From 0d3e3d89ebe40683a86e780fb424e00586b2e0ff Mon Sep 17 00:00:00 2001 From: Paras Nagda Date: Mon, 3 Oct 2016 18:39:53 +0530 Subject: Sepolicy: Allow mediaserver to access media_msm8956_version_prop mediaserver should be able to access media_msm8956_version_prop Change-Id: I9f68b416706b1c16d70cf73de6d4af03afbb455d --- msm8952/mediaserver.te | 1 + 1 file changed, 1 insertion(+) diff --git a/msm8952/mediaserver.te b/msm8952/mediaserver.te index 5bd54323..f642e817 100644 --- a/msm8952/mediaserver.te +++ b/msm8952/mediaserver.te @@ -30,3 +30,4 @@ allow mediaserver media_msm8956hw_prop:file r_file_perms; allow mediaserver media_settings_xml_prop:file r_file_perms; allow mediaserver seempd:unix_dgram_socket sendto; allow mediaserver seempdw_socket:sock_file write; +allow mediaserver media_msm8956_version_prop:file r_file_perms; -- cgit v1.2.3 From d79aea350e7caa0fc86b16c573f3abbf73b23e4c Mon Sep 17 00:00:00 2001 From: Clarence Wong Date: Fri, 7 Oct 2016 14:41:04 -0700 Subject: Add GOTA sepolicy access for RIDL/RIDL 2.0 For most recent OS, context for /cache/recovery has changed. RIDL/RIDL 2.0 need to read/write to this directory for GOTA. Change-Id: I9154b3726a182385744786b95a3d67488fd6e8e7 CRs-Fixed: 1075722 --- common/qti-logkit.te | 4 ++++ common/ridl.te | 2 ++ 2 files changed, 6 insertions(+) diff --git a/common/qti-logkit.te b/common/qti-logkit.te index b1f9d552..6e5e4288 100644 --- a/common/qti-logkit.te +++ b/common/qti-logkit.te @@ -75,3 +75,7 @@ binder_call(qti_logkit, system_server) # allow logcat access read_logd( qti_logkit ); + +# allow access to recovery directory +allow qti_logkit cache_recovery_file:dir rw_dir_perms; +allow qti_logkit cache_recovery_file:file create_file_perms; diff --git a/common/ridl.te b/common/ridl.te index 90f9d366..817c630e 100644 --- a/common/ridl.te +++ b/common/ridl.te 
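Review bot: The rules added to common/qti-logkit.te give qti_logkit `rw_dir_perms` on `cache_recovery_file:dir` and `create_file_perms` on its files, so a logging domain can create, rename and unlink entries in the directory that recovery consumes on the next boot. The commit text only says RIDL needs to read and write the directory for GOTA, so it is worth confirming that create/rename/unlink are all required and that the grant is meant for user builds; the added lines are not wrapped in `userdebug_or_eng`. The comment should name what is written, for example `# GOTA: RIDL stages its update request under /cache/recovery`. The same applies to the two `allow RIDL cache_recovery_file:...` lines in the common/ridl.te hunk of this commit.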
@@ -71,6 +71,8 @@ binder_call(RIDL, system_server) # recovery allow RIDL cache_file:dir create_dir_perms; allow RIDL cache_file:file create_file_perms; +allow RIDL cache_recovery_file:dir rw_dir_perms; +allow RIDL cache_recovery_file:file create_file_perms; # reboot recovery allow RIDL powerctl_prop:property_service set; -- cgit v1.2.3 From 77593386ef64557ecd886c7eb53112604d6839a6 Mon Sep 17 00:00:00 2001 From: Nirmal Abraham Date: Fri, 14 Oct 2016 15:10:20 +0530 Subject: sepolicy : Allow mm-pp-daemon access to diag The access to diag was restricted as part of this commit 'sepolicy: Restrict diag access available to domains'. This prevents mm-pp-daemon from accessing diag which results in failure of QDCM PC tool connection with the device/pp-daemon. To resolve this, allow mm-pp-daemon r/w access to diag. CRs-Fixed: 1077354 Change-Id: I10388ef8cf5855d12a7053bbffffdb70a3ba162b --- common/mm-pp-daemon.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/common/mm-pp-daemon.te b/common/mm-pp-daemon.te index 197ddaf4..e4e9343e 100644 --- a/common/mm-pp-daemon.te +++ b/common/mm-pp-daemon.te @@ -46,6 +46,9 @@ userdebug_or_eng(` # This allows pp-daemon to set debug property allow mm-pp-daemon debug_prop:property_service set; + + # This allow pp-daemon access to diag + diag_use(mm-pp-daemon) ') # Allow mm-pp-daemon to change the brightness of the target during display -- cgit v1.2.3 From ec83f6b98a0ca719700017eabb49730dcf5c98cb Mon Sep 17 00:00:00 2001 From: Sashidhar Ganiga Date: Wed, 5 Oct 2016 19:06:29 +0530 Subject: sepolicy: allow writing firmware files in recovery mode. FOTA upgrading requires writing firmware images into vfat firmware partition in recovery mode. Change-Id: I0bd61196ea7acf00582e58980aaeb3cf5128aa7a --- common/recovery.te | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/common/recovery.te b/common/recovery.te index c83bc974..210c4050 100644 --- a/common/recovery.te +++ b/common/recovery.te 
@@ -3,7 +3,8 @@ recovery_only(` allow recovery sdcard_type:dir r_dir_perms; allow recovery sdcard_type:file r_file_perms; allow recovery vfat:dir r_dir_perms; - allow recovery vfat:file r_file_perms; + allow recovery vfat:file create_file_perms; + allow recovery vfat:file rw_file_perms; allow recovery system_data_file:file r_file_perms; allow recovery system_data_file:dir r_dir_perms; allow recovery RIDL_data_file:file r_file_perms; -- cgit v1.2.3 From 529ab5919fd5542fec0139fa67b658f41da0596d Mon Sep 17 00:00:00 2001 From: Kiran Kelageri Date: Fri, 14 Oct 2016 16:34:21 -0700 Subject: Bluetooth: Add permission for filter. Allow wcnss filter to access persist file. Change-Id: Iff58f7faab7ccf67b77f0360ad0b855826ad56fd --- common/wcnss_filter.te | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/common/wcnss_filter.te b/common/wcnss_filter.te index 7d84a76e..41045f60 100644 --- a/common/wcnss_filter.te +++ b/common/wcnss_filter.te @@ -50,6 +50,10 @@ r_dir_file(wcnss_filter, bt_firmware_file) allow wcnss_filter bluetooth_data_file:dir create_dir_perms; allow wcnss_filter bluetooth_data_file:notdevfile_class_set create_file_perms; +allow wcnss_filter persist_bluetooth_file:dir r_dir_perms; +allow wcnss_filter persist_bluetooth_file:file r_file_perms; +allow wcnss_filter persist_file:dir r_dir_perms; + #diag userdebug_or_eng(` diag_use(wcnss_filter) -- cgit v1.2.3 From 4f2efc632b39e39e83b996eab7f7d7bb8fcf170c Mon Sep 17 00:00:00 2001 From: Shaheda Begum Date: Fri, 14 Oct 2016 15:09:22 +0530 Subject: Add SELinux support for factory reset protection Map factory reset protection into SELinux sepolicy/file_contexts Change-Id: Ibd3198cc38e0446e1862b178f8d4c5ae8f8dc0c9 CRs-Fixed: 1078078 --- msm8909/file_contexts | 1 + msm8916/file_contexts | 1 + 2 files changed, 2 insertions(+) diff --git a/msm8909/file_contexts b/msm8909/file_contexts index 424d82b1..642cfb5a 100644 --- a/msm8909/file_contexts +++ b/msm8909/file_contexts 
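Review bot: In the common/recovery.te hunk the added `allow recovery vfat:file rw_file_perms;` is redundant, because `create_file_perms` on the line before it already contains `rw_file_perms`. The directory rule just above stays at `vfat:dir r_dir_perms`, so creating or unlinking a firmware image would presumably still be denied at the directory level. If recovery only overwrites existing images, `allow recovery vfat:file rw_file_perms;` alone is the narrower grant; if it really creates files, the directory rule needs `rw_dir_perms` as well. The `recovery_only` block continues outside the hunk.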
@@ -35,6 +35,7 @@ /dev/block/platform/soc.0/7824900.sdhci/by-name/misc u:object_r:misc_block_device:s0 /dev/block/platform/soc.0/7824900.sdhci/by-name/userdata u:object_r:userdata_block_device:s0 /dev/block/platform/soc.0/7824900.sdhci/by-name/logdump u:object_r:logdump_partition:s0 +/dev/block/platform/soc.0/7824900.sdhci/by-name/config u:object_r:frp_block_device:s0 /dev/block/mmcblk0 u:object_r:root_block_device:s0 /dev/block/mmcblk0rpmb u:object_r:rpmb_device:s0 diff --git a/msm8916/file_contexts b/msm8916/file_contexts index 31788b3b..c59fe8fb 100644 --- a/msm8916/file_contexts +++ b/msm8916/file_contexts @@ -36,6 +36,7 @@ /dev/block/platform/soc.0/7824900.sdhci/by-name/misc u:object_r:misc_block_device:s0 /dev/block/platform/soc.0/7824900.sdhci/by-name/userdata u:object_r:userdata_block_device:s0 /dev/block/platform/soc.0/7824900.sdhci/by-name/logdump u:object_r:logdump_partition:s0 +/dev/block/platform/soc.0/7824900.sdhci/by-name/config u:object_r:frp_block_device:s0 /dev/block/mmcblk0 u:object_r:root_block_device:s0 /dev/block/mmcblk0rpmb u:object_r:rpmb_device:s0 /dev/block/platform/soc.0/7824900.sdhci/by-name/boot u:object_r:boot_block_device:s0 -- cgit v1.2.3 From de562c60d3094ff51e4a86524f5df46dccfbb477 Mon Sep 17 00:00:00 2001 From: Shahed Begum Date: Tue, 18 Oct 2016 18:51:34 +0530 Subject: Add SELinux support for factory reset protection Modified factory reset protection partition as per device specific Change-Id: I721f2d7deb4dbe89a8c3fb5ed8e9413cd58ce428 CRs-Fixed: 1078078 --- msm8992/file_contexts | 2 +- msm8994/file_contexts | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/msm8992/file_contexts b/msm8992/file_contexts index a765bc11..f4957ddb 100644 --- a/msm8992/file_contexts +++ b/msm8992/file_contexts 
@@ -37,7 +37,7 @@ /dev/block/platform/soc.0/f9824900.sdhci/by-name/boot u:object_r:boot_block_device:s0 /dev/block/platform/soc.0/f9824900.sdhci/by-name/recovery u:object_r:recovery_block_device:s0 /dev/block/platform/soc.0/f9824900.sdhci/by-name/cache u:object_r:cache_block_device:s0 -/dev/block/platform/soc.0/f9824900.sdhci/by-name/frp u:object_r:frp_block_device:s0 +/dev/block/platform/soc.0/f9824900.sdhci/by-name/config u:object_r:frp_block_device:s0 /dev/block/platform/soc.0/f9824900.sdhci/by-name/logdump u:object_r:logdump_partition:s0 /dev/block/mmcblk0rpmb u:object_r:rpmb_device:s0 /dev/block/mmcblk0 u:object_r:root_block_device:s0 diff --git a/msm8994/file_contexts b/msm8994/file_contexts index 5697413a..4c073044 100644 --- a/msm8994/file_contexts +++ b/msm8994/file_contexts @@ -57,5 +57,5 @@ /dev/block/platform/soc.0/f9824900.sdhci/by-name/boot u:object_r:boot_block_device:s0 /dev/block/platform/soc.0/f9824900.sdhci/by-name/recovery u:object_r:recovery_block_device:s0 /dev/block/platform/soc.0/f9824900.sdhci/by-name/cache u:object_r:cache_block_device:s0 -/dev/block/platform/soc.0/f9824900.sdhci/by-name/frp u:object_r:frp_block_device:s0 +/dev/block/platform/soc.0/f9824900.sdhci/by-name/config u:object_r:frp_block_device:s0 /dev/block/platform/soc.0/f9824900.sdhci/by-name/logdump u:object_r:logdump_partition:s0 -- cgit v1.2.3 From 3a8c3c28cb209f2fae91aa331515a346f89533ed Mon Sep 17 00:00:00 2001 From: Divya Narayanan Poojary Date: Wed, 19 Oct 2016 13:00:49 +0530 Subject: sepolicy: per_mgr: Allow services to find peripheral_manager mediaserver and per_mgr_proxy can now correctly talk to service manager in order to get the information needed to initiate the binder call to peripheral manager. CRs-fixed: 1072628 Change-Id: I919827b1b4adcb2aaec9dc10eabae243fe003392 --- common/audioserver.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/common/audioserver.te b/common/audioserver.te index f55459a0..785da0a2 100644 --- a/common/audioserver.te 
+++ b/common/audioserver.te @@ -54,3 +54,6 @@ allow audioserver sysfs:file rw_file_perms; userdebug_or_eng(` diag_use(audioserver) ') + +#Rules for audioserver to talk to peripheral manager +use_per_mgr(audioserver); -- cgit v1.2.3 From 0c22d0ad2ab012ec6dd666eba22fb1f9505e3dfa Mon Sep 17 00:00:00 2001 From: Satish kumar sugasi Date: Tue, 4 Oct 2016 20:36:59 -0700 Subject: Add permissions to access bt device node This changes are added to remove net admin permission to FM process and do power ON/OFF chip using ioctl method on BT device node created. this includes providing required file context and permissions to btuart device created and control access only to required technologies. Change-Id: I39e451b6e7ec444605bc130bc74868afa383cc63 --- common/bluetooth.te | 1 + common/device.te | 3 +++ common/file_contexts | 1 + common/system_server.te | 2 ++ 4 files changed, 7 insertions(+) diff --git a/common/bluetooth.te b/common/bluetooth.te index ffe1ed90..2656f060 100644 --- a/common/bluetooth.te +++ b/common/bluetooth.te @@ -37,6 +37,7 @@ allow bluetooth { serial_device #BT needes read and write on smd device node smd_device + bt_device }:chr_file rw_file_perms; #Access to persist_file diff --git a/common/device.te b/common/device.te index 362be377..22179749 100644 --- a/common/device.te +++ b/common/device.te @@ -138,3 +138,6 @@ type avtimer_device, dev_type; #define AT device type at_device, dev_type; + +#define Bluetooth device +type bt_device, dev_type; diff --git a/common/file_contexts b/common/file_contexts index 54d1c0e4..684d3de8 100644 --- a/common/file_contexts +++ b/common/file_contexts @@ -24,6 +24,7 @@ /dev/qsee_ipc_irq_spss u:object_r:qsee_ipc_irq_spss_device:s0 /dev/seemplog u:object_r:seemplog_device:s0 /dev/radio0 u:object_r:fm_radio_device:s0 +/dev/btpower u:object_r:bt_device:s0 /dev/rtc0 u:object_r:rtc_device:s0 /dev/sdsprpc-smd u:object_r:dsp_device:s0 /dev/sensors u:object_r:sensors_device:s0 
diff --git a/common/system_server.te b/common/system_server.te index 0081be89..57578203 100644 --- a/common/system_server.te +++ b/common/system_server.te @@ -85,6 +85,8 @@ allow system_server { graphics_device audio_device tee_device + #allow access to power control ANT chip + bt_device }:chr_file rw_file_perms; #For firmware -- cgit v1.2.3 From 22cbbd8e94223fb1970bc88724682cc48e231942 Mon Sep 17 00:00:00 2001 From: Biswajit Paul Date: Wed, 21 Sep 2016 15:05:19 -0700 Subject: USB: dontaudit init to write to sysfs directory USB configuration are replaced by configfs on kernel v4.4. This causes denials for older version when init tries to write to sysfs directories. Add a dontaudit to init to avoid denial CRs-Fixed: 1069632 Change-Id: Idad0f1a6bc2b193f69cbc128c08eb20576897bd8 --- common/init.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/common/init.te b/common/init.te index 6cde24b0..772e5fe4 100644 --- a/common/init.te +++ b/common/init.te @@ -31,3 +31,6 @@ allow init configfs:lnk_file create_file_perms; #Allow init to mount non-hlos partitions in A/B builds allow init firmware_file:dir { mounton }; allow init bt_firmware_file:dir { mounton }; + +#dontaudit non configfs usb denials +dontaudit init sysfs:dir write; -- cgit v1.2.3 From edbf13e0f173b94b606959e9fa7426da9004ece9 Mon Sep 17 00:00:00 2001 From: Andrey Markovytch Date: Sun, 23 Oct 2016 14:03:00 +0300 Subject: sepolicy: added policy fixes for FBE to work properly FBE needs changes in sepolicy CRs-Fixed: 1081232 Change-Id: I63095a37ce04b500a791a59002ae478d76e8218d --- msmcobalt/file_contexts | 4 ++++ msmcobalt/init-qcom-fbe-sh.te | 36 ++++++++++++++++++++++++++++++++++++ 2 files changed, 40 insertions(+) create mode 100644 msmcobalt/init-qcom-fbe-sh.te diff --git a/msmcobalt/file_contexts b/msmcobalt/file_contexts index 46ad29a2..eeda8924 100644 --- a/msmcobalt/file_contexts +++ b/msmcobalt/file_contexts 
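Review bot: In the common/system_server.te hunk `bt_device` joins the `chr_file rw_file_perms` set with the comment "allow access to power control ANT chip", while the commit text describes FM and BT power control through an ioctl on the node; the comment should name the node and the real consumer, for example `# /dev/btpower: chip power on/off via ioctl (FM/ANT)`. Since the stated need is an ioctl, it is worth confirming that system_server needs full read/write on the node rather than a narrower permission set. The allow block starts and ends outside the hunk.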
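Review bot: `dontaudit init sysfs:dir write;` in common/init.te silences every denied write by init to any directory that still carries the generic `sysfs` label, not only the legacy USB paths the commit text describes. Later policy gaps or unexpected init writes under /sys will then leave no avc record to investigate. A narrower form labels the legacy USB sysfs directory with its own type and suppresses only that, for example `dontaudit init sysfs_usb_legacy:dir write;` (placeholder type name), and the comment should name the path being silenced.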
@@ -60,3 +60,7 @@ # non-hlos mount points /firmware u:object_r:firmware_file:s0 /bt_firmware u:object_r:bt_firmware_file:s0 + +################################## +# FBE +/system/bin/init.qcom.qseecomd.sh u:object_r:init-qcom-fbe-sh_exec:s0 diff --git a/msmcobalt/init-qcom-fbe-sh.te b/msmcobalt/init-qcom-fbe-sh.te new file mode 100644 index 00000000..2eba9da1 --- /dev/null +++ b/msmcobalt/init-qcom-fbe-sh.te 
@@ -0,0 +1,36 @@ +# Copyright (c) 2016, The Linux Foundation. All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions are +# met: +# * Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# * Redistributions in binary form must reproduce the above +# copyright notice, this list of conditions and the following +# disclaimer in the documentation and/or other materials provided +# with the distribution. +# * Neither the name of The Linux Foundation nor the names of its +# contributors may be used to endorse or promote products derived +# from this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED +# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT +# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS +# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR +# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR +# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, +# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE +# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN +# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +type init-qcom-fbe-sh, domain; +type init-qcom-fbe-sh_exec, exec_type, file_type; + +init_daemon_domain(init-qcom-fbe-sh) + +allow init-qcom-fbe-sh shell_exec:file rx_file_perms; + +# execute toybox/toolbox +allow init-qcom-fbe-sh toolbox_exec:file rx_file_perms; -- cgit v1.2.3 From 719da800c0da7b3d73ff06adceda3cd492ae87cc Mon Sep 17 00:00:00 2001 
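Review bot: The new msmcobalt/init-qcom-fbe-sh.te has no comment saying what the domain is for; only the toolbox rule carries one. A header such as `# Domain for /system/bin/init.qcom.qseecomd.sh, started by init for FBE setup` and a line `# run the script through the system shell` above the `shell_exec` rule would make the intent reviewable. The file grants only shell and toolbox execution, so anything else the script does (setting properties, touching sysfs) would be denied unless it is granted elsewhere; that is worth checking against the script.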
From: Mohit Aggarwal Date: Mon, 24 Oct 2016 12:03:54 +0530 Subject: sepolicy: Add support to access sysfs entries Coresight sysfs entries are required to be accessed using diag QDSS commands. This patch adds rules to achieve the same. Change-Id: I85f9ccb34d7d6f65150bca88f5cbdd6c40fccfe0 --- common/qcomsysd.te | 1 + 1 file changed, 1 insertion(+) diff --git a/common/qcomsysd.te b/common/qcomsysd.te index c1257cb8..ec9308dd 100644 --- a/common/qcomsysd.te +++ b/common/qcomsysd.te @@ -26,4 +26,5 @@ allow qcomsysd boot_mode_prop:property_service set; #diag userdebug_or_eng(` diag_use(qcomsysd) + allow qcomsysd sysfs:file w_file_perms; ') -- cgit v1.2.3 From 4e448b91cc11e80864b7c7b99ce1106e5a31affc Mon Sep 17 00:00:00 2001 From: Ameya Thakur Date: Mon, 24 Oct 2016 16:26:45 -0700 Subject: sepolicy: Set the context for the frp partition The frp partition is now correctly marked as a frp_block_device. This is required in order for systemserver to be able to access it. Change-Id: Ibc71411b0578c99b2071f24c66a0073a57b0ddba --- msmcobalt/file_contexts | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/msmcobalt/file_contexts b/msmcobalt/file_contexts index 46ad29a2..55ff6bd2 100644 --- a/msmcobalt/file_contexts +++ b/msmcobalt/file_contexts 
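Review bot: `allow qcomsysd sysfs:file w_file_perms;` in common/qcomsysd.te grants write on every file with the generic `sysfs` label, which is much wider than the Coresight entries named in the commit text. The rule sits inside `userdebug_or_eng`, which keeps it out of user builds, but a dedicated type for the Coresight nodes would keep the grant scoped, for example `allow qcomsysd sysfs_coresight:file w_file_perms;` (placeholder type name) with a matching file_contexts entry. A comment such as `# QDSS diag commands write Coresight sysfs nodes` should sit above the rule.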
@@ -28,10 +28,10 @@ # Dev block nodes # UFS Devices -/dev/block/platform/soc/1da4000.ufshc/by-name/system u:object_r:system_block_device:s0 -/dev/block/platform/soc/1da4000.ufshc/by-name/userdata u:object_r:userdata_block_device:s0 -/dev/block/platform/soc/1da4000.ufshc/by-name/boot u:object_r:boot_block_device:s0 -/dev/block/platform/soc/1da4000.ufshc/by-name/logdump u:object_r:logdump_partition:s0 +/dev/block/platform/soc/1da4000.ufshc/by-name/system u:object_r:system_block_device:s0 +/dev/block/platform/soc/1da4000.ufshc/by-name/userdata u:object_r:userdata_block_device:s0 +/dev/block/platform/soc/1da4000.ufshc/by-name/boot u:object_r:boot_block_device:s0 +/dev/block/platform/soc/1da4000.ufshc/by-name/logdump u:object_r:logdump_partition:s0 /dev/block/platform/soc/1da4000.ufshc/by-name/fsc u:object_r:modem_efs_partition_device:s0 /dev/block/platform/soc/1da4000.ufshc/by-name/fsg u:object_r:modem_efs_partition_device:s0 /dev/block/platform/soc/1da4000.ufshc/by-name/modemst1 u:object_r:modem_efs_partition_device:s0 @@ -42,6 +42,7 @@ /dev/block/platform/soc/1da4000.ufshc/by-name/msadp u:object_r:mba_debug_dev:s0 /dev/block/platform/soc/1da4000.ufshc/by-name/recovery u:object_r:recovery_block_device:s0 /dev/block/platform/soc/1da4000.ufshc/by-name/cache u:object_r:cache_block_device:s0 +/dev/block/platform/soc/1da4000.ufshc/by-name/frp u:object_r:frp_block_device:s0 #rawdump partition /dev/block/platform/soc/1da4000.ufshc/by-name/rawdump u:object_r:rawdump_block_device:s0 -- cgit v1.2.3 From 4969f0cba6f21c7045ad83f4e3fff612736e53d6 Mon Sep 17 00:00:00 2001 
From: Nikhilesh Reddy Date: Tue, 25 Oct 2016 10:44:32 +0530 Subject: sepolicy: Update the rmt_stroage and rfs_access policies The rmt_storage and rfs daemons no longer need sys_admin, dac_overide and net_raw as it now has net_bind_service capability to access ipcr/qmi sockets. CRs-Fixed: 1057865 Change-Id: If4acfc4a04ce6c937736e8eaf5cd3bd00591c300 --- common/rfs_access.te | 1 - common/rmt_storage.te | 2 -- 2 files changed, 3 deletions(-) diff --git a/common/rfs_access.te b/common/rfs_access.te index 318fffc1..629f9e46 100644 --- a/common/rfs_access.te +++ b/common/rfs_access.te @@ -54,7 +54,6 @@ allow rfs_access self:capability { setgid setpcap net_bind_service - net_raw }; # RFS UID and GIDs were changed and moved from old values to new ones OEM range. diff --git a/common/rmt_storage.te b/common/rmt_storage.te index f043becc..56f6f928 100644 --- a/common/rmt_storage.te +++ b/common/rmt_storage.te @@ -17,9 +17,7 @@ allow rmt_storage self:capability { setuid setgid sys_admin - dac_override net_bind_service - net_raw setpcap }; -- cgit v1.2.3 From 288107d3094d498aa2fa98bb6726ce92cee819e5 Mon Sep 17 00:00:00 2001 From: taozhang Date: Wed, 19 Oct 2016 17:18:10 +0800 Subject: common: Need SELinux policy to set FFBM mode Need modify SELinux policy for QRCT to set FFBM mode. CRs-Fixed: 1065075 Change-Id: I698e9629f60685effcba4f5f40977c91b8d28e66 --- common/qcomsysd.te | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) mode change 100644 => 100755 common/qcomsysd.te diff --git a/common/qcomsysd.te b/common/qcomsysd.te old mode 100644 new mode 100755 index c1257cb8..fb80abd9 --- a/common/qcomsysd.te +++ b/common/qcomsysd.te @@ -21,7 +21,7 @@ allow qcomsysd sysfs_socinfo:file w_file_perms; allow qcomsysd self:capability { dac_override sys_boot }; use_per_mgr(qcomsysd); #allow qcomsysd access boot mode switch -allow qcomsysd boot_mode_prop:property_service set; +set_prop(qcomsysd, boot_mode_prop); #diag userdebug_or_eng(` -- cgit v1.2.3 
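Review bot: `sys_admin` is still in the rmt_storage capability set after the common/rmt_storage.te hunk, although the commit text lists it among the capabilities that are no longer needed; only `dac_override` and `net_raw` are removed. If the description is accurate, the `sys_admin` line should be deleted as well; if the daemon still needs it, the description should say why it stays.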
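Review bot: The second commit on this line changes common/qcomsysd.te from mode 100644 to 100755 alongside the `set_prop(qcomsysd, boot_mode_prop);` edit. A policy source file has no reason to be executable, so the mode change looks accidental and should be reverted to 100644. The comment above the rule could also say that the macro form is needed so qcomsysd can reach the property service socket, if that is the reason for the switch.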
From 269e9474e0dd7f535184dd24eddabb15693996f2 Mon Sep 17 00:00:00 2001 From: Gao Jie Date: Mon, 19 Sep 2016 10:39:58 +0800 Subject: Merge DAX changes Conflicts: common/audioserver.te Change-Id: I278422370db53e1a52220222b26995318e19d90a (cherry picked from commit a1ad06f3c26be3249af4a600db8b78510a984468) --- common/audioserver.te | 29 +++++++++++++++++++++++++++++ common/mediacodec.te | 28 ++++++++++++++++++++++++++++ common/mediaserver.te | 28 ---------------------------- common/service_contexts | 27 +++++++++++++++++++++++++++ 4 files changed, 84 insertions(+), 28 deletions(-) diff --git a/common/audioserver.te b/common/audioserver.te index 785da0a2..48df422e 100644 --- a/common/audioserver.te +++ b/common/audioserver.te 
@@ -24,6 +24,30 @@ # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN # IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +# +# Copyright (c) 2015-2016 Dolby Laboratories, Inc. All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions are +# met: +# * Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# * Redistributions in binary form must reproduce the above +# copyright notice, this list of conditions and the following +# disclaimer in the documentation and/or other materials provided +# with the distribution. +# +# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED +# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT +# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS +# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR +# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR +# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, +# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE +# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN +# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #access to perflock allow audioserver mpctl_socket:dir r_dir_perms; @@ -57,3 +81,8 @@ userdebug_or_eng(` #Rules for audioserver to talk to peripheral manager use_per_mgr(audioserver); + +# DOLBY_START +allow audioserver activity_service:service_manager find; +set_prop(audioserver, dolby_prop) +# DOLBY_END diff --git a/common/mediacodec.te b/common/mediacodec.te index 701ac29a..e50a0f6a 100644 --- a/common/mediacodec.te 
+++ b/common/mediacodec.te @@ -24,6 +24,30 @@ # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN # IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +# +# Copyright (c) 2015-2016 Dolby Laboratories, Inc. All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions are +# met: +# * Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# * Redistributions in binary form must reproduce the above +# copyright notice, this list of conditions and the following +# disclaimer in the documentation and/or other materials provided +# with the distribution. +# +# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED +# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT +# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS +# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR +# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR +# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, +# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE +# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN +# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #mediacodec need intraction with audio device nodes allow mediacodec audio_device:chr_file rw_file_perms; @@ -42,3 +66,7 @@ allow mediacodec qdsp_device:chr_file r_file_perms; #Allow mediacodec to access service manager wfdservice allow mediacodec wfdservice_service:service_manager find; +# DOLBY_START +allow mediacodec audioserver_service:service_manager find; +set_prop(mediacodec, dolby_prop) +# DOLBY_END 
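Review bot: The DOLBY block at the end of common/mediacodec.te lets the codec domain set `dolby_prop` and look up `audioserver_service`, which widens what a process handling media content can reach. If mediacodec only needs to read the Dolby setting, `get_prop(mediacodec, dolby_prop)` is the narrower grant. The block has only start/end markers, so a comment such as `# Dolby codec queries the DAX memory service hosted by audioserver` would document why the `find` is needed. The common/audioserver.te hunk of this commit adds the same `set_prop` for audioserver.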
diff --git a/common/mediaserver.te b/common/mediaserver.te index 07d8494e..899f2ed2 100644 --- a/common/mediaserver.te +++ b/common/mediaserver.te @@ -1,27 +1,3 @@ -# Copyright (c) 2015-2016 Dolby Laboratories, Inc. All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions are -# met: -# * Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# * Redistributions in binary form must reproduce the above -# copyright notice, this list of conditions and the following -# disclaimer in the documentation and/or other materials provided -# with the distribution. -# -# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED -# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF -# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT -# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS -# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR -# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF -# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR -# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, -# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE -# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN -# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - # allow mediaserver to communicate with cnd unix_socket_connect(mediaserver, cnd, cnd) @@ -94,7 +70,3 @@ r_dir_file(mediaserver, adsprpcd_file); binder_call(mediaserver, bootanim); allow mediaserver surfaceflinger:unix_stream_socket rw_socket_perms; - -# DOLBY_START -set_prop(mediaserver, dolby_prop) -# DOLBY_END diff --git a/common/service_contexts b/common/service_contexts index 790c88c9..b9ed977a 100644 --- a/common/service_contexts +++ b/common/service_contexts 
@@ -1,3 +1,27 @@ +# Copyright (c) 2015-2016 Dolby Laboratories, Inc. All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions are +# met: +# * Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# * Redistributions in binary form must reproduce the above +# copyright notice, this list of conditions and the following +# disclaimer in the documentation and/or other materials provided +# with the distribution. +# +# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED +# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT +# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS +# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR +# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR +# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, +# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE +# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN +# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + android.apps.IQfpService u:object_r:iqfp_service:s0 AtCmdFwd u:object_r:atfwd_service:s0 dpmservice u:object_r:dpmservice:s0 @@ -32,3 +56,6 @@ uce u:object_r:uce_service:s0 eSEPowerManagerService u:object_r:esepmdaemon_service:s0 wigigp2p u:object_r:wigigp2p_service:s0 wigig u:object_r:wigig_service:s0 +# DOLBY_START +media.dolby_memoryservice u:object_r:audioserver_service:s0 +# DOLBY_END -- cgit v1.2.3 From 50a0560b411499f8fd9dfa874c55bc4ecbd56a70 Mon Sep 17 00:00:00 2001 
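Review bot: In common/service_contexts `media.dolby_memoryservice` is labelled `audioserver_service`, so every domain that is allowed `find` on `audioserver_service` can also reach this service, and access to it cannot be granted or audited on its own. A dedicated type, for example `media.dolby_memoryservice u:object_r:dolby_memory_service:s0` (placeholder type name) with explicit `add` and `find` rules, would keep the Dolby service separable from the rest of audioserver's services.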
From: Amir Kotzer Date: Thu, 3 Nov 2016 00:07:52 +0200 Subject: device: sepolicy: Fix MDTP device support for msmcobalt. Access via the bootdevice node is no longer supported, therefore updated the specific device path. CRs-Fixed: 1082124 Change-Id: Ic712c5e51f67ca035020420ae529beb9cf168672 --- msmcobalt/file_contexts | 2 ++ 1 file changed, 2 insertions(+) diff --git a/msmcobalt/file_contexts b/msmcobalt/file_contexts index a63b3c3a..e7f2d8a4 100644 --- a/msmcobalt/file_contexts +++ b/msmcobalt/file_contexts @@ -43,6 +43,8 @@ /dev/block/platform/soc/1da4000.ufshc/by-name/recovery u:object_r:recovery_block_device:s0 /dev/block/platform/soc/1da4000.ufshc/by-name/cache u:object_r:cache_block_device:s0 /dev/block/platform/soc/1da4000.ufshc/by-name/frp u:object_r:frp_block_device:s0 +/dev/block/platform/soc/1da4000.ufshc/by-name/mdtp u:object_r:mdtp_device:s0 +/dev/block/platform/soc/1da4000.ufshc/by-name/dip u:object_r:dip_device:s0 #rawdump partition /dev/block/platform/soc/1da4000.ufshc/by-name/rawdump u:object_r:rawdump_block_device:s0 -- cgit v1.2.3 From ce0771623f916dda03b4c671f9d50df4c11ea2fe Mon Sep 17 00:00:00 2001 From: Dany Rybnikov Date: Mon, 14 Mar 2016 14:22:47 +0200 Subject: sepolicy: secure_touch: enable secure touch for qseecomd secure_touch sysfs need read/write access from secure UI listener which runs inside qseecom daemon. Add selinux policies to support scenario when secure touch state is updated from the listener. CRs-Fixed: 989495 Change-Id: Iabebff204aa57504bdd39a18f67c4065b8b4678d --- common/file.te | 3 +++ common/init_shell.te | 3 +++ common/qseecomd.te | 3 +++ msmcobalt/file_contexts | 5 +++++ 4 files changed, 14 insertions(+) diff --git a/common/file.te b/common/file.te index 2d31a6d4..b2290e7e 100644 --- a/common/file.te +++ b/common/file.te @@ -206,3 +206,6 @@ type persist_time_file, file_type; # kgsl file type for sysfs access type sysfs_kgsl, sysfs_type, fs_type; + +# secure touch files +type sysfs_securetouch, fs_type, sysfs_type; 
diff --git a/common/init_shell.te b/common/init_shell.te index 487caf05..22dc2769 100644 --- a/common/init_shell.te +++ b/common/init_shell.te @@ -160,6 +160,9 @@ allow qti_init_shell kernel:key search; # To change owner of /sys/devices/virtual/hsicctl/hsicctl0/modem_wait to radio allow qti_init_shell sysfs_hsic_modem_wait:file { r_file_perms setattr }; +# To change owner/permissions of secure touch sysfs files +r_dir_file(qti_init_shell, sysfs_securetouch) + # core-ctl allow qti_init_shell cgroup:dir add_name; diff --git a/common/qseecomd.te b/common/qseecomd.te index a2118202..8e2f8955 100644 --- a/common/qseecomd.te +++ b/common/qseecomd.te @@ -47,6 +47,9 @@ allow tee time_daemon:unix_stream_socket connectto; allow tee graphics_device:dir r_dir_perms; allow tee graphics_device:chr_file r_file_perms; +#allow tee access for secure touch to work +allow tee sysfs_securetouch:file rw_file_perms; + allow tee surfaceflinger_service : service_manager find; binder_call(tee, surfaceflinger) diff --git a/msmcobalt/file_contexts b/msmcobalt/file_contexts index a63b3c3a..15aef93c 100644 --- a/msmcobalt/file_contexts +++ b/msmcobalt/file_contexts @@ -65,3 +65,8 @@ ################################## # FBE /system/bin/init.qcom.qseecomd.sh u:object_r:init-qcom-fbe-sh_exec:s0 + +################################### +# sysfs files +# +/sys/devices/soc/75ba000.i2c/i2c-12/12-0020/input/input[0-9]/secure_touch_enable u:object_r:sysfs_securetouch:s0 -- cgit v1.2.3 From 7b47a7558055e425cc6ba2143a1a491459ce0649 Mon Sep 17 00:00:00 2001 From: taozhang Date: Tue, 1 Nov 2016 18:17:28 +0800 Subject: common: Add policy for bluetooth on FFBM Add policy for bluetooth on FFBM. Because the application "bdt" has been modified, fastmmi need add new SELinux policy to call it. CRs-Fixed: 1084851 Change-Id: Iea63d584b4d0f0292bc2752a0a04a02eba40d59e --- common/mmi.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/common/mmi.te b/common/mmi.te index 3fedc290..417f6009 100755 --- a/common/mmi.te 
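Review bot: The comment added in common/init_shell.te says the rule is for changing owner and permissions of the secure touch sysfs files, but `r_dir_file(qti_init_shell, sysfs_securetouch)` grants read access only. The hsic rule directly above uses `{ r_file_perms setattr }` for the same purpose. Either the comment should read `# Read secure touch sysfs files`, or the rule needs `allow qti_init_shell sysfs_securetouch:file setattr;` so that the chown/chmod the comment describes is actually permitted.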
+++ b/common/mmi.te @@ -61,6 +61,8 @@ allow mmi bluetooth_data_file:dir rw_dir_perms; allow mmi bluetooth_data_file:file create_file_perms; allow mmi bluetooth_prop:property_service set; allow mmi smd_device:chr_file rw_file_perms; +allow mmi persist_bluetooth_file:file r_file_perms; +allow mmi wcnss_filter:unix_stream_socket connectto; #GPS case allow mmi location_data_file:fifo_file create_file_perms; -- cgit v1.2.3 From ddc833553694987293bb081c75f9ffab3e219293 Mon Sep 17 00:00:00 2001 From: Sathish Ambley Date: Thu, 3 Nov 2016 15:15:39 -0700 Subject: sepolicy: msmcobalt: Add policy for VR service Add policy for VR service. Change-Id: I760bcb2a721aab13c8370dcb74237794d0dc37f0 CRs-Fixed: 1075747 --- msmcobalt/app.te | 30 ++++++++++++++ msmcobalt/file.te | 6 ++- msmcobalt/file_contexts | 8 ++++ msmcobalt/init_shell.te | 3 ++ msmcobalt/mm-qcamerad.te | 29 +++++++++++++ msmcobalt/property.te | 29 +++++++++++++ msmcobalt/property_contexts | 28 +++++++++++++ msmcobalt/qvrd.te | 99 +++++++++++++++++++++++++++++++++++++++++++++ 8 files changed, 231 insertions(+), 1 deletion(-) create mode 100644 msmcobalt/app.te create mode 100644 msmcobalt/mm-qcamerad.te create mode 100644 msmcobalt/property.te create mode 100644 msmcobalt/property_contexts create mode 100644 msmcobalt/qvrd.te diff --git a/msmcobalt/app.te b/msmcobalt/app.te new file mode 100644 index 00000000..9893883f --- /dev/null +++ b/msmcobalt/app.te 
@@ -0,0 +1,30 @@
+# Copyright (c) 2016, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# Allow all apps to connect to VR service
+allow appdomain qvrd:fd use;
+unix_socket_connect(appdomain, qvrd, qvrd)
diff --git a/msmcobalt/file.te b/msmcobalt/file.te
index 7679b9d9..b6d287ab 100644
--- a/msmcobalt/file.te
+++ b/msmcobalt/file.te
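Review bot: `unix_socket_connect(appdomain, qvrd, qvrd)` and `allow appdomain qvrd:fd use;` in msmcobalt/app.te open the VR daemon's socket to every app domain, which includes untrusted third-party apps. In the same commit qvrd is declared `mlstrustedsubject` and is given `sys_nice`, `setsched` over `appdomain` processes and rw access to camera, GPU and video device nodes, so the daemon's own request validation becomes the only barrier between any installed app and those privileges. If only specific clients need the service, scope the rule to those domains. Otherwise state the requirement in the policy, e.g. `# All apps may connect; qvrd must check peer credentials (SO_PEERCRED) before acting on a request`.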
@@ -29,4 +29,8 @@ type sysfs_emmc_dload, sysfs_type, fs_type; # Data type for QVOP -type qvop_data_file, file_type, data_file_type; \ No newline at end of file +type qvop_data_file, file_type, data_file_type; + +# Data type for qvrd +type qvrd_data_file, file_type, data_file_type; +type qvrd_socket, file_type, mlstrustedobject; diff --git a/msmcobalt/file_contexts b/msmcobalt/file_contexts index a3dde719..1f5a1116 100644 --- a/msmcobalt/file_contexts +++ b/msmcobalt/file_contexts @@ -50,14 +50,21 @@ /dev/block/platform/soc/1da4000.ufshc/by-name/rawdump u:object_r:rawdump_block_device:s0 /sys/kernel/dload/emmc_dload u:object_r:sysfs_emmc_dload:s0 +################################### +# Dev socket nodes +# +/dev/socket/qvrservice u:object_r:qvrd_socket:s0 + ################################### # System files # /system/bin/qvop-daemon u:object_r:qvop_exec:s0 + ################################### # data files # /data/misc/qvop(/.*)? u:object_r:qvop_data_file:s0 +/data/misc/qvr(/.*)? u:object_r:qvrd_data_file:s0 ################################## # non-hlos mount points @@ -72,3 +79,4 @@ # sysfs files # /sys/devices/soc/75ba000.i2c/i2c-12/12-0020/input/input[0-9]/secure_touch_enable u:object_r:sysfs_securetouch:s0 +/sys/devices/virtual/graphics/fb([0-3])+/lineptr_value u:object_r:sysfs_graphics:s0 diff --git a/msmcobalt/init_shell.te b/msmcobalt/init_shell.te index 5f2ea564..ef747698 100644 --- a/msmcobalt/init_shell.te +++ b/msmcobalt/init_shell.te @@ -28,3 +28,6 @@ # For regionalization allow qti_init_shell regionalization_file:dir r_dir_perms; allow qti_init_shell regionalization_file:file create_file_perms; + +# For VR +allow qti_init_shell ctl_qvrd_prop:property_service set; diff --git a/msmcobalt/mm-qcamerad.te b/msmcobalt/mm-qcamerad.te new file mode 100644 index 00000000..5e3ff470 --- /dev/null +++ b/msmcobalt/mm-qcamerad.te 
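Review bot: In the second msmcobalt/file_contexts hunk the pattern `fb([0-3])+` repeats the digit group, so it also matches names such as fb00 or fb123 and not only fb0 to fb3. `fb[0-3]` expresses what the qvrd.te comment describes. The node is labelled with the existing `sysfs_graphics` type, so qvrd's `rw_file_perms` on that type reaches every other file carrying it, and every domain that already has `sysfs_graphics` access gains the same access to `lineptr_value`. A dedicated type for lineptr_value would keep the grant narrow.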
@@ -0,0 +1,29 @@
+# Copyright (c) 2016, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+#Allow camera to work normally in VR mode
+binder_call(mm-qcamerad, qvrd)
diff --git a/msmcobalt/property.te b/msmcobalt/property.te
new file mode 100644
index 00000000..e317966c
--- /dev/null
+++ b/msmcobalt/property.te
@@ -0,0 +1,29 @@
+# Copyright (c) 2016, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+#properties for qvrd
+type ctl_qvrd_prop, property_type;
diff --git a/msmcobalt/property_contexts b/msmcobalt/property_contexts
new file mode 100644
index 00000000..9548ba89
--- /dev/null
+++ b/msmcobalt/property_contexts
@@ -0,0 +1,28 @@
+# Copyright (c) 2016, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+ctl.qvrd u:object_r:ctl_qvrd_prop:s0
diff --git a/msmcobalt/qvrd.te b/msmcobalt/qvrd.te
new file mode 100644
index 00000000..778ae61e
--- /dev/null
+++ b/msmcobalt/qvrd.te
@@ -0,0 +1,99 @@
+# Copyright (c) 2016, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ +type qvrd, domain, mlstrustedsubject; +type qvrd_exec, exec_type, file_type; + +init_daemon_domain(qvrd) + +# +# General +# + +# Allow interracting with qvrd directory +allow qvrd qvrd_data_file:dir create_dir_perms; +allow qvrd qvrd_data_file:file create_file_perms; + +# Allow access to our socket +allow qvrd qvrd_socket:sock_file rw_file_perms; + +# +# Sensors +# + +# Allow access to ADSP & SLPI +allow qvrd { ion_device qdsp_device dsp_device }:chr_file r_file_perms; + +# Allow access to adsprpcd +r_dir_file(qvrd, adsprpcd_file); +allow qvrd system_file:dir read; + +# +# Display +# + +# Allow access to /sys/devices/virtual/graphics/fb* for lineptr interrupts +allow qvrd sysfs_graphics:file rw_file_perms; + +# Allow access to /dev/graphics/fb0 for configuring vsync interrupts +allow qvrd graphics_device:dir r_dir_perms; +allow qvrd graphics_device:chr_file rw_file_perms; + +# +# Scheduler +# + +allow qvrd self:capability { sys_nice }; +userdebug_or_eng(` + allow qvrd su:process setsched; +') +allow qvrd appdomain:process setsched; + +# +# Camera +# + +# Allow access to camera HAL +allow qvrd { gpu_device video_device camera_device sensors_device }:chr_file rw_file_perms; +allow qvrd camera_data_file:dir rw_dir_perms; +allow qvrd camera_data_file:sock_file w_file_perms; +allow qvrd mm-qcamerad:unix_dgram_socket sendto; +binder_use(qvrd) +binder_call(qvrd, surfaceflinger); +allow qvrd surfaceflinger_service:service_manager find; +allow qvrd sysfs:file r_file_perms; + +# Allow access to /dev/video/* devices +allow qvrd video_device:dir r_dir_perms; + +unix_socket_connect(qvrd, mpctl, perfd) + +# Allow access to sensor1 API +allow qvrd self:socket create_socket_perms; +allow qvrd persist_file:dir r_dir_perms; +allow qvrd sensors_persist_file:dir r_dir_perms; +allow qvrd sensors_persist_file:file r_file_perms; -- cgit v1.2.3 From 9be77cd6055de049d283a26786b070f348674094 Mon Sep 17 00:00:00 2001 
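Review bot: Several grants in msmcobalt/qvrd.te are wider than their comments justify. `allow qvrd sysfs:file r_file_perms;` sits under the Camera heading with no comment and gives read access to every file carrying the generic sysfs label; `allow qvrd appdomain:process setsched;` lets the daemon change the scheduling of any app process; and `allow qvrd self:socket create_socket_perms;` is on the generic socket class. Because app.te in this commit lets all apps connect to qvrd, each of these should either be narrowed to a specific type or carry a comment naming the file or caller that needs it. The first rule comment also has a typo, `interracting`.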
From: Deepak Kushwah Date: Thu, 18 Aug 2016 13:09:54 +0530 Subject: wfd: Add access to gpu device for wfdservice The encoder running in wfdservice context requires access to gpu device for retrieving YUV realated statistics CRs-Fixed: 1074975 Change-Id: I1c56f6c7e61de10999d15bb2abc80e337247588b --- common/wfdservice.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/common/wfdservice.te b/common/wfdservice.te index 276e2e15..1514e055 100644 --- a/common/wfdservice.te +++ b/common/wfdservice.te @@ -39,6 +39,9 @@ allow wfdservice audio_device:dir r_dir_perms; #Allow access to /dev/graphics/fb* for screen capture allow wfdservice graphics_device:chr_file rw_file_perms; +#Allow access to encoder for YUV statistics +allow wfdservice gpu_device:chr_file rw_file_perms; + #Allow communication with init over property server unix_socket_connect(wfdservice, property, init); -- cgit v1.2.3 From 2c31fddd18dd1116648f6c8b06e4d0f00d9eb4d3 Mon Sep 17 00:00:00 2001 From: Bhalchandra Gajare Date: Mon, 7 Nov 2016 13:47:24 -0800 Subject: common: Add wcd dsp device node to policy The wcd dsp device node is used by the audio HAL sotware to communicate with the codec DSP. Change adds this device node to security policy so that audioserver process can access this device node. CRs-Fixed: 1063084 Change-Id: I10693ecd23fbc989a3a7940cbf7190b7740a8e91 --- common/file_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/common/file_contexts b/common/file_contexts index b60d8432..82fe1e1d 100644 --- a/common/file_contexts +++ b/common/file_contexts @@ -9,6 +9,7 @@ /dev/mhi_pipe_.* u:object_r:mhi_device:s0 /dev/bhi u:object_r:bhi_device:s0 /dev/msm_.* u:object_r:audio_device:s0 +/dev/wcd_dsp0_control u:object_r:audio_device:s0 /dev/wcd-dsp-glink u:object_r:audio_device:s0 /dev/usf1 u:object_r:usf_device:s0 /dev/msm_dsps u:object_r:sensors_device:s0 -- cgit v1.2.3 From ffb2bda8c713b9e12f107468b4db583971569c7e Mon Sep 17 00:00:00 2001 
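Review bot: The new comment in common/wfdservice.te says `Allow access to encoder`, but the rule grants `gpu_device:chr_file rw_file_perms`, i.e. read/write on the GPU device node. Name the object the rule opens, e.g. `#Allow access to the GPU device, used by the encoder to gather YUV statistics`, so a later audit does not mistake this for a video-encoder grant. If the statistics path only reads, `r_file_perms` would be the tighter choice; confirm against the denials that were observed.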
From: Gurpreet Ghai Date: Fri, 28 Oct 2016 11:40:37 +0530 Subject: Bluetooth: Adding entry for Bluetooth Logger Process - It is a new process that will run along with Bluetooth to collect extensive logs from Bluetooth in error scenarios. - Adding entry here so that bt_logger can be started on the run by setting property. CRs-Fixed: 1085950 Change-Id: Ia1c88f6992e81d527e702654d34b8556d1184fc2 --- common/bluetooth.te | 4 ++++ common/file_contexts | 1 + 2 files changed, 5 insertions(+) diff --git a/common/bluetooth.te b/common/bluetooth.te index 2656f060..eef36b8d 100644 --- a/common/bluetooth.te +++ b/common/bluetooth.te @@ -11,6 +11,10 @@ type btsnoop, bluetoothdomain, domain_deprecated; type btsnoop_exec, exec_type, file_type; domain_auto_trans(init, btsnoop_exec, bluetooth) +type bt_logger, bluetoothdomain; +type bt_logger_exec, exec_type, file_type; +domain_auto_trans(init, bt_logger_exec, bluetooth) + type btnvtool, bluetoothdomain, domain_deprecated; type btnvtool_exec, exec_type, file_type; domain_auto_trans(init, btnvtool_exec, bluetooth) diff --git a/common/file_contexts b/common/file_contexts index b60d8432..bf3391d4 100644 --- a/common/file_contexts +++ b/common/file_contexts @@ -230,6 +230,7 @@ /system/bin/sapd u:object_r:sapd_exec:s0 /system/bin/btnvtool u:object_r:btnvtool_exec:s0 /system/bin/btsnoop u:object_r:btsnoop_exec:s0 +/system/bin/bt_logger u:object_r:bt_logger_exec:s0 /system/bin/dun-server u:object_r:dun-server_exec:s0 /system/bin/wfdservice u:object_r:wfdservice_exec:s0 /system/bin/wcnss_filter u:object_r:wcnss_filter_exec:s0 -- cgit v1.2.3 From 2df0187961a91542f8245ae2e8907340b65f3b94 Mon Sep 17 00:00:00 2001 
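Review bot: `domain_auto_trans(init, bt_logger_exec, bluetooth)` in common/bluetooth.te moves the new logger into the existing `bluetooth` domain, so the `bt_logger` type declared on the line before is never the process domain and the logger runs with everything the Bluetooth stack is allowed. The neighbouring btsnoop and btnvtool entries follow the same pattern, but a process that collects extensive logs is a good candidate for its own domain with only the file and socket access it needs. Consider declaring it as a domain and using `init_daemon_domain(bt_logger)` with explicit rules, or at least add a comment stating that sharing the bluetooth domain is intentional.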
From: Devi Sandeep Endluri V V Date: Tue, 8 Nov 2016 19:36:53 +0530 Subject: sepolicy:allow dataservices to set dpm_persist_property Address avc denials to allow the dataservices app to set persist.dpm.feature system property CRs-Fixed: 1087199 Change-Id: I26fcdaad86e3b8b7e01c826b6157f319a3898355 --- common/dataservice_app.te | 1 + common/property.te | 2 ++ common/property_contexts | 1 + 3 files changed, 4 insertions(+) diff --git a/common/dataservice_app.te b/common/dataservice_app.te index 36056c17..140f0363 100644 --- a/common/dataservice_app.te +++ b/common/dataservice_app.te @@ -33,6 +33,7 @@ net_domain(dataservice_app) allow dataservice_app { qtitetherservice_service dpmservice cne_service } :service_manager { add find } ; allow dataservice_app { app_api_service system_api_service audioserver_service radio_service } :service_manager find; +set_prop(dataservice_app, persist_dpm_prop) set_prop(dataservice_app, sys_usb_tethering_prop) diff --git a/common/property.te b/common/property.te index c3032b10..16b716a9 100755 --- a/common/property.te +++ b/common/property.te @@ -72,6 +72,8 @@ type sys_usb_configfs_prop, property_type; type sys_usb_tethering_prop, property_type; type coresight_prop, property_type, core_property_type; +type persist_dpm_prop, property_type, core_property_type; + type ctl_hbtp_prop, property_type; type alarm_boot_prop, property_type, core_property_type; diff --git a/common/property_contexts b/common/property_contexts index bbaf87b4..78d90a32 100755 --- a/common/property_contexts +++ b/common/property_contexts @@ -68,6 +68,7 @@ qemu.hw.mainkeys u:object_r:qemu_hw_mainkeys_prop:s0 ro.dbg.coresight.cfg_file u:object_r:coresight_prop:s0 ctl.hbtp u:object_r:ctl_hbtp_prop:s0 sys.audio.init u:object_r:audio_prop:s0 +persist.dpm.feature u:object_r:persist_dpm_prop:s0 ro.alarm_boot u:object_r:alarm_boot_prop:s0 debug.sf.nobootanimation u:object_r:boot_animation_prop:s0 debug.gralloc. u:object_r:debug_gralloc_prop:s0 -- cgit v1.2.3 
From 7e2c81ae650c19a7a69b10b55d66e0aa2a414e8f Mon Sep 17 00:00:00 2001 From: Rohit Rangwani Date: Mon, 19 Sep 2016 12:52:54 +0530 Subject: Sepolicy:: Policies are added for nqnfcinfo daemon Allow nqnfcinfo daemon to access nfc nq dev node and grant permission to set property. Change-Id: I85e72ed412bc5d91634146b743d75face9bcedb0 CRs-Fixed: 1088226 --- common/file_contexts | 1 + common/nqnfcinfo.te | 39 +++++++++++++++++++++++++++++++++++++++ common/property.te | 2 ++ common/property_contexts | 2 ++ 4 files changed, 44 insertions(+) create mode 100644 common/nqnfcinfo.te diff --git a/common/file_contexts b/common/file_contexts index abfe3bcf..b24c4191 100644 --- a/common/file_contexts +++ b/common/file_contexts @@ -135,6 +135,7 @@ /system/bin/ATFWD-daemon u:object_r:atfwd_exec:s0 /system/bin/PktRspTest u:object_r:diag_exec:s0 /system/bin/audiod u:object_r:audiod_exec:s0 +/system/vendor/bin/nqnfcinfo u:object_r:nqnfcinfo_exec:s0 /system/bin/charger_monitor u:object_r:charger_monitor_exec:s0 /system/bin/hvdcp_opti u:object_r:hvdcp_exec:s0 /system/bin/cnd u:object_r:cnd_exec:s0 diff --git a/common/nqnfcinfo.te b/common/nqnfcinfo.te new file mode 100644 index 00000000..3efc94c3 --- /dev/null +++ b/common/nqnfcinfo.te 
@@ -0,0 +1,39 @@
+#Copyright (c) 2016, The Linux Foundation. All rights reserved.
+#
+#Redistribution and use in source and binary forms, with or without
+#modification, are permitted provided that the following conditions are
+#met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+#THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+#WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+#MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+#ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+#BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+#CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+#SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+#BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+#WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+#OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+#IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+type nqnfcinfo, domain;
+type nqnfcinfo_exec, exec_type, file_type;
+
+# Started by init
+init_daemon_domain(nqnfcinfo)
+
+r_dir_file(nqnfcinfo, sysfs_socinfo);
+
+set_prop(nqnfcinfo, nfc_nq_prop);
+
+# Access device nodes inside /dev/nq-nci
+allow nqnfcinfo nfc_device:chr_file rw_file_perms;
diff --git a/common/property.te b/common/property.te
index 16b716a9..5ae8f71e 100755
--- a/common/property.te
+++ b/common/property.te
@@ -97,3 +97,5 @@ type hwui_prop, property_type, core_property_type; type graphics_vulkan_prop, property_type, core_property_type; #boot mode property type boot_mode_prop, property_type; +#properties for nfc +type nfc_nq_prop, property_type, core_property_type; diff --git a/common/property_contexts b/common/property_contexts index 78d90a32..5d457153 100755 --- a/common/property_contexts +++ b/common/property_contexts @@ -89,3 +89,5 @@ persist.graphics.vulkan.disable u:object_r:graphics_vulkan_prop:s0 sys.boot_mode u:object_r:boot_mode_prop:s0 # GPU ro.gpu.available_frequencies u:object_r:freq_prop:s0 +# NFC +sys.nfc.nq. u:object_r:nfc_nq_prop:s0 -- cgit v1.2.3 From 284de362e59b23b1988bb633c94c10b1628d87d8 Mon Sep 17 00:00:00 2001 From: Sathish Ambley Date: Fri, 11 Nov 2016 15:33:09 -0800 Subject: sepolicy: msmcobalt: add missing line for VR service A line was missing from the previous commit for the VR service. CRs-Fixed: 1075747 Change-Id: I733445e21264a188c24bf501ebc13fc082fb2e31 --- msmcobalt/file_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/msmcobalt/file_contexts b/msmcobalt/file_contexts index 1f5a1116..ae7ea032 100644 --- a/msmcobalt/file_contexts +++ b/msmcobalt/file_contexts @@ -59,6 +59,7 @@ # System files # /system/bin/qvop-daemon u:object_r:qvop_exec:s0 +/system/vendor/bin/qvrservice u:object_r:qvrd_exec:s0 ################################### # data files -- cgit v1.2.3 From 62565277faf109b1aeae5c32992e6306bbb89081 Mon Sep 17 00:00:00 2001 From: Shahed Begum Date: Tue, 18 Oct 2016 18:51:34 +0530 Subject: Add SELinux support for factory reset protection Modified factory reset protection partition as per device specific Change-Id: I721f2d7deb4dbe89a8c3fb5ed8e9413cd58ce428 CRs-Fixed: 1078078 --- msm8992/file_contexts | 2 +- msm8994/file_contexts | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/msm8992/file_contexts b/msm8992/file_contexts index a765bc11..f4957ddb 100644 --- a/msm8992/file_contexts 
+++ b/msm8992/file_contexts @@ -37,7 +37,7 @@ /dev/block/platform/soc.0/f9824900.sdhci/by-name/boot u:object_r:boot_block_device:s0 /dev/block/platform/soc.0/f9824900.sdhci/by-name/recovery u:object_r:recovery_block_device:s0 /dev/block/platform/soc.0/f9824900.sdhci/by-name/cache u:object_r:cache_block_device:s0 -/dev/block/platform/soc.0/f9824900.sdhci/by-name/frp u:object_r:frp_block_device:s0 +/dev/block/platform/soc.0/f9824900.sdhci/by-name/config u:object_r:frp_block_device:s0 /dev/block/platform/soc.0/f9824900.sdhci/by-name/logdump u:object_r:logdump_partition:s0 /dev/block/mmcblk0rpmb u:object_r:rpmb_device:s0 /dev/block/mmcblk0 u:object_r:root_block_device:s0 diff --git a/msm8994/file_contexts b/msm8994/file_contexts index 5697413a..4c073044 100644 --- a/msm8994/file_contexts +++ b/msm8994/file_contexts @@ -57,5 +57,5 @@ /dev/block/platform/soc.0/f9824900.sdhci/by-name/boot u:object_r:boot_block_device:s0 /dev/block/platform/soc.0/f9824900.sdhci/by-name/recovery u:object_r:recovery_block_device:s0 /dev/block/platform/soc.0/f9824900.sdhci/by-name/cache u:object_r:cache_block_device:s0 -/dev/block/platform/soc.0/f9824900.sdhci/by-name/frp u:object_r:frp_block_device:s0 +/dev/block/platform/soc.0/f9824900.sdhci/by-name/config u:object_r:frp_block_device:s0 /dev/block/platform/soc.0/f9824900.sdhci/by-name/logdump u:object_r:logdump_partition:s0 -- cgit v1.2.3 From 6ca8d882d4e3f11118aa1f838e41a0e1c4d87961 Mon Sep 17 00:00:00 2001 From: Sashidhar Ganiga Date: Wed, 5 Oct 2016 19:06:29 +0530 Subject: sepolicy: allow writing firmware files in recovery mode. FOTA upgrading requires writing firmware images into vfat firmware partition in recovery mode. Change-Id: I0bd61196ea7acf00582e58980aaeb3cf5128aa7a --- common/recovery.te | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/common/recovery.te b/common/recovery.te index c83bc974..210c4050 100644 --- a/common/recovery.te +++ b/common/recovery.te 
@@ -3,7 +3,8 @@ recovery_only(` allow recovery sdcard_type:dir r_dir_perms; allow recovery sdcard_type:file r_file_perms; allow recovery vfat:dir r_dir_perms; - allow recovery vfat:file r_file_perms; + allow recovery vfat:file create_file_perms; + allow recovery vfat:file rw_file_perms; allow recovery system_data_file:file r_file_perms; allow recovery system_data_file:dir r_dir_perms; allow recovery RIDL_data_file:file r_file_perms; -- cgit v1.2.3 From a5839aa81c6e17fda9ca37318c67f63bb2fc3992 Mon Sep 17 00:00:00 2001 From: Divya Narayanan Poojary Date: Tue, 15 Nov 2016 19:16:17 +0530 Subject: sepolicy: Added thermal engine access to audioserver audioserver needs to access thermal engine for speaker calibration. Change-Id: I141e8962b6e39ba8407b6e54710c31b9574a1b2b CRs-fixed: 1086008 --- common/audioserver.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/common/audioserver.te b/common/audioserver.te index 48df422e..df2d09ce 100644 --- a/common/audioserver.te +++ b/common/audioserver.te @@ -86,3 +86,6 @@ use_per_mgr(audioserver); allow audioserver activity_service:service_manager find; set_prop(audioserver, dolby_prop) # DOLBY_END + +# for thermal sock files +unix_socket_connect(audioserver, thermal, thermal-engine) -- cgit v1.2.3 From aca10f89bfbba036d3182e81363e40c1991afdf8 Mon Sep 17 00:00:00 2001 From: Shaheda Begum Date: Fri, 14 Oct 2016 15:09:22 +0530 Subject: Add SELinux support for factory reset protection Map factory reset protection into SELinux sepolicy/file_contexts Change-Id: Ibd3198cc38e0446e1862b178f8d4c5ae8f8dc0c9 CRs-Fixed: 1078078 --- msm8909/file_contexts | 1 + msm8916/file_contexts | 1 + 2 files changed, 2 insertions(+) diff --git a/msm8909/file_contexts b/msm8909/file_contexts index 424d82b1..642cfb5a 100644 --- a/msm8909/file_contexts +++ b/msm8909/file_contexts 
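Review bot: In common/recovery.te the two added lines overlap and still do not permit file creation. `create_file_perms` already contains every permission in `rw_file_perms`, so `allow recovery vfat:file rw_file_perms;` is redundant; and because `vfat:dir` stays at `r_dir_perms` in this hunk, creating a new firmware file would still be denied for lack of `add_name`/`write` on the directory. If FOTA only overwrites existing images, keep just `allow recovery vfat:file rw_file_perms;`; if it creates files, keep `create_file_perms` and change the directory rule to `allow recovery vfat:dir rw_dir_perms;`. The `recovery_only(` block starts before the hunk and continues past it.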
@@ -35,6 +35,7 @@ /dev/block/platform/soc.0/7824900.sdhci/by-name/misc u:object_r:misc_block_device:s0 /dev/block/platform/soc.0/7824900.sdhci/by-name/userdata u:object_r:userdata_block_device:s0 /dev/block/platform/soc.0/7824900.sdhci/by-name/logdump u:object_r:logdump_partition:s0 +/dev/block/platform/soc.0/7824900.sdhci/by-name/config u:object_r:frp_block_device:s0 /dev/block/mmcblk0 u:object_r:root_block_device:s0 /dev/block/mmcblk0rpmb u:object_r:rpmb_device:s0 diff --git a/msm8916/file_contexts b/msm8916/file_contexts index 31788b3b..c59fe8fb 100644 --- a/msm8916/file_contexts +++ b/msm8916/file_contexts @@ -36,6 +36,7 @@ /dev/block/platform/soc.0/7824900.sdhci/by-name/misc u:object_r:misc_block_device:s0 /dev/block/platform/soc.0/7824900.sdhci/by-name/userdata u:object_r:userdata_block_device:s0 /dev/block/platform/soc.0/7824900.sdhci/by-name/logdump u:object_r:logdump_partition:s0 +/dev/block/platform/soc.0/7824900.sdhci/by-name/config u:object_r:frp_block_device:s0 /dev/block/mmcblk0 u:object_r:root_block_device:s0 /dev/block/mmcblk0rpmb u:object_r:rpmb_device:s0 /dev/block/platform/soc.0/7824900.sdhci/by-name/boot u:object_r:boot_block_device:s0 -- cgit v1.2.3 From 6741de8fc6b1cbc036610f12b3708a83a79b14e7 Mon Sep 17 00:00:00 2001 
From: jinfaw Date: Wed, 9 Nov 2016 15:45:01 +0800 Subject: sepolicy:Add oemfs ruler for carrier switch 1.Carrier overlay apk could be found and loaded in oemfs 2.Carrier Link file could be found in oemfs,such as "lib.so.link" Change-Id: I9a32329e23363087b3a49baeeb3c3f8390a8116a CRs-Fixed: 1086459 --- msm8909/idmap.te | 30 ++++++++++++++++++++++++++++++ msm8909/platform_app.te | 29 +++++++++++++++++++++++++++++ msm8909/priv_app.te | 29 +++++++++++++++++++++++++++++ msm8909/system_app.te | 29 +++++++++++++++++++++++++++++ msm8909/untrusted_app.te | 30 ++++++++++++++++++++++++++++++ 5 files changed, 147 insertions(+) create mode 100644 msm8909/idmap.te create mode 100644 msm8909/platform_app.te create mode 100644 msm8909/priv_app.te create mode 100644 msm8909/system_app.te create mode 100644 msm8909/untrusted_app.te diff --git a/msm8909/idmap.te b/msm8909/idmap.te new file mode 100644 index 00000000..84b11e8f --- /dev/null +++ b/msm8909/idmap.te 
@@ -0,0 +1,30 @@
+# Copyright (c) 2016, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+#for oemfs
+allow idmap oemfs:file r_file_perms;
+allow idmap oemfs:dir r_dir_perms;
diff --git a/msm8909/platform_app.te b/msm8909/platform_app.te
new file mode 100644
index 00000000..919f16f5
--- /dev/null
+++ b/msm8909/platform_app.te
@@ -0,0 +1,29 @@
+# Copyright (c) 2016, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+#for oemfs
+allow platform_app oemfs:lnk_file { read getattr };
diff --git a/msm8909/priv_app.te b/msm8909/priv_app.te
new file mode 100644
index 00000000..203ed549
--- /dev/null
+++ b/msm8909/priv_app.te
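Review bot: The comment `#for oemfs` in msm8909/platform_app.te, and the identical ones in priv_app.te and system_app.te, does not say why app domains need to read symlinks on the OEM partition. The commit message gives the reason (carrier link files such as lib.so.link), so put it in the policy: `# Carrier switch: resolve carrier link files stored on oemfs`. Only `lnk_file { read getattr }` is granted, so resolving a link also depends on search access to the oemfs directory and on access to the link target being granted elsewhere. That is worth confirming, since content on this partition ends up being loaded by apps.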
@@ -0,0 +1,29 @@
+# Copyright (c) 2016, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+#for oemfs
+allow priv_app oemfs:lnk_file { read getattr };
diff --git a/msm8909/system_app.te b/msm8909/system_app.te
new file mode 100644
index 00000000..10c8adac
--- /dev/null
+++ b/msm8909/system_app.te
@@ -0,0 +1,29 @@
+# Copyright (c) 2016, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+#for oemfs
+allow system_app oemfs:lnk_file { read getattr };
diff --git a/msm8909/untrusted_app.te b/msm8909/untrusted_app.te
new file mode 100644
index 00000000..e8b029e1
--- /dev/null
+++ b/msm8909/untrusted_app.te
@@ -0,0 +1,30 @@
+# Copyright (c) 2016, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+
+# for oemfs
+allow untrusted_app oemfs:lnk_file { read getattr };
-- cgit v1.2.3
From ccd3f23dfdeb7d77b6074bf49ea5a8cf66938127 Mon Sep 17 00:00:00 2001
From: Ameya Thakur
Date: Fri, 18 Nov 2016 17:05:35 -0800
Subject: recovery: Allow recovery to set up adb in configfs based builds recovery now has the necessary permissions to configure adb for configfs based builds.
Change-Id: Ida1aa1a7714201e151c9e93ccc174adba09baa95
---
 common/recovery.te | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/common/recovery.te b/common/recovery.te
index 210c4050..c5b2c0ec 100644
--- a/common/recovery.te
+++ b/common/recovery.te
@@ -17,4 +17,10 @@ recovery_only(`
 allow recovery sg_device:chr_file rw_file_perms;
 allow recovery self:capability sys_rawio;
 allow recovery sg_device:chr_file ioctl;
+ # Enable adb on configfs devices
+ allow recovery configfs:file rw_file_perms;
+ allow recovery configfs:dir rw_dir_perms;
+ set_prop(recovery, ffs_prop);
+ get_prop(recovery, sys_usb_controller_prop);
+ get_prop(recovery, boot_mode_prop);
 ')
-- cgit v1.2.3
From bdf09baedf6654ec642055cf5b63e54e2525a36e Mon Sep 17 00:00:00 2001
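Review bot: The two configfs rules, `allow recovery configfs:file rw_file_perms;` and `allow recovery configfs:dir rw_dir_perms;`, give recovery write access to every node labelled `configfs`, although the comment names only adb setup as the purpose. They are confined to recovery images by the enclosing `recovery_only(` block, which opens outside this hunk, but the comment should still record which part of configfs is written, e.g. `# adb over configfs: recovery writes the USB gadget configuration; nothing else under configfs is expected to be touched`. If the platform can label the gadget subtree with its own type, granting on that type instead of `configfs` would keep the rule tight; presumably that needs a labelling entry that is not part of this change.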
From: Biswajit Paul Date: Thu, 17 Nov 2016 16:20:09 -0800 Subject: Rename msmcobalt to msm8998 Renaming the device name to support msm8998 Change-Id: I5fd75fa1f3e549ba2df11b48c59183681ee454bd --- msm8998/app.te | 30 +++++++++++++ msm8998/bootanim.te | 31 ++++++++++++++ msm8998/device.te | 29 +++++++++++++ msm8998/file.te | 36 ++++++++++++++++ msm8998/file_contexts | 83 ++++++++++++++++++++++++++++++++++++ msm8998/idmap.te | 30 +++++++++++++ msm8998/init-qcom-fbe-sh.te | 36 ++++++++++++++++ msm8998/init_shell.te | 33 +++++++++++++++ msm8998/mm-qcamerad.te | 29 +++++++++++++ msm8998/platform_app.te | 29 +++++++++++++ msm8998/priv_app.te | 29 +++++++++++++ msm8998/property.te | 29 +++++++++++++ msm8998/property_contexts | 28 ++++++++++++ msm8998/qseecomd.te | 30 +++++++++++++ msm8998/qti-logkit.te | 33 +++++++++++++++ msm8998/qvop.te | 46 ++++++++++++++++++++ msm8998/qvrd.te | 99 +++++++++++++++++++++++++++++++++++++++++++ msm8998/recovery.te | 30 +++++++++++++ msm8998/ridl.te | 33 +++++++++++++++ msm8998/service.te | 31 ++++++++++++++ msm8998/service_contexts | 31 ++++++++++++++ msm8998/surfaceflinger.te | 33 +++++++++++++++ msm8998/system_app.te | 30 +++++++++++++ msm8998/system_server.te | 33 +++++++++++++++ msm8998/untrusted_app.te | 30 +++++++++++++ msm8998/zygote.te | 33 +++++++++++++++ msmcobalt/app.te | 30 ------------- msmcobalt/bootanim.te | 31 -------------- msmcobalt/device.te | 29 ------------- msmcobalt/file.te | 36 ---------------- msmcobalt/file_contexts | 83 ------------------------------------ msmcobalt/idmap.te | 30 ------------- msmcobalt/init-qcom-fbe-sh.te | 36 ---------------- msmcobalt/init_shell.te | 33 --------------- msmcobalt/mm-qcamerad.te | 29 ------------- msmcobalt/platform_app.te | 29 ------------- msmcobalt/priv_app.te | 29 ------------- msmcobalt/property.te | 29 ------------- msmcobalt/property_contexts | 28 ------------ msmcobalt/qseecomd.te | 30 ------------- msmcobalt/qti-logkit.te | 33 --------------- msmcobalt/qvop.te | 46 
-------------------- msmcobalt/qvrd.te | 99 ------------------------------------------- msmcobalt/recovery.te | 30 ------------- msmcobalt/ridl.te | 33 --------------- msmcobalt/service.te | 31 -------------- msmcobalt/service_contexts | 31 -------------- msmcobalt/surfaceflinger.te | 33 --------------- msmcobalt/system_app.te | 30 ------------- msmcobalt/system_server.te | 33 --------------- msmcobalt/untrusted_app.te | 30 ------------- msmcobalt/zygote.te | 33 --------------- 52 files changed, 944 insertions(+), 944 deletions(-) create mode 100644 msm8998/app.te create mode 100644 msm8998/bootanim.te create mode 100644 msm8998/device.te create mode 100644 msm8998/file.te create mode 100644 msm8998/file_contexts create mode 100644 msm8998/idmap.te create mode 100644 msm8998/init-qcom-fbe-sh.te create mode 100644 msm8998/init_shell.te create mode 100644 msm8998/mm-qcamerad.te create mode 100644 msm8998/platform_app.te create mode 100644 msm8998/priv_app.te create mode 100644 msm8998/property.te create mode 100644 msm8998/property_contexts create mode 100644 msm8998/qseecomd.te create mode 100644 msm8998/qti-logkit.te create mode 100644 msm8998/qvop.te create mode 100644 msm8998/qvrd.te create mode 100644 msm8998/recovery.te create mode 100644 msm8998/ridl.te create mode 100644 msm8998/service.te create mode 100644 msm8998/service_contexts create mode 100644 msm8998/surfaceflinger.te create mode 100644 msm8998/system_app.te create mode 100644 msm8998/system_server.te create mode 100644 msm8998/untrusted_app.te create mode 100644 msm8998/zygote.te delete mode 100644 msmcobalt/app.te delete mode 100644 msmcobalt/bootanim.te delete mode 100644 msmcobalt/device.te delete mode 100644 msmcobalt/file.te delete mode 100644 msmcobalt/file_contexts delete mode 100644 msmcobalt/idmap.te delete mode 100644 msmcobalt/init-qcom-fbe-sh.te delete mode 100644 msmcobalt/init_shell.te delete mode 100644 msmcobalt/mm-qcamerad.te delete mode 100644 msmcobalt/platform_app.te delete mode 
100644 msmcobalt/priv_app.te delete mode 100644 msmcobalt/property.te delete mode 100644 msmcobalt/property_contexts delete mode 100644 msmcobalt/qseecomd.te delete mode 100644 msmcobalt/qti-logkit.te delete mode 100644 msmcobalt/qvop.te delete mode 100644 msmcobalt/qvrd.te delete mode 100644 msmcobalt/recovery.te delete mode 100644 msmcobalt/ridl.te delete mode 100644 msmcobalt/service.te delete mode 100644 msmcobalt/service_contexts delete mode 100644 msmcobalt/surfaceflinger.te delete mode 100644 msmcobalt/system_app.te delete mode 100644 msmcobalt/system_server.te delete mode 100644 msmcobalt/untrusted_app.te delete mode 100644 msmcobalt/zygote.te diff --git a/msm8998/app.te b/msm8998/app.te new file mode 100644 index 00000000..9893883f --- /dev/null +++ b/msm8998/app.te 
@@ -0,0 +1,30 @@
+# Copyright (c) 2016, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# Allow all apps to connect to VR service
+allow appdomain qvrd:fd use;
+unix_socket_connect(appdomain, qvrd, qvrd)
diff --git a/msm8998/bootanim.te b/msm8998/bootanim.te
new file mode 100644
index 00000000..51701259
--- /dev/null
+++ b/msm8998/bootanim.te
@@ -0,0 +1,31 @@
+# Copyright (c) 2016, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# For regionalization
+allow bootanim persist_file:dir r_dir_perms;
+allow bootanim regionalization_file:dir r_dir_perms;
+allow bootanim regionalization_file:file r_file_perms;
diff --git a/msm8998/device.te b/msm8998/device.te
new file mode 100644
index 00000000..66dd4e50
--- /dev/null
+++ b/msm8998/device.te
@@ -0,0 +1,29 @@
+# Copyright (c) 2016, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+#Define rawdump block device
+type rawdump_block_device, dev_type;
diff --git a/msm8998/file.te b/msm8998/file.te
new file mode 100644
index 00000000..b6d287ab
--- /dev/null
+++ b/msm8998/file.te
@@ -0,0 +1,36 @@
+# Copyright (c) 2016, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+#sysfs emmc dload type
+type sysfs_emmc_dload, sysfs_type, fs_type;
+
+# Data type for QVOP
+type qvop_data_file, file_type, data_file_type;
+
+# Data type for qvrd
+type qvrd_data_file, file_type, data_file_type;
+type qvrd_socket, file_type, mlstrustedobject;
diff --git a/msm8998/file_contexts b/msm8998/file_contexts
new file mode 100644
index 00000000..ae7ea032
--- /dev/null
+++ b/msm8998/file_contexts
@@ -0,0 +1,83 @@
+# Copyright (c) 2016, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+###################################
+# Dev block nodes
+
+# UFS Devices
+/dev/block/platform/soc/1da4000.ufshc/by-name/system u:object_r:system_block_device:s0
+/dev/block/platform/soc/1da4000.ufshc/by-name/userdata u:object_r:userdata_block_device:s0
+/dev/block/platform/soc/1da4000.ufshc/by-name/boot u:object_r:boot_block_device:s0
+/dev/block/platform/soc/1da4000.ufshc/by-name/logdump u:object_r:logdump_partition:s0
+/dev/block/platform/soc/1da4000.ufshc/by-name/fsc u:object_r:modem_efs_partition_device:s0
+/dev/block/platform/soc/1da4000.ufshc/by-name/fsg u:object_r:modem_efs_partition_device:s0
+/dev/block/platform/soc/1da4000.ufshc/by-name/modemst1 u:object_r:modem_efs_partition_device:s0
+/dev/block/platform/soc/1da4000.ufshc/by-name/modemst2 u:object_r:modem_efs_partition_device:s0
+/dev/block/platform/soc/1da4000.ufshc/by-name/ssd u:object_r:ssd_device:s0
+/dev/block/platform/soc/1da4000.ufshc/by-name/misc u:object_r:misc_block_device:s0
+/dev/block/platform/soc/1da4000.ufshc/by-name/rpm u:object_r:rpmb_device:s0
+/dev/block/platform/soc/1da4000.ufshc/by-name/msadp u:object_r:mba_debug_dev:s0
+/dev/block/platform/soc/1da4000.ufshc/by-name/recovery u:object_r:recovery_block_device:s0
+/dev/block/platform/soc/1da4000.ufshc/by-name/cache u:object_r:cache_block_device:s0
+/dev/block/platform/soc/1da4000.ufshc/by-name/frp u:object_r:frp_block_device:s0
+/dev/block/platform/soc/1da4000.ufshc/by-name/mdtp u:object_r:mdtp_device:s0
+/dev/block/platform/soc/1da4000.ufshc/by-name/dip u:object_r:dip_device:s0
+
+#rawdump partition
+/dev/block/platform/soc/1da4000.ufshc/by-name/rawdump u:object_r:rawdump_block_device:s0
+/sys/kernel/dload/emmc_dload u:object_r:sysfs_emmc_dload:s0
+
+###################################
+# Dev socket nodes
+#
+/dev/socket/qvrservice u:object_r:qvrd_socket:s0
+
+###################################
+# System files
+#
+/system/bin/qvop-daemon u:object_r:qvop_exec:s0
+/system/vendor/bin/qvrservice u:object_r:qvrd_exec:s0
+
+###################################
+# data files
+#
+/data/misc/qvop(/.*)? u:object_r:qvop_data_file:s0
+/data/misc/qvr(/.*)? u:object_r:qvrd_data_file:s0
+
+##################################
+# non-hlos mount points
+/firmware u:object_r:firmware_file:s0
+/bt_firmware u:object_r:bt_firmware_file:s0
+
+##################################
+# FBE
+/system/bin/init.qcom.qseecomd.sh u:object_r:init-qcom-fbe-sh_exec:s0
+
+###################################
+# sysfs files
+#
+/sys/devices/soc/75ba000.i2c/i2c-12/12-0020/input/input[0-9]/secure_touch_enable u:object_r:sysfs_securetouch:s0
+/sys/devices/virtual/graphics/fb([0-3])+/lineptr_value u:object_r:sysfs_graphics:s0
diff --git a/msm8998/idmap.te b/msm8998/idmap.te
new file mode 100644
index 00000000..84b11e8f
--- /dev/null
+++ b/msm8998/idmap.te
@@ -0,0 +1,30 @@
+# Copyright (c) 2016, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+#for oemfs
+allow idmap oemfs:file r_file_perms;
+allow idmap oemfs:dir r_dir_perms;
diff --git a/msm8998/init-qcom-fbe-sh.te b/msm8998/init-qcom-fbe-sh.te
new file mode 100644
index 00000000..2eba9da1
--- /dev/null
+++ b/msm8998/init-qcom-fbe-sh.te
@@ -0,0 +1,36 @@
+# Copyright (c) 2016, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+type init-qcom-fbe-sh, domain;
+type init-qcom-fbe-sh_exec, exec_type, file_type;
+
+init_daemon_domain(init-qcom-fbe-sh)
+
+allow init-qcom-fbe-sh shell_exec:file rx_file_perms;
+
+# execute toybox/toolbox
+allow init-qcom-fbe-sh toolbox_exec:file rx_file_perms;
diff --git a/msm8998/init_shell.te b/msm8998/init_shell.te
new file mode 100644
index 00000000..ef747698
--- /dev/null
+++ b/msm8998/init_shell.te
@@ -0,0 +1,33 @@
+# Copyright (c) 2016, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# For regionalization
+allow qti_init_shell regionalization_file:dir r_dir_perms;
+allow qti_init_shell regionalization_file:file create_file_perms;
+
+# For VR
+allow qti_init_shell ctl_qvrd_prop:property_service set;
diff --git a/msm8998/mm-qcamerad.te b/msm8998/mm-qcamerad.te
new file mode 100644
index 00000000..5e3ff470
--- /dev/null
+++ b/msm8998/mm-qcamerad.te
@@ -0,0 +1,29 @@
+# Copyright (c) 2016, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+#Allow camera to work normally in VR mode
+binder_call(mm-qcamerad, qvrd)
diff --git a/msm8998/platform_app.te b/msm8998/platform_app.te
new file mode 100644
index 00000000..919f16f5
--- /dev/null
+++ b/msm8998/platform_app.te
@@ -0,0 +1,29 @@
+# Copyright (c) 2016, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+#for oemfs
+allow platform_app oemfs:lnk_file { read getattr };
diff --git a/msm8998/priv_app.te b/msm8998/priv_app.te
new file mode 100644
index 00000000..203ed549
--- /dev/null
+++ b/msm8998/priv_app.te
@@ -0,0 +1,29 @@ +# Copyright (c) 2016, The Linux Foundation. All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions are +# met: +# * Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# * Redistributions in binary form must reproduce the above +# copyright notice, this list of conditions and the following +# disclaimer in the documentation and/or other materials provided +# with the distribution. +# * Neither the name of The Linux Foundation nor the names of its +# contributors may be used to endorse or promote products derived +# from this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED +# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT +# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS +# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR +# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR +# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, +# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE +# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN +# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +#for oemfs +allow priv_app oemfs:lnk_file { read getattr }; diff --git a/msm8998/property.te b/msm8998/property.te new file mode 100644 index 00000000..e317966c --- /dev/null +++ b/msm8998/property.te 
@@ -0,0 +1,29 @@ +# Copyright (c) 2016, The Linux Foundation. All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions are +# met: +# * Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# * Redistributions in binary form must reproduce the above +# copyright notice, this list of conditions and the following +# disclaimer in the documentation and/or other materials provided +# with the distribution. +# * Neither the name of The Linux Foundation nor the names of its +# contributors may be used to endorse or promote products derived +# from this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED +# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT +# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS +# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR +# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR +# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, +# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE +# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN +# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +#properties for qvrd +type ctl_qvrd_prop, property_type; diff --git a/msm8998/property_contexts b/msm8998/property_contexts new file mode 100644 index 00000000..9548ba89 --- /dev/null +++ b/msm8998/property_contexts 
@@ -0,0 +1,28 @@ +# Copyright (c) 2016, The Linux Foundation. All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions are +# met: +# * Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# * Redistributions in binary form must reproduce the above +# copyright notice, this list of conditions and the following +# disclaimer in the documentation and/or other materials provided +# with the distribution. +# * Neither the name of The Linux Foundation nor the names of its +# contributors may be used to endorse or promote products derived +# from this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED +# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT +# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS +# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR +# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR +# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, +# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE +# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN +# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +ctl.qvrd u:object_r:ctl_qvrd_prop:s0 diff --git a/msm8998/qseecomd.te b/msm8998/qseecomd.te new file mode 100644 index 00000000..0e940c59 --- /dev/null +++ b/msm8998/qseecomd.te 
@@ -0,0 +1,30 @@ +# Copyright (c) 2016, The Linux Foundation. All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions are +# met: +# * Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# * Redistributions in binary form must reproduce the above +# copyright notice, this list of conditions and the following +# disclaimer in the documentation and/or other materials provided +# with the distribution. +# * Neither the name of The Linux Foundation nor the names of its +# contributors may be used to endorse or promote products derived +# from this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED +# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT +# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS +# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR +# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR +# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, +# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE +# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN +# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +# Provide access to Q VoicePrint +allow tee qvop_data_file:dir create_dir_perms; +allow tee qvop_data_file:file create_file_perms; diff --git a/msm8998/qti-logkit.te b/msm8998/qti-logkit.te new file mode 100644 index 00000000..725cf476 --- /dev/null +++ b/msm8998/qti-logkit.te 
@@ -0,0 +1,33 @@
+# Copyright (c) 2016, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# allow qti_logkit for rawdump partition
+allow qti_logkit block_device:dir r_dir_perms;
+allow qti_logkit rawdump_block_device:blk_file rw_file_perms;
+
+# allow qti_logkit for sysfs emmc dload node
+allow qti_logkit sysfs_emmc_dload:file rw_file_perms;
diff --git a/msm8998/qvop.te b/msm8998/qvop.te
new file mode 100644
index 00000000..ce69fa4d
--- /dev/null
+++ b/msm8998/qvop.te
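Review bot: `allow qti_logkit rawdump_block_device:blk_file rw_file_perms;` and `allow qti_logkit sysfs_emmc_dload:file rw_file_perms;` are granted with no build-type guard, so the logging domain can write the raw-dump partition and the eMMC download-mode node on user builds as well. If dump collection is a development feature, which the page does not say either way, the three rules belong inside the `userdebug_or_eng` macro that this commit already uses in qvrd.te and surfaceflinger.te. Should production builds need them, the comments ought to say so and explain why write access is required rather than read. The RIDL rules added in msm8998/ridl.te grant the same access and need the same decision.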
@@ -0,0 +1,46 @@ +# Copyright (c) 2016, The Linux Foundation. All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions are +# met: +# * Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# * Redistributions in binary form must reproduce the above +# copyright notice, this list of conditions and the following +# disclaimer in the documentation and/or other materials provided +# with the distribution. +# * Neither the name of The Linux Foundation nor the names of its +# contributors may be used to endorse or promote products derived +# from this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED +# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT +# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS +# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR +# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR +# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, +# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE +# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN +# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ +type qvop, domain; +type qvop_exec, exec_type, file_type; + +init_daemon_domain(qvop) + +allow qvop qvop_data_file:dir create_dir_perms; +allow qvop qvop_data_file:file create_file_perms; + +binder_call(qvop, system_app) + +# Add IQvopService service +allow qvop iqvop_service:service_manager add; + +binder_use(qvop) + +allow qvop tee_device:chr_file rw_file_perms; +r_dir_file(qvop, firmware_file) + +allow qvop ion_device:chr_file r_file_perms; \ No newline at end of file diff --git a/msm8998/qvrd.te b/msm8998/qvrd.te new file mode 100644 index 00000000..778ae61e --- /dev/null +++ b/msm8998/qvrd.te 
@@ -0,0 +1,99 @@
+# Copyright (c) 2016, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+type qvrd, domain, mlstrustedsubject;
+type qvrd_exec, exec_type, file_type;
+
+init_daemon_domain(qvrd)
+
+#
+# General
+#
+
+# Allow interracting with qvrd directory
+allow qvrd qvrd_data_file:dir create_dir_perms;
+allow qvrd qvrd_data_file:file create_file_perms;
+
+# Allow access to our socket
+allow qvrd qvrd_socket:sock_file rw_file_perms;
+
+#
+# Sensors
+#
+
+# Allow access to ADSP & SLPI
+allow qvrd { ion_device qdsp_device dsp_device }:chr_file r_file_perms;
+
+# Allow access to adsprpcd
+r_dir_file(qvrd, adsprpcd_file);
+allow qvrd system_file:dir read;
+
+#
+# Display
+#
+
+# Allow access to /sys/devices/virtual/graphics/fb* for lineptr interrupts
+allow qvrd sysfs_graphics:file rw_file_perms;
+
+# Allow access to /dev/graphics/fb0 for configuring vsync interrupts
+allow qvrd graphics_device:dir r_dir_perms;
+allow qvrd graphics_device:chr_file rw_file_perms;
+
+#
+# Scheduler
+#
+
+allow qvrd self:capability { sys_nice };
+userdebug_or_eng(`
+ allow qvrd su:process setsched;
+')
+allow qvrd appdomain:process setsched;
+
+#
+# Camera
+#
+
+# Allow access to camera HAL
+allow qvrd { gpu_device video_device camera_device sensors_device }:chr_file rw_file_perms;
+allow qvrd camera_data_file:dir rw_dir_perms;
+allow qvrd camera_data_file:sock_file w_file_perms;
+allow qvrd mm-qcamerad:unix_dgram_socket sendto;
+binder_use(qvrd)
+binder_call(qvrd, surfaceflinger);
+allow qvrd surfaceflinger_service:service_manager find;
+allow qvrd sysfs:file r_file_perms;
+
+# Allow access to /dev/video/* devices
+allow qvrd video_device:dir r_dir_perms;
+
+unix_socket_connect(qvrd, mpctl, perfd)
+
+# Allow access to sensor1 API
+allow qvrd self:socket create_socket_perms;
+allow qvrd persist_file:dir r_dir_perms;
+allow qvrd sensors_persist_file:dir r_dir_perms;
+allow qvrd sensors_persist_file:file r_file_perms;
diff --git a/msm8998/recovery.te b/msm8998/recovery.te
new file mode 100644
index 00000000..ef6eb7b0
--- /dev/null
+++ b/msm8998/recovery.te
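Review bot: `type qvrd, domain, mlstrustedsubject;` exempts the daemon from the MLS constraints that keep per-app and per-user categories apart, and nothing in the file says which access needs that exemption. Together with the uncommented `allow qvrd appdomain:process setsched;` under the Scheduler heading, it gives a vendor daemon reach over every app process. A comment on the type line should name the object that requires it, for example `# mlstrustedsubject: <object apps share with qvrd across MLS levels>` with the placeholder filled in by the author; if no such object exists, the attribute should be dropped. Separately, `allow qvrd sysfs:file r_file_perms;` in the Camera section uses the generic `sysfs` label where the Display section uses the specific `sysfs_graphics`, so a dedicated label for the nodes the camera path reads would keep the grant narrow.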
@@ -0,0 +1,30 @@ +# Copyright (c) 2016, The Linux Foundation. All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions are +# met: +# * Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# * Redistributions in binary form must reproduce the above +# copyright notice, this list of conditions and the following +# disclaimer in the documentation and/or other materials provided +# with the distribution. +# * Neither the name of The Linux Foundation nor the names of its +# contributors may be used to endorse or promote products derived +# from this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED +# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT +# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS +# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR +# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR +# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, +# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE +# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN +# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +recovery_only(` + allow recovery shell_exec:file x_file_perms; +') diff --git a/msm8998/ridl.te b/msm8998/ridl.te new file mode 100644 index 00000000..0147c26c --- /dev/null +++ b/msm8998/ridl.te 
@@ -0,0 +1,33 @@ +# Copyright (c) 2016, The Linux Foundation. All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions are +# met: +# * Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# * Redistributions in binary form must reproduce the above +# copyright notice, this list of conditions and the following +# disclaimer in the documentation and/or other materials provided +# with the distribution. +# * Neither the name of The Linux Foundation nor the names of its +# contributors may be used to endorse or promote products derived +# from this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED +# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT +# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS +# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR +# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR +# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, +# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE +# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN +# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +# allow RIDL for rawdump partition +allow RIDL block_device:dir r_dir_perms; +allow RIDL rawdump_block_device:blk_file rw_file_perms; + +# allow RIDL for enable sysfs node +allow RIDL sysfs_emmc_dload:file rw_file_perms; diff --git a/msm8998/service.te b/msm8998/service.te new file mode 100644 index 00000000..ad41b5fa --- /dev/null +++ b/msm8998/service.te 
@@ -0,0 +1,31 @@ +# Copyright (c) 2016, The Linux Foundation. All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions are +# met: +# * Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# * Redistributions in binary form must reproduce the above +# copyright notice, this list of conditions and the following +# disclaimer in the documentation and/or other materials provided +# with the distribution. +# * Neither the name of The Linux Foundation nor the names of its +# contributors may be used to endorse or promote products derived +# from this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED +# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT +# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS +# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR +# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR +# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, +# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE +# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN +# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +# regionalization service +type regionalization_service, system_api_service, service_manager_type; + +type iqvop_service, service_manager_type; \ No newline at end of file diff --git a/msm8998/service_contexts b/msm8998/service_contexts new file mode 100644 index 00000000..20ab6358 --- /dev/null +++ b/msm8998/service_contexts 
@@ -0,0 +1,31 @@ +# Copyright (c) 2016, The Linux Foundation. All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions are +# met: +# * Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# * Redistributions in binary form must reproduce the above +# copyright notice, this list of conditions and the following +# disclaimer in the documentation and/or other materials provided +# with the distribution. +# * Neither the name of The Linux Foundation nor the names of its +# contributors may be used to endorse or promote products derived +# from this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED +# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT +# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS +# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR +# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR +# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, +# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE +# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN +# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +# Regionalization service +regionalization u:object_r:regionalization_service:s0 + +android.apps.IQvopService u:object_r:iqvop_service:s0 \ No newline at end of file diff --git a/msm8998/surfaceflinger.te b/msm8998/surfaceflinger.te new file mode 100644 index 00000000..ff6ea3d3 --- /dev/null +++ b/msm8998/surfaceflinger.te 
@@ -0,0 +1,33 @@
+# Copyright (c) 2016, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+###################################
+
+#TODO:Remove after bringup: msmcobalt specific
+userdebug_or_eng(`
+allow surfaceflinger self:process execmem;
+allow surfaceflinger ashmem_device:chr_file execute;
+')
diff --git a/msm8998/system_app.te b/msm8998/system_app.te
new file mode 100644
index 00000000..d11659b6
--- /dev/null
+++ b/msm8998/system_app.te
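Review bot: The comment `#TODO:Remove after bringup: msmcobalt specific` has no bug or CR reference and still names msmcobalt although the file is now under msm8998/. As written, nothing tracks the removal of `allow surfaceflinger self:process execmem;` and `allow surfaceflinger ashmem_device:chr_file execute;`. The wrapper limits both rules to userdebug and eng builds, but they still let surfaceflinger run code from anonymous and ashmem mappings, so a dependency on executable memory would go unnoticed until a user build denies it. I would rewrite the comment as `# TODO(<tracking id>): msm8998 bring-up only; drop execmem and ashmem execute once <component> stops needing them`, with both placeholders filled in by the author.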
@@ -0,0 +1,30 @@ +# Copyright (c) 2016, The Linux Foundation. All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions are +# met: +# * Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# * Redistributions in binary form must reproduce the above +# copyright notice, this list of conditions and the following +# disclaimer in the documentation and/or other materials provided +# with the distribution. +# * Neither the name of The Linux Foundation nor the names of its +# contributors may be used to endorse or promote products derived +# from this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED +# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT +# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS +# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR +# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR +# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, +# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE +# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN +# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +binder_call(system_app, qvop) +#for oemfs +allow system_app oemfs:lnk_file { read getattr }; diff --git a/msm8998/system_server.te b/msm8998/system_server.te new file mode 100644 index 00000000..54c7faa6 --- /dev/null +++ b/msm8998/system_server.te 
@@ -0,0 +1,33 @@ +# Copyright (c) 2016, The Linux Foundation. All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions are +# met: +# * Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# * Redistributions in binary form must reproduce the above +# copyright notice, this list of conditions and the following +# disclaimer in the documentation and/or other materials provided +# with the distribution. +# * Neither the name of The Linux Foundation nor the names of its +# contributors may be used to endorse or promote products derived +# from this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED +# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT +# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS +# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR +# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR +# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, +# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE +# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN +# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +# For Regionalization service +allow system_server regionalization_service:service_manager { add find }; +allow system_server regionalization_file:file rw_file_perms; +allow system_server regionalization_file:dir r_dir_perms; +allow system_server resourcecache_data_file:dir create_dir_perms; +allow system_server resourcecache_data_file:file create_file_perms; 
diff --git a/msm8998/untrusted_app.te b/msm8998/untrusted_app.te new file mode 100644 index 00000000..e8b029e1 --- /dev/null +++ b/msm8998/untrusted_app.te @@ -0,0 +1,30 @@ +# Copyright (c) 2016, The Linux Foundation. All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions are +# met: +# * Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# * Redistributions in binary form must reproduce the above +# copyright notice, this list of conditions and the following +# disclaimer in the documentation and/or other materials provided +# with the distribution. +# * Neither the name of The Linux Foundation nor the names of its +# contributors may be used to endorse or promote products derived +# from this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED +# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT +# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS +# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR +# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR +# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, +# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE +# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN +# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + + +# for oemfs +allow untrusted_app oemfs:lnk_file { read getattr }; diff --git a/msm8998/zygote.te b/msm8998/zygote.te new file mode 100644 index 00000000..c8d772e4 --- /dev/null +++ b/msm8998/zygote.te 
@@ -0,0 +1,33 @@ +# Copyright (c) 2016, The Linux Foundation. All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions are +# met: +# * Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# * Redistributions in binary form must reproduce the above +# copyright notice, this list of conditions and the following +# disclaimer in the documentation and/or other materials provided +# with the distribution. +# * Neither the name of The Linux Foundation nor the names of its +# contributors may be used to endorse or promote products derived +# from this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED +# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT +# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS +# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR +# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR +# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, +# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE +# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN +# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +# For regionalization +allow zygote persist_file:dir r_dir_perms; +allow zygote regionalization_file:dir r_dir_perms; +allow zygote regionalization_file:file r_file_perms; +allow zygote oemfs:dir r_dir_perms; +allow zygote oemfs:file r_file_perms; diff --git a/msmcobalt/app.te b/msmcobalt/app.te deleted file mode 100644 index 9893883f..00000000 --- a/msmcobalt/app.te +++ /dev/null 
@@ -1,30 +0,0 @@ -# Copyright (c) 2016, The Linux Foundation. All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions are -# met: -# * Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# * Redistributions in binary form must reproduce the above -# copyright notice, this list of conditions and the following -# disclaimer in the documentation and/or other materials provided -# with the distribution. -# * Neither the name of The Linux Foundation nor the names of its -# contributors may be used to endorse or promote products derived -# from this software without specific prior written permission. -# -# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED -# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF -# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT -# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS -# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR -# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF -# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR -# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, -# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE -# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN -# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - -# Allow all apps to connect to VR service -allow appdomain qvrd:fd use; -unix_socket_connect(appdomain, qvrd, qvrd) diff --git a/msmcobalt/bootanim.te b/msmcobalt/bootanim.te deleted file mode 100644 index 51701259..00000000 --- a/msmcobalt/bootanim.te +++ /dev/null 
@@ -1,31 +0,0 @@
-# Copyright (c) 2016, The Linux Foundation. All rights reserved.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions are
-# met:
-# * Redistributions of source code must retain the above copyright
-# notice, this list of conditions and the following disclaimer.
-# * Redistributions in binary form must reproduce the above
-# copyright notice, this list of conditions and the following
-# disclaimer in the documentation and/or other materials provided
-# with the distribution.
-# * Neither the name of The Linux Foundation nor the names of its
-# contributors may be used to endorse or promote products derived
-# from this software without specific prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
-# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
-# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
-# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
-# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
-# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
-# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-# For regionalization
-allow bootanim persist_file:dir r_dir_perms;
-allow bootanim regionalization_file:dir r_dir_perms;
-allow bootanim regionalization_file:file r_file_perms;
diff --git a/msmcobalt/device.te b/msmcobalt/device.te
deleted file mode 100644
index 66dd4e50..00000000
--- a/msmcobalt/device.te
+++ /dev/null
@@ -1,29 +0,0 @@
-# Copyright (c) 2016, The Linux Foundation. All rights reserved.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions are
-# met:
-# * Redistributions of source code must retain the above copyright
-# notice, this list of conditions and the following disclaimer.
-# * Redistributions in binary form must reproduce the above
-# copyright notice, this list of conditions and the following
-# disclaimer in the documentation and/or other materials provided
-# with the distribution.
-# * Neither the name of The Linux Foundation nor the names of its
-# contributors may be used to endorse or promote products derived
-# from this software without specific prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
-# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
-# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
-# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
-# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
-# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
-# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-#Define rawdump block device
-type rawdump_block_device, dev_type;
diff --git a/msmcobalt/file.te b/msmcobalt/file.te
deleted file mode 100644
index b6d287ab..00000000
--- a/msmcobalt/file.te
+++ /dev/null
@@ -1,36 +0,0 @@
-# Copyright (c) 2016, The Linux Foundation. All rights reserved.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions are
-# met:
-# * Redistributions of source code must retain the above copyright
-# notice, this list of conditions and the following disclaimer.
-# * Redistributions in binary form must reproduce the above
-# copyright notice, this list of conditions and the following
-# disclaimer in the documentation and/or other materials provided
-# with the distribution.
-# * Neither the name of The Linux Foundation nor the names of its
-# contributors may be used to endorse or promote products derived
-# from this software without specific prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
-# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
-# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
-# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
-# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
-# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
-# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-#sysfs emmc dload type
-type sysfs_emmc_dload, sysfs_type, fs_type;
-
-# Data type for QVOP
-type qvop_data_file, file_type, data_file_type;
-
-# Data type for qvrd
-type qvrd_data_file, file_type, data_file_type;
-type qvrd_socket, file_type, mlstrustedobject;
diff --git a/msmcobalt/file_contexts b/msmcobalt/file_contexts
deleted file mode 100644
index ae7ea032..00000000
--- a/msmcobalt/file_contexts
+++ /dev/null
@@ -1,83 +0,0 @@
-# Copyright (c) 2016, The Linux Foundation. All rights reserved.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions are
-# met:
-# * Redistributions of source code must retain the above copyright
-# notice, this list of conditions and the following disclaimer.
-# * Redistributions in binary form must reproduce the above
-# copyright notice, this list of conditions and the following
-# disclaimer in the documentation and/or other materials provided
-# with the distribution.
-# * Neither the name of The Linux Foundation nor the names of its
-# contributors may be used to endorse or promote products derived
-# from this software without specific prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
-# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
-# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
-# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
-# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
-# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
-# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-###################################
-# Dev block nodes
-
-# UFS Devices
-/dev/block/platform/soc/1da4000.ufshc/by-name/system u:object_r:system_block_device:s0
-/dev/block/platform/soc/1da4000.ufshc/by-name/userdata u:object_r:userdata_block_device:s0
-/dev/block/platform/soc/1da4000.ufshc/by-name/boot u:object_r:boot_block_device:s0
-/dev/block/platform/soc/1da4000.ufshc/by-name/logdump u:object_r:logdump_partition:s0
-/dev/block/platform/soc/1da4000.ufshc/by-name/fsc u:object_r:modem_efs_partition_device:s0
-/dev/block/platform/soc/1da4000.ufshc/by-name/fsg u:object_r:modem_efs_partition_device:s0
-/dev/block/platform/soc/1da4000.ufshc/by-name/modemst1 u:object_r:modem_efs_partition_device:s0
-/dev/block/platform/soc/1da4000.ufshc/by-name/modemst2 u:object_r:modem_efs_partition_device:s0
-/dev/block/platform/soc/1da4000.ufshc/by-name/ssd u:object_r:ssd_device:s0
-/dev/block/platform/soc/1da4000.ufshc/by-name/misc u:object_r:misc_block_device:s0
-/dev/block/platform/soc/1da4000.ufshc/by-name/rpm u:object_r:rpmb_device:s0
-/dev/block/platform/soc/1da4000.ufshc/by-name/msadp u:object_r:mba_debug_dev:s0
-/dev/block/platform/soc/1da4000.ufshc/by-name/recovery u:object_r:recovery_block_device:s0
-/dev/block/platform/soc/1da4000.ufshc/by-name/cache u:object_r:cache_block_device:s0
-/dev/block/platform/soc/1da4000.ufshc/by-name/frp u:object_r:frp_block_device:s0
-/dev/block/platform/soc/1da4000.ufshc/by-name/mdtp u:object_r:mdtp_device:s0
-/dev/block/platform/soc/1da4000.ufshc/by-name/dip u:object_r:dip_device:s0
-
-#rawdump partition
-/dev/block/platform/soc/1da4000.ufshc/by-name/rawdump u:object_r:rawdump_block_device:s0
-/sys/kernel/dload/emmc_dload u:object_r:sysfs_emmc_dload:s0
-
-###################################
-# Dev socket nodes
-#
-/dev/socket/qvrservice u:object_r:qvrd_socket:s0
-
-###################################
-# System files
-#
-/system/bin/qvop-daemon u:object_r:qvop_exec:s0
-/system/vendor/bin/qvrservice u:object_r:qvrd_exec:s0
-
-###################################
-# data files
-#
-/data/misc/qvop(/.*)? u:object_r:qvop_data_file:s0
-/data/misc/qvr(/.*)? u:object_r:qvrd_data_file:s0
-
-##################################
-# non-hlos mount points
-/firmware u:object_r:firmware_file:s0
-/bt_firmware u:object_r:bt_firmware_file:s0
-
-##################################
-# FBE
-/system/bin/init.qcom.qseecomd.sh u:object_r:init-qcom-fbe-sh_exec:s0
-
-###################################
-# sysfs files
-#
-/sys/devices/soc/75ba000.i2c/i2c-12/12-0020/input/input[0-9]/secure_touch_enable u:object_r:sysfs_securetouch:s0
-/sys/devices/virtual/graphics/fb([0-3])+/lineptr_value u:object_r:sysfs_graphics:s0
diff --git a/msmcobalt/idmap.te b/msmcobalt/idmap.te
deleted file mode 100644
index 84b11e8f..00000000
--- a/msmcobalt/idmap.te
+++ /dev/null
@@ -1,30 +0,0 @@
-# Copyright (c) 2016, The Linux Foundation. All rights reserved.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions are
-# met:
-# * Redistributions of source code must retain the above copyright
-# notice, this list of conditions and the following disclaimer.
-# * Redistributions in binary form must reproduce the above
-# copyright notice, this list of conditions and the following
-# disclaimer in the documentation and/or other materials provided
-# with the distribution.
-# * Neither the name of The Linux Foundation nor the names of its
-# contributors may be used to endorse or promote products derived
-# from this software without specific prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
-# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
-# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
-# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
-# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
-# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
-# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-#for oemfs
-allow idmap oemfs:file r_file_perms;
-allow idmap oemfs:dir r_dir_perms;
diff --git a/msmcobalt/init-qcom-fbe-sh.te b/msmcobalt/init-qcom-fbe-sh.te
deleted file mode 100644
index 2eba9da1..00000000
--- a/msmcobalt/init-qcom-fbe-sh.te
+++ /dev/null
@@ -1,36 +0,0 @@
-# Copyright (c) 2016, The Linux Foundation. All rights reserved.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions are
-# met:
-# * Redistributions of source code must retain the above copyright
-# notice, this list of conditions and the following disclaimer.
-# * Redistributions in binary form must reproduce the above
-# copyright notice, this list of conditions and the following
-# disclaimer in the documentation and/or other materials provided
-# with the distribution.
-# * Neither the name of The Linux Foundation nor the names of its
-# contributors may be used to endorse or promote products derived
-# from this software without specific prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
-# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
-# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
-# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
-# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
-# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
-# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-type init-qcom-fbe-sh, domain;
-type init-qcom-fbe-sh_exec, exec_type, file_type;
-
-init_daemon_domain(init-qcom-fbe-sh)
-
-allow init-qcom-fbe-sh shell_exec:file rx_file_perms;
-
-# execute toybox/toolbox
-allow init-qcom-fbe-sh toolbox_exec:file rx_file_perms;
diff --git a/msmcobalt/init_shell.te b/msmcobalt/init_shell.te
deleted file mode 100644
index ef747698..00000000
--- a/msmcobalt/init_shell.te
+++ /dev/null
@@ -1,33 +0,0 @@
-# Copyright (c) 2016, The Linux Foundation. All rights reserved.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions are
-# met:
-# * Redistributions of source code must retain the above copyright
-# notice, this list of conditions and the following disclaimer.
-# * Redistributions in binary form must reproduce the above
-# copyright notice, this list of conditions and the following
-# disclaimer in the documentation and/or other materials provided
-# with the distribution.
-# * Neither the name of The Linux Foundation nor the names of its
-# contributors may be used to endorse or promote products derived
-# from this software without specific prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
-# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
-# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
-# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
-# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
-# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
-# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-# For regionalization
-allow qti_init_shell regionalization_file:dir r_dir_perms;
-allow qti_init_shell regionalization_file:file create_file_perms;
-
-# For VR
-allow qti_init_shell ctl_qvrd_prop:property_service set;
diff --git a/msmcobalt/mm-qcamerad.te b/msmcobalt/mm-qcamerad.te
deleted file mode 100644
index 5e3ff470..00000000
--- a/msmcobalt/mm-qcamerad.te
+++ /dev/null
@@ -1,29 +0,0 @@
-# Copyright (c) 2016, The Linux Foundation. All rights reserved.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions are
-# met:
-# * Redistributions of source code must retain the above copyright
-# notice, this list of conditions and the following disclaimer.
-# * Redistributions in binary form must reproduce the above
-# copyright notice, this list of conditions and the following
-# disclaimer in the documentation and/or other materials provided
-# with the distribution.
-# * Neither the name of The Linux Foundation nor the names of its
-# contributors may be used to endorse or promote products derived
-# from this software without specific prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
-# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
-# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
-# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
-# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
-# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
-# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-#Allow camera to work normally in VR mode
-binder_call(mm-qcamerad, qvrd)
diff --git a/msmcobalt/platform_app.te b/msmcobalt/platform_app.te
deleted file mode 100644
index 919f16f5..00000000
--- a/msmcobalt/platform_app.te
+++ /dev/null
@@ -1,29 +0,0 @@
-# Copyright (c) 2016, The Linux Foundation. All rights reserved.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions are
-# met:
-# * Redistributions of source code must retain the above copyright
-# notice, this list of conditions and the following disclaimer.
-# * Redistributions in binary form must reproduce the above
-# copyright notice, this list of conditions and the following
-# disclaimer in the documentation and/or other materials provided
-# with the distribution.
-# * Neither the name of The Linux Foundation nor the names of its
-# contributors may be used to endorse or promote products derived
-# from this software without specific prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
-# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
-# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
-# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
-# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
-# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
-# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-#for oemfs
-allow platform_app oemfs:lnk_file { read getattr };
diff --git a/msmcobalt/priv_app.te b/msmcobalt/priv_app.te
deleted file mode 100644
index 203ed549..00000000
--- a/msmcobalt/priv_app.te
+++ /dev/null
@@ -1,29 +0,0 @@
-# Copyright (c) 2016, The Linux Foundation. All rights reserved.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions are
-# met:
-# * Redistributions of source code must retain the above copyright
-# notice, this list of conditions and the following disclaimer.
-# * Redistributions in binary form must reproduce the above
-# copyright notice, this list of conditions and the following
-# disclaimer in the documentation and/or other materials provided
-# with the distribution.
-# * Neither the name of The Linux Foundation nor the names of its
-# contributors may be used to endorse or promote products derived
-# from this software without specific prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
-# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
-# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
-# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
-# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
-# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
-# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-#for oemfs
-allow priv_app oemfs:lnk_file { read getattr };
diff --git a/msmcobalt/property.te b/msmcobalt/property.te
deleted file mode 100644
index e317966c..00000000
--- a/msmcobalt/property.te
+++ /dev/null
@@ -1,29 +0,0 @@
-# Copyright (c) 2016, The Linux Foundation. All rights reserved.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions are
-# met:
-# * Redistributions of source code must retain the above copyright
-# notice, this list of conditions and the following disclaimer.
-# * Redistributions in binary form must reproduce the above
-# copyright notice, this list of conditions and the following
-# disclaimer in the documentation and/or other materials provided
-# with the distribution.
-# * Neither the name of The Linux Foundation nor the names of its
-# contributors may be used to endorse or promote products derived
-# from this software without specific prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
-# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
-# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
-# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
-# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
-# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
-# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-#properties for qvrd
-type ctl_qvrd_prop, property_type;
diff --git a/msmcobalt/property_contexts b/msmcobalt/property_contexts
deleted file mode 100644
index 9548ba89..00000000
--- a/msmcobalt/property_contexts
+++ /dev/null
@@ -1,28 +0,0 @@
-# Copyright (c) 2016, The Linux Foundation. All rights reserved.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions are
-# met:
-# * Redistributions of source code must retain the above copyright
-# notice, this list of conditions and the following disclaimer.
-# * Redistributions in binary form must reproduce the above
-# copyright notice, this list of conditions and the following
-# disclaimer in the documentation and/or other materials provided
-# with the distribution.
-# * Neither the name of The Linux Foundation nor the names of its
-# contributors may be used to endorse or promote products derived
-# from this software without specific prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
-# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
-# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
-# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
-# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
-# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
-# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-ctl.qvrd u:object_r:ctl_qvrd_prop:s0
diff --git a/msmcobalt/qseecomd.te b/msmcobalt/qseecomd.te
deleted file mode 100644
index 0e940c59..00000000
--- a/msmcobalt/qseecomd.te
+++ /dev/null
@@ -1,30 +0,0 @@
-# Copyright (c) 2016, The Linux Foundation. All rights reserved.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions are
-# met:
-# * Redistributions of source code must retain the above copyright
-# notice, this list of conditions and the following disclaimer.
-# * Redistributions in binary form must reproduce the above
-# copyright notice, this list of conditions and the following
-# disclaimer in the documentation and/or other materials provided
-# with the distribution.
-# * Neither the name of The Linux Foundation nor the names of its
-# contributors may be used to endorse or promote products derived
-# from this software without specific prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
-# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
-# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
-# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
-# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
-# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
-# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-# Provide access to Q VoicePrint
-allow tee qvop_data_file:dir create_dir_perms;
-allow tee qvop_data_file:file create_file_perms;
diff --git a/msmcobalt/qti-logkit.te b/msmcobalt/qti-logkit.te
deleted file mode 100644
index 725cf476..00000000
--- a/msmcobalt/qti-logkit.te
+++ /dev/null
@@ -1,33 +0,0 @@
-# Copyright (c) 2016, The Linux Foundation. All rights reserved.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions are
-# met:
-# * Redistributions of source code must retain the above copyright
-# notice, this list of conditions and the following disclaimer.
-# * Redistributions in binary form must reproduce the above
-# copyright notice, this list of conditions and the following
-# disclaimer in the documentation and/or other materials provided
-# with the distribution.
-# * Neither the name of The Linux Foundation nor the names of its
-# contributors may be used to endorse or promote products derived
-# from this software without specific prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
-# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
-# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
-# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
-# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
-# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
-# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-# allow qti_logkit for rawdump partition
-allow qti_logkit block_device:dir r_dir_perms;
-allow qti_logkit rawdump_block_device:blk_file rw_file_perms;
-
-# allow qti_logkit for sysfs emmc dload node
-allow qti_logkit sysfs_emmc_dload:file rw_file_perms;
diff --git a/msmcobalt/qvop.te b/msmcobalt/qvop.te
deleted file mode 100644
index ce69fa4d..00000000
--- a/msmcobalt/qvop.te
+++ /dev/null
@@ -1,46 +0,0 @@
-# Copyright (c) 2016, The Linux Foundation. All rights reserved.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions are
-# met:
-# * Redistributions of source code must retain the above copyright
-# notice, this list of conditions and the following disclaimer.
-# * Redistributions in binary form must reproduce the above
-# copyright notice, this list of conditions and the following
-# disclaimer in the documentation and/or other materials provided
-# with the distribution.
-# * Neither the name of The Linux Foundation nor the names of its
-# contributors may be used to endorse or promote products derived
-# from this software without specific prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
-# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
-# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
-# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
-# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
-# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
-# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-type qvop, domain;
-type qvop_exec, exec_type, file_type;
-
-init_daemon_domain(qvop)
-
-allow qvop qvop_data_file:dir create_dir_perms;
-allow qvop qvop_data_file:file create_file_perms;
-
-binder_call(qvop, system_app)
-
-# Add IQvopService service
-allow qvop iqvop_service:service_manager add;
-
-binder_use(qvop)
-
-allow qvop tee_device:chr_file rw_file_perms;
-r_dir_file(qvop, firmware_file)
-
-allow qvop ion_device:chr_file r_file_perms;
\ No newline at end of file
diff --git a/msmcobalt/qvrd.te b/msmcobalt/qvrd.te
deleted file mode 100644
index 778ae61e..00000000
--- a/msmcobalt/qvrd.te
+++ /dev/null
@@ -1,99 +0,0 @@
-# Copyright (c) 2016, The Linux Foundation. All rights reserved.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions are
-# met:
-# * Redistributions of source code must retain the above copyright
-# notice, this list of conditions and the following disclaimer.
-# * Redistributions in binary form must reproduce the above
-# copyright notice, this list of conditions and the following
-# disclaimer in the documentation and/or other materials provided
-# with the distribution.
-# * Neither the name of The Linux Foundation nor the names of its
-# contributors may be used to endorse or promote products derived
-# from this software without specific prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
-# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
-# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
-# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
-# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
-# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
-# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-type qvrd, domain, mlstrustedsubject;
-type qvrd_exec, exec_type, file_type;
-
-init_daemon_domain(qvrd)
-
-#
-# General
-#
-
-# Allow interracting with qvrd directory
-allow qvrd qvrd_data_file:dir create_dir_perms;
-allow qvrd qvrd_data_file:file create_file_perms;
-
-# Allow access to our socket
-allow qvrd qvrd_socket:sock_file rw_file_perms;
-
-#
-# Sensors
-#
-
-# Allow access to ADSP & SLPI
-allow qvrd { ion_device qdsp_device dsp_device }:chr_file r_file_perms;
-
-# Allow access to adsprpcd
-r_dir_file(qvrd, adsprpcd_file);
-allow qvrd system_file:dir read;
-
-#
-# Display
-#
-
-# Allow access to /sys/devices/virtual/graphics/fb* for lineptr interrupts
-allow qvrd sysfs_graphics:file rw_file_perms;
-
-# Allow access to /dev/graphics/fb0 for configuring vsync interrupts
-allow qvrd graphics_device:dir r_dir_perms;
-allow qvrd graphics_device:chr_file rw_file_perms;
-
-#
-# Scheduler
-#
-
-allow qvrd self:capability { sys_nice };
-userdebug_or_eng(`
- allow qvrd su:process setsched;
-')
-allow qvrd appdomain:process setsched;
-
-#
-# Camera
-#
-
-# Allow access to camera HAL
-allow qvrd { gpu_device video_device camera_device sensors_device }:chr_file rw_file_perms;
-allow qvrd camera_data_file:dir rw_dir_perms;
-allow qvrd camera_data_file:sock_file w_file_perms;
-allow qvrd mm-qcamerad:unix_dgram_socket sendto;
-binder_use(qvrd)
-binder_call(qvrd, surfaceflinger);
-allow qvrd surfaceflinger_service:service_manager find;
-allow qvrd sysfs:file r_file_perms;
-
-# Allow access to /dev/video/* devices
-allow qvrd video_device:dir r_dir_perms;
-
-unix_socket_connect(qvrd, mpctl, perfd)
-
-# Allow access to sensor1 API
-allow qvrd self:socket create_socket_perms;
-allow qvrd persist_file:dir r_dir_perms;
-allow qvrd sensors_persist_file:dir r_dir_perms;
-allow qvrd sensors_persist_file:file r_file_perms;
diff --git a/msmcobalt/recovery.te b/msmcobalt/recovery.te
deleted file mode 100644
index ef6eb7b0..00000000
--- a/msmcobalt/recovery.te
+++ /dev/null
@@ -1,30 +0,0 @@
-# Copyright (c) 2016, The Linux Foundation. All rights reserved.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions are
-# met:
-# * Redistributions of source code must retain the above copyright
-# notice, this list of conditions and the following disclaimer.
-# * Redistributions in binary form must reproduce the above
-# copyright notice, this list of conditions and the following
-# disclaimer in the documentation and/or other materials provided
-# with the distribution.
-# * Neither the name of The Linux Foundation nor the names of its
-# contributors may be used to endorse or promote products derived
-# from this software without specific prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
-# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
-# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
-# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
-# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
-# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
-# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-recovery_only(`
- allow recovery shell_exec:file x_file_perms;
-')
diff --git a/msmcobalt/ridl.te b/msmcobalt/ridl.te
deleted file mode 100644
index 0147c26c..00000000
--- a/msmcobalt/ridl.te
+++ /dev/null
@@ -1,33 +0,0 @@
-# Copyright (c) 2016, The Linux Foundation. All rights reserved.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions are
-# met:
-# * Redistributions of source code must retain the above copyright
-# notice, this list of conditions and the following disclaimer.
-# * Redistributions in binary form must reproduce the above
-# copyright notice, this list of conditions and the following
-# disclaimer in the documentation and/or other materials provided
-# with the distribution.
-# * Neither the name of The Linux Foundation nor the names of its
-# contributors may be used to endorse or promote products derived
-# from this software without specific prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
-# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
-# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
-# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
-# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
-# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
-# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-# allow RIDL for rawdump partition
-allow RIDL block_device:dir r_dir_perms;
-allow RIDL rawdump_block_device:blk_file rw_file_perms;
-
-# allow RIDL for enable sysfs node
-allow RIDL sysfs_emmc_dload:file rw_file_perms;
diff --git a/msmcobalt/service.te b/msmcobalt/service.te
deleted file mode 100644
index ad41b5fa..00000000
--- a/msmcobalt/service.te
+++ /dev/null
@@ -1,31 +0,0 @@
-# Copyright (c) 2016, The Linux Foundation. All rights reserved.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions are
-# met:
-# * Redistributions of source code must retain the above copyright
-# notice, this list of conditions and the following disclaimer.
-# * Redistributions in binary form must reproduce the above
-# copyright notice, this list of conditions and the following
-# disclaimer in the documentation and/or other materials provided
-# with the distribution.
-# * Neither the name of The Linux Foundation nor the names of its
-# contributors may be used to endorse or promote products derived
-# from this software without specific prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
-# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
-# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
-# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
-# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
-# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
-# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-# regionalization service
-type regionalization_service, system_api_service, service_manager_type;
-
-type iqvop_service, service_manager_type;
\ No newline at end of file
diff --git a/msmcobalt/service_contexts b/msmcobalt/service_contexts
deleted file mode 100644
index 20ab6358..00000000
--- a/msmcobalt/service_contexts
+++ /dev/null
@@ -1,31 +0,0 @@
-# Copyright (c) 2016, The Linux Foundation. All rights reserved.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions are
-# met:
-# * Redistributions of source code must retain the above copyright
-# notice, this list of conditions and the following disclaimer.
-# * Redistributions in binary form must reproduce the above
-# copyright notice, this list of conditions and the following
-# disclaimer in the documentation and/or other materials provided
-# with the distribution.
-# * Neither the name of The Linux Foundation nor the names of its
-# contributors may be used to endorse or promote products derived
-# from this software without specific prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
-# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
-# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
-# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
-# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
-# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
-# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-# Regionalization service
-regionalization u:object_r:regionalization_service:s0
-
-android.apps.IQvopService u:object_r:iqvop_service:s0
\ No newline at end of file
diff --git a/msmcobalt/surfaceflinger.te b/msmcobalt/surfaceflinger.te
deleted file mode 100644
index ff6ea3d3..00000000
--- a/msmcobalt/surfaceflinger.te
+++ /dev/null
@@ -1,33 +0,0 @@
-# Copyright (c) 2016, The Linux Foundation. All rights reserved.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions are
-# met:
-# * Redistributions of source code must retain the above copyright
-# notice, this list of conditions and the following disclaimer.
-# * Redistributions in binary form must reproduce the above
-# copyright notice, this list of conditions and the following
-# disclaimer in the documentation and/or other materials provided
-# with the distribution.
-# * Neither the name of The Linux Foundation nor the names of its
-# contributors may be used to endorse or promote products derived
-# from this software without specific prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
-# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
-# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
-# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
-# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
-# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
-# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-###################################
-
-#TODO:Remove after bringup: msmcobalt specific
-userdebug_or_eng(`
-allow surfaceflinger self:process execmem;
-allow surfaceflinger ashmem_device:chr_file execute;
-')
diff --git a/msmcobalt/system_app.te b/msmcobalt/system_app.te
deleted file mode 100644
index d11659b6..00000000
--- a/msmcobalt/system_app.te
+++ /dev/null
@@ -1,30 +0,0 @@
-# Copyright (c) 2016, The Linux Foundation. All rights reserved.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions are
-# met:
-# * Redistributions of source code must retain the above copyright
-# notice, this list of conditions and the following disclaimer.
-# * Redistributions in binary form must reproduce the above
-# copyright notice, this list of conditions and the following
-# disclaimer in the documentation and/or other materials provided
-# with the distribution.
-# * Neither the name of The Linux Foundation nor the names of its
-# contributors may be used to endorse or promote products derived
-# from this software without specific prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
-# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
-# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
-# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
-# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
-# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
-# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-binder_call(system_app, qvop)
-#for oemfs
-allow system_app oemfs:lnk_file { read getattr };
diff --git a/msmcobalt/system_server.te b/msmcobalt/system_server.te
deleted file mode 100644
index 54c7faa6..00000000
--- a/msmcobalt/system_server.te
+++ /dev/null
@@ -1,33 +0,0 @@
-# Copyright (c) 2016, The Linux Foundation. All rights reserved.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions are
-# met:
-# * Redistributions of source code must retain the above copyright
-# notice, this list of conditions and the following disclaimer.
-# * Redistributions in binary form must reproduce the above
-# copyright notice, this list of conditions and the following
-# disclaimer in the documentation and/or other materials provided
-# with the distribution.
-# * Neither the name of The Linux Foundation nor the names of its
-# contributors may be used to endorse or promote products derived
-# from this software without specific prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
-# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
-# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
-# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
-# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
-# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
-# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-# For Regionalization service
-allow system_server regionalization_service:service_manager { add find };
-allow system_server regionalization_file:file rw_file_perms;
-allow system_server regionalization_file:dir r_dir_perms;
-allow system_server resourcecache_data_file:dir create_dir_perms;
-allow system_server resourcecache_data_file:file create_file_perms;
diff --git a/msmcobalt/untrusted_app.te b/msmcobalt/untrusted_app.te
deleted file mode 100644
index e8b029e1..00000000
--- a/msmcobalt/untrusted_app.te
+++ /dev/null
@@ -1,30 +0,0 @@
-# Copyright (c) 2016, The Linux Foundation. All rights reserved.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions are
-# met:
-# * Redistributions of source code must retain the above copyright
-# notice, this list of conditions and the following disclaimer.
-# * Redistributions in binary form must reproduce the above
-# copyright notice, this list of conditions and the following
-# disclaimer in the documentation and/or other materials provided
-# with the distribution.
-# * Neither the name of The Linux Foundation nor the names of its
-# contributors may be used to endorse or promote products derived
-# from this software without specific prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
-# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
-# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
-# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
-# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
-# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
-# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-
-# for oemfs
-allow untrusted_app oemfs:lnk_file { read getattr };
diff --git a/msmcobalt/zygote.te b/msmcobalt/zygote.te
deleted file mode 100644
index c8d772e4..00000000
--- a/msmcobalt/zygote.te
+++ /dev/null
@@ -1,33 +0,0 @@
-# Copyright (c) 2016, The Linux Foundation. All rights reserved.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions are
-# met:
-# * Redistributions of source code must retain the above copyright
-# notice, this list of conditions and the following disclaimer.
-# * Redistributions in binary form must reproduce the above
-# copyright notice, this list of conditions and the following
-# disclaimer in the documentation and/or other materials provided
-# with the distribution.
-# * Neither the name of The Linux Foundation nor the names of its
-# contributors may be used to endorse or promote products derived
-# from this software without specific prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
-# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
-# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
-# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
-# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
-# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
-# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-# For regionalization
-allow zygote persist_file:dir r_dir_perms;
-allow zygote regionalization_file:dir r_dir_perms;
-allow zygote regionalization_file:file r_file_perms;
-allow zygote oemfs:dir r_dir_perms;
-allow zygote oemfs:file r_file_perms;
-- cgit v1.2.3