1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
|
# Copyright (c) 2015-2016 Dolby Laboratories, Inc. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
# fm_radio app needes open read write on fm_radio_device
allow system_app fm_radio_device:chr_file r_file_perms;
r_dir_file(system_app, fm_data_file);
r_dir_file(system_app, bluetooth_data_file);
r_dir_file(system_app, bt_firmware_file);
allow system_app {
ctl_default_prop
fm_prop
usf_prop
}:property_service set;
allow system_app {
atfwd_service
dun_service
# access to color service SDK
color_service
}:service_manager add;
# access to perflock
allow system_app mpctl_socket:dir r_dir_perms;
unix_socket_send(system_app, mpctl, mpdecision)
unix_socket_connect(system_app, mpctl, mpdecision)
unix_socket_send(system_app, mpctl, perfd)
unix_socket_connect(system_app, mpctl, perfd)
# access to mm-pp-daemon
unix_socket_connect(system_app, pps, mm-pp-daemon)
userdebug_or_eng(`
#allow system_app debugfs:file r_file_perms;
allow system_app su:unix_dgram_socket sendto;
allow system_app persist_file:dir r_dir_perms;
allow system_app sensors_persist_file:dir r_dir_perms;
allow system_app sensors_persist_file:file rw_file_perms;
# access to firmware file
r_dir_file(system_app, firmware_file);
# Access to tombstone segfaults
allow system_app tombstone_data_file:dir r_dir_perms;
allow system_app tombstone_data_file:file r_file_perms;
diag_use(system_app)
')
allow system_app cnd_data_file:dir w_dir_perms;
allow system_app cnd_data_file:file create_file_perms;
allow system_app bluetooth:unix_stream_socket ioctl;
# access to tee domain
allow system_app tee:unix_dgram_socket sendto;
# system app to access DTS data files
r_dir_file(system_app, dts_data_file)
# access to time_daemon
allow system_app time_daemon:unix_stream_socket connectto;
# usf (ultrasound) apps need following permissions
allow system_app usf:unix_stream_socket connectto;
allow system_app usf_data_file:sock_file write;
allow system_app usf_data_file:dir rw_dir_perms;
allow system_app usf_data_file:{ file lnk_file } create_file_perms;
#access to wifi_ftmd
allow system_app wififtmd_prop:property_service set;
unix_socket_send(system_app, wififtmd, wifi_ftmd)
# allow system_app to interact with dtseagleservice
binder_call(system_app, dtseagleservice)
# allow system_app to interact with fido daemon
binder_call(system_app, fidodaemon)
# allow system_app to interact with secota daemon
binder_call(system_app, secotad)
# allow system_app to interact with imscm daemon
binder_call(system_app, imscm)
allow system_app imscm_service:service_manager find;
# access to seemp folder
allow system_app seemp_file:dir r_dir_perms;
allow system_app seemp_file:{ file fifo_file } rw_file_perms;
binder_call(system_app, seempd)
#allow access to qfp-daemon
allow system_app qfp-daemon_data_file:dir create_dir_perms;
allow system_app qfp-daemon_data_file:file create_file_perms;
binder_call(system_app, qfp-daemon)
# allow system_app to interact with fido daemon
binder_call(system_app, fidodaemon)
# allow system_app to interact with esepmdaemon
binder_call(system_app, esepmdaemon)
# allow system_app to interact with seemp health daemon
binder_call(system_app, seemp_health_daemon)
#allow access to RIDL
allow system_app RIDL_data_file:dir rw_dir_perms;
allow system_app RIDL_data_file:file create_file_perms;
allow system_app RIDL_data_file:lnk_file r_file_perms;
allow system_app RIDL_socket:dir r_dir_perms;
unix_socket_connect(system_app, RIDL, RIDL)
allow system_app RIDL_socket:sock_file r_file_perms;
# Allow access to qti_logkit
allow system_app qti_logkit_priv_data_file:dir create_dir_perms;
allow system_app qti_logkit_priv_data_file:file create_file_perms;
allow system_app qti_logkit_priv_socket:dir r_dir_perms;
unix_socket_connect(system_app, qti_logkit_priv, qti_logkit)
allow system_app qti_logkit_priv_socket:sock_file r_file_perms;
# iwconfig
allow system_app wcnss_service_exec:file rx_file_perms;
# bugreport
allow system_app ctl_dumpstate_prop:property_service set;
unix_socket_connect(system_app, dumpstate, dumpstate)
# allow gba auth service to add itself as system service
allow system_app gba_auth_service:service_manager add;
# allow gba auth service to find itself
allow system_app gba_auth_service:service_manager find;
# allow access to system_app for wbc_service
allow system_app wbc_service:service_manager add;
allow system_app self:netlink_kobject_uevent_socket { read bind setopt create };
# allow system_app to interact with mdtp daemon
binder_call(system_app, mdtpdaemon)
# allow access to system_app for audio pp files
r_dir_file(system_app, audio_pp_data_file);
# allow access to system app for radio files
allow system_app radio_data_file:dir rw_dir_perms;
allow system_app radio_data_file:file create_file_perms;
# DOLBY_START
set_prop(system_app, dolby_prop)
# DOLBY_END
# allow system_app to access netd
unix_socket_connect(system_app, netd, netd)
allow system_app persist_file:dir rw_dir_perms;
allow system_app persist_misc_file:dir rw_dir_perms;
allow system_app persist_misc_file:file create_file_perms;
# required for FM App to connectto wcnss_filter sockets
# serial device ttyHS0 (transport layer for FM)
allow system_app serial_device:chr_file rw_file_perms;
set_prop(system_app, bluetooth_prop)
# access unix sockets for fm application
unix_socket_connect(system_app,bluetooth, bluetooth)
# access wcnss_filter from fm app
allow system_app wcnss_filter:unix_stream_socket connectto;
# ANR
allow system_app anr_data_file:dir r_dir_perms;
allow system_app anr_data_file:file r_file_perms;
# detect /data/anr directory is created
allow system_app system_data_file:dir read;
# allow access to ims helper
unix_socket_connect(system_app, ims, ims)
# access to qseeproxy domain
allow system_app qseeproxy:unix_dgram_socket sendto;
|
