow mm-pp-daemon sysfs:file rw_file_perms; - # Allow mm-pp-daemon to change the brightness of the target during display - # calibration - allow mm-pp-daemon sysfs:file rw_file_perms; - unix_socket_connect(mm-pp-daemon, property, init) -') +# Allow socket calls in pp-daemon +unix_socket_connect(mm-pp-daemon, property, init) +unix_socket_connect(mm-pp-daemon, pps, init) diff --git a/common/service.te b/common/service.te index ec90dda1..e6625706 100644 --- a/common/service.te +++ b/common/service.te @@ -6,3 +6,4 @@ type wbc_service, service_manager_type; type dun_service, service_manager_type; type digitalpen_service, service_manager_type; type imscm_service, service_manager_type; +type color_service, service_manager_type; diff --git a/common/service_contexts b/common/service_contexts index b29e165e..eccd3fdb 100644 --- a/common/service_contexts +++ b/common/service_contexts @@ -7,3 +7,4 @@ wbc_service u:object_r:wbc_service:s0 dun u:object_r:dun_service:s0 DigitalPen u:object_r:digitalpen_service:s0 qti.ims.connectionmanagerservice u:object_r:imscm_service:s0 +com.qti.snapdragon.sdk.display.IColorService u:object_r:color_service:s0 diff --git a/common/surfaceflinger.te b/common/surfaceflinger.te index 9c984ace..854ff8c7 100644 --- a/common/surfaceflinger.te +++ b/common/surfaceflinger.te 
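Review bot: `allow mm-pp-daemon sysfs:file rw_file_perms;` moves out of the `userdebug_or_eng` block, so production builds now let the daemon write any file that still carries the generic `sysfs` label, although the comment says only brightness is needed. Grant the access on a specific type for the brightness node instead; file.te on this page already declares `sysfs_leds` under the comment "mm-pp-daemon file type for sysfs access", which may be the right target: `allow mm-pp-daemon sysfs_leds:file rw_file_perms;`. The added `allow mm-pp-daemon self:process ptrace;` has no comment, and a line naming the calibration step that needs it would help later audits. The `userdebug_or_eng` block begins outside this hunk.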
@@ -2,10 +2,7 @@ allow surfaceflinger sysfs_graphics:file rw_file_perms; allow surfaceflinger shell_data_file:dir search; # Allows pp-daemon to refresh the screen in calibration mode -userdebug_or_eng(` - allow surfaceflinger mm-pp-daemon:dir search; - allow surfaceflinger mm-pp-daemon:file r_file_perms; -') +r_dir_file(surfaceflinger, mm-pp-daemon) binder_call(surfaceflinger, location) binder_call(surfaceflinger, tee) diff --git a/common/system_app.te b/common/system_app.te index 3cb20080..02fb6038 100644 --- a/common/system_app.te +++ b/common/system_app.te @@ -29,3 +29,6 @@ allow system_app tee:unix_dgram_socket sendto; # access to time_daemon allow system_app time_daemon:unix_stream_socket connectto; + +# access to color service SDK +allow system_app color_service:service_manager add; -- cgit v1.2.3 From b41c5c597d6520418549aa2540070e40a751a15c Mon Sep 17 00:00:00 2001 From: Avijit Kanti Das Date: Mon, 1 Dec 2014 10:28:56 -0800 Subject: Seandroid: Adding policy for imscm Adding policy for IMSCM Change-Id: I9a552dc5240f0120181aa037061c9bc55f8ef316 --- Android.mk | 1 + common/file_contexts | 2 +- common/imscm.te | 25 +++++++++++++++++++++++++ common/untrusted_app.te | 6 ++++++ 4 files changed, 33 insertions(+), 1 deletion(-) create mode 100644 common/imscm.te diff --git a/Android.mk b/Android.mk index 4751e663..4601d706 100755 --- a/Android.mk +++ b/Android.mk @@ -60,6 +60,7 @@ BOARD_SEPOLICY_UNION := \ mcStarter.te \ keystore.te \ ims.te \ + imscm.te \ healthd.te \ charger_monitor.te \ surfaceflinger.te \ diff --git a/common/file_contexts b/common/file_contexts index 18ba48d1..29bb0303 100755 --- a/common/file_contexts +++ b/common/file_contexts 
@@ -107,7 +107,7 @@ /system/bin/imsdatadaemon u:object_r:ims_exec:s0 /system/bin/imsqmidaemon u:object_r:ims_exec:s0 /system/bin/ims_rtp_daemon u:object_r:ims_exec:s0 -/system/bin/imscmservice u:object_r:ims_exec:s0 +/system/bin/imscmservice u:object_r:imscm_exec:s0 /system/bin/netmgrd u:object_r:netmgrd_exec:s0 /system/bin/qmuxd u:object_r:qmuxd_exec:s0 /system/bin/port-bridge u:object_r:port-bridge_exec:s0 diff --git a/common/imscm.te b/common/imscm.te new file mode 100644 index 00000000..22a514dd --- /dev/null +++ b/common/imscm.te @@ -0,0 +1,25 @@ +#integrated sensor process +type imscm, domain; +type imscm_exec, exec_type, file_type; + +# Started by init +init_daemon_domain(imscm) +net_domain(imscm) + +# To make VT call +binder_use(imscm) + +#Add connectionmanager service +allow imscm imscm_service:service_manager add; + +#allow imscm ims_socket:sock_file write; +#allow imscm ims:unix_stream_socket connectto; +unix_socket_connect(imscm, ims, ims) +allow imscm self:capability net_raw; +#allow imscm untrusted_app:binder call; + +# imscm needs to communicate with test app +# using binder call +userdebug_or_eng(` + binder_call(imscm, untrusted_app) +') diff --git a/common/untrusted_app.te b/common/untrusted_app.te index 17857e6c..07910098 100644 --- a/common/untrusted_app.te +++ b/common/untrusted_app.te @@ -4,3 +4,9 @@ unix_socket_send(untrusted_app, mpctl, perfd) unix_socket_connect(untrusted_app, mpctl, perfd) unix_socket_send(untrusted_app, mpctl, mpdecision) unix_socket_connect(untrusted_app, mpctl, mpdecision) + +# test apps needs to communicate with imscm +# using binder call +userdebug_or_eng(` + binder_call(untrusted_app, imscm) +') -- cgit v1.2.3 From abc321e7cf90591a0cbb490861cd7c800d6ca0e4 Mon Sep 17 00:00:00 2001 
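Review bot: The new imscm.te opens with `#integrated sensor process`, which does not describe this domain and looks carried over from another file; `# IMS connection manager service` would match the commit. Three commented-out rules remain (`#allow imscm ims_socket:sock_file write;`, `#allow imscm ims:unix_stream_socket connectto;`, `#allow imscm untrusted_app:binder call;`). The macros next to them appear to supersede them, so they should be dropped rather than shipped as dead policy. Since `imscmservice` is relabelled to `imscm_exec` and this file grants `imscm_service:service_manager add`, the matching `add` rule in ims.te (still visible as context in a later ims.te hunk) is probably no longer needed and could be removed.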
From: Shiju Mathew Date: Mon, 1 Dec 2014 21:02:36 -0500 Subject: sepolicy: Update thermal policy to enable graphics mitigation Update thermal policy so that thermal-engine will be able to access graphics sysfs nodes to do graphics mitigation. Change-Id: I13cef8e82b60382e2ac55966ba72053e1c6cd478 --- common/thermal-engine.te | 1 + 1 file changed, 1 insertion(+) diff --git a/common/thermal-engine.te b/common/thermal-engine.te index 053ca847..158f6a93 100644 --- a/common/thermal-engine.te +++ b/common/thermal-engine.te @@ -19,6 +19,7 @@ allow thermal-engine thermal_socket:sock_file { create setattr open read write } allow thermal-engine sysfs_thermal:dir r_dir_perms; allow thermal-engine sysfs_thermal:file rw_file_perms; allow thermal-engine sysfs_thermal:lnk_file read; +allow thermal-engine sysfs:file write; #This is required for qmi access qmux_socket(thermal-engine); allow thermal-engine sysfs_mpdecision:file rw_file_perms; -- cgit v1.2.3 From 3480506729a6b8fc8dab5c8bd827cd4e1c8318f0 Mon Sep 17 00:00:00 2001 From: Nirmal Abraham Date: Mon, 1 Dec 2014 17:20:56 +0530 Subject: Seandroid: Allow mm-pp-deamon access to sensor device files Modify mm-pp-deaemon policy file to enable access to sensors to support features like AD (Assertive Display). 1. Allow read access to sensor_device. 2. Allow read/write access to sensor_socket. 3. Allow 'connecto' socket call to sensors stream socket. Change-Id: I343776eb788f39f95f1202463b5d801fb9103571 --- common/mm-pp-daemon.te | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/common/mm-pp-daemon.te b/common/mm-pp-daemon.te index 6c9ad161..f8edeb54 100755 --- a/common/mm-pp-daemon.te +++ b/common/mm-pp-daemon.te 
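Review bot: `allow thermal-engine sysfs:file write;` grants write on every file carrying the generic `sysfs` label in order to reach the graphics mitigation nodes. surfaceflinger.te in this series already uses a `sysfs_graphics` type; if the mitigation nodes carry that label or can be given it, `allow thermal-engine sysfs_graphics:file w_file_perms;` limits the grant to the nodes the commit message names. The surrounding rules in the file all use specific types (`sysfs_thermal`, `sysfs_mpdecision`), so the generic rule is also inconsistent with the file's own style.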
@@ -17,6 +17,11 @@ allow mm-pp-daemon persist_file:file create_file_perms; allow mm-pp-daemon display_config:dir create_dir_perms; allow mm-pp-daemon display_config:file create_file_perms; +# Allow read to sensor device and read/write to sensor socket +allow mm-pp-daemon sensors_device:chr_file r_file_perms; +allow mm-pp-daemon sensors_socket:sock_file rw_file_perms; +allow mm-pp-daemon sensors:unix_stream_socket connectto; + allow mm-pp-daemon system_prop:property_service set; userdebug_or_eng(` -- cgit v1.2.3 From 6637604235ead431046b2fae1724fb9027b43f52 Mon Sep 17 00:00:00 2001 From: Avijit Kanti Das Date: Mon, 1 Dec 2014 11:21:16 -0800 Subject: Seandroid: IMS interaction with WPA Adding policy needed for interaction between IMS and WPA Change-Id: I2f287244c3545058acd62177c2921ef84e50de35 --- common/ims.te | 10 ++++++++++ common/wpa.te | 3 +++ 2 files changed, 13 insertions(+) diff --git a/common/ims.te b/common/ims.te index fff18700..2d81d70f 100644 --- a/common/ims.te +++ b/common/ims.te @@ -42,3 +42,13 @@ allow ims imscm_service:service_manager add; # Set property to start imsdata_daemon and ims_rtp_daemon allow ims qcom_ims_prop:property_service set; + +# permissions needed for IMS to connect and interact with WPA supplicant +allow ims wpa:unix_dgram_socket sendto; +allow ims wpa_exec:file rx_file_perms; +allow ims wpa_socket:dir w_dir_perms; +allow ims wpa_socket:sock_file { write create unlink setattr }; +allow ims wifi_data_file:dir r_dir_perms; + +# permissions for communication with CNE in LBO use case +unix_socket_connect(ims, cnd, cnd) diff --git a/common/wpa.te b/common/wpa.te index d5f775b8..15a01643 100644 --- a/common/wpa.te +++ b/common/wpa.te @@ -7,3 +7,6 @@ allow wpa proc_net:file write; # allow wpa_supplicant to send back wifi information to cnd allow wpa cnd:unix_dgram_socket sendto; + +# permission for wpa socket which IMS use to communicate +allow wpa ims:unix_dgram_socket sendto; -- cgit v1.2.3 
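Review bot: In the ims.te hunk, `allow ims wpa_exec:file rx_file_perms;` lets the ims domain execute the supplicant binary, which the stated purpose (connecting to and interacting with the supplicant over its socket) does not obviously require. If the logged denial was only `read` or `getattr`, `allow ims wpa_exec:file r_file_perms;` is sufficient. If ims really runs the binary, the comment should say so and the policy should state which domain it then runs in.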
From e1dd1869b937dcd835d30542f52a0bb4110cebe1 Mon Sep 17 00:00:00 2001 From: Avijit Kanti Das Date: Wed, 3 Dec 2014 10:39:35 -0800 Subject: Seandroid: Adding policies for IMS IMS needs read, write access to voice_svc dev node Change-Id: I4059457b4f920198bb4c42cc12fc720cbbc3d60d --- common/device.te | 3 +++ common/file_contexts | 1 + common/ims.te | 3 +++ 3 files changed, 7 insertions(+) diff --git a/common/device.te b/common/device.te index 927cf276..2fdd2927 100755 --- a/common/device.te +++ b/common/device.te @@ -82,3 +82,6 @@ type gadget_serial_device, dev_type; #Added for hbtp type bu21150_device, dev_type; type hbtp_device, dev_type; + +#added for voice device +type voice_device, dev_type; diff --git a/common/file_contexts b/common/file_contexts index 18ba48d1..0a9f269c 100755 --- a/common/file_contexts +++ b/common/file_contexts @@ -54,6 +54,7 @@ /dev/wcnss_wlan u:object_r:wcnss_device:s0 /dev/hbtp_input u:object_r:hbtp_device:s0 /dev/jdi-bu21150 u:object_r:bu21150_device:s0 +/dev/voice_svc u:object_r:voice_device:s0 ################################### # Dev socket nodes diff --git a/common/ims.te b/common/ims.te index 2d81d70f..5a104780 100644 --- a/common/ims.te +++ b/common/ims.te @@ -52,3 +52,6 @@ allow ims wifi_data_file:dir r_dir_perms; # permissions for communication with CNE in LBO use case unix_socket_connect(ims, cnd, cnd) + +#Communication with voice_svc device for audio on APP +allow ims voice_device:chr_file rw_file_perms; -- cgit v1.2.3 From 8d099a3ce02c3ebca5d3f93ea3db112892e10662 Mon Sep 17 00:00:00 2001 From: jinwu Date: Tue, 25 Nov 2014 16:35:47 +0800 Subject: Sepolicy : Add policies for qlogd Qlogd need to collect rpm log, qdss log, tcpdump, subsystem restart dump, add more policies for this. Change-Id: Ieb9384fc22cbf0cf9fad5b36c17cd9bc84121306 --- common/device.te | 3 +++ common/file.te | 2 +- common/file_contexts | 5 +++++ common/qlogd.te | 44 ++++++++++++++++++++++++++++++++------------ 4 files changed, 41 insertions(+), 13 deletions(-) 
diff --git a/common/device.te b/common/device.te index 2fdd2927..a4ec98cf 100755 --- a/common/device.te +++ b/common/device.te @@ -76,6 +76,9 @@ type wcnss_device, dev_type; type mmc_block_device, dev_type; +# Define QDSS devices +type qdss_device, dev_type; + #Define Gadget serial device type gadget_serial_device, dev_type; diff --git a/common/file.te b/common/file.te index 2c62bc55..c0cf3a77 100755 --- a/common/file.te +++ b/common/file.te @@ -94,7 +94,7 @@ type sysfs_socinfo, fs_type, sysfs_type; type sysfs_usb_uicc, sysfs_type, fs_type; type qlogd_socket, file_type; - +type qlogd_data_file, file_type; #Define the files written during the operation of mm-pp-daemon type display_config, file_type, data_file_type; diff --git a/common/file_contexts b/common/file_contexts index ac3b7303..91cfdbda 100755 --- a/common/file_contexts +++ b/common/file_contexts @@ -55,6 +55,10 @@ /dev/hbtp_input u:object_r:hbtp_device:s0 /dev/jdi-bu21150 u:object_r:bu21150_device:s0 /dev/voice_svc u:object_r:voice_device:s0 +/dev/coresight-stm u:object_r:qdss_device:s0 +/dev/coresight-tmc-etf u:object_r:qdss_device:s0 +/dev/coresight-tmc-etr u:object_r:qdss_device:s0 +/dev/coresight-tmc-etr-stream u:object_r:qdss_device:s0 ################################### # Dev socket nodes @@ -217,6 +221,7 @@ /data/misc/location(/.*)? u:object_r:location_data_file:s0 /data/FTM_AP(/.*)? u:object_r:mmi_data_file:s0 /data/misc/hbtp(/.*)? u:object_r:hbtp_log_file:s0 +/data/misc/qlogd(/.*)? u:object_r:qlogd_data_file:s0 ################################### # persist files diff --git a/common/qlogd.te b/common/qlogd.te index 74e154fe..dd525d9d 100644 --- a/common/qlogd.te +++ b/common/qlogd.te 
@@ -6,31 +6,51 @@ type qlogd_exec, exec_type, file_type; init_daemon_domain(qlogd) # need to access sharemem log device for smem logs -allow qlogd smem_log_device:chr_file { open read write ioctl }; +allow qlogd smem_log_device:chr_file rw_file_perms; # need to add more capabilities for qlogd -allow qlogd self:capability { setuid setgid dac_override dac_read_search sys_admin }; -allow qlogd self:capability2 syslog; +allow qlogd self:capability { setuid setgid dac_override dac_read_search + sys_admin net_raw net_admin fowner fsetid kill sys_module }; +allow qlogd self:capability2 { block_suspend syslog }; +allow qlogd self:packet_socket { create ioctl bind getopt setopt }; # need to access system_data partitions for configration files -allow qlogd system_data_file:dir { write add_name }; -allow qlogd system_data_file:file { open read write create }; +allow qlogd qlogd_data_file:dir rw_dir_perms; +allow qlogd qlogd_data_file:file create_file_perms; allow qlogd system_file:file execute_no_trans; # need to create and listen socket -allow qlogd socket_device:sock_file { create setattr }; -allow qlogd qlogd_socket:sock_file { create read write setattr }; +allow qlogd qlogd_socket:sock_file create_file_perms; # need to start shell execute files allow qlogd shell_exec:file { execute read open execute_no_trans }; # need to create and write files in fuse partition -allow qlogd fuse:dir { search read write add_name create open }; -allow qlogd fuse:file { create read write append open getattr }; +allow qlogd fuse:dir create_dir_perms; +allow qlogd fuse:file create_file_perms; -#need to capture kmsg +# need to capture kmsg allow qlogd kernel:system syslog_mod; +# need for qdss log +userdebug_or_eng(` + allow qlogd debugfs:file read; + allow qlogd sysfs:file write; + allow qlogd qdss_device:chr_file { open read }; +') + # need for capture adb logs -allow qlogd logdr_socket:sock_file write; -allow qlogd logd:unix_stream_socket connectto; +unix_socket_connect(qlogd, logdr, logd) + 
+# need for subsystem ramdump +allow qlogd device:dir r_dir_perms; +allow qlogd ramdump_device:chr_file { setattr rw_file_perms }; + +# need for qxdm log +allow qlogd diag_exec:file rx_file_perms; +allow qlogd sysfs_wake_lock:file ra_file_perms; + +# need for tcpdump +userdebug_or_eng(` + allow qlogd kernel:system module_request; +') -- cgit v1.2.3 From 56f17b696c7281c2161a2820f984e558aa7ae715 Mon Sep 17 00:00:00 2001 From: Susheel Yadagiri Date: Fri, 5 Dec 2014 11:05:45 -0800 Subject: sepolicy: add getattr attribute rule for appdomain in dpmd added rule for getattr for dpmd Change-Id: I23516a8f96751ef7556673d52fc23feb63f40489 --- common/dpmd.te | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/common/dpmd.te b/common/dpmd.te index a393a89e..054a61b4 100644 --- a/common/dpmd.te +++ b/common/dpmd.te @@ -35,4 +35,4 @@ allow dpmd kernel:system module_request; #appdomain allow dpmd appdomain:fd use; -allow dpmd appdomain:tcp_socket { read write getopt }; +allow dpmd appdomain:tcp_socket { read write getopt getattr }; -- cgit v1.2.3 From 93241e5253df5e58322729ceba368dba3d5b0dc7 Mon Sep 17 00:00:00 2001 From: Nikhilesh Reddy Date: Wed, 3 Dec 2014 18:44:07 -0800 Subject: sepolicy: Update the sepolicy for RFS and RMTS Update the sepolicy for RFS and RMTS to include all new permissions required and add the tftp_server to the RFS domain Change-Id: I1dc0c062ef21cf9eca1f365291ec7ff5733c7c8e --- common/file.te | 1 + common/file_contexts | 2 ++ common/rfs_access.te | 43 ++++++++++++++++++++++++------------------- common/rmt_storage.te | 22 ++++++++++++---------- 4 files changed, 39 insertions(+), 29 deletions(-) mode change 100755 => 100644 common/file.te mode change 100755 => 100644 common/file_contexts diff --git a/common/file.te b/common/file.te old mode 100755 new mode 100644 index 2c62bc55..c7a36d74 --- a/common/file.te +++ b/common/file.te 
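Review bot: The qlogd capability set grows to `net_raw net_admin fowner fsetid kill sys_module` plus a `packet_socket` rule on all build types, while the features that appear to need them are debug-only: the tcpdump `kernel:system module_request` rule and the QDSS rules both sit inside `userdebug_or_eng`. A production logging daemon holding module-loading and packet-capture rights is a large step up from the previous set. Consider moving those grants into the tcpdump block, e.g. `allow qlogd self:capability { net_raw net_admin sys_module };` and `allow qlogd self:packet_socket { create ioctl bind getopt setopt };` inside `userdebug_or_eng`. Each remaining capability deserves a one-line reason in place of the blanket comment `# need to add more capabilities for qlogd`.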
@@ -48,6 +48,7 @@ type sysfs_msmuart_file, sysfs_type, fs_type; # Storage RFS file types type rfs_data_file, file_type; type rfs_system_file, file_type; +type rfs_shared_hlos_file, file_type; #mm-pp-daemon file type for sysfs access type sysfs_leds, fs_type, sysfs_type; diff --git a/common/file_contexts b/common/file_contexts old mode 100755 new mode 100644 index ac3b7303..8e558276 --- a/common/file_contexts +++ b/common/file_contexts @@ -122,6 +122,7 @@ /system/bin/time_daemon u:object_r:time_daemon_exec:s0 /system/bin/rmt_storage u:object_r:rmt_storage_exec:s0 /system/bin/rfs_access u:object_r:rfs_access_exec:s0 +/system/bin/tftp_server u:object_r:rfs_access_exec:s0 /system/bin/hvdcp u:object_r:hvdcp_exec:s0 /system/bin/qseecomd u:object_r:tee_exec:s0 /system/bin/hostapd_cli u:object_r:hostapd_exec:s0 @@ -204,6 +205,7 @@ /data/diag_log(/.*)? u:object_r:diag_data_file:s0 /data/misc/sensors(/.*)? u:object_r:sensors_data_file:s0 /data/rfs.* u:object_r:rfs_data_file:s0 +/data/hlos_rfs(/.*)? u:object_r:rfs_shared_hlos_file:s0 /data/camera(/.*)? u:object_r:camera_socket:s0 /data/system/sensors(/.*)? u:object_r:sensors_data_file:s0 /data/time/* u:object_r:time_data_file:s0 diff --git a/common/rfs_access.te b/common/rfs_access.te index ec946c27..e4dc3a55 100644 --- a/common/rfs_access.te +++ b/common/rfs_access.te 
@@ -5,39 +5,44 @@ init_daemon_domain(rfs_access) #The files created by rfs_access process in the /data folder will have type rfs_data_file type_transition rfs_access system_data_file:{ dir file } rfs_data_file; +type_transition rfs_access system_data_file:dir rfs_shared_hlos_file "hlos_rfs"; #To read the uio char device -allow rfs_access uio_device:chr_file { read write open }; +allow rfs_access uio_device:chr_file rw_file_perms; -#For QMI sockets -allow rfs_access self:socket { create_socket_perms }; +#For QMI sockets and IPCR Sockets +allow rfs_access self:socket create_socket_perms; +allow rfs_access smem_log_device:chr_file rw_file_perms; #For Wakelocks allow rfs_access self:capability2 block_suspend; -allow rfs_access sysfs_wake_lock:file { open write append }; +allow rfs_access sysfs_wake_lock:file w_file_perms; -#To create the /data/rfs -allow rfs_access system_data_file:dir { write add_name }; +#To create the folders in /data +allow rfs_access system_data_file:dir create_dir_perms; #For system folder entries -allow rfs_access rfs_system_file:dir search; -allow rfs_access rfs_system_file:lnk_file read; +allow rfs_access rfs_system_file:dir r_dir_perms; +allow rfs_access rfs_system_file:lnk_file r_file_perms; #For data folder entries -allow rfs_access rfs_data_file:dir { write search create add_name }; -allow rfs_access rfs_data_file:file { open read write create append getattr }; +allow rfs_access rfs_data_file:dir create_dir_perms; +allow rfs_access rfs_data_file:file create_file_perms; + +allow rfs_access rfs_shared_hlos_file:dir create_dir_perms; +allow rfs_access rfs_shared_hlos_file:file create_file_perms; #For ramdump entries in /data/tombstones. 
-allow rfs_access tombstone_data_file:dir { write search create add_name }; -allow rfs_access tombstone_data_file:file { open read write create append getattr }; +allow rfs_access tombstone_data_file:dir create_dir_perms; +allow rfs_access tombstone_data_file:file create_file_perms; #For firmware entries in /firmware to read NHLOS.bin files ( only perms to read and get attributes). -allow rfs_access firmware_file:dir { search }; -allow rfs_access firmware_file:file { open read getattr }; +allow rfs_access firmware_file:dir r_dir_perms; +allow rfs_access firmware_file:file r_file_perms; -#Prevent other domains from accessing RFS data files. -neverallow { domain -rfs_access -kernel -recovery -init userdebug_or_eng(`-su') -init_shell } rfs_data_file:dir { write search create add_name }; -neverallow { domain -rfs_access -kernel -recovery -init userdebug_or_eng(`-su') -init_shell } rfs_data_file:file { open read write create append getattr }; +#For dropping permisions from root and wakelock +allow rfs_access self:capability { setuid setgid setpcap net_raw }; -allow rfs_access self:capability { setuid setpcap net_raw }; -allow rfs_access smem_log_device:chr_file rw_file_perms; +#Prevent other domains from accessing RFS data files. +neverallow { domain -rfs_access -kernel -recovery -init userdebug_or_eng(`-su') -init_shell } rfs_data_file:dir create_dir_perms; +neverallow { domain -rfs_access -kernel -recovery -init userdebug_or_eng(`-su') -init_shell } rfs_data_file:file create_file_perms; diff --git a/common/rmt_storage.te b/common/rmt_storage.te index 04a96ef1..19aea1d0 100644 --- a/common/rmt_storage.te +++ b/common/rmt_storage.te 
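Review bot: `allow rfs_access system_data_file:dir create_dir_perms;` widens the previous `{ write add_name }` to create, rename, rmdir and setattr on generic `/data` directories. The two `type_transition` rules at the top of the hunk give new directories the `rfs_data_file` or `rfs_shared_hlos_file` type, so the create check should fall on those types, which the hunk already allows. On the parent only `allow rfs_access system_data_file:dir { search write add_name };` should be needed; confirm against the denials. The new comment `#For dropping permisions from root and wakelock` has a typo ("permissions").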
@@ -3,14 +3,16 @@ type rmt_storage, domain; type rmt_storage_exec, exec_type, file_type; init_daemon_domain(rmt_storage) -allow rmt_storage modem_efs_partition_device:blk_file { read write open }; -allow rmt_storage block_device:dir search; -allow rmt_storage cgroup:dir { create add_name }; -allow rmt_storage smem_log_device:chr_file { read write ioctl open }; -allow rmt_storage self:capability { setuid setgid sys_admin dac_override }; +allow rmt_storage modem_efs_partition_device:blk_file rw_file_perms; +allow rmt_storage block_device:dir r_dir_perms; +allow rmt_storage cgroup:dir create_dir_perms; +allow rmt_storage smem_log_device:chr_file rw_file_perms; + +# sys_admin is needed for ioprio_set +allow rmt_storage self:capability { setuid setgid sys_admin dac_override net_raw setpcap }; + allow rmt_storage self:capability2 block_suspend; -allow rmt_storage self:socket { create_socket_perms }; -allow rmt_storage sysfs_wake_lock:file { open write append }; -allow rmt_storage uio_device:chr_file { read write open }; -allow rmt_storage mmc_block_device:blk_file r_file_perms; -allow rmt_storage self:capability { net_raw setpcap }; +allow rmt_storage self:socket create_socket_perms; +allow rmt_storage sysfs_wake_lock:file w_file_perms; +allow rmt_storage uio_device:chr_file rw_file_perms; +allow rmt_storage mmc_block_device:blk_file r_file_perms; \ No newline at end of file -- cgit v1.2.3 From ba4eed9d9ae2af776e9f8b0b5105b52b561125e7 Mon Sep 17 00:00:00 2001 From: Kevin Tang Date: Mon, 8 Dec 2014 22:31:43 -0800 Subject: sepolicy: allow location apps to access sensor services Added rules for accessing sensor manager services from location applications. CRs-Fixed: 764189 Change-Id: I1e98ed907c70a78198ef35cb70fddfbe48dcb82d --- common/location.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/common/location.te b/common/location.te index 5edf1326..1698fd46 100644 --- a/common/location.te +++ b/common/location.te 
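Review bot: The last added line of rmt_storage.te has no terminating newline (`\ No newline at end of file`). The policy sources listed in `BOARD_SEPOLICY_UNION` are concatenated at build time, and depending on how the build joins them an unterminated last line can run into the first line of the next file, so the file should end with a newline. Separately, `cgroup:dir create_dir_perms` and `block_device:dir r_dir_perms` replace the narrower `{ create add_name }` and `search`; if the macros were chosen only for brevity, the original permission sets were sufficient and safer to keep.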
@@ -11,6 +11,7 @@ type_transition location location_data_file:sock_file location_socket; qmux_socket(location) binder_use(location) +binder_call(location, system_server) allow location location_data_file:dir rw_dir_perms; allow location location_data_file:fifo_file create_file_perms; @@ -23,6 +24,7 @@ allow location sensors:unix_stream_socket connectto; allow location sensors_device:chr_file r_file_perms; allow location sensors_socket:sock_file w_file_perms; allow location self:netlink_socket create_socket_perms; +allow location system_server:unix_stream_socket { read write }; dontaudit location domain:dir r_dir_perms; r_dir_file(location, netmgrd) -- cgit v1.2.3 From d5210e91a9005faa9ddf24d414b236689cfd4812 Mon Sep 17 00:00:00 2001 From: Satya Durga Srinivasu Prabhala Date: Tue, 9 Dec 2014 10:24:54 -0800 Subject: sepolicy: sensors: allow access to execmem Allow sensor daemon to access execmem to supress denial for execmem. Change-Id: I535996736e94eb6d323de28c38b1bb70b0fd3a05 --- common/sensors.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/common/sensors.te b/common/sensors.te index f71c4444..60f889df 100644 --- a/common/sensors.te +++ b/common/sensors.te @@ -35,6 +35,9 @@ allow sensors persist_file:dir r_dir_perms; allow sensors sensors_persist_file:dir create_dir_perms; allow sensors sensors_persist_file:file create_file_perms; +# Access to execmem +allow sensors self:process execmem; + # Wake lock access wakelock_use(sensors) -- cgit v1.2.3 From f9eefc62c46e01b1f2901ccf5dc3fbc215269f40 Mon Sep 17 00:00:00 2001 
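Review bot: In the sensors.te hunk, `allow sensors self:process execmem;` is justified in the commit message only as suppressing a denial, but `execmem` allows the daemon to make anonymous memory both writable and executable. That weakens a mitigation worth keeping in a long-running daemon. If the daemon works without the permission, `dontaudit sensors self:process execmem;` silences the log without granting it. If it is functionally required, the comment `# Access to execmem` should name the library or code path that needs it.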
From: Ravi Kumar Siddojigari Date: Wed, 3 Dec 2014 17:13:31 +0530 Subject: sepolicy : added all bt related services under bluetooth domain. - Added all bt related services (sapd, dun-server, btsnoop) under bluetooth domain. - Added required permission for each service. CRs-Fixed: 762431 Change-Id: I7b762e299f9e3e63daf12f6d7ef0dff543b04bbf --- common/bluetooth.te | 24 ++++++++++++++++++++++++ common/file_contexts | 3 +++ 2 files changed, 27 insertions(+) diff --git a/common/bluetooth.te b/common/bluetooth.te index 9d806203..17817b8a 100644 --- a/common/bluetooth.te +++ b/common/bluetooth.te @@ -1,3 +1,16 @@ +#Adding all bt related service to bt domains +type sapd, bluetoothdomain; +type sapd_exec, exec_type, file_type; +domain_auto_trans(init, sapd_exec, bluetooth) + +type dun-server, bluetoothdomain; +type dun-server_exec, exec_type, file_type; +domain_auto_trans(init, dun-server_exec, bluetooth) + +type btsnoop, bluetoothdomain; +type btsnoop_exec, exec_type, file_type; +domain_auto_trans(init, btsnoop_exec, bluetooth) + #BT needes read and write on smd device node allow bluetooth smd_device:chr_file rw_file_perms; @@ -15,3 +28,14 @@ allow bluetooth input_device:chr_file { open read write ioctl }; allow bluetooth persist_file:dir search; allow bluetooth persist_file:file rw_file_perms; + +#dun-server requires interaction with net_domain socket +net_domain(bluetooth); + +#dun-server requires binding with system_app and servicemanager +binder_use(bluetooth); +binder_call(bluetooth, system_app); +binder_call(bluetooth, servicemanager); + +#sapd requires interaction with qmux sockets +qmux_socket(bluetooth); diff --git a/common/file_contexts b/common/file_contexts index 6e021120..329a4461 100644 --- a/common/file_contexts +++ b/common/file_contexts 
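Review bot: The new types `sapd`, `dun-server` and `btsnoop` are declared but never entered: each `domain_auto_trans(init, ..._exec, bluetooth)` sends the daemon into the existing `bluetooth` domain, and the second hunk then grants `net_domain`, `binder_call(bluetooth, system_app)` and `qmux_socket` to `bluetooth` as a whole. Every process running in that domain therefore holds the union of what the three daemons need. Giving each daemon its own domain, e.g. `init_daemon_domain(sapd)` with `qmux_socket(sapd)`, would keep each grant with the daemon the comments attribute it to. If sharing one domain is intended, the three unused `type ..., bluetoothdomain;` declarations should be dropped or explained.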
@@ -161,6 +161,9 @@ /system/vendor/bin/qti u:object_r:qti_exec:s0 /system/bin/wcnss_service u:object_r:wcnss_service_exec:s0 /system/vendor/bin/hbtp_daemon u:object_r:hbtp_exec:s0 +/system/bin/sapd u:object_r:sapd_exec:s0 +/system/bin/btsnoop u:object_r:btsnoop_exec:s0 +/system/bin/dun-server u:object_r:dun-server_exec:s0 ################################### # sysfs files -- cgit v1.2.3 From 7a0d84966fc783d32853343ba8e0d36c5461eb91 Mon Sep 17 00:00:00 2001 From: Karthikeyan Ramasubramanian Date: Thu, 17 Jul 2014 12:08:50 -0600 Subject: sepolicy: Add system health monitor device contexts and rules Add the context for the system health monitor device and add rules to allow the qmi_test_service_tests to access the system health monitor device. CRs-Fixed: 770415 Change-Id: I741bb2fca9df6e09e048ed2b3b9445dd7dbe395e --- common/device.te | 3 +++ common/file_contexts | 1 + test/qmi_test_service.te | 3 +++ 3 files changed, 7 insertions(+) diff --git a/common/device.te b/common/device.te index a4ec98cf..081b8adc 100755 --- a/common/device.te +++ b/common/device.te @@ -88,3 +88,6 @@ type hbtp_device, dev_type; #added for voice device type voice_device, dev_type; + +#Define system health monitor devices +type system_health_monitor_device, dev_type; diff --git a/common/file_contexts b/common/file_contexts index 6e021120..55f9a51e 100644 --- a/common/file_contexts +++ b/common/file_contexts @@ -59,6 +59,7 @@ /dev/coresight-tmc-etf u:object_r:qdss_device:s0 /dev/coresight-tmc-etr u:object_r:qdss_device:s0 /dev/coresight-tmc-etr-stream u:object_r:qdss_device:s0 +/dev/system_health_monitor u:object_r:system_health_monitor_device:s0 ################################### # Dev socket nodes diff --git a/test/qmi_test_service.te b/test/qmi_test_service.te index ed97c2ec..11ada33b 100644 --- a/test/qmi_test_service.te +++ b/test/qmi_test_service.te 
@@ -20,4 +20,7 @@ userdebug_or_eng(` allow qmi_test_service qmi_test_service:capability {dac_override dac_read_search setgid setuid fsetid}; #QCCI calls qmuxd API. The API will internally require this qmux_socket(qmi_test_service); + #enable accessing the system health monitor to check the system health, + #if a request times out + allow qmi_test_service system_health_monitor_device:chr_file rw_file_perms; ') -- cgit v1.2.3 From c30fd144078edfd26618c15ae3304904fa0db3e6 Mon Sep 17 00:00:00 2001 From: Karthikeyan Ramasubramanian Date: Wed, 3 Dec 2014 16:48:44 -0700 Subject: sepolicy: Allow QMI test to access 64 bit loader Add SEAndroid policies that enables QMI tests to access 64 bit loader. CRs-Fixed: 770415 Change-Id: I62c84207627555257ba15e7e4814e545977045ba --- test/qmi_test_service.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/test/qmi_test_service.te b/test/qmi_test_service.te index 11ada33b..55066bbe 100644 --- a/test/qmi_test_service.te +++ b/test/qmi_test_service.te @@ -5,6 +5,8 @@ userdebug_or_eng(` type qmi_test_service, domain; domain_auto_trans(shell, qmi_test_service_exec, qmi_test_service) domain_auto_trans(adbd, qmi_test_service_exec, qmi_test_service) + #enable access to loader in 64 bit system + allow qmi_test_service shell:fd use; #test is launched from pseudo terminal so output goes there allow qmi_test_service devpts:chr_file {read write getattr ioctl}; #to access smem log -- cgit v1.2.3 From 10bbf3b2b7f3e4012a0bd2d6a92f8bb3cd656123 Mon Sep 17 00:00:00 2001 From: Avijit Kanti Das Date: Mon, 1 Dec 2014 15:44:19 -0800 Subject: Seandroid: Adding policy for atfwd Provide atfwd write access to property_socket Change-Id: I8afee52ca6c9db2c6ce1dcc37ded24d3bec74687 --- common/atfwd.te | 1 + 1 file changed, 1 insertion(+) diff --git a/common/atfwd.te b/common/atfwd.te index 4c295b68..f3d84a80 100644 --- a/common/atfwd.te +++ b/common/atfwd.te 
@@ -14,3 +14,4 @@ binder_call(atfwd, servicemanager); r_dir_file(atfwd, sysfs_ssr); allow atfwd self:udp_socket create; +unix_socket_connect(atfwd, property, init); -- cgit v1.2.3 From b66cdd6bbbede58653614623b2b23cf617961160 Mon Sep 17 00:00:00 2001 From: Sachin Shah Date: Tue, 16 Dec 2014 12:52:51 -0800 Subject: WFD: Add directory search permissions for video device This permission is needed for WFD to use OMX HAL interface as opposed to V4L2 driver layer. Change-Id: Ib888c88d860ce86f4965de109d297787ddb5ee4b --- common/wfd_app.te | 1 + 1 file changed, 1 insertion(+) diff --git a/common/wfd_app.te b/common/wfd_app.te index f9b17339..e9d3dec8 100644 --- a/common/wfd_app.te +++ b/common/wfd_app.te @@ -13,6 +13,7 @@ allow wfd_app video_device:chr_file rw_file_perms; allow wfd_app audio_device:dir r_dir_perms; allow wfd_app audio_device:chr_file rw_file_perms; allow wfd_app fwmarkd_socket:sock_file write; +allow wfd_app mpctl_socket:dir r_dir_perms; allow wfd_app netd:unix_stream_socket connectto; allow wfd_app firmware_file:dir r_dir_perms; allow wfd_app firmware_file:file r_file_perms; -- cgit v1.2.3 From c6e7cf6273f7af0d9a29057213f9177ceeacacd5 Mon Sep 17 00:00:00 2001 From: Boxiang Pan Date: Mon, 6 Oct 2014 12:00:15 -0700 Subject: Sepolicy: allow cnd to access ipa_dev. adding rules to allow cnd to access ipa_dev for tethering and data path offload Change-Id: I571c9e627be89c1baa3c4ae28f9fde1304ebf75b --- common/cnd.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/common/cnd.te b/common/cnd.te index 86ab50a9..0d8f11bb 100644 --- a/common/cnd.te +++ b/common/cnd.te @@ -66,3 +66,5 @@ allow cnd mediaserver:fd use; allow cnd mediaserver:tcp_socket { read write bind getattr shutdown getopt }; allow cnd mediaserver:file { open read }; +# allow cnd to access ipa_dev +allow cnd ipa_dev:chr_file r_file_perms; -- cgit v1.2.3 From 318808113e38963de653419087af645069f18c8a Mon Sep 17 00:00:00 2001 
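Review bot: `unix_socket_connect(atfwd, property, init);` in common/atfwd.te only opens the path to init's property socket. A property write also needs an `allow atfwd <prop_type>:property_service set;` rule for the property being set, and none is added here. If that rule is not already elsewhere in atfwd.te, the set will still be denied. A one-line comment naming the property, for example `# atfwd sets <property name> via the property service`, would document why the connection is granted.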
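Review bot: The rule added in common/wfd_app.te does not match the commit description. The text asks for directory search on the video device, while the line grants `r_dir_perms` on `mpctl_socket`, which a file_contexts hunk further down this page shows as the label of /data/misc/perfd. If path traversal is all that is needed, `allow wfd_app mpctl_socket:dir search;` is the narrower grant, since r_dir_perms also allows opening and listing the directory. Either way the rule deserves a comment saying why wfd_app touches the perfd socket directory.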
From: Richard LIU Date: Wed, 17 Dec 2014 11:44:06 +0800 Subject: Sepolicy: allow RILD to access health monitor device Assign read permission on system health monitor device to RILD Change-Id: I1691c8354d55f0caea7cf7d85847a15e5e6a344c --- common/rild.te | 1 + 1 file changed, 1 insertion(+) diff --git a/common/rild.te b/common/rild.te index 54f2dd98..be35748d 100644 --- a/common/rild.te +++ b/common/rild.te @@ -15,6 +15,7 @@ allow rild mediaserver:binder { transfer call }; #allow rild diag_device:chr_file { open read write }; allow rild rild_socket:chr_file { open read write }; +allow rild system_health_monitor_device:chr_file r_file_perms; allow rild sysfs_ssr:dir r_dir_perms; allow rild sysfs_ssr:lnk_file read; -- cgit v1.2.3 From 56154038a8bdc31536d084dbfea6dfd0e477a9b9 Mon Sep 17 00:00:00 2001 From: Pavan Chikkala Date: Mon, 29 Dec 2014 15:01:48 +0530 Subject: sepolicy: Add dolby.audio policy to property service - New property dolby.audio added Change-Id: I8229190b9f41dc4fb2adf01800bf84d04561093e --- common/property_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/common/property_contexts b/common/property_contexts index 1c4c7a46..224dbda8 100644 --- a/common/property_contexts +++ b/common/property_contexts @@ -1,3 +1,4 @@ wc_transport. u:object_r:bluetooth_prop:s0 usb_uicc. u:object_r:uicc_prop:s0 sys.ims. u:object_r:qcom_ims_prop:s0 +dolby.audio. u:object_r:audio_prop:s0 -- cgit v1.2.3 From 5d7e4048ff882c7718e3c486d192b3a25aad73a0 Mon Sep 17 00:00:00 2001 From: Mohit Aggarwal Date: Fri, 26 Dec 2014 13:00:43 +0530 Subject: sepolicy : Moving mdlog services/domain to the qlogd domain mdlog share same allow rule and fall under similar group as that of qlogd. Change-Id: Ia7f235fdf246fd248961580714f218088efda416 --- common/file_contexts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/common/file_contexts b/common/file_contexts index a11b4061..efb25aab 100644 --- a/common/file_contexts +++ b/common/file_contexts 
@@ -99,7 +99,7 @@ /system/bin/diag_callback_client u:object_r:diag_exec:s0 /system/bin/diag_dci_sample u:object_r:diag_exec:s0 /system/bin/diag_klog u:object_r:diag_exec:s0 -/system/bin/diag_mdlog u:object_r:diag_exec:s0 +/system/bin/diag_mdlog u:object_r:qlogd_exec:s0 /system/bin/diag_qshrink4_daemon u:object_r:diag_exec:s0 /system/bin/diag_socket_log u:object_r:diag_exec:s0 /system/bin/diag_uart_log u:object_r:diag_exec:s0 -- cgit v1.2.3 From 38480e65ab892742e87580a33886ce3b99dd9261 Mon Sep 17 00:00:00 2001 From: Susheel Yadagiri Date: Tue, 30 Dec 2014 12:22:42 -0800 Subject: sepolicy: Added rule to enable unlink of dpmwrapper socket when dpmd process is restarted dpmwrapper socket needs to be unlinked and started again. Unlink fails because permission is denied. Change-Id: Ie3059785bb7aae940559623e59476d7f15f2730d --- common/dpmd.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/common/dpmd.te b/common/dpmd.te index 054a61b4..61e6919c 100644 --- a/common/dpmd.te +++ b/common/dpmd.te @@ -36,3 +36,6 @@ allow dpmd kernel:system module_request; #appdomain allow dpmd appdomain:fd use; allow dpmd appdomain:tcp_socket { read write getopt getattr }; + +#permission to unlink dpmwrapper socket +allow dpmd socket_device:dir remove_name; -- cgit v1.2.3 From a24957dd0015e475aaa2e6e582575f3d78dae384 Mon Sep 17 00:00:00 2001 From: Tarun Gupta Date: Tue, 9 Dec 2014 23:21:50 +0530 Subject: sepolicy: Update property_context for UICC UICC properties has been changed to start with sys.usb_uicc instead of usb_uicc to better align naming with android properties. Update the sepolicy to reflect this change. Change-Id: Ib0f3239c8a7cad5bb844b101e59080d7f7e62730 --- common/init_shell.te | 3 +++ common/property_contexts | 2 +- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/common/init_shell.te b/common/init_shell.te index f452ae90..34b8f897 100644 --- a/common/init_shell.te +++ b/common/init_shell.te 
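Review bot: The relabel of /system/bin/diag_mdlog to `qlogd_exec` in common/file_contexts leaves one diag_* binary labelled differently from its neighbours with nothing in the file saying why. Presumably the binary now transitions into the qlogd domain, picking up every qlogd rule and losing anything granted only to the diag domain. The commit text says the two share the same rules, but the hunk cannot show that. A comment above the entry such as `# diag_mdlog runs in the qlogd domain, same rule set as qlogd` would record the intent for the next reader.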
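Review bot: `allow dpmd socket_device:dir remove_name;` in common/dpmd.te covers only one of the checks an unlink goes through. The directory side also needs `write` and `search`, and the socket itself needs `unlink` on its own type. Unless those are already granted elsewhere in dpmd.te, the denial this commit describes will recur with a different permission name. The macro use `unix_socket_connect(appdomain, dpmwrapper, dpmd)` visible later on this page suggests the type is `dpmwrapper_socket`, so the companion rule would be `allow dpmd dpmwrapper_socket:sock_file unlink;`. Keeping the file-side grant on that one type is what stops dpmd from removing other entries in the shared socket directory.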
@@ -24,3 +24,6 @@ allow init_shell efs_boot_dev:blk_file r_file_perms; allow init_shell ctl_default_prop:property_service set; allow init_shell ctl_rildaemon_prop:property_service set; + +#for access to UICC property +allow init_shell uicc_prop:property_service set; diff --git a/common/property_contexts b/common/property_contexts index 1c4c7a46..e794f8c3 100644 --- a/common/property_contexts +++ b/common/property_contexts @@ -1,3 +1,3 @@ wc_transport. u:object_r:bluetooth_prop:s0 -usb_uicc. u:object_r:uicc_prop:s0 +sys.usb_uicc. u:object_r:uicc_prop:s0 sys.ims. u:object_r:qcom_ims_prop:s0 -- cgit v1.2.3 From 022788c7235d70158a71f609234cf18b76a70c18 Mon Sep 17 00:00:00 2001 From: Mohit Aggarwal Date: Mon, 22 Dec 2014 10:09:27 +0530 Subject: sepolicy: Correct the context used by time_daemon This patch modifies file_contexts for /data/time in order to match the context used by time_daemon. Change-Id: I1e3858fc2467772e3961a9bd70e3b07009d476bb --- common/file_contexts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/common/file_contexts b/common/file_contexts index efb25aab..85c7efb0 100644 --- a/common/file_contexts +++ b/common/file_contexts @@ -216,7 +216,7 @@ /data/hlos_rfs(/.*)? u:object_r:rfs_shared_hlos_file:s0 /data/camera(/.*)? u:object_r:camera_socket:s0 /data/system/sensors(/.*)? u:object_r:sensors_data_file:s0 -/data/time/* u:object_r:time_data_file:s0 +/data/time(/.*)? u:object_r:time_data_file:s0 /data/nfc(/.*)? u:object_r:nfc_data_file:s0 /data/system/perfd(/.*)? u:object_r:mpctl_data_file:s0 /data/misc/perfd(/.*)? u:object_r:mpctl_socket:s0 -- cgit v1.2.3 From d177d2fd07e1f62c962c1b4220bc557be558b579 Mon Sep 17 00:00:00 2001 
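Review bot: The corrected pattern `/data/time(/.*)?` in common/file_contexts only takes effect when labels are applied, and this change does not relabel anything. Under the old pattern `/data/time/*` the files inside the directory most likely fell through to a more general /data rule, so devices that already have a populated /data/time keep those labels. If time_daemon is expected to read existing files after an update, a recursive restorecon of /data/time is needed from wherever this tree does that, probably an init script. That step is not part of this hunk, so it is worth confirming it exists.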
From: Justin Philip Date: Mon, 5 Jan 2015 12:05:43 +0530 Subject: Seandroid: Allow mm-pp-deamon access to unix socket Modify mm-pp-deaemon policy file to enable access to listen and accept unix socket calls from init to enable CABL. Change-Id: If8621d31d8ae07d17803bb2d152bebf5fffdc51e --- common/mm-pp-daemon.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/common/mm-pp-daemon.te b/common/mm-pp-daemon.te index f8edeb54..a6a06478 100755 --- a/common/mm-pp-daemon.te +++ b/common/mm-pp-daemon.te @@ -50,3 +50,5 @@ allow mm-pp-daemon sysfs:file rw_file_perms; # Allow socket calls in pp-daemon unix_socket_connect(mm-pp-daemon, property, init) unix_socket_connect(mm-pp-daemon, pps, init) +allow mm-pp-daemon init:unix_stream_socket listen; +allow mm-pp-daemon init:unix_stream_socket accept; -- cgit v1.2.3 From 695cae67e4949bec42bc4c57237833b2aa674c25 Mon Sep 17 00:00:00 2001 From: Boxiang Pan Date: Tue, 23 Dec 2014 12:05:45 -0800 Subject: Sepolicy: add rule to support ATP feature adding policy to support CNE ATP feature. Change-Id: I1cdd2839c090019c18b576b281e3a77619994adb CR-Fixed: 767622 --- common/cnd.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/common/cnd.te b/common/cnd.te index 0d8f11bb..5e419e87 100644 --- a/common/cnd.te +++ b/common/cnd.te @@ -68,3 +68,6 @@ allow cnd mediaserver:file { open read }; # allow cnd to access ipa_dev allow cnd ipa_dev:chr_file r_file_perms; + +# allow cnd to perform socket operation on itself +allow cnd self:socket create_socket_perms; -- cgit v1.2.3 From 787e3b8a981b4392f4b8eb03ee0694b169dd1d8e Mon Sep 17 00:00:00 2001 From: Satya Durga Srinivasu Prabhala Date: Thu, 8 Jan 2015 20:58:02 -0800 Subject: sepolicy: sensors: update policy to support test application update sensors sepolicy to allow system app to access sensor test binaries. Change-Id: I042466e2bb67c6855ae7a655fd8541dd1c605c05 --- test/sensors_test.te | 1 + 1 file changed, 1 insertion(+) 
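Review bot: The two rules added in common/mm-pp-daemon.te share source, target and class and read better as one: `allow mm-pp-daemon init:unix_stream_socket { listen accept };`. The existing comment `# Allow socket calls in pp-daemon` sits above the connect macros and does not explain why the daemon now acts as a server on a socket labelled init. A short comment such as `# serve the init-created socket used to enable CABL` (wording taken from the commit message) would cover it.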
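Review bot: `allow cnd self:socket create_socket_perms;` in common/cnd.te uses the generic `socket` class, which stands for any address family that has no class of its own. The comment `# allow cnd to perform socket operation on itself` does not say which family the ATP feature opens. create_socket_perms also grants bind, connect, setopt and the rest of the read/write set, which may be more than the feature uses. Naming the address family in the comment and listing only the permissions seen in the denials would keep the grant reviewable.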
diff --git a/test/sensors_test.te b/test/sensors_test.te index 92872b50..2d8d2229 100644 --- a/test/sensors_test.te +++ b/test/sensors_test.te @@ -13,4 +13,5 @@ userdebug_or_eng(` allow sensors_test sensors_socket:sock_file rw_file_perms; allow sensors_test smd_device:chr_file rw_file_perms; allow sensors_test socket_device:dir r_dir_perms; + allow system_app sensors_test_exec:file rx_file_perms; ') -- cgit v1.2.3 From 35353513abc0e09cd61eb621e3848eca1ee6f104 Mon Sep 17 00:00:00 2001 From: Nikhilesh Reddy Date: Mon, 12 Jan 2015 17:27:35 -0800 Subject: sepolicy: Update the sepolicy for RFS with new permissions Update the sepolicy for RFS to allow reads to the rfs system files. Change-Id: I6cc93971b2e5d7c411df7e9a062d589992f64b49 --- common/rfs_access.te | 1 + 1 file changed, 1 insertion(+) diff --git a/common/rfs_access.te b/common/rfs_access.te index e4dc3a55..27d426ea 100644 --- a/common/rfs_access.te +++ b/common/rfs_access.te @@ -24,6 +24,7 @@ allow rfs_access system_data_file:dir create_dir_perms; #For system folder entries allow rfs_access rfs_system_file:dir r_dir_perms; allow rfs_access rfs_system_file:lnk_file r_file_perms; +allow rfs_access rfs_system_file:file r_file_perms; #For data folder entries allow rfs_access rfs_data_file:dir create_dir_perms; -- cgit v1.2.3 From c716af458d7dfe76a47e5aaa3785d4b933768f22 Mon Sep 17 00:00:00 2001 From: Samir Mehta Date: Tue, 13 Jan 2015 12:17:23 +0530 Subject: SEPOLICY: Add new context for drm Add a new context for drm related failures reported in IFR for ISDBTmm tests Change-Id: I88586d4f566ce9ce250e03718a9561d09000711b --- common/file_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/common/file_contexts b/common/file_contexts index 85c7efb0..87f2e767 100644 --- a/common/file_contexts +++ b/common/file_contexts 
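Review bot: `allow system_app sensors_test_exec:file rx_file_perms;` in test/sensors_test.te includes execute_no_trans. With no transition rule in the hunk, the test binaries run inside the system_app domain with system_app's permissions rather than under the sensors_test rules listed just above. If the intent is for them to run confined as sensors_test, `domain_auto_trans(system_app, sensors_test_exec, sensors_test)` is the form the other test policies on this page use. The new line also has no comment, unlike most rules in these files; `#system app launches the sensor test binaries` would do. The userdebug_or_eng block starts outside the hunk.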
@@ -233,6 +233,7 @@ # persist files # /persist(/.*)? u:object_r:persist_file:s0 +/persist/drm(/.*)? u:object_r:persist_drm_file:s0 /persist/sensors(/.*)? u:object_r:sensors_persist_file:s0 /persist/data(/.*)? u:object_r:persist_drm_file:s0 /persist/data/tz(/.*)? u:object_r:persist_drm_file:s0 -- cgit v1.2.3 From dfd0d6cb2fdf02c8cf7139a20b64668101dd6bbf Mon Sep 17 00:00:00 2001 From: Praveen Chavan Date: Thu, 8 Jan 2015 15:00:42 -0800 Subject: sepolicy: Allow socket connectto permission to timedaemon Allow mediaserver process socket permissions to connect to timedaemon domain Change-Id: I90a9ecd336465e18b6e32ed9aeae09b890f07305 --- common/mediaserver.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/common/mediaserver.te b/common/mediaserver.te index 273890c1..49713053 100644 --- a/common/mediaserver.te +++ b/common/mediaserver.te @@ -33,3 +33,6 @@ unix_socket_connect(mediaserver, mpctl, perfd) # for thermal sock files unix_socket_connect(mediaserver, thermal, thermal-engine) + +#allow mediaserver to communicate with timedaemon +allow mediaserver time_daemon:unix_stream_socket connectto; -- cgit v1.2.3 From af89dd800a1843a678d7e0806935570072acbcf4 Mon Sep 17 00:00:00 2001 From: Avijit Kanti Das Date: Thu, 18 Dec 2014 17:02:15 -0800 Subject: sepolicy: policy for imscm to app binder call Allow appdomain talk to imscm services and vice versa using binder. Change-Id: Ia69fd7d659f94ed51b1972f6c9b9a768479b7321 --- common/app.te | 6 ++++++ common/imscm.te | 2 +- common/untrusted_app.te | 6 ------ 3 files changed, 7 insertions(+), 7 deletions(-) diff --git a/common/app.te b/common/app.te index ac49f975..d389c49e 100644 --- a/common/app.te +++ b/common/app.te 
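Review bot: The rule added in common/mediaserver.te grants only `connectto` on `time_daemon:unix_stream_socket`. The two neighbouring entries use `unix_socket_connect(...)`, which also grants write on the socket file. If the time daemon listens on a filesystem socket with its own type, the connection will still be denied on the sock_file write, and `unix_socket_connect(mediaserver, <socket_type_prefix>, time_daemon)` would be the consistent form. If the socket is abstract, the bare connectto is enough and the comment should say so.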
@@ -7,3 +7,9 @@ unix_socket_connect(appdomain, dpmwrapper, dpmd) unix_socket_connect(appdomain, qlogd, qlogd) #Allow all apps to open and send ioctl to qdsp device allow appdomain qdsp_device:chr_file r_file_perms; + +# test apps needs to communicate with imscm +# using binder call +userdebug_or_eng(` + binder_call(appdomain, imscm) +') diff --git a/common/imscm.te b/common/imscm.te index 22a514dd..118a6cdd 100644 --- a/common/imscm.te +++ b/common/imscm.te @@ -21,5 +21,5 @@ allow imscm self:capability net_raw; # imscm needs to communicate with test app # using binder call userdebug_or_eng(` - binder_call(imscm, untrusted_app) + binder_call(imscm, appdomain) ') diff --git a/common/untrusted_app.te b/common/untrusted_app.te index 07910098..17857e6c 100644 --- a/common/untrusted_app.te +++ b/common/untrusted_app.te @@ -4,9 +4,3 @@ unix_socket_send(untrusted_app, mpctl, perfd) unix_socket_connect(untrusted_app, mpctl, perfd) unix_socket_send(untrusted_app, mpctl, mpdecision) unix_socket_connect(untrusted_app, mpctl, mpdecision) - -# test apps needs to communicate with imscm -# using binder call -userdebug_or_eng(` - binder_call(untrusted_app, imscm) -') -- cgit v1.2.3
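Review bot: The comment carried into common/app.te still says `# test apps needs to communicate with imscm`, but `binder_call(appdomain, imscm)` applies to every app domain on userdebug and eng builds, not to a test app. The matching hunk in common/imscm.te has the same mismatch with `binder_call(imscm, appdomain)`. If only a test client needs this, a dedicated type for that app keeps imscm's binder interface closed to the rest. If the breadth is intended, the comment should say so, e.g. `# userdebug/eng only: any app may call imscm over binder (used by IMS test apps)`.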