From ffaed57632175bd4eb59628a5612ce3ee2312964 Mon Sep 17 00:00:00 2001 From: Vince Leung Date: Mon, 29 Feb 2016 18:08:55 -0800 Subject: [PATCH 01/42] sepolicy: update perfd socket path Perfd socket path has been changed from /data/misc/perfd/mpctl to /dev/socket/perfd. Remove socket dir create policies from perfd.te and replace with rw socket file permissions. Change-Id: I98364d42e32a2d4358fddbdc4801fd27bc04e11a --- common/file_contexts | 3 +-- common/perfd.te | 3 +-- 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/common/file_contexts b/common/file_contexts index 1f01146..e716056 100644 --- a/common/file_contexts +++ b/common/file_contexts @@ -95,7 +95,7 @@ /dev/socket/ims_qmid u:object_r:ims_socket:s0 /dev/socket/ims_datad u:object_r:ims_socket:s0 /dev/socket/ims_rtpd u:object_r:ims_socket:s0 -/dev/socket/perfd(/.*)? u:object_r:mpctl_socket:s0 +/dev/socket/perfd u:object_r:mpctl_socket:s0 /dev/socket/qlogd u:object_r:qlogd_socket:s0 /dev/socket/ipacm_log_file u:object_r:ipacm_socket:s0 /dev/socket/dpmd u:object_r:dpmd_socket:s0 @@ -281,7 +281,6 @@ /data/time(/.*)? u:object_r:time_data_file:s0 /data/nfc(/.*)? u:object_r:nfc_data_file:s0 /data/system/perfd(/.*)? u:object_r:mpctl_data_file:s0 -/data/misc/perfd(/.*)? u:object_r:mpctl_socket:s0 /data/misc/iop(/.*)? u:object_r:iop_data_file:s0 /data/misc/iop/iop u:object_r:iop_socket:s0 /data/misc/display(/.*)? u:object_r:display_misc_file:s0 diff --git a/common/perfd.te b/common/perfd.te index f5bda91..9b112ac 100644 --- a/common/perfd.te +++ b/common/perfd.te @@ -14,8 +14,7 @@ allow perfd { allow perfd self:{ netlink_kobject_uevent_socket socket} create_socket_perms; # mpctl socket -allow perfd mpctl_socket:dir rw_dir_perms; -allow perfd mpctl_socket:sock_file create_file_perms; +allow perfd mpctl_socket:sock_file rw_file_perms; # default_values file allow perfd mpctl_data_file:dir rw_dir_perms; From ba9d8ed1f5711517904ae7f028a99bc1919865f0 Mon Sep 17 00:00:00 2001 
From: Amit Blay Date: Thu, 14 Jan 2016 17:07:10 +0200 Subject: [PATCH 02/42] sepolicy: Add support for new mdtpd MDTP daemon (mdtpd) was created. All MDTP threads were removed from QSEECOM. This change moves all MDTP specific rules from the qseecomd domain to the mdtp domain. Change-Id: I12f624c89f6fe43b09a7c748c2b0b26dc8c0a0ee --- common/file_contexts | 2 +- common/mdtp.te | 32 ++++++++++++++++++++++++++++++++ common/qseecomd.te | 22 ---------------------- 3 files changed, 33 insertions(+), 23 deletions(-) diff --git a/common/file_contexts b/common/file_contexts index e716056..042c8fd 100644 --- a/common/file_contexts +++ b/common/file_contexts @@ -220,7 +220,7 @@ /system/bin/tbaseLoader u:object_r:tbaseLoader_exec:s0 /system/bin/mcStarter u:object_r:mcStarter_exec:s0 /system/bin/fstman u:object_r:fstman_exec:s0 -/system/vendor/bin/mdtp_service u:object_r:mdtpdaemon_exec:s0 +/system/vendor/bin/mdtpd u:object_r:mdtpdaemon_exec:s0 ################################### # sysfs files diff --git a/common/mdtp.te b/common/mdtp.te index f69456c..ee09f77 100644 --- a/common/mdtp.te +++ b/common/mdtp.te @@ -28,6 +28,17 @@ type mdtpdaemon, domain; type mdtpdaemon_exec, exec_type, file_type; +allow mdtpdaemon self:capability { + setuid + setgid +}; + +userdebug_or_eng(` + #Needed for kill(pid, 0) existance test + allow mdtpdaemon su:process signull; + allow mdtpdaemon self:capability kill; +') + #Allow for transition from init domain to mdtpdaemon init_daemon_domain(mdtpdaemon) 
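Review bot: In the `userdebug_or_eng` block added to common/mdtp.te, `allow mdtpdaemon self:capability kill;` grants more than the comment's stated purpose of a kill(pid, 0) existence test. A signal-0 probe against a process owned by another UID fails with EPERM rather than ESRCH, so existence can normally be determined without CAP_KILL; I would drop the capability and keep only `allow mdtpdaemon su:process signull;`, unless mdtpd is known to depend on a zero return value. The unconditional `setuid`/`setgid` grant just above it has no comment; a line such as `# mdtpd drops from root to its service uid/gid at startup` (if that is what it does) would make the intent auditable. The comment also misspells "existence".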
@@ -48,9 +59,30 @@ r_dir_file(mdtpdaemon, firmware_file) #Allow access to qsee directories allow mdtpdaemon data_qsee_file:dir create_dir_perms; +allow mdtpdaemon data_qsee_file:file create_file_perms; #Allow access to qsee fifos allow mdtpdaemon data_qsee_file:fifo_file create_file_perms; #Allow access to tee device allow mdtpdaemon tee_device:chr_file rw_file_perms; + +# Provide access to block devices +allow mdtpdaemon block_device:dir r_dir_perms; +allow mdtpdaemon mdtp_device:blk_file rw_file_perms; +allow mdtpdaemon dip_device:blk_file rw_file_perms; +allow mdtpdaemon system_block_device:blk_file r_file_perms; + +# Provide access to QTI Crypto driver for MDTP +# allow mdtpdaemon qce_device:chr_file rw_file_perms; + +# Provide read access to all /system files for MDTP file-to-block-mapping +r_dir_file(mdtpdaemon, exec_type) +r_dir_file(mdtpdaemon, system_file) + +# Provide mdtpd ability to access QMUXD/IPCRouter for QMI +qmux_socket(mdtpdaemon); +allow mdtpdaemon self:socket create_socket_perms; + +# Provide tee ability to run executables in rootfs for MDTP +allow mdtpdaemon rootfs:file x_file_perms; diff --git a/common/qseecomd.te b/common/qseecomd.te index f97849d..2140c58 100644 --- a/common/qseecomd.te +++ b/common/qseecomd.te 
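Review bot: The last rule added to common/mdtp.te, `allow mdtpdaemon rootfs:file x_file_perms;`, is documented as `# Provide tee ability to run executables in rootfs for MDTP`, but the subject is mdtpdaemon, not tee; the comment was carried over from qseecomd.te unchanged. As far as I know `x_file_perms` includes `execute_no_trans`, so anything run from rootfs stays in the mdtpdaemon domain, which this patch also gives setuid/setgid and write access to the `mdtp_device` and `dip_device` block files. I would correct the comment to `# Allow mdtpd to run executables in rootfs` and name the binary it actually needs, so the rule can later be narrowed to a dedicated type. The commented-out `qce_device` rule should either be removed or carry a note saying why mdtpd no longer needs the crypto driver.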
@@ -75,25 +75,3 @@ allow tee qfp-daemon_data_file:file create_file_perms; allow tee fingerprintd_data_file:dir create_dir_perms; allow tee fingerprintd_data_file:file create_file_perms; -# Provide access to block devices for MDTP -allow tee mdtp_device:blk_file rw_file_perms; -allow tee dip_device:blk_file rw_file_perms; -allow tee system_block_device:blk_file r_file_perms; - -# Provide access to QC Crypto driver for MDTP -allow tee qce_device:chr_file rw_file_perms; - -# Provide access to /data/misc/qsee/mdtp for MDTP temp files -allow tee data_qsee_file:dir create_dir_perms; -allow tee data_qsee_file:{ file fifo_file } create_file_perms; - -# Provide read access to all /system files for MDTP file-to-block-mapping -r_dir_file(tee, exec_type) -r_dir_file(tee, system_file) - -# Provide tee ability to access QMUXD/IPCRouter for QMI -qmux_socket(tee); -allow tee self:socket create_socket_perms; - -# Provide tee ability to run executables in rootfs for MDTP -allow tee rootfs:file x_file_perms; From 95bb89308ee29f4b4821e7fd670c4af894bd201d Mon Sep 17 00:00:00 2001 From: Himanshu Aggarwal Date: Thu, 21 Jan 2016 22:19:02 -0800 Subject: [PATCH 03/42] sepolicy: Add improveTouch gesture manager permission Add improveTouch gesture manager permission Change-Id: I641821406135ebb95524aefc7afaf9de66f4f29b --- common/service_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/common/service_contexts b/common/service_contexts index c57eab7..776f8c9 100644 --- a/common/service_contexts +++ b/common/service_contexts 
@@ -14,6 +14,7 @@ qti.ims.connectionmanagerservice u:object_r:imscm_service:s0
 com.qti.snapdragon.sdk.display.IColorService u:object_r:color_service:s0
 improveTouch.TouchService u:object_r:improve_touch_service:s0
 improveTouch.TouchManagerService u:object_r:improve_touch_service:s0
+improveTouch.GestureManagerService u:object_r:improve_touch_service:s0
 wfdservice u:object_r:wfdservice_service:s0
 DigitalPen u:object_r:usf_service:s0
 dts_eagle_service u:object_r:dtseagleservice_service:s0
From cd43ce5b83cccfbc19d1f40689a14e5ff7ea6478 Mon Sep 17 00:00:00 2001
From: Abinaya P
Date: Fri, 11 Mar 2016 15:37:04 -0800
Subject: [PATCH 04/42] sepolicy: Add hand biometrics manager permission

Add hand biometrics manager permission

Change-Id: I3d0b1c456b6a7d2d24abfb407d3a70c16cd82396
---
 common/service_contexts | 1 +
 1 file changed, 1 insertion(+)

diff --git a/common/service_contexts b/common/service_contexts
index 776f8c9..3e495ec 100644
--- a/common/service_contexts
+++ b/common/service_contexts
@@ -15,6 +15,7 @@ com.qti.snapdragon.sdk.display.IColorService u:object_r:color_service:s0
 improveTouch.TouchService u:object_r:improve_touch_service:s0
 improveTouch.TouchManagerService u:object_r:improve_touch_service:s0
 improveTouch.GestureManagerService u:object_r:improve_touch_service:s0
+improveTouch.HandBiometricManagerService u:object_r:improve_touch_service:s0
 wfdservice u:object_r:wfdservice_service:s0
 DigitalPen u:object_r:usf_service:s0
 dts_eagle_service u:object_r:dtseagleservice_service:s0
From 8968e670177ce578fb548abf7ee45d7984117018 Mon Sep 17 00:00:00 2001
From: Ramakant Singh
Date: Thu, 14 Jan 2016 14:13:11 +0530
Subject: [PATCH 05/42] sepolicy : Add new properties for ubwc support

Adding new properties to enable the ubwc support based on hardware capability.

Change-Id: Ie0e406360f5a9ceb0a6daaa4d1f7755ce8168fb4
---
 common/init_shell.te | 1 +
 common/property.te | 3 +++
 common/property_contexts | 1 +
 3 files changed, 5 insertions(+)

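Review bot: `improveTouch.HandBiometricManagerService` is given the same `improve_touch_service` label as the touch and gesture services, so every domain that holds `find` on that type can also look up the biometrics manager. If the hand-biometric interface exposes more sensitive data than the touch services do, a separate type would let access be granted per client, for example `improveTouch.HandBiometricManagerService u:object_r:improve_touch_biometric_service:s0` (constructed type name, which would need declaring alongside the other service types). The same consideration applies to the `GestureManagerService` entry added by the preceding patch.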
diff --git a/common/init_shell.te b/common/init_shell.te index 36e1846..ab2aa9f 100644 --- a/common/init_shell.te +++ b/common/init_shell.te @@ -80,6 +80,7 @@ allow qti_init_shell { qemu_hw_mainkeys_prop alarm_boot_prop boot_animation_prop + debug_gralloc_prop # Needed for starting console in userdebug mode userdebug_or_eng(`ctl_console_prop coresight_prop') rmnet_mux_prop diff --git a/common/property.te b/common/property.te index 996c61e..c1a5967 100644 --- a/common/property.te +++ b/common/property.te @@ -22,6 +22,9 @@ type opengles_prop, property_type; type mdm_helper_prop, property_type; type mpdecision_prop, property_type; +#Needed for ubwc support +type debug_gralloc_prop, property_type; + type fm_prop, property_type; type chgdiabled_prop, property_type; diff --git a/common/property_contexts b/common/property_contexts index f3e41fa..537e100 100644 --- a/common/property_contexts +++ b/common/property_contexts @@ -41,3 +41,4 @@ sys.audio.init u:object_r:audio_prop:s0 alarm_boot u:object_r:alarm_boot_prop:s0 debug.sf.nobootanimation u:object_r:boot_animation_prop:s0 radio.noril u:object_r:radio_noril_prop:s0 +debug.gralloc. u:object_r:debug_gralloc_prop:s0 From a216713fdf4a43b1e7f21bacc042cf604df29d47 Mon Sep 17 00:00:00 2001 From: Chitti Babu Theegala Date: Thu, 18 Feb 2016 16:29:38 +0530 Subject: [PATCH 06/42] sepolicy: Add zram, swap disks creation permission Add policies to permit zram & swap disks creation Change-Id: Ibf79c60901cb2b8ccf62ad98f3a331481119892c --- common/file.te | 3 +++ common/file_contexts | 1 + common/init_shell.te | 9 +++++++++ 3 files changed, 13 insertions(+) diff --git a/common/file.te b/common/file.te index 4c1469b..8515796 100644 --- a/common/file.te +++ b/common/file.te @@ -174,3 +174,6 @@ type qtitetherservice_app_data_file, file_type, data_file_type; # Boot KPI Marker files type sys_bootkpi, sysfs_type, file_type; + +# /data/system/swap/swapfile - swapfile +type swap_data_file, file_type, data_file_type; 
diff --git a/common/file_contexts b/common/file_contexts index 042c8fd..9d9bd46 100644 --- a/common/file_contexts +++ b/common/file_contexts @@ -303,6 +303,7 @@ /data/misc/audio_pp(/.*)? u:object_r:audio_pp_data_file:s0 /data/ramdump(/.*)? u:object_r:ssr_ramdump_data_file:s0 /data/misc/SelfHost/socket(/.*)? u:object_r:RIDL_socket:s0 +/data/system/swap(/.*)? u:object_r:swap_data_file:s0 ################################### # persist files diff --git a/common/init_shell.te b/common/init_shell.te index ab2aa9f..21c8b34 100644 --- a/common/init_shell.te +++ b/common/init_shell.te @@ -45,6 +45,7 @@ allow qti_init_shell self:capability { fsetid dac_override dac_read_search + sys_admin }; # For property starting with hw @@ -154,3 +155,11 @@ allow qti_init_shell cgroup:dir add_name; # To allow copy for mbn files r_dir_file(qti_init_shell, firmware_file) + +# /dev/block/zram0 +allow qti_init_shell block_device:dir r_dir_perms; +allow qti_init_shell swap_block_device:blk_file rw_file_perms; + +# /data/system/swap/swapfile +allow qti_init_shell swap_data_file:dir rw_dir_perms; +allow qti_init_shell swap_data_file:file create_file_perms; From 9fa6cb76fe79a07f8aae3aa4b28384bebe3789a9 Mon Sep 17 00:00:00 2001 From: Subash Abhinov Kasiviswanathan Date: Thu, 4 Feb 2016 17:22:18 -0700 Subject: [PATCH 07/42] netmgrd: Allow netmgrd to set xlat property Fix the following denial init: avc: denied { set } for property=persist.net.doxlat scontext=u:r:netmgrd:s0 tcontext=u:object_r:default_prop:s0 tclass=property_service CRs-Fixed: 978703 Change-Id: Ifa91d92ee82a29fa3a4a47a6e94dd9152b47e0e5 --- common/netmgrd.te | 2 ++ common/property.te | 2 ++ common/property_contexts | 1 + 3 files changed, 5 insertions(+) diff --git a/common/netmgrd.te b/common/netmgrd.te index 5428193..92c69de 100644 --- a/common/netmgrd.te +++ b/common/netmgrd.te 
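Review bot: Adding `sys_admin` to the `qti_init_shell` capability set in common/init_shell.te is a much wider grant than the zram and swapfile setup the commit describes, and the hunk adds it without a comment. The visible context shows this domain already holds `dac_override` and `dac_read_search`, and it presumably runs the vendor init shell scripts, so CAP_SYS_ADMIN would extend to everything those scripts execute. I would at least record the reason next to the capability, e.g. `sys_admin # swapon/mkswap for zram0 and /data/system/swap/swapfile`, and consider moving swap setup into a small dedicated domain so the general init-script domain does not need it. The capability block begins outside the hunk.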
@@ -45,6 +45,8 @@ allow netmgrd { proc_net sysfs }:file w_file_perms; #Allow setting of DNS and GW Android properties allow netmgrd { system_prop net_radio_prop }:property_service set; +allow netmgrd xlat_prop:property_service set; + #Allow execution of commands in shell allow netmgrd system_file:file x_file_perms; diff --git a/common/property.te b/common/property.te index c1a5967..f8b78f1 100644 --- a/common/property.te +++ b/common/property.te @@ -31,6 +31,8 @@ type chgdiabled_prop, property_type; #properites for netd type netd_prop, property_type; +type xlat_prop, property_type; + # property for location type location_prop, property_type; diff --git a/common/property_contexts b/common/property_contexts index 537e100..085aee8 100644 --- a/common/property_contexts +++ b/common/property_contexts @@ -42,3 +42,4 @@ alarm_boot u:object_r:alarm_boot_prop:s0 debug.sf.nobootanimation u:object_r:boot_animation_prop:s0 radio.noril u:object_r:radio_noril_prop:s0 debug.gralloc. u:object_r:debug_gralloc_prop:s0 +persist.net.doxlat u:object_r:xlat_prop:s0 From 9290aa99049b9b046e1602108b0e07fb65e3dbc1 Mon Sep 17 00:00:00 2001 From: Puneet Mishra Date: Wed, 2 Dec 2015 13:16:18 +0000 Subject: [PATCH 08/42] sepolicy: Policy for FIDO Secure UI Add policy to allow FIDO access to Secure UI and Secure Touch with sysfs files and unix_dgram_socket sendto permissions. Add policy to all FIDO daemons to allow service_manager find. Change-Id: Iea84c17b8959ace58749b5721abdba64e665baf3 --- common/qsee_svc_app.te | 4 ++++ common/qseeproxy.te | 6 ++++++ common/system_app.te | 3 +++ test/fidotest.te | 3 +++ test/qseeproxysample.te | 3 +++ 5 files changed, 19 insertions(+) diff --git a/common/qsee_svc_app.te b/common/qsee_svc_app.te index fd57768..4ff94df 100644 --- a/common/qsee_svc_app.te +++ b/common/qsee_svc_app.te 
@@ -35,3 +35,7 @@ binder_call(qsee_svc_app, qseeproxy) # file permission allow qsee_svc_app qsee_svc_app_data_file:dir create_dir_perms; allow qsee_svc_app qsee_svc_app_data_file:file create_file_perms; + +# allow service manager find +allow qsee_svc_app { app_api_service system_api_service + fidodaemon_service qseeproxy_service }:service_manager find; diff --git a/common/qseeproxy.te b/common/qseeproxy.te index 826f25c..f3385bf 100644 --- a/common/qseeproxy.te +++ b/common/qseeproxy.te @@ -59,3 +59,9 @@ allow qseeproxy firmware_file:file r_file_perms; #Allow access to session files allow qseeproxy data_qsee_file:dir create_dir_perms; allow qseeproxy data_qsee_file:file create_file_perms ; + +#Allow access to system_app domain +allow qseeproxy system_app:unix_dgram_socket sendto; + +#Allow access to sysfs files +allow qseeproxy sysfs:file w_file_perms; diff --git a/common/system_app.te b/common/system_app.te index 8673d1e..f8eef95 100644 --- a/common/system_app.te +++ b/common/system_app.te @@ -109,3 +109,6 @@ r_dir_file(system_app, audio_pp_data_file); # allow access to system app for radio files allow system_app radio_data_file:dir rw_dir_perms; allow system_app radio_data_file:file create_file_perms; + +# access to qseeproxy domain +allow system_app qseeproxy:unix_dgram_socket sendto; diff --git a/test/fidotest.te b/test/fidotest.te index e601d6d..ed6226d 100644 --- a/test/fidotest.te +++ b/test/fidotest.te @@ -26,4 +26,7 @@ userdebug_or_eng(` # Allow access to firmware allow fidotest firmware_file:dir r_dir_perms; allow fidotest firmware_file:file r_file_perms; + + # Allow service manager to find + allow qsee_svc_app fidotest_service:service_manager find; ') diff --git a/test/qseeproxysample.te b/test/qseeproxysample.te index 6b59bd1..9bddd75 100644 --- a/test/qseeproxysample.te +++ b/test/qseeproxysample.te 
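Review bot: `allow qseeproxy sysfs:file w_file_perms;` in common/qseeproxy.te grants write access to every sysfs node that carries the default `sysfs` label, not just the Secure UI and Secure Touch controls named in the commit message. This tree already uses dedicated sysfs types (file.te has `sysfs_cpu_online`, for instance); I would label the specific secure-touch nodes in file_contexts and allow write on that type only. The comment `#Allow access to sysfs files` should name the nodes involved. In the qsee_svc_app.te hunk of the same patch, `find` on both `app_api_service` and `system_api_service` is likewise broader than the two FIDO/QSEE services listed beside them and deserves a justification.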
@@ -54,4 +54,7 @@ userdebug_or_eng(` # Allow access to firmware allow qseeproxysample firmware_file:dir r_dir_perms; allow qseeproxysample firmware_file:file r_file_perms; + + #Allow service manager to find + allow qsee_svc_app qseeproxysample_service:service_manager find; ') From d90354a1352025e627b79db8d8cacff072c3c951 Mon Sep 17 00:00:00 2001 From: Prasanth Kamuju Date: Sat, 6 Feb 2016 15:27:33 +0530 Subject: [PATCH 09/42] sepolicy: add selinux polices for gamed gamed need permissions to communicate with other daemons/process through sockets CRs-Fixed:987464 Change-Id: Iba51e0a06f01340a9b82fc6214b1bcfb9b81d29d --- common/file.te | 3 +++ common/file_contexts | 2 ++ common/gamed.te | 35 +++++++++++++++++++++++++++++++++++ common/init_shell.te | 1 + common/property.te | 1 + common/property_contexts | 1 + common/system_server.te | 3 +++ 7 files changed, 46 insertions(+) create mode 100755 common/gamed.te diff --git a/common/file.te b/common/file.te index 8515796..acb1344 100644 --- a/common/file.te +++ b/common/file.te @@ -79,6 +79,9 @@ type sysfs_cpu_online, fs_type, sysfs_type; type mpctl_socket, file_type, mlstrustedobject; type mpctl_data_file, file_type, data_file_type; +#define the files writer during the operation of app state changes +type gamed_socket, file_type; + #define the files writter during the operatio of iop type iop_socket, file_type; type iop_data_file, file_type, data_file_type; diff --git a/common/file_contexts b/common/file_contexts index 9d9bd46..a5925ce 100644 --- a/common/file_contexts +++ b/common/file_contexts @@ -96,6 +96,7 @@ /dev/socket/ims_datad u:object_r:ims_socket:s0 /dev/socket/ims_rtpd u:object_r:ims_socket:s0 /dev/socket/perfd u:object_r:mpctl_socket:s0 +/dev/socket/gamed u:object_r:gamed_socket:s0 /dev/socket/qlogd u:object_r:qlogd_socket:s0 /dev/socket/ipacm_log_file u:object_r:ipacm_socket:s0 /dev/socket/dpmd u:object_r:dpmd_socket:s0 
@@ -136,6 +137,7 @@ /system/bin/mmi u:object_r:mmi_exec:s0 /system/bin/mpdecision u:object_r:mpdecision_exec:s0 /system/vendor/bin/perfd u:object_r:perfd_exec:s0 +/system/vendor/bin/gamed u:object_r:gamed_exec:s0 /system/bin/iop u:object_r:dumpstate_exec:s0 /system/bin/msm_irqbalance u:object_r:msm_irqbalanced_exec:s0 /system/bin/imsdatadaemon u:object_r:ims_exec:s0 diff --git a/common/gamed.te b/common/gamed.te new file mode 100755 index 0000000..2d2cac6 --- /dev/null +++ b/common/gamed.te 
@@ -0,0 +1,35 @@ +# Copyright (c) 2016, The Linux Foundation. All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions are +# met: +# * Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# * Redistributions in binary form must reproduce the above +# copyright notice, this list of conditions and the following +# disclaimer in the documentation and/or other materials provided +# with the distribution. +# * Neither the name of The Linux Foundation nor the names of its +# contributors may be used to endorse or promote products derived +# from this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED +# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT +# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS +# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR +# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR +# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, +# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE +# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN +# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +# GAMED + +type gamed, domain; +type gamed_exec, exec_type, file_type; + +init_daemon_domain(gamed) + +unix_socket_connect(gamed, mpctl, perfd) diff --git a/common/init_shell.te b/common/init_shell.te index 21c8b34..ca8bcbd 100644 --- a/common/init_shell.te +++ b/common/init_shell.te @@ -60,6 +60,7 @@ allow qti_init_shell { system_prop freq_prop perfd_prop + gamed_prop mpdecision_prop bluetooth_prop config_prop 
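Review bot: common/gamed.te is created with mode 100755; a policy source file has no reason to be executable, and the other new .te file in this series (bootanim.te) is created as 100644. The only rule for the new domain is `unix_socket_connect(gamed, mpctl, perfd)`, with no comment explaining it; a line such as `# gamed forwards requests to perfd over /dev/socket/perfd` (if that is its purpose) would help reviewers judge whether the access is needed.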
diff --git a/common/property.te b/common/property.te index f8b78f1..d89ea77 100644 --- a/common/property.te +++ b/common/property.te @@ -21,6 +21,7 @@ type sf_lcd_density_prop, property_type; type opengles_prop, property_type; type mdm_helper_prop, property_type; type mpdecision_prop, property_type; +type gamed_prop, property_type; #Needed for ubwc support type debug_gralloc_prop, property_type; diff --git a/common/property_contexts b/common/property_contexts index 085aee8..b33b0a7 100644 --- a/common/property_contexts +++ b/common/property_contexts @@ -13,6 +13,7 @@ ctl.port-bridge u:object_r:ctl_port-bridge_prop:s0 min_freq_0 u:object_r:freq_prop:s0 min_freq_4 u:object_r:freq_prop:s0 ctl.perfd u:object_r:perfd_prop:s0 +ctl.gamed u:object_r:gamed_prop:s0 ctl.iop u:object_r:perfd_prop:s0 ctl.vm_bms u:object_r:vm_bms_prop:s0 qualcomm.bluetooth. u:object_r:bluetooth_prop:s0 diff --git a/common/system_server.te b/common/system_server.te index 4aca89f..569e1ab 100644 --- a/common/system_server.te +++ b/common/system_server.te @@ -19,6 +19,9 @@ allow system_server mpctl_socket:dir r_dir_perms; unix_socket_send(system_server, mpctl, mpdecision) unix_socket_connect(system_server, mpctl, mpdecision) +#access to gamed +unix_socket_connect(system_server, gamed, gamed) + allow system_server { # For wifistatemachine wbc_service From 0c40651937b51de6a37b518362fe27df9304a21a Mon Sep 17 00:00:00 2001 From: Baji Patthan Date: Tue, 8 Dec 2015 12:57:52 -0800 Subject: [PATCH 10/42] "sepolicy:common: QFP daemon read permissions to qc_senseid" QFP daemon needs to read calibration data from /persist/data/qc_senseid CRs-Fixed: 952095 Change-Id: I09233b1eedb5f438accc6ca3a22d0db2390ead54 --- common/file.te | 1 + common/file_contexts | 1 + common/qfp-daemon.te | 4 ++++ common/qseecomd.te | 2 ++ 4 files changed, 8 insertions(+) diff --git a/common/file.te b/common/file.te index acb1344..ff65b5b 100644 --- a/common/file.te +++ b/common/file.te 
@@ -146,6 +146,7 @@ type persist_usf_file, file_type; #qfp-daemon type qfp-daemon_data_file, file_type, data_file_type; +type persist_qc_senseid_file, file_type; # dts notifier files type dts_data_file, file_type, data_file_type; diff --git a/common/file_contexts b/common/file_contexts index a5925ce..7002550 100644 --- a/common/file_contexts +++ b/common/file_contexts @@ -317,6 +317,7 @@ /persist/data(/.*)? u:object_r:persist_drm_file:s0 /persist/data/tz(/.*)? u:object_r:persist_drm_file:s0 /persist/data/sfs(/.*)? u:object_r:persist_drm_file:s0 +/persist/qc_senseid(/.*)? u:object_r:persist_qc_senseid_file:s0 /persist/usf(/.*)? u:object_r:persist_usf_file:s0 /persist/hlos_rfs(/.*)? u:object_r:rfs_shared_hlos_file:s0 /persist/display(/.*)? u:object_r:persist_display_file:s0 diff --git a/common/qfp-daemon.te b/common/qfp-daemon.te index 5d2d7a4..b154c54 100644 --- a/common/qfp-daemon.te +++ b/common/qfp-daemon.te @@ -55,6 +55,10 @@ allow qfp-daemon qbt1000_device:chr_file rw_file_perms; # R dir perms for firmware dir r_dir_file(qfp-daemon, firmware_file) +# R dir perms for persist qc_senseid dir +r_dir_file(qfp-daemon, persist_file) +r_dir_file(qfp-daemon, persist_qc_senseid_file) + # Allow qfp daemon access to system server binder_call(qfp-daemon, system_server); diff --git a/common/qseecomd.te b/common/qseecomd.te index 2140c58..d09057a 100644 --- a/common/qseecomd.te +++ b/common/qseecomd.te @@ -70,6 +70,8 @@ allow tee system_prop:property_service set; #allow access to qfp-daemon allow tee qfp-daemon_data_file:dir create_dir_perms; allow tee qfp-daemon_data_file:file create_file_perms; +allow tee persist_qc_senseid_file:dir create_dir_perms; +allow tee persist_qc_senseid_file:file create_file_perms; #allow access to fingerprintd data file allow tee fingerprintd_data_file:dir create_dir_perms; From 23f3b4c1d4f3dc3136e55cdc50f3a21058b5b296 Mon Sep 17 00:00:00 2001 
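Review bot: The new file_contexts entry labels `/persist/qc_senseid(/.*)?`, while the commit message says the calibration data lives in /persist/data/qc_senseid. If the message is right, this entry never matches and the files keep `persist_drm_file` from the `/persist/data(/.*)?` line shown just above it, so the new `persist_qc_senseid_file` rules would have no effect. Either the path here should be `/persist/data/qc_senseid(/.*)? u:object_r:persist_qc_senseid_file:s0` or the commit message should be corrected; which of the two is wrong cannot be decided from the patch.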
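Review bot: The two rules added to common/qseecomd.te give `tee` `create_dir_perms` and `create_file_perms` on `persist_qc_senseid_file`, although the commit is described as read access for the QFP daemon and the message does not mention tee writing there. If tee is the writer of the calibration data, say so in a comment, e.g. `# tee creates and updates sensor calibration under the qc_senseid directory`; if it only reads, `r_dir_file(tee, persist_qc_senseid_file)` is enough. In qfp-daemon.te, `r_dir_file(qfp-daemon, persist_file)` also lets the daemon read every file labelled `persist_file`, where directory search on `persist_file` would normally suffice to reach the subdirectory.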
From: Neelansh Mittal Date: Fri, 6 Nov 2015 15:21:41 +0530 Subject: [PATCH 11/42] Seandroid: Tidy up policy for WLAN. Adding SEL policies for netd and hostapd. These policies will allow the netd to bind to the hostapd as monitor and listen to messages from the hostapd.Also, these will allow the supplicant to access the wpa_socket directory if it's created by netd. Change-Id: I321195379146b0b4cd0e5f8946549ceadb224015 CRs-Fixed: 756001 --- common/hostapd.te | 2 ++ common/net.te | 9 +++++++++ common/netd.te | 10 ---------- 3 files changed, 11 insertions(+), 10 deletions(-) diff --git a/common/hostapd.te b/common/hostapd.te index a627250..f23418b 100644 --- a/common/hostapd.te +++ b/common/hostapd.te @@ -43,3 +43,5 @@ allow hostapd cnd:fifo_file r_file_perms; allow hostapd smem_log_device:chr_file rw_file_perms; allow hostapd fstman:unix_dgram_socket sendto; unix_socket_send(hostapd, wpa, netd) +allow hostapd netd:unix_dgram_socket sendto; +allow hostapd wpa_socket:sock_file write; diff --git a/common/net.te b/common/net.te index e5e3df0..fc39608 100644 --- a/common/net.te +++ b/common/net.te @@ -4,3 +4,12 @@ unix_socket_connect(netdomain, cnd, cnd) # allow netdomain access to dpmd unix_socket_connect(netdomain, dpmwrapper, dpmd) +allow netd self:capability fsetid; +allow netd hostapd:unix_dgram_socket sendto; + +# Allow netd to chmod dir /data/misc/dhcp +allow netd dhcp_data_file:dir create_dir_perms; + +type_transition netd wifi_data_file:dir wpa_socket "sockets"; +allow netd wpa_socket:dir create_dir_perms; +allow netd wpa_socket:sock_file create_file_perms; diff --git a/common/netd.te b/common/netd.te index 9e067dd..680d499 100644 --- a/common/netd.te +++ b/common/netd.te 
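Review bot: Both rules added to common/hostapd.te duplicate what the context line directly above them already grants: `unix_socket_send(hostapd, wpa, netd)` expands, in the AOSP macro definitions as I know them, to `allow hostapd wpa_socket:sock_file write;` and `allow hostapd netd:unix_dgram_socket sendto;`. The additions are harmless but make the policy harder to audit; I would drop them and keep the macro. In the net.te hunk of the same patch, the netd-only rules (including `allow netd self:capability fsetid;`) are moved into a file whose visible context holds `netdomain` rules; the move changes no permissions but separates netd's rules from netd.te, so a comment in net.te explaining the relocation would help.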
@@ -19,13 +19,3 @@ allow netd ipacm_data_file:file r_file_perms; # needed for netd to start FST Manager via system property allow netd netd_prop:property_service set; allow netd qtitetherservices_service:service_manager find; - -allow netd self:capability fsetid; -allow netd hostapd:unix_dgram_socket sendto; - -# Allow netd to chmod dir /data/misc/dhcp -allow netd dhcp_data_file:dir create_dir_perms; - -type_transition netd wifi_data_file:dir wpa_socket "sockets"; -allow netd wpa_socket:dir create_dir_perms; -allow netd wpa_socket:sock_file create_file_perms; From a4d6e1962f3a8c260e787513670c421de038f720 Mon Sep 17 00:00:00 2001 From: Vince Leung Date: Wed, 9 Dec 2015 18:32:00 -0800 Subject: [PATCH 12/42] sepolicy: add kill permissions to perfd Add permissions to allow perfd kill permissions to send signull to processes Change-Id: Id4ea3b93a2de4eb46c45cbb3c4c93f5fdfeca1ef --- common/perfd.te | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/common/perfd.te b/common/perfd.te index 9b112ac..b21b4a6 100644 --- a/common/perfd.te +++ b/common/perfd.te @@ -38,3 +38,14 @@ unix_socket_connect(perfd, thermal, thermal-engine); # Access device nodes inside /dev/cpuctl allow perfd cpuctl_device:chr_file rw_file_perms; + +# Allow perfd to send signull +allow perfd { + system_server + system_app + wfdservice + mediaserver + thermal-engine + surfaceflinger + appdomain +}:process signull; From 0d563b07c62111fefc8a7928f5024425b7e709b3 Mon Sep 17 00:00:00 2001 From: yongga Date: Fri, 15 Jan 2016 16:09:03 +0800 Subject: [PATCH 13/42] SELINUX: Add BootUp Music Permission Add the bootup music permissoin Change-Id: Ia4200c06f88d7abaf1b19a4aa9fbe51930a101da CRs-Fixed: 943280 --- common/bootanim.te | 29 +++++++++++++++++++++++++++++ common/mediaserver.te | 3 +++ 2 files changed, 32 insertions(+) create mode 100644 common/bootanim.te diff --git a/common/bootanim.te b/common/bootanim.te new file mode 100644 index 0000000..be7b9ed --- /dev/null +++ b/common/bootanim.te 
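Review bot: The new `allow perfd { ... }:process signull;` block in common/perfd.te lists `system_app` next to `appdomain`; if `system_app` is a member of `appdomain`, as it is in AOSP, the explicit entry is redundant. Including `appdomain` also means perfd can probe the existence of any app process, so the comment `# Allow perfd to send signull` should say why, for example `# perfd checks that the client holding a perf lock is still alive`, if that is the reason.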
@@ -0,0 +1,29 @@ +# Copyright (c) 2016, The Linux Foundation. All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions are +# met: +# * Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# * Redistributions in binary form must reproduce the above +# copyright notice, this list of conditions and the following +# disclaimer in the documentation and/or other materials provided +# with the distribution. +# * Neither the name of The Linux Foundation nor the names of its +# contributors may be used to endorse or promote products derived +# from this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED +# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT +# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS +# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR +# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR +# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, +# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE +# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN +# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +# allow bootanim to binder mediaserver +binder_call(bootanim, mediaserver); diff --git a/common/mediaserver.te b/common/mediaserver.te index 442edc4..6eae758 100644 --- a/common/mediaserver.te +++ b/common/mediaserver.te 
@@ -68,6 +68,9 @@ r_dir_file(mediaserver, adsprpcd_file); #Allow mediaserver to connect to unix sockets for staproxy service allow mediaserver system_app:unix_stream_socket { connectto read write setopt }; +# allow mediaserver to communicate with bootanim +binder_call(mediaserver, bootanim); + #Allow mediaserver to access service manager STAProxyService #Allow mediaserver to access service manager wfdservice allow mediaserver { STAProxyService wfdservice_service }:service_manager find; From 166013560dd852e88ba161d94da1842d2c57cfa5 Mon Sep 17 00:00:00 2001 From: c_yongga Date: Mon, 25 Jan 2016 09:22:46 +0800 Subject: [PATCH 14/42] SELINUX: Add BootUp Music Permission Add the bootup music permissoin CRs-Fixed: 965131 Change-Id: I7e17142ec9362824eff9d2687c1ca9bc5a65febd --- common/bootanim.te | 1 + 1 file changed, 1 insertion(+) diff --git a/common/bootanim.te b/common/bootanim.te index be7b9ed..9a6355a 100644 --- a/common/bootanim.te +++ b/common/bootanim.te @@ -27,3 +27,4 @@ # allow bootanim to binder mediaserver binder_call(bootanim, mediaserver); +allow bootanim mediaserver_service:service_manager find; From a2a468187585a9a4aed1212a9119ebf62d186182 Mon Sep 17 00:00:00 2001 From: Ramesh V Date: Tue, 29 Sep 2015 19:43:02 +0530 Subject: [PATCH 15/42] mm-camera2: mct: Add missing permission for graphics fd Add permission for graphics fd. we need this to Query display size from display driver and use that info as one of the parameters for filtering preview parameters. Change-Id: I249e33489a174a1a2cb1bac190de81531a39e7db --- common/mm-qcamerad.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/common/mm-qcamerad.te b/common/mm-qcamerad.te index e7d2737..7bc5dfe 100644 --- a/common/mm-qcamerad.te +++ b/common/mm-qcamerad.te 
@@ -60,6 +60,8 @@ allow mm-qcamerad graphics_device:dir r_dir_perms; type_transition mm-qcamerad system_data_file:file camera_data_file "fdAlbum"; allow mm-qcamerad camera_data_file:file create_file_perms; +allow mm-qcamerad graphics_device:dir r_dir_perms; + #Allow access to /dev/graphics/fb* for screen capture allow mm-qcamerad graphics_device:chr_file rw_file_perms; unix_socket_connect(mm-qcamerad, property, init) From 4d6321b36d26cc9503aaaedc6110b4124bcd88dd Mon Sep 17 00:00:00 2001 From: Mao Jinlong Date: Thu, 3 Dec 2015 19:37:30 +0800 Subject: [PATCH 16/42] healthd : allow healthd have right to read rtc dev file healthd need to have access to rtc dev file to get rtc and alarm time. Change-Id: Id7224465e5e2152b6819285e0eb2e7a66d84f68c --- common/healthd.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/common/healthd.te b/common/healthd.te index 3212afa..7c1b19a 100644 --- a/common/healthd.te +++ b/common/healthd.te @@ -2,4 +2,6 @@ r_dir_file(healthd, sysfs_battery_supply) r_dir_file(healthd, sysfs_usb_supply) r_dir_file(healthd, sysfs_thermal); allow healthd alarm_device:chr_file rw_file_perms; + +#allow healthd read rtc device file allow healthd rtc_device:chr_file r_file_perms; From db89b47b475e3c8a45c6e33378c5b533533358ce Mon Sep 17 00:00:00 2001 From: Nicholas Flintham Date: Tue, 14 Jun 2016 11:14:29 +0100 Subject: [PATCH 17/42] ridl.te fix formatting Change-Id: I012a115854c22841e761318dd903ce09621aaaa1 --- common/ridl.te | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/common/ridl.te b/common/ridl.te index ea42535..5d95a61 100644 --- a/common/ridl.te +++ b/common/ridl.te @@ -94,8 +94,8 @@ userdebug_or_eng(` allow RIDL self:packet_socket create_socket_perms; allow RIDL self:capability net_raw; - # allow location - allow RIDL app_api_service:service_manager find; + # allow location + allow RIDL app_api_service:service_manager find; ') # drop root caps From 499c8fbc14f9f12a74ffa7b5ee2fd2e320e26635 Mon Sep 17 00:00:00 2001 
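Review bot: The added `allow mm-qcamerad graphics_device:dir r_dir_perms;` appears to duplicate a rule the file already has, because the hunk header's context text is the identical statement from just above line 60. A repeated allow rule does not change the compiled policy, but it makes later audits of what mm-qcamerad can reach harder to read. I would drop the new line and, if the display-size query needs recording, put a comment on the existing rule instead, e.g. `# dir read on graphics_device is also used to query the display size`. The rest of mm-qcamerad.te is outside the hunk, so the exact position of the earlier rule cannot be confirmed from here.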
From: Vince Leung Date: Wed, 15 Oct 2014 15:15:57 -0700 Subject: [PATCH 18/42] sepolicy: add mpctl related policies Add mpctl related policies into mpdecision. Add system_server policy to allow it to use mpctl. Add system_app policy to allow it to use mpctl. Add mediaserver policy to allow it to use mpctl. Change-Id: I2e73cee528a87cefe58bd58aad16cda84f6cabf4 --- common/file_contexts | 2 ++ common/perfd.te | 2 ++ 2 files changed, 4 insertions(+) diff --git a/common/file_contexts b/common/file_contexts index 7002550..e18e609 100644 --- a/common/file_contexts +++ b/common/file_contexts @@ -95,6 +95,7 @@ /dev/socket/ims_qmid u:object_r:ims_socket:s0 /dev/socket/ims_datad u:object_r:ims_socket:s0 /dev/socket/ims_rtpd u:object_r:ims_socket:s0 +/dev/socket/perfd(/.*)? u:object_r:mpctl_socket:s0 /dev/socket/perfd u:object_r:mpctl_socket:s0 /dev/socket/gamed u:object_r:gamed_socket:s0 /dev/socket/qlogd u:object_r:qlogd_socket:s0 @@ -137,6 +138,7 @@ /system/bin/mmi u:object_r:mmi_exec:s0 /system/bin/mpdecision u:object_r:mpdecision_exec:s0 /system/vendor/bin/perfd u:object_r:perfd_exec:s0 +/data/misc/perfd(/.*)? u:object_r:mpctl_socket:s0 /system/vendor/bin/gamed u:object_r:gamed_exec:s0 /system/bin/iop u:object_r:dumpstate_exec:s0 /system/bin/msm_irqbalance u:object_r:msm_irqbalanced_exec:s0 diff --git a/common/perfd.te b/common/perfd.te index b21b4a6..0cec6b7 100644 --- a/common/perfd.te +++ b/common/perfd.te @@ -14,6 +14,8 @@ allow perfd { allow perfd self:{ netlink_kobject_uevent_socket socket} create_socket_perms; # mpctl socket +allow perfd mpctl_socket:dir rw_dir_perms; +allow perfd mpctl_socket:sock_file create_file_perms; allow perfd mpctl_socket:sock_file rw_file_perms; # default_values file From e0c70cbeeef523b53b305d03af225d467805a4c8 Mon Sep 17 00:00:00 2001 
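Review bot: The additions in this commit overlap the narrower mpctl socket entries that sit next to them as context lines. In common/file_contexts the new `/dev/socket/perfd(/.*)?` entry lands directly above `/dev/socket/perfd` with the same label. In common/perfd.te the new `mpctl_socket:dir rw_dir_perms` and `mpctl_socket:sock_file create_file_perms` rules land above `mpctl_socket:sock_file rw_file_perms`, which they subsume. If the socket is created for perfd under /dev/socket, only the `rw_file_perms` rule is needed and the directory and create permissions can go. The `/data/misc/perfd(/.*)?` entry in the second file_contexts hunk is also placed among the `/system/vendor/bin` labels and should move to the data-file section or carry a comment saying which build still uses that path.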
From: Ricardo Cerqueira Date: Wed, 15 Jun 2016 19:44:25 +0100 Subject: [PATCH 19/42] msm8937: Fix labeling of the cache and FRP partitions Change-Id: Ib48d599155a354d2a6c366816b878e041a2cbdba --- msm8937/file_contexts | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/msm8937/file_contexts b/msm8937/file_contexts index 13ddaee..fae3375 100644 --- a/msm8937/file_contexts +++ b/msm8937/file_contexts @@ -42,4 +42,5 @@ /dev/block/platform/soc/7824900.sdhci/by-name/userdata u:object_r:userdata_block_device:s0 /dev/block/platform/soc/7824900.sdhci/by-name/dip u:object_r:dip_device:s0 /dev/block/platform/soc/7824900.sdhci/by-name/mdtp u:object_r:mdtp_device:s0 -/dev/block/platform/soc.0/7824900.sdhci/by-name/config u:object_r:frp_block_device:s0 +/dev/block/platform/soc/7824900.sdhci/by-name/config u:object_r:frp_block_device:s0 +/dev/block/platform/soc/7824900.sdhci/by-name/cache u:object_r:cache_block_device:s0 From 52dd2b39689236ae898b72d8e54539e3085885d0 Mon Sep 17 00:00:00 2001 From: Ricardo Cerqueira Date: Wed, 22 Jun 2016 17:14:56 +0100 Subject: [PATCH 20/42] dpm: Let dpmserviceapp create its subdirs Change-Id: I165b059cac1b2db39d0bd600349ca66c6e4f201a --- common/dpmservice_app.te | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/common/dpmservice_app.te b/common/dpmservice_app.te index 47f23bc..7caf962 100644 --- a/common/dpmservice_app.te +++ b/common/dpmservice_app.te @@ -34,7 +34,7 @@ allow dpmservice_app dpmd_socket:sock_file write; allow dpmservice_app dpmd_app_data_file:file create_file_perms; allow dpmservice_app dpmservice:service_manager { add find }; -allow dpmservice_app dpmd_data_file:dir rw_dir_perms; +allow dpmservice_app dpmd_data_file:dir create_dir_perms; allow dpmservice_app dpmd_data_file:file create_file_perms; allow dpmservice_app app_api_service:service_manager find; allow dpmservice_app system_api_service:service_manager find; From f3d4d622bba6a105f20589d36d344dd4442982c6 Mon Sep 17 00:00:00 2001 
From: Ravi Kumar Siddojigari Date: Wed, 13 Jan 2016 13:01:39 +0530 Subject: [PATCH 21/42] file_contexts: Adding context to block devices Adding context to boot, recovery, cache and frp block device Change-Id: Ib19d0a5fbff6f65cc45b42d8ebcb29df91e1beb7 CRs-fixed: 904364 --- msm8909/file_contexts | 3 +++ msm8952/file_contexts | 7 +++++++ 2 files changed, 10 insertions(+) diff --git a/msm8909/file_contexts b/msm8909/file_contexts index caf3ec1..8802050 100644 --- a/msm8909/file_contexts +++ b/msm8909/file_contexts @@ -40,3 +40,6 @@ /dev/block/mmcblk0 u:object_r:root_block_device:s0 /dev/block/mmcblk0rpmb u:object_r:rpmb_device:s0 /dev/block/platform/soc.0/7824900.sdhci/by-name/config u:object_r:frp_block_device:s0 +/dev/block/platform/soc.0/7824900.sdhci/by-name/boot u:object_r:boot_block_device:s0 +/dev/block/platform/soc.0/7824900.sdhci/by-name/recovery u:object_r:recovery_block_device:s0 +/dev/block/platform/soc.0/7824900.sdhci/by-name/cache u:object_r:cache_block_device:s0 diff --git a/msm8952/file_contexts b/msm8952/file_contexts index f1983f9..d6b49ad 100644 --- a/msm8952/file_contexts +++ b/msm8952/file_contexts @@ -42,6 +42,9 @@ /dev/block/mmcblk0 u:object_r:root_block_device:s0 /dev/block/mmcblk0rpmb u:object_r:rpmb_device:s0 /dev/block/platform/soc.0/7824900.sdhci/by-name/config u:object_r:frp_block_device:s0 +/dev/block/platform/soc.0/7824900.sdhci/by-name/boot u:object_r:boot_block_device:s0 +/dev/block/platform/soc.0/7824900.sdhci/by-name/recovery u:object_r:recovery_block_device:s0 +/dev/block/platform/soc.0/7824900.sdhci/by-name/cache u:object_r:cache_block_device:s0 #Using soc instead of soc.0 to make it compatable with 3.18 kernel 
@@ -56,3 +59,7 @@ /dev/block/platform/soc/7824900.sdhci/by-name/dip u:object_r:dip_device:s0 /dev/block/platform/soc/7824900.sdhci/by-name/mdtp u:object_r:mdtp_device:s0 /dev/block/platform/soc/7824900.sdhci/by-name/frp u:object_r:frp_block_device:s0 +/dev/block/platform/soc/7824900.sdhci/by-name/config u:object_r:frp_block_device:s0 +/dev/block/platform/soc/7824900.sdhci/by-name/boot u:object_r:boot_block_device:s0 +/dev/block/platform/soc/7824900.sdhci/by-name/recovery u:object_r:recovery_block_device:s0 +/dev/block/platform/soc/7824900.sdhci/by-name/cache u:object_r:cache_block_device:s0 From 755a03893b3e01049db6e0ebd1465d37249a5792 Mon Sep 17 00:00:00 2001 From: Ricardo Cerqueira Date: Wed, 29 Jun 2016 11:52:03 +0100 Subject: [PATCH 22/42] wcnss: Fix annoying warning when ptt looks for its log dir Change-Id: I40eeb6895f1c5550813bf8b4182e33f9a4dc5dfd --- common/wcnss_service.te | 1 + 1 file changed, 1 insertion(+) diff --git a/common/wcnss_service.te b/common/wcnss_service.te index d922276..1ac434a 100644 --- a/common/wcnss_service.te +++ b/common/wcnss_service.te @@ -40,6 +40,7 @@ allow wcnss_service vfat:dir create_dir_perms; allow wcnss_service vfat:file create_file_perms; # This is needed for ptt_socket app to write logs file collected to sdcard +allow wcnss_service storage_file:dir search; r_dir_file(wcnss_service, storage_file) r_dir_file(wcnss_service, mnt_user_file) ') From 57006624c8863b5ec5fdc3a528831a4ac20856ea Mon Sep 17 00:00:00 2001 From: Ricardo Cerqueira Date: Wed, 13 Jul 2016 16:54:59 +0100 Subject: [PATCH 23/42] wcnss: Fix I40eeb6895f1c5550813bf8b4182e33f9a4dc5dfd This applies to user builds, too Change-Id: Iddc7421ba83b3fd7b5f9a66b2dd1c3ffe240e1fa --- common/wcnss_service.te | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/common/wcnss_service.te b/common/wcnss_service.te index 1ac434a..84a2f35 100644 --- a/common/wcnss_service.te +++ b/common/wcnss_service.te 
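Review bot: In the common/wcnss_service.te hunk, the new `allow wcnss_service storage_file:dir search;` sits directly above `r_dir_file(wcnss_service, storage_file)`, which, as the macro is defined in the platform te_macros, already grants `search` on that directory type. As placed, the rule adds nothing on userdebug and eng builds, and the closing `')` shows it is inside a conditional block that opens outside the hunk. If the warning was seen on a user build, the rule has to live outside that block with its own comment, e.g. `# ptt looks up its log dir under storage; search only`.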
@@ -32,6 +32,7 @@ allow wcnss_service self:netlink_socket create_socket_perms; allow wcnss_service firmware_file:dir r_dir_perms; allow wcnss_service firmware_file:file r_file_perms; allow wcnss_service sysfs:file w_file_perms; +allow wcnss_service storage_file:dir search; userdebug_or_eng(` allow wcnss_service fuse:dir create_dir_perms; @@ -40,7 +41,6 @@ allow wcnss_service vfat:dir create_dir_perms; allow wcnss_service vfat:file create_file_perms; # This is needed for ptt_socket app to write logs file collected to sdcard -allow wcnss_service storage_file:dir search; r_dir_file(wcnss_service, storage_file) r_dir_file(wcnss_service, mnt_user_file) ') From 1c04ae12d15834ea8f0438039904dc7085a9e76a Mon Sep 17 00:00:00 2001 From: Omprakash Dhyade Date: Fri, 18 Dec 2015 10:54:14 -0800 Subject: [PATCH 24/42] perfd: add permissions to read/write proc/ of appdomain Creating sched group requires to write on /proc//sched_group_id. Give permissions for the same. Change-Id: Id5686c917041d638fda99b3553261fee98556c51 --- common/perfd.te | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/common/perfd.te b/common/perfd.te index 0cec6b7..dd427b6 100644 --- a/common/perfd.te +++ b/common/perfd.te @@ -28,6 +28,10 @@ r_dir_file(perfd, system_server) # Allow perfd to check for existence of other processes allow perfd domain:process signull; +# Allow access to /proc/PID +allow perfd appdomain:dir r_dir_perms; +allow perfd appdomain:file rw_file_perms; + # Allow access to thermal sysfs entry r_dir_file(perfd, sysfs_thermal) allow perfd sysfs_thermal:file write; From 3671fcdbbc39116a95ca6f4bddf9c40e01ed2229 Mon Sep 17 00:00:00 2001 
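Review bot: The relocated `allow wcnss_service storage_file:dir search;` now applies to user builds but has no comment, while the only explanation stays inside the `userdebug_or_eng` block in the second hunk. A production grant should be justified where it is declared, so I would add a line above it such as `# ptt probes its log dir under storage on all builds; search only, no read`. The rules around it continue outside the hunk.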
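Review bot: `allow perfd appdomain:file rw_file_perms;` in common/perfd.te gives perfd write access to every /proc/<pid> file of every app domain, while the commit message names only `sched_group_id`. Files under /proc/<pid> carry the process's own domain label, so the rule cannot be narrowed to one entry; the comment should therefore record both the reason and the breadth. In place of `# Allow access to /proc/PID` I would write `# perfd writes /proc/<pid>/sched_group_id of app processes; this covers all appdomain proc files`. It is also worth confirming that perfd needs `read` on those files at all, since write-only access would be narrower.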
From: Tom Marshall Date: Fri, 15 Jul 2016 14:55:48 -0700 Subject: [PATCH 25/42] sepolicy: msm8909: Remove duplicate boot/recovery/cache lines These were added in I5dc5d125dec1fb03646da04ffb01c1153b9f3cab, then added again by upstream Ib19d0a5fbff6f65cc45b42d8ebcb29df91e1beb7. Change-Id: I1864a3b2d7357d30c5f5db9f54ca4c0575fa75f9 --- msm8909/file_contexts | 3 --- 1 file changed, 3 deletions(-) diff --git a/msm8909/file_contexts b/msm8909/file_contexts index 8802050..b20387e 100644 --- a/msm8909/file_contexts +++ b/msm8909/file_contexts @@ -27,8 +27,6 @@ ################################### # Primary storage device nodes # -/dev/block/platform/soc.0/7824900.sdhci/by-name/boot u:object_r:boot_block_device:s0 -/dev/block/platform/soc.0/7824900.sdhci/by-name/recovery u:object_r:recovery_block_device:s0 /dev/block/platform/soc.0/7824900.sdhci/by-name/fsg u:object_r:modem_efs_partition_device:s0 /dev/block/platform/soc.0/7824900.sdhci/by-name/fsc u:object_r:modem_efs_partition_device:s0 /dev/block/platform/soc.0/7824900.sdhci/by-name/modemst1 u:object_r:modem_efs_partition_device:s0 @@ -36,7 +34,6 @@ /dev/block/platform/soc.0/7824900.sdhci/by-name/ssd u:object_r:ssd_device:s0 /dev/block/platform/soc.0/7824900.sdhci/by-name/misc u:object_r:misc_partition:s0 /dev/block/platform/soc.0/7824900.sdhci/by-name/userdata u:object_r:userdata_block_device:s0 -/dev/block/platform/soc.0/7824900.sdhci/by-name/cache u:object_r:cache_block_device:s0 /dev/block/mmcblk0 u:object_r:root_block_device:s0 /dev/block/mmcblk0rpmb u:object_r:rpmb_device:s0 /dev/block/platform/soc.0/7824900.sdhci/by-name/config u:object_r:frp_block_device:s0 From d91cf97ac9a945268bac55b4dece88d5853398ad Mon Sep 17 00:00:00 2001 
From: Matt Mower Date: Mon, 25 Jul 2016 01:51:58 -0500 Subject: [PATCH 26/42] sepolicy: Mark time_daemon domain as mlstrusted * Relax socket constraints for platform apps Change-Id: Ib8a44887b3cceb3481f8a66600b43c761fbaa70c --- common/time_daemon.te | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/common/time_daemon.te b/common/time_daemon.te index e67e425..7cf5395 100644 --- a/common/time_daemon.te +++ b/common/time_daemon.te @@ -1,5 +1,5 @@ # Policies for time daemon -type time_daemon, domain; +type time_daemon, domain, mlstrustedsubject; type time_daemon_exec, exec_type, file_type; type time_data_file, file_type, data_file_type; From 816fc9bfdb61b1d78c5ebd8e8b092d8f5caf8f0f Mon Sep 17 00:00:00 2001 From: Abhimanyu Garg Date: Wed, 9 Mar 2016 15:41:04 -0800 Subject: [PATCH 27/42] sepolicy: update iop socket path iop socket path has been changed from /data/misc/iop/iop to /dev/socket/iop. Remove socket dir create policies from iop.te and replace with rw socket file permissions. Change-Id: I8fcef873b26234d517c319debcd09bf817fd75e2 --- common/file_contexts | 1 + common/iop.te | 3 +-- common/system_server.te | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/common/file_contexts b/common/file_contexts index e18e609..f761191 100644 --- a/common/file_contexts +++ b/common/file_contexts @@ -98,6 +98,7 @@ /dev/socket/perfd(/.*)? u:object_r:mpctl_socket:s0 /dev/socket/perfd u:object_r:mpctl_socket:s0 /dev/socket/gamed u:object_r:gamed_socket:s0 +/dev/socket/iop u:object_r:iop_socket:s0 /dev/socket/qlogd u:object_r:qlogd_socket:s0 /dev/socket/ipacm_log_file u:object_r:ipacm_socket:s0 /dev/socket/dpmd u:object_r:dpmd_socket:s0 diff --git a/common/iop.te b/common/iop.te index c35fc47..5e73902 100644 --- a/common/iop.te +++ b/common/iop.te 
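Review bot: Adding `mlstrustedsubject` to the `time_daemon` type declaration exempts the whole domain from MLS constraints, for every object class it touches, which is wider than the "relax socket constraints for platform apps" purpose stated in the commit message. The declaration carries no comment explaining the attribute, so a later reader cannot tell whether the exemption is still needed. I would add a line above it such as `# mlstrustedsubject: platform apps at other MLS levels connect to the time daemon socket`. The rest of time_daemon.te is outside the hunk, so the socket rules that depend on this cannot be checked from here.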
@@ -35,8 +35,7 @@ r_dir_file( dumpstate, appdomain ); r_dir_file( dumpstate, apk_data_file ); #Create a socket for receiving info from IOP -type_transition dumpstate iop_data_file:sock_file iop_socket "iop"; -allow dumpstate iop_socket:sock_file { create_file_perms unlink }; +allow dumpstate iop_socket:sock_file rw_file_perms; #default_values file allow dumpstate iop_data_file:dir rw_dir_perms; diff --git a/common/system_server.te b/common/system_server.te index 569e1ab..87bfc53 100644 --- a/common/system_server.te +++ b/common/system_server.te @@ -38,7 +38,7 @@ allow system_server { bluetooth_prop usf_prop }:property_service set; # required for ANT App to connectto wcnss_filter sockets allow system_server bluetooth:unix_stream_socket connectto; # access to iop -allow system_server iop_data_file:dir r_dir_perms; +allow system_server iop_socket:dir r_dir_perms; unix_socket_send(system_server, iop, dumpstate) unix_socket_connect(system_server, iop, dumpstate) From 3af1189819ffa421f66b559311fd3c9e3644d970 Mon Sep 17 00:00:00 2001 From: Dedy Lansky Date: Tue, 1 Dec 2015 09:22:24 +0200 Subject: [PATCH 28/42] sepolicy: allow fstman write permissions to wifi directory FST Manager needs write permissions to wifi directory for supporting whitelist of rate upgrate interface (wlan1) Change-Id: I564e7da6118e17f7487242c55b0373dab8d12578 --- common/fstman.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/common/fstman.te b/common/fstman.te index 82ac45d..f727e71 100644 --- a/common/fstman.te +++ b/common/fstman.te @@ -35,6 +35,8 @@ allow fstman self:capability { net_admin net_raw }; allow fstman self:netlink_route_socket nlmsg_write; allow fstman sysfs:file write; r_dir_file(fstman, wifi_data_file) +allow fstman wifi_data_file:dir rw_dir_perms; +allow fstman wifi_data_file:file create_file_perms; allow fstman { wpa hostapd }:unix_dgram_socket sendto; allow fstman wpa_socket:dir rw_dir_perms; allow fstman wpa_socket:sock_file create_file_perms; 
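Review bot: In common/system_server.te, `allow system_server iop_socket:dir r_dir_perms;` probably matches nothing, because this commit labels `/dev/socket/iop`, a socket file, as `iop_socket` and no directory receives that type in the visible file_contexts change. The `unix_socket_send` and `unix_socket_connect` lines below it are what reach the socket, so the directory rule looks like a mechanical rename of the old `iop_data_file:dir` rule. I would remove it, or, if a directory of that type does exist elsewhere in the tree, name it in the `# access to iop` comment.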
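Review bot: In common/fstman.te, `allow fstman wifi_data_file:file create_file_perms;` lets fstman create, rewrite and delete any file labelled `wifi_data_file`, not only the whitelist file the commit message describes. If that type also covers the supplicant configuration (not visible in this hunk), this is write access to stored network credentials. A dedicated type for the whitelist file, assigned with a `type_transition`, would confine the grant. At minimum the two new rules need a comment, e.g. `# fstman writes the rate-upgrade interface whitelist in the wifi data dir`.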
From f8bbee80b49945678e3517272ecc30e82ee4d8a1 Mon Sep 17 00:00:00 2001 From: Puneet Mishra Date: Wed, 14 Oct 2015 13:16:59 +0100 Subject: [PATCH 29/42] sepolicy: Policy for SmartcardService Allow the SmartcardService to communicate with the new QSEE Proxy daemon through the QPay Library. Change-Id: Ic66899c2e016c40e17c0f3f3c454b44b73a26bf8 --- common/seapp_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/common/seapp_contexts b/common/seapp_contexts index 3bf7e05..ae657cc 100644 --- a/common/seapp_contexts +++ b/common/seapp_contexts @@ -9,6 +9,7 @@ user=system seinfo=platform name=com.qti.dpmserviceapp domain=dpmservice_app typ #Add new domain for QSEE services user=system seinfo=platform name=com.qualcomm.qti.auth.fidocryptoservice domain=qsee_svc_app type=qsee_svc_app_data_file user=system seinfo=platform name=com.qualcomm.qti.auth.fidosuiservice domain=qsee_svc_app type=qsee_svc_app_data_file +user=system seinfo=platform name=org.simalliance.openmobileapi.service.SmartcardService domain=qsee_svc_app type=qsee_svc_app_data_file #Add new domain for MDTP services user=system seinfo=platform name=com.qualcomm.qti.securemsm.mdtp.MdtpService domain=mdtpservice_app type=mdtp_svc_app_data_file From 9b5cf1bc0fb839dfb832a362d6827a7d99ae5c9c Mon Sep 17 00:00:00 2001 From: taozhang Date: Wed, 4 Nov 2015 14:50:25 +0800 Subject: [PATCH 30/42] common: add selinux policy for fastmmi Add selinux policy for the test cases in fastmmi, for example, camera, bluetooth, wifi, sensor, storage, logcat and etc. Change-Id: Id51893ad9e101d9306b5608410389321544db9be --- common/bluetooth.te | 3 +++ common/mm-qcamerad.te | 3 +++ common/mmi.te | 17 ++++++++++++++++- common/surfaceflinger.te | 3 +++ 4 files changed, 25 insertions(+), 1 deletion(-) diff --git a/common/bluetooth.te b/common/bluetooth.te index 84b77f6..5da23a0 100644 --- a/common/bluetooth.te +++ b/common/bluetooth.te 
@@ -61,3 +61,6 @@ qmux_socket(bluetooth); # for finding wbc_service allow bluetooth wbc_service:service_manager find; + +# for fastmmi test bluetooth +allow bluetooth mmi:unix_stream_socket connectto; diff --git a/common/mm-qcamerad.te b/common/mm-qcamerad.te index 7bc5dfe..55acfc3 100644 --- a/common/mm-qcamerad.te +++ b/common/mm-qcamerad.te @@ -65,3 +65,6 @@ allow mm-qcamerad graphics_device:dir r_dir_perms; #Allow access to /dev/graphics/fb* for screen capture allow mm-qcamerad graphics_device:chr_file rw_file_perms; unix_socket_connect(mm-qcamerad, property, init) + +#Allow camera work normally in FFBM +binder_call(mm-qcamerad, mmi); diff --git a/common/mmi.te b/common/mmi.te index 6badeab..4dc37ed 100644 --- a/common/mmi.te +++ b/common/mmi.te @@ -52,6 +52,7 @@ allow mmi audio_device:chr_file rw_file_perms; #FM case allow mmi fm_radio_device:chr_file r_file_perms; +allow mmi fm_data_file:file r_file_perms; allow mmi fm_prop:property_service set; #bluetooth case @@ -62,7 +63,8 @@ allow mmi smd_device:chr_file rw_file_perms; #GPS case allow mmi location_data_file:fifo_file create_file_perms; -allow mmi location_data_file:dir w_dir_perms; +allow mmi location_data_file:dir create_dir_perms; +allow mmi location_data_file:file create_file_perms; allow mmi mmi_socket:sock_file create_file_perms; type_transition mmi socket_device:sock_file mmi_socket; allow mmi location_exec:file rx_file_perms; @@ -98,3 +100,16 @@ allow mmi surfaceflinger_service:service_manager find; #Allow mmi to use IPC binder_use(mmi) binder_call(mmi,surfaceflinger) + +#sensor cases +unix_socket_connect(mmi, sensors, sensors); +allow mmi sensors_device:chr_file r_file_perms; + +#logcat +domain_auto_trans(mmi, logcat_exec, logd); + +#mmi test +unix_socket_connect(mmi, cnd, cnd); +unix_socket_connect(mmi, dpmwrapper, dpmd); +unix_socket_connect(mmi, netmgrd, netmgrd); +net_domain(mmi); diff --git a/common/surfaceflinger.te b/common/surfaceflinger.te index 556f5eb..1d0b2a5 100644 
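Review bot: `allow bluetooth mmi:unix_stream_socket connectto;` is granted on every build variant although its comment ties it to the fastmmi test. The same applies to `binder_call(mm-qcamerad, mmi);` in common/mm-qcamerad.te and `binder_call(surfaceflinger, mmi)` in common/surfaceflinger.te. Each rule opens a channel from a production daemon to the test domain, so the comments should say whether that is intended on user builds, e.g. `# fastmmi (factory test mode) only; mmi is not started in normal boot`. If mmi is never present on shipped images, the rules belong in a factory-only policy directory instead of common/.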
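Review bot: In the last common/mmi.te hunk, `domain_auto_trans(mmi, logcat_exec, logd);` makes logcat, when executed by mmi, run in the `logd` domain, so a log reader ends up with the log daemon's permissions. The comment `#logcat` does not explain why a transition into the daemon's domain is wanted. Unless that is deliberate, keep logcat in the mmi domain and give mmi reader access only: `allow mmi logcat_exec:file rx_file_perms;` plus the platform `read_logd(mmi)` macro (confirm it exists in the target tree). The same hunk also adds `net_domain(mmi);` under `#mmi test` with no statement of which test needs network access.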
--- a/common/surfaceflinger.te +++ b/common/surfaceflinger.te @@ -31,3 +31,6 @@ allow surfaceflinger display_misc_file:file create_file_perms; unix_socket_connect(surfaceflinger, pps, mm-pp-daemon) r_dir_file(surfaceflinger, firmware_file) + +#Allow access to fastmmi +binder_call(surfaceflinger, mmi) \ No newline at end of file From 816c6f5c9fddbb40d0f0850996f39154973877fb Mon Sep 17 00:00:00 2001 From: Trilokesh Rangam Date: Thu, 3 Dec 2015 10:35:24 +0530 Subject: [PATCH 31/42] sepolicy : Allow bootkpi access to system apps and vold Allowing BootKPI markers access to system apps and vold to log corresponding KPI entries. Change-Id: Ice2f60f12f0eec9a0b4c43f98f88540ce155145b --- msm8960/bootkpi.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/msm8960/bootkpi.te b/msm8960/bootkpi.te index e932e69..cd29b0e 100644 --- a/msm8960/bootkpi.te +++ b/msm8960/bootkpi.te @@ -33,4 +33,6 @@ userdebug_or_eng(` allow surfaceflinger sys_bootkpi:file rw_file_perms; allow untrusted_app sys_bootkpi:file rw_file_perms; allow location sys_bootkpi:file rw_file_perms; + allow system_app sys_bootkpi:file rw_file_perms; + allow vold sys_bootkpi:file rw_file_perms; ') From 23e5305a623ed404236d2a3033628f8d7f770363 Mon Sep 17 00:00:00 2001 From: Avinash Nalluri Date: Wed, 28 Oct 2015 21:31:47 +0530 Subject: [PATCH 32/42] sepolicy: Add secontexts boot and persist.nativehmi.exit persist.nativehmi.exit is used by the bootanimation app boot is the bin used for bootandimation Change-Id: I508ba92ad98a8575edf4cafc02566781069bd2fb --- msm8960/file_contexts | 1 + msm8960/property_contexts | 29 +++++++++++++++++++++++++++++ 2 files changed, 30 insertions(+) diff --git a/msm8960/file_contexts b/msm8960/file_contexts index c43f6a1..ae0f939 100755 --- a/msm8960/file_contexts +++ b/msm8960/file_contexts 
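Review bot: The new last line of common/surfaceflinger.te, `binder_call(surfaceflinger, mmi)`, is added without a trailing newline, as the `\ No newline at end of file` marker shows. Policy sources are concatenated before compilation, so a file that does not end in a newline can run into the first line of whatever file follows it. Please end the file with a newline; the rule itself needs no change.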
@@ -42,6 +42,7 @@ /system/bin/qcks u:object_r:mdm_helper_exec:s0 /system/bin/efks u:object_r:mdm_helper_exec:s0 /system/bin/DR_AP_Service u:object_r:location_exec:s0 +/system/bin/boot u:object_r:bootanim_exec:s0 ################################### # Data files diff --git a/msm8960/property_contexts b/msm8960/property_contexts index bb3c9d5..9eb5387 100644 --- a/msm8960/property_contexts +++ b/msm8960/property_contexts 
@@ -1 +1,30 @@ +# Copyright (c) 2015, The Linux Foundation. All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions are +# met: +# * Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# * Redistributions in binary form must reproduce the above +# copyright notice, this list of conditions and the following +# disclaimer in the documentation and/or other materials provided +# with the distribution. +# * Neither the name of The Linux Foundation nor the names of its +# contributors may be used to endorse or promote products derived +# from this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED +# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT +# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS +# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR +# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR +# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, +# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE +# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN +# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +#This is need for the nativehmi bootanimation ctl.thermal-engine u:object_r:ctl_thermal-engine_prop:s0 +persist.nativehmi.exit u:object_r:ctl_bootanim_prop:s0 From 99c39d67449054a2f12ac8a58e8ae196c62d9f10 Mon Sep 17 00:00:00 2001 
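Review bot: `persist.nativehmi.exit` is labelled `ctl_bootanim_prop`, a type whose name suggests it already guards the init control property for the bootanim service (to be confirmed against the platform property_contexts). Every domain later allowed to set the nativehmi property would then also be allowed to set anything else carrying that type. A dedicated type (placeholder name `nativehmi_prop`) would keep the two apart; the later `nativehmi.appname` entry and the rules in msm8960/bootanim.te and msm8960/system_app.te rely on the same label. Separately, the added comment `#This is need for the nativehmi bootanimation` lands above the unrelated `ctl.thermal-engine` line and should sit directly above the `persist.nativehmi.exit` entry, reading `# Needed for the nativehmi bootanimation`.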
From: Avinash Nalluri Date: Thu, 29 Oct 2015 16:34:19 +0530 Subject: [PATCH 33/42] sepolicy : add inital rule to bootanimation. add nativeHMI to support or read inputdevice. add secontext for sys.mediaserver.ready add new domain for earlyaudio add nativehmi.appname property. Change-Id: I8e7028bfe24acfa84e946a341435a1e4457d3c25 --- msm8960/bootanim.te | 34 ++++++++++++++++++++++++++++++++++ msm8960/property_contexts | 2 ++ msm8960/system_app.te | 29 +++++++++++++++++++++++++++++ 3 files changed, 65 insertions(+) create mode 100644 msm8960/bootanim.te create mode 100644 msm8960/system_app.te diff --git a/msm8960/bootanim.te b/msm8960/bootanim.te new file mode 100644 index 0000000..00b5b9c --- /dev/null +++ b/msm8960/bootanim.te 
@@ -0,0 +1,34 @@ +# Copyright (c) 2015, The Linux Foundation. All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions are +# met: +# * Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# * Redistributions in binary form must reproduce the above +# copyright notice, this list of conditions and the following +# disclaimer in the documentation and/or other materials provided +# with the distribution. +# * Neither the name of The Linux Foundation nor the names of its +# contributors may be used to endorse or promote products derived +# from this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED +# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRIN:qGEMENT +# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS +# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR +# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR +# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, +# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE +# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN +# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +#need this for the detecting the keys +allow bootanim input_device:dir r_dir_perms; +allow bootanim input_device:chr_file rw_file_perms; + +#needed for bootanimation to exit +unix_socket_connect(bootanim, property, init) +allow bootanim ctl_bootanim_prop:property_service set; diff --git a/msm8960/property_contexts b/msm8960/property_contexts index 9eb5387..67841d9 100644 --- a/msm8960/property_contexts +++ b/msm8960/property_contexts 
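Review bot: `allow bootanim input_device:chr_file rw_file_perms;` grants write on the input device nodes although the comment gives only key detection as the reason. Reading events needs `r_file_perms`, and write access additionally lets the domain write events into the nodes. Unless the nativeHMI code opens the device read-write (not visible here), I would change the line to `allow bootanim input_device:chr_file r_file_perms;` and reword the comment to `# read key events from input devices during boot animation`.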
@@ -28,3 +28,5 @@ #This is need for the nativehmi bootanimation ctl.thermal-engine u:object_r:ctl_thermal-engine_prop:s0 persist.nativehmi.exit u:object_r:ctl_bootanim_prop:s0 +nativehmi.appname u:object_r:ctl_bootanim_prop:s0 +sys.mediaserver.ready u:object_r:audio_prop:s0 diff --git a/msm8960/system_app.te b/msm8960/system_app.te new file mode 100644 index 0000000..e6beb28 --- /dev/null +++ b/msm8960/system_app.te 
@@ -0,0 +1,29 @@ +# Copyright (c) 2015, The Linux Foundation. All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions are +# met: +# * Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# * Redistributions in binary form must reproduce the above +# copyright notice, this list of conditions and the following +# disclaimer in the documentation and/or other materials provided +# with the distribution. +# * Neither the name of The Linux Foundation nor the names of its +# contributors may be used to endorse or promote products derived +# from this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED +# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRIN:qGEMENT +# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS +# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR +# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR +# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, +# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE +# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN +# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +#nativeHMI need this +allow system_app ctl_bootanim_prop:property_service set; From 2090b5699da7a4c532e8def8cc13877c85b1c1c0 Mon Sep 17 00:00:00 2001 From: Kuirong Wang Date: Fri, 13 Nov 2015 11:22:37 -0800 Subject: [PATCH 34/42] sepolicy: add permissions for i2c-6 device Add audio_device permission for i2c-6 device. Change-Id: I43af04bd32057969662b5726ff792fead2ff2a77 --- common/file_contexts | 1 + 1 file changed, 1 insertion(+) 
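Review bot: `allow system_app ctl_bootanim_prop:property_service set;` applies to every app running in the `system_app` domain, and the comment `#nativeHMI need this` does not say which property is being set or why. I would name the property and the caller in the comment, e.g. `# nativeHMI app sets persist.nativehmi.exit to end the boot animation`. The licence header in this new file also contains stray editor input, `NON-INFRIN:qGEMENT`, which should read `NON-INFRINGEMENT`; the same text appears in the new msm8960/bootanim.te.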
diff --git a/common/file_contexts b/common/file_contexts index f761191..ebb0e40 100644 --- a/common/file_contexts +++ b/common/file_contexts @@ -9,6 +9,7 @@ /dev/mhi_pipe_.* u:object_r:mhi_device:s0 /dev/bhi u:object_r:bhi_device:s0 /dev/msm_.* u:object_r:audio_device:s0 +/dev/i2c-6 u:object_r:audio_device:s0 /dev/usf1 u:object_r:usf_device:s0 /dev/msm_dsps u:object_r:sensors_device:s0 /dev/msm_thermal_query u:object_r:thermal_device:s0 From b5935ba67e7a83f1b176af0c8c936941b3fa5bcd Mon Sep 17 00:00:00 2001 From: Abhimanyu Garg Date: Tue, 26 Jan 2016 16:54:17 -0800 Subject: [PATCH 35/42] SEPolicy: Update SePolicy for IOP Adding radio_data_file and bluetooth_data_file for IOP. Change-Id: I7fd0bca30d055886c3e99b27cccaf08c51079922 --- common/iop.te | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/common/iop.te b/common/iop.te index 5e73902..e0a6463 100644 --- a/common/iop.te +++ b/common/iop.te @@ -1,4 +1,4 @@ -# Copyright (c) 2015, The Linux Foundation. All rights reserved. +# Copyright (c) 2015-2016, The Linux Foundation. All rights reserved. # # Redistribution and use in source and binary forms, with or without # modification, are permitted provided that the following conditions are 
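Review bot: `/dev/i2c-6 u:object_r:audio_device:s0` hard-codes a bus number in common/file_contexts, so every target built from the common policy labels I2C bus 6 as an audio device whether or not its codec is attached there. On a board where another peripheral shares that bus, each domain allowed on `audio_device` gains access to it as well. I would move the entry to the file_contexts of the targets that need it, or at least add a comment naming them, e.g. `# <target>: audio codec control on I2C bus 6`.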
@@ -26,11 +26,15 @@ # IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ############################################################################## -allow dumpstate self:capability { chown dac_override } ; +allow dumpstate self:capability { chown dac_override }; allow dumpstate self:socket create_socket_perms; r_dir_file( dumpstate, system_app_data_file ); allow dumpstate app_data_file:dir r_dir_perms; -allow dumpstate app_data_file:file r_file_perms ; +allow dumpstate app_data_file:file r_file_perms; +allow dumpstate bluetooth_data_file:dir r_dir_perms; +allow dumpstate bluetooth_data_file:file r_file_perms; +allow dumpstate radio_data_file:dir r_dir_perms; +allow dumpstate radio_data_file:file r_file_perms; r_dir_file( dumpstate, appdomain ); r_dir_file( dumpstate, apk_data_file ); From 5d05125ed3881c0e58f80451e0ce7460b891dfea Mon Sep 17 00:00:00 2001 From: Kevin Tang Date: Tue, 16 Feb 2016 14:47:39 -0800 Subject: [PATCH 36/42] Location: added media server access permission for test app ODLT needs to use audio for testing, which would require media server access. Adding the corresponding SE rule. Change-Id: I4c15c237bf5514521496137004be648ef7dc94eb CRs-Fixed: 913508 --- common/location_app.te | 1 + 1 file changed, 1 insertion(+) diff --git a/common/location_app.te b/common/location_app.te index 3c8f5d6..7e11186 100644 --- a/common/location_app.te +++ b/common/location_app.te @@ -8,6 +8,7 @@ qmux_socket(location_app) userdebug_or_eng(` net_domain(location_app) allow location_app { adbd su }:unix_stream_socket connectto; + allow location_app mediaserver_service:service_manager find; ') allow location_app surfaceflinger_service:service_manager find; From c79bef84519e6d54c860c0845e66c96853341ad2 Mon Sep 17 00:00:00 2001 
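Review bot: The four added rules give the source domain read access to every file labelled `bluetooth_data_file` and `radio_data_file`, which is wider than the commit message ("for IOP") explains; those labels typically cover Bluetooth pairing state and telephony data. The rules sit in common/iop.te but name `dumpstate` as the subject, so it is worth confirming that this is the intended domain. If only directory traversal or a few known files are needed the grant could be reduced, and at minimum a comment such as `# IOP reads app files under the bluetooth and radio data dirs to prefetch them` (assumed purpose, to be confirmed) should record why. The surrounding rule list continues outside the hunk.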
From: Sathish Ambley Date: Wed, 2 Mar 2016 11:19:41 -0800 Subject: [PATCH 37/42] sepolicy: Add permissions for new dsp node Add permission for SLPI node for targets where different subsystems exist for ADSP and Sensors. Change-Id: I161575826dfc929304a86a320f25ce2881cc2719 --- common/device.te | 1 + common/file_contexts | 1 + 2 files changed, 2 insertions(+) diff --git a/common/device.te b/common/device.te index 4778a3b..fe81af0 100644 --- a/common/device.te +++ b/common/device.te @@ -26,6 +26,7 @@ type battery_data_device, dev_type; #Add qdsp_device type type qdsp_device, dev_type, mlstrustedobject; +type dsp_device, dev_type; #Define hvdcp/quickcharge device type hvdcp_device, dev_type; diff --git a/common/file_contexts b/common/file_contexts index ebb0e40..10f73ec 100644 --- a/common/file_contexts +++ b/common/file_contexts @@ -19,6 +19,7 @@ /dev/seemplog u:object_r:seemplog_device:s0 /dev/radio0 u:object_r:fm_radio_device:s0 /dev/rtc0 u:object_r:rtc_device:s0 +/dev/sdsprpc-smd u:object_r:dsp_device:s0 /dev/sensors u:object_r:sensors_device:s0 /dev/smd.* u:object_r:smd_device:s0 /dev/smem_log u:object_r:smem_log_device:s0 From 5e8d2dc45f6f0267812dd1cba3d35f95f7408619 Mon Sep 17 00:00:00 2001 From: Srikanth Chintala Date: Sat, 23 Jan 2016 18:09:48 +0530 Subject: [PATCH 38/42] sepolicy: remove exec permission for radio Remove exec permission for radio to run com.qualcomm.qti.telephony/app_dex/* Change-Id: Ibceb29133e22fbe6ac5bbfe7fc9b7d253acc2bf8 --- common/radio.te | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/common/radio.te b/common/radio.te index a0426e0..6f72664 100644 --- a/common/radio.te +++ b/common/radio.te @@ -1,9 +1,6 @@ # Talks to qmuxd via the qmux_radio socket. qmux_socket(radio); -#Need permission to execute com.qualcomm.qti.telephony/app_dex/xx -allow radio radio_data_file:file x_file_perms; - #Need permission to execute dpmd talk to radio layer unix_socket_connect(radio, dpmd, dpmd) 
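Review bot: In common/device.te the new `type dsp_device, dev_type;` lands directly under the existing `#Add qdsp_device type` comment, so the file now reads as if both types were the same thing. A separate comment would keep them apart, e.g. `#SLPI (sensors DSP) rpc node, /dev/sdsprpc-smd`, which matches the label added in common/file_contexts in the same patch. This patch only declares and labels the node; no domain is granted access here, so the "Add permission" in the commit message describes rules that must arrive elsewhere.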
@@ -11,4 +8,4 @@ unix_socket_connect(radio, dpmd, dpmd) unix_socket_connect(radio, ims, ims) # IMS needs permission to use avtimer -allow radio avtimer_device:chr_file r_file_perms; \ No newline at end of file +allow radio avtimer_device:chr_file r_file_perms; From 8a1072d4be3742f66b38a7e9d48d7a09e5031bd3 Mon Sep 17 00:00:00 2001 From: Sathish Ambley Date: Thu, 24 Mar 2016 15:53:16 -0700 Subject: [PATCH 39/42] sepolicy: Add policy for VR service Add policy for VR service. CRs-Fixed: 994847 Change-Id: I5bfe220cc71545e67cead4f485e7d451ac1e8ab2 --- msm8996/app.te | 30 +++++++++++++ msm8996/file.te | 4 ++ msm8996/file_contexts | 13 ++++++ msm8996/init_shell.te | 28 ++++++++++++ msm8996/mm-qcamerad.te | 29 ++++++++++++ msm8996/property.te | 29 ++++++++++++ msm8996/property_contexts | 28 ++++++++++++ msm8996/qvrd.te | 93 +++++++++++++++++++++++++++++++++++++++ msm8996/surfaceflinger.te | 30 +++++++++++++ 9 files changed, 284 insertions(+) create mode 100644 msm8996/app.te create mode 100644 msm8996/init_shell.te create mode 100644 msm8996/mm-qcamerad.te create mode 100644 msm8996/property.te create mode 100644 msm8996/property_contexts create mode 100644 msm8996/qvrd.te create mode 100644 msm8996/surfaceflinger.te diff --git a/msm8996/app.te b/msm8996/app.te new file mode 100644 index 0000000..9893883 --- /dev/null +++ b/msm8996/app.te 
@@ -0,0 +1,30 @@
+# Copyright (c) 2016, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# Allow all apps to connect to VR service
+allow appdomain qvrd:fd use;
+unix_socket_connect(appdomain, qvrd, qvrd)
diff --git a/msm8996/file.te b/msm8996/file.te
index f45217d..ebc72cf 100644
--- a/msm8996/file.te
+++ b/msm8996/file.te
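Review bot: `unix_socket_connect(appdomain, qvrd, qvrd)` together with `allow appdomain qvrd:fd use;` opens the VR daemon's socket to every app domain, third-party apps included, while msm8996/qvrd.te in the same patch gives qvrd camera, GPU and sensor device access plus `setsched` over app processes. Unless third-party apps really must talk to qvrd directly, the source should be narrowed to the domains that host the VR client, for example `unix_socket_connect({ platform_app system_app }, qvrd, qvrd)` (the exact set is an assumption to confirm). If the broad grant is intentional, the comment should say that the daemon checks each peer itself, because the policy no longer restricts who connects.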
@@ -30,3 +30,7 @@ type qvop_data_file, file_type, data_file_type; #TLOC Files type tlocd_data_file, file_type, data_file_type; + +# Data type for qvrd +type qvrd_data_file, file_type, data_file_type; +type qvrd_socket, file_type, mlstrustedobject; diff --git a/msm8996/file_contexts b/msm8996/file_contexts index 948bdcd..6cb9d47 100644 --- a/msm8996/file_contexts +++ b/msm8996/file_contexts @@ -23,6 +23,7 @@ # BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN +# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ################################### # Dev block nodes @@ -75,14 +76,26 @@ /dev/block/platform/soc/7464900.sdhci/by-name/mdm1m9kefs3 u:object_r:efs_boot_dev:s0 /dev/block/platform/soc/7464900.sdhci/by-name/mdm1m9kefsc u:object_r:efs_boot_dev:s0 +################################### +# Dev socket nodes +# +/dev/socket/qvrservice u:object_r:qvrd_socket:s0 + ################################### # System files # /system/bin/qvop-daemon u:object_r:qvop_exec:s0 /system/bin/tloc_daemon u:object_r:tlocd_exec:s0 +/system/vendor/bin/qvrservice u:object_r:qvrd_exec:s0 + +################################### +# sysfs files +# +/sys/devices/virtual/graphics/fb([0-2])+/lineptr_value u:object_r:sysfs_graphics:s0 ################################### # data files # /data/misc/qvop(/.*)? u:object_r:qvop_data_file:s0 /data/misc/tloc(/.*)? u:object_r:tlocd_data_file:s0 +/data/misc/qvr(/.*)? u:object_r:qvrd_data_file:s0 diff --git a/msm8996/init_shell.te b/msm8996/init_shell.te new file mode 100644 index 0000000..5546fa1 --- /dev/null +++ b/msm8996/init_shell.te 
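Review bot: In msm8996/file_contexts the pattern `/sys/devices/virtual/graphics/fb([0-2])+/lineptr_value` repeats the character class, so it matches `fb0`, `fb1` and `fb2` but also names such as `fb00` or `fb12`. If the intent is the first three framebuffers, `/sys/devices/virtual/graphics/fb[0-2]/lineptr_value` says that exactly and drops the unneeded capture group.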
@@ -0,0 +1,28 @@
+# Copyright (c) 2016, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+allow qti_init_shell ctl_qvrd_prop:property_service set;
diff --git a/msm8996/mm-qcamerad.te b/msm8996/mm-qcamerad.te
new file mode 100644
index 0000000..5e3ff47
--- /dev/null
+++ b/msm8996/mm-qcamerad.te
@@ -0,0 +1,29 @@
+# Copyright (c) 2016, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+#Allow camera to work normally in VR mode
+binder_call(mm-qcamerad, qvrd)
diff --git a/msm8996/property.te b/msm8996/property.te
new file mode 100644
index 0000000..e317966
--- /dev/null
+++ b/msm8996/property.te
@@ -0,0 +1,29 @@
+# Copyright (c) 2016, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+#properties for qvrd
+type ctl_qvrd_prop, property_type;
diff --git a/msm8996/property_contexts b/msm8996/property_contexts
new file mode 100644
index 0000000..9548ba8
--- /dev/null
+++ b/msm8996/property_contexts
@@ -0,0 +1,28 @@
+# Copyright (c) 2016, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+ctl.qvrd u:object_r:ctl_qvrd_prop:s0
diff --git a/msm8996/qvrd.te b/msm8996/qvrd.te
new file mode 100644
index 0000000..03cd15a
--- /dev/null
+++ b/msm8996/qvrd.te
@@ -0,0 +1,93 @@
+# Copyright (c) 2016, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+type qvrd, domain, mlstrustedsubject;
+type qvrd_exec, exec_type, file_type;
+
+init_daemon_domain(qvrd)
+
+#
+# General
+#
+
+# Allow interracting with qvrd directory
+allow qvrd qvrd_data_file:dir create_dir_perms;
+allow qvrd qvrd_data_file:file create_file_perms;
+
+# Allow access to our socket
+allow qvrd qvrd_socket:sock_file rw_file_perms;
+
+#
+# Sensors
+#
+
+# Allow access to ADSP & SLPI
+allow qvrd { qdsp_device dsp_device }:chr_file r_file_perms;
+
+# Allow access to adsprpcd
+r_dir_file(qvrd, adsprpcd_file);
+
+#
+# Display
+#
+
+# Allow access to /sys/devices/virtual/graphics/fb* for lineptr interrupts
+allow qvrd sysfs_graphics:file rw_file_perms;
+
+# Allow access to /dev/graphics/fb0 for configuring vsync interrupts
+allow qvrd graphics_device:dir r_dir_perms;
+allow qvrd graphics_device:chr_file rw_file_perms;
+
+# Allow access to SurfaceFlinger for toggling display sync model
+binder_use(qvrd)
+binder_call(qvrd, surfaceflinger);
+allow qvrd surfaceflinger_service:service_manager find;
+
+#
+# Scheduler
+#
+
+allow qvrd self:capability { sys_nice };
+userdebug_or_eng(`
+ allow qvrd su:process setsched;
+')
+allow qvrd appdomain:process setsched;
+
+#
+# Camera
+#
+
+# Allow access to camera HAL
+allow qvrd { gpu_device video_device camera_device sensors_device }:chr_file rw_file_perms;
+allow qvrd camera_data_file:dir rw_dir_perms;
+allow qvrd camera_data_file:sock_file w_file_perms;
+allow qvrd mm-qcamerad:unix_dgram_socket sendto;
+
+# Allow access to /dev/video/* devices
+allow qvrd video_device:dir r_dir_perms;
+
+unix_socket_connect(qvrd, mpctl, perfd)
diff --git a/msm8996/surfaceflinger.te b/msm8996/surfaceflinger.te
new file mode 100644
index 0000000..cbad216
--- /dev/null
+++ b/msm8996/surfaceflinger.te
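Review bot: The Scheduler section of msm8996/qvrd.te grants `allow qvrd appdomain:process setsched;` with no comment, and the domain is declared `mlstrustedsubject`, so qvrd may change the scheduling policy of any app process regardless of MLS category. Since msm8996/app.te in the same patch lets every app connect to the daemon, the policy should at least record what limits this, e.g. `# qvrd raises the priority of the connected VR client only; the peer is identified via SO_PEERCRED` (behaviour assumed, to be confirmed against the daemon). The closing `unix_socket_connect(qvrd, mpctl, perfd)` sits under the /dev/video comment and deserves its own line such as `# Allow sending requests to perfd over the mpctl socket`. Minor: `interracting` should read `interacting`.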
@@ -0,0 +1,30 @@
+# Copyright (c) 2016, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# Required to allow VR service to access camera via HAL
+allow surfaceflinger qvrd:dir r_dir_perms;
+allow surfaceflinger qvrd:file r_file_perms;
From e9c294e8e94020ff4860c3ea586ff4b40dbfb974 Mon Sep 17 00:00:00 2001
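Review bot: The comment `# Required to allow VR service to access camera via HAL` does not match the two rules under it: `allow surfaceflinger qvrd:dir r_dir_perms;` and `allow surfaceflinger qvrd:file r_file_perms;` let SurfaceFlinger read objects labelled with the qvrd domain, which in practice means qvrd's /proc entries, and they grant nothing to qvrd or to the camera stack. The comment should state the actual reason, for example `# SurfaceFlinger reads /proc/<pid> of qvrd when serving its binder calls` (reason assumed, to be confirmed).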
From: Lior Barenboim Date: Fri, 6 May 2016 11:11:52 -0700 Subject: [PATCH 40/42] seandroid: allow QFP dameon access to Android services Allow the QFP daemon to connect to a service exposed by the Fingerprint Android service for access to Android functions CRs-fixed: 1012634 Change-Id: I648a37e5c95564d522a9059f2fefa6a94bba162e --- common/qfp-daemon.te | 3 +++ common/service.te | 1 + common/service_contexts | 1 + common/system_app.te | 1 + 4 files changed, 6 insertions(+) diff --git a/common/qfp-daemon.te b/common/qfp-daemon.te index b154c54..d09c24c 100644 --- a/common/qfp-daemon.te +++ b/common/qfp-daemon.te @@ -43,6 +43,9 @@ allow qfp-daemon qfp-daemon_data_file:file create_file_perms; # Access to tee_device allow qfp-daemon tee_device:chr_file rw_file_perms; +# Access QFP Android Proxy +allow qfp-daemon qfp_proxy_service:service_manager find; + # Add IQfpService service allow qfp-daemon iqfp_service:service_manager add; diff --git a/common/service.te b/common/service.te index 4120049..e58a7bc 100644 --- a/common/service.te +++ b/common/service.te @@ -1,4 +1,5 @@ type iqfp_service, service_manager_type; +type qfp_proxy_service, service_manager_type; type atfwd_service, service_manager_type; type per_mgr_service, service_manager_type; type dpmservice, service_manager_type; diff --git a/common/service_contexts b/common/service_contexts index 3e495ec..eca822b 100644 --- a/common/service_contexts +++ b/common/service_contexts @@ -1,4 +1,5 @@ android.apps.IQfpService u:object_r:iqfp_service:s0 +android.apps.IQfpAndroidService u:object_r:qfp_proxy_service:s0 AtCmdFwd u:object_r:atfwd_service:s0 dpmservice u:object_r:dpmservice:s0 listen.service u:object_r:mediaserver_service:s0 diff --git a/common/system_app.te b/common/system_app.te index f8eef95..cc54c3b 100644 --- a/common/system_app.te +++ b/common/system_app.te 
@@ -16,6 +16,7 @@ allow system_app { # access to color service SDK color_service STAProxyService + qfp_proxy_service }:service_manager add; # access to perflock From 2c0cd78e8d258cef556c056d938f79f09748075c Mon Sep 17 00:00:00 2001 From: Steve Kondik Date: Fri, 5 Aug 2016 00:21:05 -0700 Subject: [PATCH 41/42] sepolicy: Fix garbage in upstream commit Change-Id: I8847d799386cfb5609b890a8fb4c6f43afe32ebe --- common/mm-qcamerad.te | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/common/mm-qcamerad.te b/common/mm-qcamerad.te index 55acfc3..7912568 100644 --- a/common/mm-qcamerad.te +++ b/common/mm-qcamerad.te @@ -67,4 +67,4 @@ allow mm-qcamerad graphics_device:chr_file rw_file_perms; unix_socket_connect(mm-qcamerad, property, init) #Allow camera work normally in FFBM -binder_call(mm-qcamerad, mmi); +binder_call(mm-qcamerad, mmi); From 2c4cee6b2e80ce37aa6849a91c533e391e62512b Mon Sep 17 00:00:00 2001 From: Steve Kondik Date: Fri, 5 Aug 2016 23:18:33 -0700 Subject: [PATCH 42/42] sepolicy: Re-add legacy IOP rules * Still in use for now. Change-Id: Ieb4c420e73efcb729cc9554de6837ccb71ff603d --- common/iop.te | 3 ++- common/system_server.te | 1 + 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/common/iop.te b/common/iop.te index e0a6463..9f7fd71 100644 --- a/common/iop.te +++ b/common/iop.te @@ -39,7 +39,8 @@ r_dir_file( dumpstate, appdomain ); r_dir_file( dumpstate, apk_data_file ); #Create a socket for receiving info from IOP -allow dumpstate iop_socket:sock_file rw_file_perms; +type_transition dumpstate iop_data_file:sock_file iop_socket "iop"; +allow dumpstate iop_socket:sock_file { create_file_perms unlink }; #default_values file allow dumpstate iop_data_file:dir rw_dir_perms; diff --git a/common/system_server.te b/common/system_server.te index 87bfc53..f933ca9 100644 --- a/common/system_server.te +++ b/common/system_server.te 
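Review bot: Adding `qfp_proxy_service` to the `service_manager add` set in common/system_app.te lets any app that runs in the shared system_app domain register `android.apps.IQfpAndroidService`, the service that qfp-daemon is allowed to `find` in the same patch. If a single app is meant to register it, a comment naming that app next to the entry would make the grant auditable, e.g. `# registered by the QFP fingerprint service app` (name assumed, to be confirmed). The enclosing allow block starts outside the hunk.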
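Review bot: In common/iop.te the set `{ create_file_perms unlink }` is redundant, because `create_file_perms` already expands to include `unlink`; `allow dumpstate iop_socket:sock_file create_file_perms;` grants the same permissions. The named transition `type_transition dumpstate iop_data_file:sock_file iop_socket "iop";` only applies to a socket whose file name is exactly `iop`, so a short comment tying it to the `/data/misc/iop/iop` entry in common/file_contexts would keep the two in step.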
@@ -39,6 +39,7 @@ allow system_server { bluetooth_prop usf_prop }:property_service set; allow system_server bluetooth:unix_stream_socket connectto; # access to iop allow system_server iop_socket:dir r_dir_perms; +allow system_server iop_data_file:dir r_dir_perms; unix_socket_send(system_server, iop, dumpstate) unix_socket_connect(system_server, iop, dumpstate)