From 48441f44725e560b9f3a77b8370fe36cd8ca0038 Mon Sep 17 00:00:00 2001
From: Zohaib Alam
Date: Thu, 13 Nov 2014 09:12:02 -0500
Subject: Seandroid: Add policies to enable all QDCM functionalities

Address all SELinux denial messages related to QDCM tool functionality and the color service SDK application.

Add policies to allow:
1- /persist/ read & write for display confid
2- /data/misc/display/ read & write
3- Allow access to colorservice for display sdk from android app.
4- Enable pp-daemon functionalities for the non user-debug and eng builds, since OEMs actively use QDCM tool, and they require full functionality.

Change-Id: I43545eaf8e63f0e43f40197cd01cddc8c6a5351a
---
 common/mm-pp-daemon.te | 30 +++++++++++++++++-------------
 common/service.te | 1 +
 common/service_contexts | 1 +
 common/surfaceflinger.te | 5 +----
 common/system_app.te | 3 +++
 5 files changed, 23 insertions(+), 17 deletions(-)

(limited to 'common')

diff --git a/common/mm-pp-daemon.te b/common/mm-pp-daemon.te
index 5a623349..6c9ad161 100755
--- a/common/mm-pp-daemon.te
+++ b/common/mm-pp-daemon.te
@@ -8,14 +8,17 @@ init_daemon_domain(mm-pp-daemon)
 allow mm-pp-daemon graphics_device:chr_file rw_file_perms;
 allow mm-pp-daemon graphics_device:dir search;
-# Allow reading calibration data from persist
-allow mm-pp-daemon persist_file:file r_file_perms;
-allow mm-pp-daemon persist_file:dir search;
+# Allow reading/writing to persist
+# The color config file is dynamically created
+allow mm-pp-daemon persist_file:dir rw_dir_perms;
+allow mm-pp-daemon persist_file:file create_file_perms;
+
+# Allow reading/writing data config files
+allow mm-pp-daemon display_config:dir create_dir_perms;
+allow mm-pp-daemon display_config:file create_file_perms;
-# Allow pp daemon to save settings to /data
-allow mm-pp-daemon display_config:file rw_file_perms;
 allow mm-pp-daemon system_prop:property_service set;
-#Calibration can only be done on userdebug or eng builds
+
 userdebug_or_eng(`
 # Display calibration service opens /dev/diag in order to communicate with the
 # target device
@@ -32,12 +35,13 @@ userdebug_or_eng(`
 allow mm-pp-daemon shell_exec:file rx_file_perms;
 allow mm-pp-daemon system_file:file execute_no_trans;
 allow mm-pp-daemon zygote_exec:file rx_file_perms;
+ allow mm-pp-daemon self:process ptrace;
+')
- # Allow writing to persist
- allow mm-pp-daemon persist_file:file rw_file_perms;
+# Allow mm-pp-daemon to change the brightness of the target during display
+# calibration
+allow mm-pp-daemon sysfs:file rw_file_perms;
- # Allow mm-pp-daemon to change the brightness of the target during display
- # calibration
- allow mm-pp-daemon sysfs:file rw_file_perms;
- unix_socket_connect(mm-pp-daemon, property, init)
-')
+# Allow socket calls in pp-daemon
+unix_socket_connect(mm-pp-daemon, property, init)
+unix_socket_connect(mm-pp-daemon, pps, init)
diff --git a/common/service.te b/common/service.te
index ec90dda1..e6625706 100644
--- a/common/service.te
+++ b/common/service.te
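Review bot: The new `allow mm-pp-daemon persist_file:dir rw_dir_perms;` and `allow mm-pp-daemon persist_file:file create_file_perms;` rules let the daemon create, overwrite and unlink anything carrying the generic persist label, not just the dynamically created color config the comment describes, and unlike the rules they replace these now apply on user builds as well. If the config lives under a fixed path, a dedicated type keeps the grant scoped: declare a `persist_display_file` type with the same attributes persist_file has, map the config directory to it in file_contexts (neither file is part of this patch), and point the two rules at that type, keeping only `allow mm-pp-daemon persist_file:dir search;` for path traversal. The `display_config` rules below are already scoped to their own type and look fine. The userdebug_or_eng block opened at the end of this hunk is closed in the next hunk.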
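Review bot: `allow mm-pp-daemon sysfs:file rw_file_perms;` is moved out of the userdebug_or_eng block, so on user builds the daemon can now write to every file carrying the generic `sysfs` label, while the comment above it still says the only need is changing brightness during calibration. The surfaceflinger hunk in this same patch already relies on a narrower `sysfs_graphics` type; if the backlight node carries (or can be given, via genfs_contexts) that label, the rule should read `allow mm-pp-daemon sysfs_graphics:file rw_file_perms;`, with the broad `sysfs` grant left inside userdebug_or_eng if lab calibration still needs it. The added `unix_socket_connect(mm-pp-daemon, pps, init)` would also benefit from a one-line comment saying what the pps socket carries, since "Allow socket calls in pp-daemon" does not tell the next reader why a second init-created socket is needed on production builds. The userdebug_or_eng block closed by the added `')` is opened in the previous hunk.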
@@ -6,3 +6,4 @@ type wbc_service, service_manager_type;
 type dun_service, service_manager_type;
 type digitalpen_service, service_manager_type;
 type imscm_service, service_manager_type;
+type color_service, service_manager_type;
diff --git a/common/service_contexts b/common/service_contexts
index b29e165e..eccd3fdb 100644
--- a/common/service_contexts
+++ b/common/service_contexts
@@ -7,3 +7,4 @@ wbc_service u:object_r:wbc_service:s0
 dun u:object_r:dun_service:s0
 DigitalPen u:object_r:digitalpen_service:s0
 qti.ims.connectionmanagerservice u:object_r:imscm_service:s0
+com.qti.snapdragon.sdk.display.IColorService u:object_r:color_service:s0
diff --git a/common/surfaceflinger.te b/common/surfaceflinger.te
index 9c984ace..854ff8c7 100644
--- a/common/surfaceflinger.te
+++ b/common/surfaceflinger.te
@@ -2,10 +2,7 @@ allow surfaceflinger sysfs_graphics:file rw_file_perms;
 allow surfaceflinger shell_data_file:dir search;
 # Allows pp-daemon to refresh the screen in calibration mode
-userdebug_or_eng(`
- allow surfaceflinger mm-pp-daemon:dir search;
- allow surfaceflinger mm-pp-daemon:file r_file_perms;
-')
+r_dir_file(surfaceflinger, mm-pp-daemon)
 binder_call(surfaceflinger, location)
 binder_call(surfaceflinger, tee)
diff --git a/common/system_app.te b/common/system_app.te
index 3cb20080..02fb6038 100644
--- a/common/system_app.te
+++ b/common/system_app.te
@@ -29,3 +29,6 @@ allow system_app tee:unix_dgram_socket sendto;
 # access to time_daemon
 allow system_app time_daemon:unix_stream_socket connectto;
+
+# access to color service SDK
+allow system_app color_service:service_manager add;
--
cgit v1.2.3
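Review bot: The comment kept above `r_dir_file(surfaceflinger, mm-pp-daemon)` says it lets pp-daemon refresh the screen, but the rule it describes grants surfaceflinger read access to files labelled with the mm-pp-daemon domain type — presumably the daemon's /proc/<pid> entries — and the commit now grants that on user builds rather than only under userdebug_or_eng. Replacing the comment with what is actually allowed would avoid the inversion, e.g. `# Let surfaceflinger read mm-pp-daemon's /proc entries so the screen can be refreshed in calibration mode`, and it is worth confirming that this surfaceflinger-side access is really needed outside userdebug/eng now that calibration itself remains gated.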
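Review bot: `allow system_app color_service:service_manager add;` lets every app running in the system_app domain register a binder service under the name com.qti.snapdragon.sdk.display.IColorService, so any system-uid app, not only the color-service SDK app, could claim that name and receive its clients' calls. If the SDK app is the only intended provider, give it its own domain via seapp_contexts and grant `add` there; if that is not practical, at least record the trust assumption next to the rule, e.g. `# any system_app may register IColorService; the display SDK app is the only expected provider`. Clients will also need `find` on color_service to reach the service and no such rule appears in this patch, so check that the consumer domain is covered elsewhere.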