Up to date as of Sept 9, 2016

common/bluetooth.te

@@ -61,3 +61,6 @@ qmux_socket(bluetooth);
 
 # for finding wbc_service
 allow bluetooth wbc_service:service_manager find;
+
+# for fastmmi test bluetooth
+allow bluetooth mmi:unix_stream_socket connectto;

common/bootanim.te

@@ -0,0 +1,30 @@
+# Copyright (c) 2016, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# allow bootanim to binder mediaserver
+binder_call(bootanim, mediaserver);
+allow bootanim mediaserver_service:service_manager find;

common/device.te

@@ -26,6 +26,7 @@ type battery_data_device, dev_type;
 
 #Add qdsp_device type
 type qdsp_device, dev_type, mlstrustedobject;
+type dsp_device, dev_type;
 #Define hvdcp/quickcharge device
 type hvdcp_device, dev_type;
 

common/dpmservice_app.te

@@ -34,7 +34,7 @@ allow dpmservice_app dpmd_socket:sock_file write;
 allow dpmservice_app dpmd_app_data_file:file create_file_perms;
 allow dpmservice_app dpmservice:service_manager  { add find };
 
-allow dpmservice_app dpmd_data_file:dir rw_dir_perms;
+allow dpmservice_app dpmd_data_file:dir create_dir_perms;
 allow dpmservice_app dpmd_data_file:file create_file_perms;
 allow dpmservice_app app_api_service:service_manager find;
 allow dpmservice_app system_api_service:service_manager find;

common/file.te

@@ -79,6 +79,9 @@ type sysfs_cpu_online, fs_type, sysfs_type;
 type mpctl_socket, file_type, mlstrustedobject;
 type mpctl_data_file, file_type, data_file_type;
 
+#define the files writer during the operation of app state changes
+type gamed_socket, file_type;
+
 #define the files writter during the operatio of iop
 type iop_socket, file_type;
 type iop_data_file, file_type, data_file_type;
@@ -143,6 +146,7 @@ type persist_usf_file, file_type;
 
 #qfp-daemon
 type qfp-daemon_data_file, file_type, data_file_type;
+type persist_qc_senseid_file, file_type;
 
 # dts notifier files
 type dts_data_file, file_type, data_file_type;
@@ -174,3 +178,6 @@ type qtitetherservice_app_data_file, file_type, data_file_type;
 
 # Boot KPI Marker files
 type sys_bootkpi, sysfs_type, file_type;
+
+# /data/system/swap/swapfile - swapfile
+type swap_data_file, file_type, data_file_type;

common/file_contexts

@@ -9,6 +9,7 @@
 /dev/mhi_pipe_.*                                u:object_r:mhi_device:s0
 /dev/bhi                                        u:object_r:bhi_device:s0
 /dev/msm_.*                                     u:object_r:audio_device:s0
+/dev/i2c-6                                      u:object_r:audio_device:s0
 /dev/usf1                                       u:object_r:usf_device:s0
 /dev/msm_dsps                                   u:object_r:sensors_device:s0
 /dev/msm_thermal_query                          u:object_r:thermal_device:s0
@@ -18,6 +19,7 @@
 /dev/seemplog                                   u:object_r:seemplog_device:s0
 /dev/radio0                                     u:object_r:fm_radio_device:s0
 /dev/rtc0                                       u:object_r:rtc_device:s0
+/dev/sdsprpc-smd                                u:object_r:dsp_device:s0
 /dev/sensors                                    u:object_r:sensors_device:s0
 /dev/smd.*                                      u:object_r:smd_device:s0
 /dev/smem_log                                   u:object_r:smem_log_device:s0
@@ -96,6 +98,9 @@
 /dev/socket/ims_datad                           u:object_r:ims_socket:s0
 /dev/socket/ims_rtpd                            u:object_r:ims_socket:s0
 /dev/socket/perfd(/.*)?                         u:object_r:mpctl_socket:s0
+/dev/socket/perfd                               u:object_r:mpctl_socket:s0
+/dev/socket/gamed                               u:object_r:gamed_socket:s0
+/dev/socket/iop                                 u:object_r:iop_socket:s0
 /dev/socket/qlogd                               u:object_r:qlogd_socket:s0
 /dev/socket/ipacm_log_file                      u:object_r:ipacm_socket:s0
 /dev/socket/dpmd                                u:object_r:dpmd_socket:s0
@@ -136,6 +141,8 @@
 /system/bin/mmi                                 u:object_r:mmi_exec:s0
 /system/bin/mpdecision                          u:object_r:mpdecision_exec:s0
 /system/vendor/bin/perfd                        u:object_r:perfd_exec:s0
+/data/misc/perfd(/.*)?                          u:object_r:mpctl_socket:s0
+/system/vendor/bin/gamed                        u:object_r:gamed_exec:s0
 /system/bin/iop                                 u:object_r:dumpstate_exec:s0
 /system/bin/msm_irqbalance                      u:object_r:msm_irqbalanced_exec:s0
 /system/bin/imsdatadaemon                       u:object_r:ims_exec:s0
@@ -220,7 +227,7 @@
 /system/bin/tbaseLoader                         u:object_r:tbaseLoader_exec:s0
 /system/bin/mcStarter                           u:object_r:mcStarter_exec:s0
 /system/bin/fstman                              u:object_r:fstman_exec:s0
-/system/vendor/bin/mdtp_service                 u:object_r:mdtpdaemon_exec:s0
+/system/vendor/bin/mdtpd                        u:object_r:mdtpdaemon_exec:s0
 
 ###################################
 # sysfs files
@@ -281,7 +288,6 @@
 /data/time(/.*)?                                                    u:object_r:time_data_file:s0
 /data/nfc(/.*)?                                                     u:object_r:nfc_data_file:s0
 /data/system/perfd(/.*)?                                            u:object_r:mpctl_data_file:s0
-/data/misc/perfd(/.*)?                                              u:object_r:mpctl_socket:s0
 /data/misc/iop(/.*)?                                                u:object_r:iop_data_file:s0
 /data/misc/iop/iop                                                  u:object_r:iop_socket:s0
 /data/misc/display(/.*)?                                            u:object_r:display_misc_file:s0
@@ -304,6 +310,7 @@
 /data/misc/audio_pp(/.*)?                                           u:object_r:audio_pp_data_file:s0
 /data/ramdump(/.*)?                                                 u:object_r:ssr_ramdump_data_file:s0
 /data/misc/SelfHost/socket(/.*)?                                    u:object_r:RIDL_socket:s0
+/data/system/swap(/.*)?                                             u:object_r:swap_data_file:s0
 
 ###################################
 # persist files
@@ -315,6 +322,7 @@
 /persist/data(/.*)?                                                 u:object_r:persist_drm_file:s0
 /persist/data/tz(/.*)?                                              u:object_r:persist_drm_file:s0
 /persist/data/sfs(/.*)?                                             u:object_r:persist_drm_file:s0
+/persist/qc_senseid(/.*)?                                           u:object_r:persist_qc_senseid_file:s0
 /persist/usf(/.*)?                                                  u:object_r:persist_usf_file:s0
 /persist/hlos_rfs(/.*)?                                             u:object_r:rfs_shared_hlos_file:s0
 /persist/display(/.*)?                                              u:object_r:persist_display_file:s0

common/fstman.te

@@ -35,6 +35,8 @@ allow fstman self:capability { net_admin net_raw };
 allow fstman self:netlink_route_socket nlmsg_write;
 allow fstman sysfs:file write;
 r_dir_file(fstman, wifi_data_file)
+allow fstman wifi_data_file:dir rw_dir_perms;
+allow fstman wifi_data_file:file create_file_perms;
 allow fstman { wpa hostapd }:unix_dgram_socket sendto;
 allow fstman wpa_socket:dir rw_dir_perms;
 allow fstman wpa_socket:sock_file create_file_perms;

common/gamed.te

@@ -0,0 +1,35 @@
+# Copyright (c) 2016, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# GAMED
+
+type gamed, domain;
+type gamed_exec, exec_type, file_type;
+
+init_daemon_domain(gamed)
+
+unix_socket_connect(gamed, mpctl, perfd)

common/healthd.te

@@ -2,4 +2,6 @@ r_dir_file(healthd, sysfs_battery_supply)
 r_dir_file(healthd, sysfs_usb_supply)
 r_dir_file(healthd, sysfs_thermal);
 allow healthd alarm_device:chr_file rw_file_perms;
+
+#allow healthd read rtc device file
 allow healthd rtc_device:chr_file r_file_perms;

common/hostapd.te

@@ -43,3 +43,5 @@ allow hostapd cnd:fifo_file r_file_perms;
 allow hostapd smem_log_device:chr_file rw_file_perms;
 allow hostapd fstman:unix_dgram_socket sendto;
 unix_socket_send(hostapd, wpa, netd)
+allow hostapd netd:unix_dgram_socket sendto;
+allow hostapd wpa_socket:sock_file write;

common/init_shell.te

@@ -45,6 +45,7 @@ allow qti_init_shell self:capability {
     fsetid
     dac_override
     dac_read_search
+    sys_admin
 };
 
 # For  property starting with hw
@@ -59,6 +60,7 @@ allow qti_init_shell {
     system_prop
     freq_prop
     perfd_prop
+    gamed_prop
     mpdecision_prop
     bluetooth_prop
     config_prop
@@ -80,6 +82,7 @@ allow qti_init_shell {
     qemu_hw_mainkeys_prop
     alarm_boot_prop
     boot_animation_prop
+    debug_gralloc_prop
     # Needed for starting console in userdebug mode
     userdebug_or_eng(`ctl_console_prop coresight_prop')
     rmnet_mux_prop
@@ -153,3 +156,11 @@ allow qti_init_shell cgroup:dir add_name;
 
 # To allow copy for mbn files
 r_dir_file(qti_init_shell, firmware_file)
+
+# /dev/block/zram0
+allow qti_init_shell block_device:dir r_dir_perms;
+allow qti_init_shell swap_block_device:blk_file rw_file_perms;
+
+# /data/system/swap/swapfile
+allow qti_init_shell swap_data_file:dir rw_dir_perms;
+allow qti_init_shell swap_data_file:file create_file_perms;

common/iop.te

@@ -1,4 +1,4 @@
-# Copyright (c) 2015, The Linux Foundation. All rights reserved.
+# Copyright (c) 2015-2016, The Linux Foundation. All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions are
@@ -26,11 +26,15 @@
 # IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 ##############################################################################
 
-allow dumpstate self:capability { chown dac_override } ;
+allow dumpstate self:capability { chown dac_override };
 allow dumpstate self:socket create_socket_perms;
 r_dir_file( dumpstate, system_app_data_file );
 allow dumpstate app_data_file:dir r_dir_perms;
-allow dumpstate app_data_file:file r_file_perms ;
+allow dumpstate app_data_file:file r_file_perms;
+allow dumpstate bluetooth_data_file:dir r_dir_perms;
+allow dumpstate bluetooth_data_file:file r_file_perms;
+allow dumpstate radio_data_file:dir r_dir_perms;
+allow dumpstate radio_data_file:file r_file_perms;
 r_dir_file( dumpstate, appdomain );
 r_dir_file( dumpstate, apk_data_file );
 

common/location_app.te

@@ -8,6 +8,7 @@ qmux_socket(location_app)
 userdebug_or_eng(`
   net_domain(location_app)
   allow location_app { adbd su }:unix_stream_socket connectto;
+  allow location_app mediaserver_service:service_manager find;
 ')
 
 allow location_app surfaceflinger_service:service_manager find;

common/mdtp.te

@@ -28,6 +28,17 @@
 type mdtpdaemon, domain;
 type mdtpdaemon_exec, exec_type, file_type;
 
+allow mdtpdaemon self:capability {
+    setuid
+    setgid
+};
+
+userdebug_or_eng(`
+    #Needed for kill(pid, 0) existance test
+    allow mdtpdaemon su:process signull;
+    allow mdtpdaemon self:capability kill;
+')
+
 #Allow for transition from init domain to mdtpdaemon
 init_daemon_domain(mdtpdaemon)
 
@@ -48,9 +59,30 @@ r_dir_file(mdtpdaemon, firmware_file)
 
 #Allow access to qsee directories
 allow mdtpdaemon data_qsee_file:dir create_dir_perms;
+allow mdtpdaemon data_qsee_file:file create_file_perms;
 
 #Allow access to qsee fifos
 allow mdtpdaemon data_qsee_file:fifo_file create_file_perms;
 
 #Allow access to tee device
 allow mdtpdaemon tee_device:chr_file rw_file_perms;
+
+# Provide access to block devices
+allow mdtpdaemon block_device:dir r_dir_perms;
+allow mdtpdaemon mdtp_device:blk_file rw_file_perms;
+allow mdtpdaemon dip_device:blk_file rw_file_perms;
+allow mdtpdaemon system_block_device:blk_file r_file_perms;
+
+# Provide access to QTI Crypto driver for MDTP
+# allow mdtpdaemon qce_device:chr_file rw_file_perms;
+
+# Provide read access to all /system files for MDTP file-to-block-mapping
+r_dir_file(mdtpdaemon, exec_type)
+r_dir_file(mdtpdaemon, system_file)
+
+# Provide mdtpd ability to access QMUXD/IPCRouter for QMI
+qmux_socket(mdtpdaemon);
+allow mdtpdaemon self:socket create_socket_perms;
+
+# Provide tee ability to run executables in rootfs for MDTP
+allow mdtpdaemon rootfs:file x_file_perms;

common/mediaserver.te

@@ -68,6 +68,9 @@ r_dir_file(mediaserver, adsprpcd_file);
 #Allow mediaserver to connect to unix sockets for staproxy service
 allow mediaserver system_app:unix_stream_socket { connectto read write setopt };
 
+# allow mediaserver to communicate with bootanim
+binder_call(mediaserver, bootanim);
+
 #Allow mediaserver to access service manager STAProxyService
 #Allow mediaserver to access service manager wfdservice
 allow mediaserver { STAProxyService wfdservice_service }:service_manager find;

common/mm-qcamerad.te

@@ -60,6 +60,11 @@ allow mm-qcamerad graphics_device:dir r_dir_perms;
 type_transition mm-qcamerad system_data_file:file camera_data_file "fdAlbum";
 allow mm-qcamerad camera_data_file:file create_file_perms;
 
+allow mm-qcamerad graphics_device:dir r_dir_perms;
+
 #Allow access to /dev/graphics/fb* for screen capture
 allow mm-qcamerad graphics_device:chr_file rw_file_perms;
 unix_socket_connect(mm-qcamerad, property, init)
+
+#Allow camera work normally in FFBM
+binder_call(mm-qcamerad, mmi);

common/mmi.te

@@ -52,6 +52,7 @@ allow mmi audio_device:chr_file rw_file_perms;
 
 #FM case
 allow mmi fm_radio_device:chr_file r_file_perms;
+allow mmi fm_data_file:file r_file_perms;
 allow mmi fm_prop:property_service set;
 
 #bluetooth case
@@ -62,7 +63,8 @@ allow mmi smd_device:chr_file rw_file_perms;
 
 #GPS case
 allow mmi location_data_file:fifo_file create_file_perms;
-allow mmi location_data_file:dir w_dir_perms;
+allow mmi location_data_file:dir create_dir_perms;
+allow mmi location_data_file:file create_file_perms;
 allow mmi mmi_socket:sock_file create_file_perms;
 type_transition mmi socket_device:sock_file mmi_socket;
 allow mmi location_exec:file rx_file_perms;
@@ -98,3 +100,16 @@ allow mmi surfaceflinger_service:service_manager find;
 #Allow mmi to use IPC
 binder_use(mmi)
 binder_call(mmi,surfaceflinger)
+
+#sensor cases
+unix_socket_connect(mmi, sensors, sensors);
+allow mmi sensors_device:chr_file r_file_perms;
+
+#logcat
+domain_auto_trans(mmi, logcat_exec, logd);
+
+#mmi test
+unix_socket_connect(mmi, cnd, cnd);
+unix_socket_connect(mmi, dpmwrapper, dpmd);
+unix_socket_connect(mmi, netmgrd, netmgrd);
+net_domain(mmi);

common/net.te

@@ -4,3 +4,12 @@ unix_socket_connect(netdomain, cnd, cnd)
 # allow netdomain access to dpmd
 unix_socket_connect(netdomain, dpmwrapper, dpmd)
 
+allow netd self:capability fsetid;
+allow netd hostapd:unix_dgram_socket sendto;
+
+# Allow netd to chmod dir /data/misc/dhcp
+allow netd dhcp_data_file:dir create_dir_perms;
+
+type_transition netd wifi_data_file:dir wpa_socket "sockets";
+allow netd wpa_socket:dir create_dir_perms;
+allow netd wpa_socket:sock_file create_file_perms;