From 0d3e3d89ebe40683a86e780fb424e00586b2e0ff Mon Sep 17 00:00:00 2001 From: Paras Nagda Date: Mon, 3 Oct 2016 18:39:53 +0530 Subject: Sepolicy: Allow mediaserver to access media_msm8956_version_prop mediaserver should be able to access media_msm8956_version_prop Change-Id: I9f68b416706b1c16d70cf73de6d4af03afbb455d --- msm8952/mediaserver.te | 1 + 1 file changed, 1 insertion(+) diff --git a/msm8952/mediaserver.te b/msm8952/mediaserver.te index 5bd54323..f642e817 100644 --- a/msm8952/mediaserver.te +++ b/msm8952/mediaserver.te @@ -30,3 +30,4 @@ allow mediaserver media_msm8956hw_prop:file r_file_perms; allow mediaserver media_settings_xml_prop:file r_file_perms; allow mediaserver seempd:unix_dgram_socket sendto; allow mediaserver seempdw_socket:sock_file write; +allow mediaserver media_msm8956_version_prop:file r_file_perms; -- cgit v1.2.3 From d79aea350e7caa0fc86b16c573f3abbf73b23e4c Mon Sep 17 00:00:00 2001 From: Clarence Wong Date: Fri, 7 Oct 2016 14:41:04 -0700 Subject: Add GOTA sepolicy access for RIDL/RIDL 2.0 For most recent OS, context for /cache/recovery has changed. RIDL/RIDL 2.0 need to read/write to this directory for GOTA. Change-Id: I9154b3726a182385744786b95a3d67488fd6e8e7 CRs-Fixed: 1075722 --- common/qti-logkit.te | 4 ++++ common/ridl.te | 2 ++ 2 files changed, 6 insertions(+) diff --git a/common/qti-logkit.te b/common/qti-logkit.te index b1f9d552..6e5e4288 100644 --- a/common/qti-logkit.te +++ b/common/qti-logkit.te @@ -75,3 +75,7 @@ binder_call(qti_logkit, system_server) # allow logcat access read_logd( qti_logkit ); + +# allow access to recovery directory +allow qti_logkit cache_recovery_file:dir rw_dir_perms; +allow qti_logkit cache_recovery_file:file create_file_perms; diff --git a/common/ridl.te b/common/ridl.te index 90f9d366..817c630e 100644 --- a/common/ridl.te +++ b/common/ridl.te @@ -71,6 +71,8 @@ binder_call(RIDL, system_server) # recovery allow RIDL cache_file:dir create_dir_perms; allow RIDL cache_file:file create_file_perms; +allow RIDL cache_recovery_file:dir rw_dir_perms; +allow RIDL cache_recovery_file:file create_file_perms; # reboot recovery allow RIDL powerctl_prop:property_service set; -- cgit v1.2.3 From 77593386ef64557ecd886c7eb53112604d6839a6 Mon Sep 17 00:00:00 2001 From: Nirmal Abraham Date: Fri, 14 Oct 2016 15:10:20 +0530 Subject: sepolicy : Allow mm-pp-daemon access to diag The access to diag was restricted as part of this commit 'sepolicy: Restrict diag access available to domains'. This prevents mm-pp-daemon from accessing diag which results in failure of QDCM PC tool connection with the device/pp-daemon. To resolve this, allow mm-pp-daemon r/w access to diag. CRs-Fixed: 1077354 Change-Id: I10388ef8cf5855d12a7053bbffffdb70a3ba162b --- common/mm-pp-daemon.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/common/mm-pp-daemon.te b/common/mm-pp-daemon.te index 197ddaf4..e4e9343e 100644 --- a/common/mm-pp-daemon.te +++ b/common/mm-pp-daemon.te @@ -46,6 +46,9 @@ userdebug_or_eng(` # This allows pp-daemon to set debug property allow mm-pp-daemon debug_prop:property_service set; + + # This allow pp-daemon access to diag + diag_use(mm-pp-daemon) ') # Allow mm-pp-daemon to change the brightness of the target during display -- cgit v1.2.3 From ec83f6b98a0ca719700017eabb49730dcf5c98cb Mon Sep 17 00:00:00 2001 From: Sashidhar Ganiga Date: Wed, 5 Oct 2016 19:06:29 +0530 Subject: sepolicy: allow writing firmware files in recovery mode. FOTA upgrading requires writing firmware images into vfat firmware partition in recovery mode. Change-Id: I0bd61196ea7acf00582e58980aaeb3cf5128aa7a --- common/recovery.te | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/common/recovery.te b/common/recovery.te index c83bc974..210c4050 100644 --- a/common/recovery.te +++ b/common/recovery.te @@ -3,7 +3,8 @@ recovery_only(` allow recovery sdcard_type:dir r_dir_perms; allow recovery sdcard_type:file r_file_perms; allow recovery vfat:dir r_dir_perms; - allow recovery vfat:file r_file_perms; + allow recovery vfat:file create_file_perms; + allow recovery vfat:file rw_file_perms; allow recovery system_data_file:file r_file_perms; allow recovery system_data_file:dir r_dir_perms; allow recovery RIDL_data_file:file r_file_perms; -- cgit v1.2.3 From 529ab5919fd5542fec0139fa67b658f41da0596d Mon Sep 17 00:00:00 2001 From: Kiran Kelageri Date: Fri, 14 Oct 2016 16:34:21 -0700 Subject: Bluetooth: Add permission for filter. Allow wcnss filter to access persist file. Change-Id: Iff58f7faab7ccf67b77f0360ad0b855826ad56fd --- common/wcnss_filter.te | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/common/wcnss_filter.te b/common/wcnss_filter.te index 7d84a76e..41045f60 100644 --- a/common/wcnss_filter.te +++ b/common/wcnss_filter.te @@ -50,6 +50,10 @@ r_dir_file(wcnss_filter, bt_firmware_file) allow wcnss_filter bluetooth_data_file:dir create_dir_perms; allow wcnss_filter bluetooth_data_file:notdevfile_class_set create_file_perms; +allow wcnss_filter persist_bluetooth_file:dir r_dir_perms; +allow wcnss_filter persist_bluetooth_file:file r_file_perms; +allow wcnss_filter persist_file:dir r_dir_perms; + #diag userdebug_or_eng(` diag_use(wcnss_filter) -- cgit v1.2.3 From 4f2efc632b39e39e83b996eab7f7d7bb8fcf170c Mon Sep 17 00:00:00 2001 From: Shaheda Begum Date: Fri, 14 Oct 2016 15:09:22 +0530 Subject: Add SELinux support for factory reset protection Map factory reset protection into SELinux sepolicy/file_contexts Change-Id: Ibd3198cc38e0446e1862b178f8d4c5ae8f8dc0c9 CRs-Fixed: 1078078 --- msm8909/file_contexts | 1 + msm8916/file_contexts | 1 + 2 files changed, 2 insertions(+) diff --git a/msm8909/file_contexts b/msm8909/file_contexts index 424d82b1..642cfb5a 100644 --- a/msm8909/file_contexts +++ b/msm8909/file_contexts @@ -35,6 +35,7 @@ /dev/block/platform/soc.0/7824900.sdhci/by-name/misc u:object_r:misc_block_device:s0 /dev/block/platform/soc.0/7824900.sdhci/by-name/userdata u:object_r:userdata_block_device:s0 /dev/block/platform/soc.0/7824900.sdhci/by-name/logdump u:object_r:logdump_partition:s0 +/dev/block/platform/soc.0/7824900.sdhci/by-name/config u:object_r:frp_block_device:s0 /dev/block/mmcblk0 u:object_r:root_block_device:s0 /dev/block/mmcblk0rpmb u:object_r:rpmb_device:s0 diff --git a/msm8916/file_contexts b/msm8916/file_contexts index 31788b3b..c59fe8fb 100644 --- a/msm8916/file_contexts +++ b/msm8916/file_contexts @@ -36,6 +36,7 @@ /dev/block/platform/soc.0/7824900.sdhci/by-name/misc u:object_r:misc_block_device:s0 /dev/block/platform/soc.0/7824900.sdhci/by-name/userdata u:object_r:userdata_block_device:s0 /dev/block/platform/soc.0/7824900.sdhci/by-name/logdump u:object_r:logdump_partition:s0 +/dev/block/platform/soc.0/7824900.sdhci/by-name/config u:object_r:frp_block_device:s0 /dev/block/mmcblk0 u:object_r:root_block_device:s0 /dev/block/mmcblk0rpmb u:object_r:rpmb_device:s0 /dev/block/platform/soc.0/7824900.sdhci/by-name/boot u:object_r:boot_block_device:s0 -- cgit v1.2.3 From de562c60d3094ff51e4a86524f5df46dccfbb477 Mon Sep 17 00:00:00 2001 From: Shahed Begum Date: Tue, 18 Oct 2016 18:51:34 +0530 Subject: Add SELinux support for factory reset protection Modified factory reset protection partition as per device specific Change-Id: I721f2d7deb4dbe89a8c3fb5ed8e9413cd58ce428 CRs-Fixed: 1078078 --- msm8992/file_contexts | 2 +- msm8994/file_contexts | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/msm8992/file_contexts b/msm8992/file_contexts index a765bc11..f4957ddb 100644 --- a/msm8992/file_contexts +++ b/msm8992/file_contexts @@ -37,7 +37,7 @@ /dev/block/platform/soc.0/f9824900.sdhci/by-name/boot u:object_r:boot_block_device:s0 /dev/block/platform/soc.0/f9824900.sdhci/by-name/recovery u:object_r:recovery_block_device:s0 /dev/block/platform/soc.0/f9824900.sdhci/by-name/cache u:object_r:cache_block_device:s0 -/dev/block/platform/soc.0/f9824900.sdhci/by-name/frp u:object_r:frp_block_device:s0 +/dev/block/platform/soc.0/f9824900.sdhci/by-name/config u:object_r:frp_block_device:s0 /dev/block/platform/soc.0/f9824900.sdhci/by-name/logdump u:object_r:logdump_partition:s0 /dev/block/mmcblk0rpmb u:object_r:rpmb_device:s0 /dev/block/mmcblk0 u:object_r:root_block_device:s0 diff --git a/msm8994/file_contexts b/msm8994/file_contexts index 5697413a..4c073044 100644 --- a/msm8994/file_contexts +++ b/msm8994/file_contexts @@ -57,5 +57,5 @@ /dev/block/platform/soc.0/f9824900.sdhci/by-name/boot u:object_r:boot_block_device:s0 /dev/block/platform/soc.0/f9824900.sdhci/by-name/recovery u:object_r:recovery_block_device:s0 /dev/block/platform/soc.0/f9824900.sdhci/by-name/cache u:object_r:cache_block_device:s0 -/dev/block/platform/soc.0/f9824900.sdhci/by-name/frp u:object_r:frp_block_device:s0 +/dev/block/platform/soc.0/f9824900.sdhci/by-name/config u:object_r:frp_block_device:s0 /dev/block/platform/soc.0/f9824900.sdhci/by-name/logdump u:object_r:logdump_partition:s0 -- cgit v1.2.3 From 3a8c3c28cb209f2fae91aa331515a346f89533ed Mon Sep 17 00:00:00 2001 From: Divya Narayanan Poojary Date: Wed, 19 Oct 2016 13:00:49 +0530 Subject: sepolicy: per_mgr: Allow services to find peripheral_manager mediaserver and per_mgr_proxy can now correctly talk to service manager in order to get the information needed to initiate the binder call to peripheral manager. CRs-fixed: 1072628 Change-Id: I919827b1b4adcb2aaec9dc10eabae243fe003392 --- common/audioserver.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/common/audioserver.te b/common/audioserver.te index f55459a0..785da0a2 100644 --- a/common/audioserver.te +++ b/common/audioserver.te @@ -54,3 +54,6 @@ allow audioserver sysfs:file rw_file_perms; userdebug_or_eng(` diag_use(audioserver) ') + +#Rules for audioserver to talk to peripheral manager +use_per_mgr(audioserver); -- cgit v1.2.3 From 22cbbd8e94223fb1970bc88724682cc48e231942 Mon Sep 17 00:00:00 2001 From: Biswajit Paul Date: Wed, 21 Sep 2016 15:05:19 -0700 Subject: USB: dontaudit init to write to sysfs directory USB configuration are replaced by configfs on kernel v4.4. This causes denials for older version when init tries to write to sysfs directories. Add a dontaudit to init to avoid denial CRs-Fixed: 1069632 Change-Id: Idad0f1a6bc2b193f69cbc128c08eb20576897bd8 --- common/init.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/common/init.te b/common/init.te index 6cde24b0..772e5fe4 100644 --- a/common/init.te +++ b/common/init.te @@ -31,3 +31,6 @@ allow init configfs:lnk_file create_file_perms; #Allow init to mount non-hlos partitions in A/B builds allow init firmware_file:dir { mounton }; allow init bt_firmware_file:dir { mounton }; + +#dontaudit non configfs usb denials +dontaudit init sysfs:dir write; -- cgit v1.2.3