flo: Update sepolicies
parent
8f1e22179c
commit
35a1e8206f
|
@ -141,6 +141,7 @@ HAVE_ADRENO_SOURCE:= false
|
|||
|
||||
SELINUX_IGNORE_NEVERALLOWS := true
|
||||
|
||||
include device/qcom/sepolicy-legacy/sepolicy.mk
|
||||
BOARD_SEPOLICY_DIRS += device/asus/flo/sepolicy
|
||||
|
||||
# Security Patch Level
|
||||
|
|
|
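Review bot: `SELINUX_IGNORE_NEVERALLOWS := true` (L13) switches off the neverallow checks at policy build time, so any rule in this commit that collides with a core neverallow compiles silently and only surfaces later (the platform's compatibility tests re-run those checks). If this line is the one added in this hunk, it should carry a comment naming the specific neverallows being bypassed and why, e.g. `# Legacy vendor blobs need rules that violate core neverallows (<list>); re-evaluate on each platform bump`, so the exemption stays auditable instead of blanket. Rules elsewhere in this commit such as `execmod` on `vendor_file` (L192, L900) and raw `socket` ioctls in system_server (L1596, L1599) are the kind of rule those checks exist to catch, which is why the list is worth keeping explicit.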
@ -1,9 +1,6 @@
|
|||
# Bluetooth executables and script (bdAddrLoader, init.flo.bt.sh)
|
||||
type bluetooth_loader, domain, device_domain_deprecated;
|
||||
type bluetooth_loader_exec, exec_type, file_type;
|
||||
|
||||
# Start bdAddrLoader from init
|
||||
init_daemon_domain(bluetooth_loader)
|
||||
# type bluetooth_loader, domain, device_domain_deprecated;
|
||||
# type bluetooth_loader_exec, exec_type, file_type;
|
||||
|
||||
# Run init.flo.bt.sh
|
||||
allow bluetooth_loader shell_exec:file rx_file_perms;
|
||||
|
|
|
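Review bot: The commented-out declarations `# type bluetooth_loader, domain, device_domain_deprecated;` and `# type bluetooth_loader_exec, exec_type, file_type;` (L52, L55) are dead text on whichever side of the diff they land; if the types now come from the included `device/qcom/sepolicy-legacy` policy, the lines should be deleted rather than kept as comments, with at most a one-liner such as `# bluetooth_loader domain is declared by device/qcom/sepolicy-legacy` if the origin is worth recording. The same pattern of commented-out rules appears in the cameraserver (L186), file_contexts (L752), genfs_contexts (L816, L819), hostapd (L1010, L1013), mpdecision (L1179, L1182), rmt (L1378), sensors (L1432) and thermald (L1693, L1696) hunks. Version control already keeps the history, and a commented-out allow rule invites someone to re-enable it without revisiting why it was dropped.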
@ -14,3 +14,5 @@ qmux_socket(bridge)
|
|||
# Alert the RmNet SMD & SDIO function driver of the correct transport.
|
||||
# (/sys/class/android_usb/f_rmnet_smd_sdio/transport)
|
||||
allow bridge sysfs_rmnet:file { open read write getattr };
|
||||
|
||||
allow bridge sysfs_android_usb:dir r_dir_perms;
|
||||
|
|
|
@ -12,18 +12,16 @@ allow camera video_device:chr_file rw_file_perms;
|
|||
allow camera { surfaceflinger mediaserver cameraserver }:fd use;
|
||||
hal_client_domain(camera, hal_graphics_allocator)
|
||||
|
||||
# Create front and back camera sockets (/data/cam_socket[12])
|
||||
type_transition camera system_data_file:sock_file camera_socket "cam_socket1";
|
||||
type_transition camera system_data_file:sock_file camera_socket "cam_socket2";
|
||||
allow camera camera_socket:sock_file { create unlink };
|
||||
allow camera system_data_file:dir w_dir_perms;
|
||||
allow camera system_data_file:sock_file unlink;
|
||||
# Create camera sockets
|
||||
allow camera camera_socket:dir w_dir_perms;
|
||||
allow camera camera_socket:sock_file create_file_perms;
|
||||
|
||||
type_transition camera system_data_file:file camera_data_file "fdAlbum";
|
||||
allow camera camera_data_file:file create_file_perms;
|
||||
|
||||
# Connect to sensor socket (/data/app/sensor_ctl_socket)
|
||||
# Connect to sensor socket
|
||||
unix_socket_connect(camera, sensors, sensors)
|
||||
allow camera sensors_socket:dir search;
|
||||
allow camera sensors_socket:sock_file read;
|
||||
|
||||
# Read camera files from persist filesystem
|
||||
|
|
|
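Review bot: `# Connect to sensor socket (/data/app/sensor_ctl_socket)` (L137) and `# Connect to sensor socket` (L140) both head the same `unix_socket_connect(camera, sensors, sensors)` rule, and since this commit labels `/dev/socket/sensors(/.*)?` as `sensors_socket` (L706) the path in the older comment looks stale; only one should survive. Likewise `# Create front and back camera sockets (/data/cam_socket[12])` (L100) and `# Create camera sockets` (L118) introduce two different socket rule sets; if the `/dev/socket/qcamera` labelling at L703 is the new location, the `type_transition` rules on `system_data_file` (L103, L106) and `allow camera system_data_file:dir w_dir_perms;` (L112) belong to the old `/data` scheme and should not coexist with the `camera_socket:dir w_dir_perms` rule at L121. Write access to `system_data_file:dir` in particular is broad for a camera daemon and is the rule to make sure does not linger.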
@ -1,16 +1,9 @@
|
|||
# Interact with sockets
|
||||
unix_socket_send(cameraserver, camera, camera)
|
||||
allow cameraserver camera_data_file:sock_file write;
|
||||
allow cameraserver property_socket:sock_file { open read write ioctl };
|
||||
allow cameraserver init:unix_stream_socket connectto;
|
||||
unix_socket_send(cameraserver, camera, camera);
|
||||
unix_socket_send(cameraserver, mpdecision, mpdecision);
|
||||
|
||||
#allow cameraserver system_file:file execmod;
|
||||
# for libmmjpeg
|
||||
allow cameraserver vendor_file:file execmod;
|
||||
allow cameraserver camera_device:chr_file { open read write ioctl };
|
||||
allow cameraserver cameraserver:fd use;
|
||||
|
||||
# Allow writing to mpdecision
|
||||
unix_socket_send(cameraserver, mpdecision, mpdecision)
|
||||
|
||||
# Allow access to sysfs
|
||||
allow cameraserver sysfs:file { getattr read open };
|
||||
# Allow reading /dev/graphics
|
||||
allow cameraserver graphics_device:dir r_dir_perms;
|
||||
allow cameraserver camera_socket:dir r_dir_perms;
|
||||
|
|
|
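Review bot: `unix_socket_send(cameraserver, camera, camera);` (L178) and `unix_socket_send(cameraserver, mpdecision, mpdecision);` (L181) carry a trailing `;` after an m4 macro call, while the same macros appear without it at L166 and L206; the macro already expands to complete statements, so the semicolon is at best a stray empty token and the two spellings should not both be kept. `vndbinder_use(hal_camera_default);` at L892 uses the same trailing-semicolon form. Separately, `allow cameraserver property_socket:sock_file { open read write ioctl };` with `allow cameraserver init:unix_stream_socket connectto;` (L172, L175) hand-writes (and widens) what the `set_prop()` macro expands to; if cameraserver needs to set a property, `set_prop(cameraserver, <property type>)` names the property being written and is what a reviewer expects to see.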
@ -21,3 +21,5 @@ allow conn_init wlan_device:chr_file rw_file_perms;
|
|||
# init.flo.wifi.sh runs toolbox
|
||||
allow conn_init system_file:file execute_no_trans;
|
||||
allow conn_init toolbox_exec:file rx_file_perms;
|
||||
|
||||
allow conn_init wcnss_device:chr_file rw_file_perms ;
|
||||
|
|
|
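Review bot: `allow conn_init wcnss_device:chr_file rw_file_perms ;` (L243) has a space before the terminating semicolon, unlike every other rule in the commit; write it as `allow conn_init wcnss_device:chr_file rw_file_perms;`. A short comment naming which script or binary opens the wcnss node would match the style of the rule group above it (`# init.flo.wifi.sh runs toolbox`).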
@ -1,16 +1,8 @@
|
|||
type wlan_device, dev_type;
|
||||
|
||||
type diag_device, dev_type;
|
||||
|
||||
# Kickstart device used by QC qcks
|
||||
type kickstart_device, dev_type;
|
||||
|
||||
# SMD device, used by hci_qcomm_init
|
||||
type smd_device, dev_type;
|
||||
|
||||
# Radio related block device
|
||||
type efs_block_device, dev_type;
|
||||
type modem_block_device, dev_type;
|
||||
|
||||
# Shared memory logger
|
||||
type shared_log_device, dev_type;
|
||||
|
|
|
@ -1,31 +1,16 @@
|
|||
# Qualcomm MSM Interface (QMI) socket
|
||||
type qmuxd_socket, file_type;
|
||||
type sensors_socket, file_type, data_file_type, core_data_file_type;
|
||||
type camera_socket, file_type, data_file_type, core_data_file_type;
|
||||
|
||||
type sensors_data_file, file_type, data_file_type, core_data_file_type;
|
||||
|
||||
type kickstart_data_file, file_type, data_file_type, core_data_file_type;
|
||||
|
||||
type mpdecision_socket, file_type;
|
||||
type kickstart_data_file, file_type, data_file_type;
|
||||
|
||||
# Default type for anything under /firmware
|
||||
type radio_efs_file, fs_type, contextmount_type;
|
||||
|
||||
# Persist firmware types
|
||||
type persist_file, file_type;
|
||||
type persist_bluetooth_file, file_type;
|
||||
type persist_camera_file, file_type;
|
||||
type persist_data_file, file_type;
|
||||
type persist_drm_file, file_type;
|
||||
type persist_sensors_file, file_type;
|
||||
type persist_wifi_file, file_type;
|
||||
|
||||
type firmware_file, file_type;
|
||||
|
||||
type sysfs_rmnet, fs_type, sysfs_type;
|
||||
type sysfs_mpdecision, fs_type, sysfs_type;
|
||||
type sysfs_soc, sysfs_type, fs_type;
|
||||
type sysfs_surfaceflinger, fs_type, sysfs_type;
|
||||
|
||||
#type for devstart
|
||||
type sysfs_audio, sysfs_type, fs_type;
|
||||
type sysfs_rmt_storage, fs_type, sysfs_type;
|
||||
type sysfs_msm_subsys, fs_type, sysfs_type;
|
||||
type sensors_vendor_data_file, file_type, data_file_type;
|
||||
|
|
|
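Review bot: `kickstart_data_file` is declared twice in this hunk, as `type kickstart_data_file, file_type, data_file_type, core_data_file_type;` (L320) and `type kickstart_data_file, file_type, data_file_type;` (L328). If both land on the new side the policy will not compile (duplicate type); if one replaces the other, dropping `core_data_file_type` changes which attribute-based rules apply to `/data/qcks` (L714) and deserves a one-line comment saying why. Attribute order is also inconsistent, `sysfs_type, fs_type` (L378, L389) against `fs_type, sysfs_type` everywhere else in the hunk; pick one order.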
@ -1,54 +1,20 @@
|
|||
# Used by keystore to access trustzone
|
||||
/dev/qseecom u:object_r:tee_device:s0
|
||||
|
||||
# GPS
|
||||
/dev/gss u:object_r:sensors_device:s0
|
||||
|
||||
# WLAN
|
||||
/dev/wcnss_wlan u:object_r:wlan_device:s0
|
||||
|
||||
###### GPU device (world r/w)
|
||||
/dev/kgsl-3d0 u:object_r:gpu_device:s0
|
||||
/dev/kgsl u:object_r:gpu_device:s0
|
||||
|
||||
# Image Rotator Driver
|
||||
/dev/msm_rotator u:object_r:video_device:s0
|
||||
|
||||
# Qualcomm MSM Interface (QMI) devices
|
||||
/dev/socket/qmux_audio(/.*)? u:object_r:qmuxd_socket:s0
|
||||
/dev/socket/qmux_bluetooth(/.*)? u:object_r:qmuxd_socket:s0
|
||||
/dev/socket/qmux_gps(/.*)? u:object_r:qmuxd_socket:s0
|
||||
/dev/socket/qmux_radio(/.*)? u:object_r:qmuxd_socket:s0
|
||||
|
||||
/dev/bcm2079x-i2c u:object_r:nfc_device:s0
|
||||
/dev/diag u:object_r:diag_device:s0
|
||||
/dev/stune(/.*)? u:object_r:cgroup:s0
|
||||
|
||||
# efs block labeling
|
||||
/dev/block/platform/msm_sdcc\.1/by-name/m9kefs[123c] u:object_r:efs_block_device:s0
|
||||
# Root block labeling
|
||||
/dev/block/mmcblk0 u:object_r:root_block_device:s0
|
||||
# modemst1, modemst2, fsg, ssd labeling
|
||||
/dev/block/platform/msm_sdcc\.1/by-name/modemst[12] u:object_r:modem_block_device:s0
|
||||
/dev/block/platform/msm_sdcc\.1/by-name/fsg u:object_r:modem_block_device:s0
|
||||
/dev/block/platform/msm_sdcc\.1/by-name/ssd u:object_r:modem_block_device:s0
|
||||
# system and recovery labeling
|
||||
/dev/block/platform/msm_sdcc\.1/by-name/system u:object_r:system_block_device:s0
|
||||
/dev/block/platform/msm_sdcc\.1/by-name/recovery u:object_r:recovery_block_device:s0
|
||||
/dev/block/platform/msm_sdcc\.1/by-name/boot u:object_r:boot_block_device:s0
|
||||
# cache and userdata labeling
|
||||
/dev/block/platform/msm_sdcc\.1/by-name/cache u:object_r:cache_block_device:s0
|
||||
/dev/block/platform/msm_sdcc\.1/by-name/userdata u:object_r:userdata_block_device:s0
|
||||
# encryption metadata
|
||||
/dev/block/platform/msm_sdcc\.1/by-name/metadata u:object_r:metadata_block_device:s0
|
||||
# zram block labeling
|
||||
/dev/block/zram0 u:object_r:swap_block_device:s0
|
||||
|
||||
# CPU governor controls
|
||||
/dev/socket/mpdecision(/.*)? u:object_r:mpdecision_socket:s0
|
||||
|
||||
## Radio related
|
||||
# modem driver
|
||||
/dev/mdm u:object_r:radio_device:s0
|
||||
# high speed inter-chip controls
|
||||
/dev/hsicctl[0-3] u:object_r:radio_device:s0
|
||||
# mux controller
|
||||
|
@ -57,28 +23,21 @@
|
|||
/dev/qmi[0-2] u:object_r:radio_device:s0
|
||||
# shared memory drivers
|
||||
/dev/smdcntl[0-7] u:object_r:radio_device:s0
|
||||
/dev/smd7 u:object_r:radio_device:s0
|
||||
|
||||
# Bluetooth shared memory interfaces
|
||||
/dev/smd2 u:object_r:hci_attach_dev:s0
|
||||
/dev/smd3 u:object_r:hci_attach_dev:s0
|
||||
# Default label for shared memory drivers
|
||||
/dev/smd([0-9])+ u:object_r:smd_device:s0
|
||||
/dev/smem_log u:object_r:shared_log_device:s0
|
||||
|
||||
# Serial console
|
||||
/dev/ttyHS0 u:object_r:hci_attach_dev:s0
|
||||
/dev/ttyMSM0 u:object_r:hci_attach_dev:s0
|
||||
|
||||
# Serial-to-Usb support
|
||||
/dev/ttyUSB0 u:object_r:radio_device:s0
|
||||
|
||||
# Jpeg Engine support
|
||||
/dev/gemini.* u:object_r:video_device:s0
|
||||
# MSM camera related
|
||||
/dev/v4l-subdev.* u:object_r:video_device:s0
|
||||
/dev/msm_camera(/.*)? u:object_r:camera_device:s0
|
||||
/dev/media([0-9])+ u:object_r:camera_device:s0
|
||||
|
||||
# Qualcomm MSM Audio devices
|
||||
/dev/msm_acdb u:object_r:audio_device:s0
|
||||
|
@ -90,15 +49,9 @@
|
|||
/dev/msm_aac.* u:object_r:audio_device:s0
|
||||
|
||||
# MSM Dedicated Sensors Processor Subsystem
|
||||
/dev/msm_dsps u:object_r:sensors_device:s0
|
||||
# Sensors shared Memory Packet Interface
|
||||
/dev/smd_sns_dsps u:object_r:sensors_device:s0
|
||||
|
||||
/dev/cpu_dma_latency u:object_r:power_control_device:s0
|
||||
|
||||
/dev/ks_hsic_bridge u:object_r:kickstart_device:s0
|
||||
/dev/efs_hsic_bridge u:object_r:kickstart_device:s0
|
||||
|
||||
/system/vendor/bin/qcks u:object_r:kickstart_exec:s0
|
||||
/system/vendor/bin/efsks u:object_r:kickstart_exec:s0
|
||||
/system/vendor/bin/ks u:object_r:kickstart_exec:s0
|
||||
|
@ -106,13 +59,11 @@
|
|||
|
||||
/data/cam_socket[0-9] u:object_r:camera_socket:s0
|
||||
/data/app/sensor_ctl_socket u:object_r:sensors_socket:s0
|
||||
/dev/socket/qcamera(/.*)? u:object_r:camera_socket:s0
|
||||
/dev/socket/sensors(/.*)? u:object_r:sensors_socket:s0
|
||||
|
||||
/data/nfc(/.*)? u:object_r:nfc_data_file:s0
|
||||
/data/qcks(/.*)? u:object_r:kickstart_data_file:s0
|
||||
/data/misc/sensors(/.*)? u:object_r:sensors_data_file:s0
|
||||
/data/system/sensors(/.*)? u:object_r:sensors_data_file:s0
|
||||
/data/vendor/sensors(/.*)? u:object_r:sensors_vendor_data_file:s0
|
||||
/data/misc/playready(/.*)? u:object_r:drm_data_file:s0
|
||||
/data/fdAlbum u:object_r:camera_data_file:s0
|
||||
|
||||
/system/vendor/bin/hci_qcomm_init u:object_r:hci_attach_exec:s0
|
||||
/system/vendor/bin/bdAddrLoader u:object_r:bluetooth_loader_exec:s0
|
||||
|
@ -134,15 +85,10 @@
|
|||
/system/vendor/bin/init\.qcom\.devstart\.sh u:object_r:init-qcom-devstart-sh_exec:s0
|
||||
/system/vendor/bin/init\.qcom\.devwait\.sh u:object_r:init-qcom-devwait-sh_exec:s0
|
||||
|
||||
#/(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.3-service\.clearkey u:object_r:hal_drm_clearkey_exec:s0
|
||||
|
||||
# Persist firmware filesystem
|
||||
/persist(/.*)? u:object_r:persist_file:s0
|
||||
/persist/bluetooth(/.*)? u:object_r:persist_bluetooth_file:s0
|
||||
/persist/camera_calibration(/.*)? u:object_r:persist_camera_file:s0
|
||||
/persist/data(/.*)? u:object_r:persist_data_file:s0
|
||||
/persist/sensors(/.*)? u:object_r:persist_sensors_file:s0
|
||||
/persist/playready(/.*)? u:object_r:persist_drm_file:s0
|
||||
/persist/widevine(/.*)? u:object_r:persist_drm_file:s0
|
||||
/persist/wifi(/.*)? u:object_r:persist_wifi_file:s0
|
||||
|
||||
# firmware
|
||||
/firmware(/.*)? u:object_r:firmware_file:s0
|
||||
|
|
|
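Review bot: The executable labels use the `/system/vendor/bin/...` spelling (L682, L685, L688, L734, L737, L744, L747), while the commented entry at L752 uses the `/(vendor|system/vendor)/bin/...` form. If `/vendor` is mounted as its own partition on this device, a file reached as `/vendor/bin/qcks` does not match the `/system/vendor/bin/qcks` regex and falls back to the generic vendor label, so the `kickstart_exec` and `hci_attach_exec` domain transitions would not fire; the alternation form covers both layouts and is the safer choice. If vendor is only a symlink into /system here, a comment saying so would save the next reader the question.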
@ -0,0 +1,2 @@
|
|||
allow fsck self:capability dac_override;
|
||||
allow fsck tmpfs:blk_file getattr;
|
|
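Review bot: `allow fsck self:capability dac_override;` (L798) lets fsck bypass every discretionary permission check, and this new file gives no indication of which access produced the denial. A comment naming the path and the denial, e.g. `# <denial>: fsck needs dac_override to open <path>; dac_read_search is insufficient because <reason>`, would let a later reviewer confirm the capability is still required, since `dac_read_search` is strictly narrower and is often what such denials actually need. The same question applies to `allow mpdecision self:capability dac_override;` (L1193), where the paired `auditallow` is the right tool for finding the answer and should be noted as temporary.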
@ -7,4 +7,28 @@ genfscon sysfs /module/pm_8x60/modes u:object
|
|||
genfscon sysfs /devices/virtual/graphics/fb1/format_3d u:object_r:sysfs_surfaceflinger:s0
|
||||
genfscon sysfs /devices/virtual/graphics/fb1/hpd u:object_r:sysfs_surfaceflinger:s0
|
||||
genfscon sysfs /kernel/boot_adsp/boot u:object_r:sysfs_audio:s0
|
||||
#genfscon sysfs /devices/platform/msm_sdcc.1/mmc_host/mmc0/mmc0:0001/rev u:object_r:sysfs_disk_stat:s0
|
||||
#genfscon sysfs /devices/platform/msm_sdcc.1/mmc_host/mmc0/mmc0:0001/block/mmcblk0/stat u:object_r:sysfs_disk_stat:s0
|
||||
genfscon sysfs /devices/system/soc/soc0 u:object_r:sysfs_soc:s0
|
||||
|
||||
# remote storage
|
||||
genfscon sysfs /class/uio u:object_r:sysfs_rmt_storage:s0
|
||||
genfscon sysfs /devices/platform/msm_sharedmem/uio u:object_r:sysfs_rmt_storage:s0
|
||||
|
||||
# graphics
|
||||
genfscon sysfs /devices/platform/kgsl-3d0.0/kgsl/kgsl-3d0/gpuclk u:object_r:sysfs_graphics:s0
|
||||
genfscon sysfs /devices/platform/kgsl-3d0.0/kgsl/kgsl-3d0/max_gpuclk u:object_r:sysfs_graphics:s0
|
||||
genfscon sysfs /devices/platform/kgsl-3d0.0/kgsl/kgsl-3d0/reset_count u:object_r:sysfs_graphics:s0
|
||||
genfscon sysfs /devices/virtual/graphics/fb0 u:object_r:sysfs_graphics:s0
|
||||
genfscon sysfs /devices/virtual/graphics/fb1 u:object_r:sysfs_graphics:s0
|
||||
|
||||
# thermald
|
||||
genfscon sysfs /devices/platform/msm_ssbi.0/pm8921-core/pm8xxx-adc/batt_therm u:object_r:sysfs_thermal:s0
|
||||
genfscon sysfs /module/msm_thermal u:object_r:sysfs_thermal:s0
|
||||
|
||||
# lights
|
||||
genfscon sysfs /devices/platform/msm_fb.591617/leds/lcd-backlight u:object_r:sysfs_leds:s0
|
||||
genfscon sysfs /devices/platform/msm_ssbi.0/pm8921-core/pm8xxx-led u:object_r:sysfs_leds:s0
|
||||
|
||||
# Networking
|
||||
genfscon sysfs /devices/platform/msm_hsic_host/usb1/1-1/1-1:1.5/net/rmnet_usb0/mtu u:object_r:sysfs_net:s0
|
||||
|
|
|
@ -0,0 +1,9 @@
|
|||
vndbinder_use(hal_camera_default);
|
||||
|
||||
# Text relocations in libmmjpeg
|
||||
allow hal_camera_default vendor_file:file execmod;
|
||||
|
||||
allow hal_camera_default hal_graphics_mapper_hwservice:hwservice_manager find;
|
||||
allow hal_camera_default camera_socket:dir search;
|
||||
|
||||
unix_socket_send(hal_camera_default, camera, camera)
|
|
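Review bot: `allow hal_camera_default vendor_file:file execmod;` (L900) applies to every file labelled `vendor_file`, not only the library the comment names, so it also permits text relocations in any other vendor library the HAL happens to load. If libmmjpeg cannot be rebuilt without text relocations, giving that one library its own file type in file_contexts and granting `execmod` on that type keeps the exemption to the file that needs it; the `# Text relocations in libmmjpeg` comment should then name the label. The same blanket grant appears for cameraserver at L192.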
@ -0,0 +1,2 @@
|
|||
allow hal_graphics_allocator_default graphics_device:chr_file rw_file_perms;
|
||||
allow hal_graphics_allocator_default graphics_device:dir search;
|
|
@ -0,0 +1 @@
|
|||
allow hal_light_default sysfs_leds:file rw_file_perms;
|
|
@ -0,0 +1,2 @@
|
|||
allow hal_nfc_default nfc_data_file:dir create_dir_perms;
|
||||
allow hal_nfc_default nfc_data_file:file create_file_perms;
|
|
@ -0,0 +1,13 @@
|
|||
unix_socket_connect(hal_sensors_default, sensors, sensors)
|
||||
|
||||
# Read /dev/socket/sensors/ctl
|
||||
allow hal_sensors_default sensors_socket:sock_file read;
|
||||
|
||||
# Monitor /dev/socket/sensors
|
||||
allow hal_sensors_default sensors_socket:dir { search read };
|
||||
|
||||
# Read directories under /data/vendor/sensors
|
||||
allow hal_sensors_default sensors_vendor_data_file:dir search;
|
||||
|
||||
# Read sensor nodes (/dev/msm_dsps)
|
||||
allow hal_sensors_default sensors_device:chr_file read;
|
|
@ -5,4 +5,5 @@ allow hci_attach kernel:system module_request;
|
|||
allow hci_attach hci_attach_dev:chr_file rw_file_perms;
|
||||
allow hci_attach bluetooth_efs_file:dir r_dir_perms;
|
||||
allow hci_attach bluetooth_efs_file:file r_file_perms;
|
||||
r_dir_file(hci_attach, bluetooth_prop)
|
||||
|
||||
|
|
|
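Review bot: `r_dir_file(hci_attach, bluetooth_prop)` (L990) reads a property through a generic file-access macro; the conventional form for property types is `get_prop(hci_attach, bluetooth_prop)`, which is defined for exactly this purpose and tells a reader this is property access rather than a directory of files. `r_dir_file(mediacodec, camera_prop)` at L1156 has the same shape. The `r_dir_file` form additionally grants `dir` permissions that no property lookup uses.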
@ -0,0 +1 @@
|
|||
allow healthd sysfs:file rw_file_perms;
|
|
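Review bot: `allow healthd sysfs:file rw_file_perms;` (L1001) grants read and write on every sysfs node that still carries the default `sysfs` label, which is most of /sys, rather than the node healthd actually needs. The same generic write appears for init (`allow init sysfs:file { rw_file_perms setattr };`, L1054), mpdecision (L1240), rmt (L1375) and thermald (L1777); the mpdecision and thermald hunks at least record in their long comment (L1219-L1237, L1756-L1774) that it is a workaround for cpufreq files that lose their label, but for healthd and rmt no path is named at all. A comment such as `# TODO: label <sysfs path> via genfscon and narrow this rule to that type` beside each of these rules would keep the workaround visible, and the genfs_contexts additions in this commit show the mechanism for closing it.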
@ -1,3 +1,3 @@
|
|||
# Reading from /persist/wifi/.macaddr
|
||||
#allow hostapd persist_file:dir r_dir_perms;
|
||||
#r_dir_file(hostapd, persist_wifi_file)
|
||||
allow hostapd persist_file:dir r_dir_perms;
|
||||
r_dir_file(hostapd, persist_wifi_file)
|
||||
|
|
|
@ -13,3 +13,4 @@ set_prop(init-qcom-devstart-sh, system_prop)
|
|||
|
||||
# Set boot_adsp and boot_slpi to 1
|
||||
allow init-qcom-devstart-sh sysfs_audio:file w_file_perms;
|
||||
allow init-qcom-devstart-sh sysfs_boot_adsp:file w_file_perms;
|
||||
|
|
|
@ -1,2 +1,24 @@
|
|||
allow init diag_device:chr_file unlink;
|
||||
allow init tmpfs:lnk_file create_file_perms;
|
||||
allow init sysfs_mmc_host:file rw_file_perms;
|
||||
allow init sysfs:file { rw_file_perms setattr };
|
||||
|
||||
# Symlink /sdcard to backing block
|
||||
allow init tmpfs:lnk_file create;
|
||||
|
||||
allow init {
|
||||
sysfs_devices_system_cpu
|
||||
sysfs_livedisplay_tuneable
|
||||
sysfs_mpdecision
|
||||
sysfs_msm_subsys
|
||||
sysfs_net
|
||||
}:file w_file_perms;
|
||||
|
||||
allow init {
|
||||
proc_slabinfo
|
||||
sysfs_graphics
|
||||
sysfs_msm_subsys
|
||||
sysfs_rmnet
|
||||
sysfs_surfaceflinger
|
||||
sysfs_usb
|
||||
sysfs_wlan_fwpath
|
||||
}:file setattr;
|
||||
|
|
|
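Review bot: `allow init tmpfs:lnk_file create_file_perms;` (L1048) already includes `create`, so `allow init tmpfs:lnk_file create;` (L1062) is redundant if both rules are on the new side. The narrower rule is the one that carries a justification (`# Symlink /sdcard to backing block`), so it is the one to keep and the broader `create_file_perms` grant the one to drop. If instead the broad rule is the one being removed, nothing further is needed.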
@ -1,8 +1,2 @@
|
|||
# irsc_util (used to configure IPC Router with security rules for QMI services)
|
||||
type irsc_util, domain, device_domain_deprecated;
|
||||
type irsc_util_exec, exec_type, file_type;
|
||||
|
||||
init_daemon_domain(irsc_util)
|
||||
|
||||
allow irsc_util self:socket create_socket_perms;
|
||||
allowxperm irsc_util self:socket ioctl msm_sock_ipc_ioctls;
|
||||
|
|
|
@ -1,2 +1,2 @@
|
|||
allow mediacodec audio_device:chr_file rw_file_perms;
|
||||
|
||||
r_dir_file(mediacodec, camera_prop)
|
||||
|
|
|
@ -1,13 +1,6 @@
|
|||
# CPU governor (root process)
|
||||
type mpdecision, domain, device_domain_deprecated;
|
||||
type mpdecision_exec, exec_type, file_type;
|
||||
|
||||
# DAC overrides
|
||||
#allow mpdecision self:capability dac_override;
|
||||
#auditallow mpdecision self:capability dac_override;
|
||||
|
||||
# Started by init
|
||||
init_daemon_domain(mpdecision)
|
||||
allow mpdecision self:capability dac_override;
|
||||
auditallow mpdecision self:capability dac_override;
|
||||
|
||||
# CPU hotplug uevent to manage cores
|
||||
allow mpdecision self:netlink_kobject_uevent_socket { create setopt bind read };
|
||||
|
@ -29,13 +22,6 @@ allow mpdecision sysfs_devices_system_cpu:file rw_file_perms;
|
|||
allow mpdecision sysfs_mpdecision:dir r_dir_perms;
|
||||
allow mpdecision sysfs_mpdecision:file rw_file_perms;
|
||||
|
||||
# Some files in /sys/devices/system/cpu may pop in and out of existance,
|
||||
# defeating our attempt to label them. As a result, they could have the
|
||||
# sysfs label, not the sysfs_devices_system_cpu label.
|
||||
# Allow write access for now until we figure out a better solution.
|
||||
# For example, the following files pop in and out of existance:
|
||||
# /sys/devices/system/cpu/cpu1/cpufreq/cpuinfo_min_freq
|
||||
# /sys/devices/system/cpu/cpu1/cpufreq/scaling_min_freq
|
||||
allow mpdecision sysfs:file write;
|
||||
|
||||
# This is needed to allow mpdecision to look at system_server's
|
||||
|
|
|
@ -1,10 +1,3 @@
|
|||
# Network utilities (radio process)
|
||||
type netmgrd, domain, device_domain_deprecated;
|
||||
type netmgrd_exec, exec_type, file_type;
|
||||
|
||||
# Started by init
|
||||
init_daemon_domain(netmgrd)
|
||||
|
||||
# Starts as (root,radio) changes to (radio,radio)
|
||||
allow netmgrd self:capability { setuid setgid net_admin net_raw };
|
||||
|
||||
|
|
|
@ -1,2 +1,4 @@
|
|||
allow priv_app device:dir r_dir_perms;
|
||||
allowxperm priv_app self:udp_socket ioctl { SIOCGIWESSID };
|
||||
dontaudit priv_app proc_interrupts:file { open read };
|
||||
dontaudit priv_app sysfs_android_usb:file open;
|
||||
|
|
|
@ -1,2 +1 @@
|
|||
ctl.rmt_storage u:object_r:ctl_rmt_prop:s0
|
||||
ctl.mpdecision u:object_r:ctl_mpdecision:s0
|
||||
|
|
|
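Review bot: `ctl.mpdecision u:object_r:ctl_mpdecision:s0` (L1308) uses a type name without the `_prop` suffix that every other property type in this commit carries (`ctl_rmt_prop` on L1305, `camera_prop`, `bluetooth_prop`). The type also has to be declared as a property type in property.te, which is not part of the commit as shown; if it is not declared elsewhere, the build's context check will reject this entry. Whichever domain is meant to start or stop mpdecision through `ctl.mpdecision` needs a matching `set_prop(<domain>, ctl_mpdecision)` rule, and those three pieces should land together.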
@ -14,6 +14,7 @@ allow rmt block_device:dir r_dir_perms;
|
|||
|
||||
# Allow reads/writes to modem related block devices
|
||||
allow rmt modem_block_device:blk_file rw_file_perms;
|
||||
allow rmt smem_log_device:chr_file rw_file_perms;
|
||||
|
||||
# Allow shared memory logging access
|
||||
allow rmt shared_log_device:chr_file rw_file_perms;
|
||||
|
@ -28,9 +29,15 @@ wakelock_use(rmt)
|
|||
# Allow access to /dev/uio0.
|
||||
allow rmt uio_device:chr_file rw_file_perms;
|
||||
|
||||
allow rmt smem_log_device:chr_file rw_file_perms;
|
||||
allow rmt sysfs_uio:dir r_dir_perms;
|
||||
|
||||
allow rmt modem_efs_partition_device:blk_file rw_file_perms;
|
||||
allow rmt ssd_device:blk_file rw_file_perms;
|
||||
|
||||
# rmt_storage shuts itself down if there is an unknown value of ro.baseband
|
||||
set_prop(rmt, ctl_rmt_prop)
|
||||
|
||||
# Access to sysfs
|
||||
allow rmt sysfs:file { open append read getattr write };
|
||||
#allow rmt sysfs:dir rw_dir_perms;
|
||||
r_dir_file(rmt, sysfs_rmt_storage)
|
||||
r_dir_file(rmt, sysfs_uio)
|
||||
|
|
|
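Review bot: `allow rmt smem_log_device:chr_file rw_file_perms;` appears twice (L1325, L1348) alongside `allow rmt shared_log_device:chr_file rw_file_perms;` (L1333), and this commit labels `/dev/smem_log` as `shared_log_device` (L596). If these rules are all on the new side, the two `smem_log_device` rules are dead once the node is relabelled and one of them is a plain duplicate in any case; the rule under `# Allow shared memory logging access` is the one to keep. `allow rmt sysfs_uio:dir r_dir_perms;` (L1351) is likewise subsumed by `r_dir_file(rmt, sysfs_uio)` (L1384).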
@ -1,31 +1,14 @@
|
|||
# Integrated qualcomm sensor process
|
||||
type sensors, domain, device_domain_deprecated;
|
||||
type sensors_exec, exec_type, file_type;
|
||||
|
||||
# Started by init
|
||||
init_daemon_domain(sensors)
|
||||
|
||||
# Change own perms to (nobody,nobody)
|
||||
allow sensors self:capability { setuid setgid };
|
||||
# Chown /data/misc/sensors/debug/ to nobody
|
||||
allow sensors self:capability chown;
|
||||
dontaudit sensors self:capability fsetid;
|
||||
|
||||
# Access /data/misc/sensors/debug and /data/system/sensors/settings
|
||||
#allow sensors self:capability { dac_read_search dac_override };
|
||||
|
||||
# Create /data/app/sensor_ctl_socket (Might want to change location).
|
||||
type_transition sensors apk_data_file:sock_file sensors_socket "sensor_ctl_socket";
|
||||
# Create /dev/socket/sensors/ctl
|
||||
allow sensors sensors_socket:dir w_dir_perms;
|
||||
allow sensors sensors_socket:sock_file create_file_perms;
|
||||
# Trying to be restrictive with perms on apk_data_file
|
||||
allow sensors apk_data_file:dir { add_name write };
|
||||
# Socket can be deleted. So might have to keep in order to work.
|
||||
allow sensors apk_data_file:dir remove_name;
|
||||
|
||||
# Create directories and files under /data/misc/sensors
|
||||
# and /data/system/sensors. Allow generic r/w file access.
|
||||
allow sensors sensors_data_file:dir create_dir_perms;
|
||||
allow sensors sensors_data_file:file create_file_perms;
|
||||
allow sensors sensors_vendor_data_file:dir create_dir_perms;
|
||||
allow sensors sensors_vendor_data_file:file create_file_perms;
|
||||
|
||||
# Access sensor nodes (/dev/msm_dsps)
|
||||
allow sensors sensors_device:chr_file rw_file_perms;
|
||||
|
@ -41,4 +24,5 @@ allow sensors persist_sensors_file:file rw_file_perms;
|
|||
# Wake lock access
|
||||
wakelock_use(sensors)
|
||||
|
||||
allow sensors cgroup:dir { create add_name };
|
||||
allow sensors sysfs_soc:dir r_dir_perms;
|
||||
allow sensors sysfs_soc:file r_file_perms;
|
||||
|
|
|
@ -1 +1,3 @@
|
|||
allow surfaceflinger sysfs_surfaceflinger:file rw_file_perms;
|
||||
allow surfaceflinger sysfs_soc:dir r_dir_perms;
|
||||
allow surfaceflinger sysfs_soc:file r_file_perms;
|
||||
|
|
|
@ -7,6 +7,10 @@ unix_socket_connect(system_server, sensors, sensors)
|
|||
unix_socket_send(system_server, sensors, sensors)
|
||||
allow system_server sensors:unix_stream_socket sendto;
|
||||
allow system_server sensors_socket:sock_file r_file_perms;
|
||||
allow system_server sensors_socket:dir r_dir_perms;
|
||||
|
||||
allow system_server persist_file:dir r_dir_perms;
|
||||
allow system_server sensors_device:chr_file rw_file_perms;
|
||||
|
||||
# mpdecision socket access
|
||||
unix_socket_connect(system_server, mpdecision, mpdecision)
|
||||
|
@ -14,13 +18,13 @@ unix_socket_send(system_server, mpdecision, mpdecision)
|
|||
allow system_server mpdecision:unix_stream_socket sendto;
|
||||
allow system_server mpdecision_socket:dir search;
|
||||
|
||||
# Read /data/misc/sensors or /data/system/sensors.
|
||||
allow system_server sensors_data_file:dir r_dir_perms;
|
||||
allow system_server sensors_data_file:file r_file_perms;
|
||||
|
||||
allow system_server persist_file:dir r_dir_perms;
|
||||
allow system_server sensors_device:chr_file rw_file_perms;
|
||||
|
||||
# use MSM ipc router ioctls
|
||||
allow system_server self:socket ioctl;
|
||||
allowxperm system_server self:socket ioctl msm_sock_ipc_ioctls;
|
||||
|
||||
allow system_server sensors_data_file:dir search;
|
||||
allow system_server sensors_data_file:dir r_file_perms;
|
||||
|
||||
allow system_server sensors_socket:sock_file getattr;
|
||||
|
||||
allow system_server thermal_service:service_manager find;
|
||||
|
|
|
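Review bot: `allow system_server sensors_data_file:dir r_file_perms;` (L1607) applies a file permission set to a `dir` object; it reads as a typo for `r_dir_perms`, and in any case `allow system_server sensors_data_file:dir r_dir_perms;` (L1577) already covers it together with the `search` rule at L1604, so both later rules can go. The persist_file and sensors_device rules appear in both hunks (L1548/L1551 and L1585/L1588); if this is a move rather than a duplication it is fine, otherwise one copy should be removed. `allow system_server self:socket ioctl;` with the `msm_sock_ipc_ioctls` allowxperm (L1596, L1599) gives a core domain raw generic-socket access; a comment naming the system_server component that talks to the IPC router would justify keeping it, e.g. `# <component> uses the MSM IPC router for <purpose>`.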
@ -1,13 +0,0 @@
|
|||
#####################################
|
||||
# qmux_socket(clientdomain)
|
||||
# Allow client domain to connecto and send
|
||||
# via a local socket to the qmux domain.
|
||||
# Also allow the client domain to remove
|
||||
# its own socket.
|
||||
define(`qmux_socket', `
|
||||
type $1_qmuxd_socket, file_type;
|
||||
file_type_auto_trans($1, qmuxd_socket, $1_qmuxd_socket)
|
||||
allow $1 qmuxd_socket:dir remove_name;
|
||||
unix_socket_connect($1, qmuxd, qmux)
|
||||
allow qmux $1_qmuxd_socket:sock_file { getattr unlink };
|
||||
')
|
|
@ -1,39 +1,47 @@
|
|||
# Temperature sensor daemon (root process)
|
||||
type thermald, domain, device_domain_deprecated;
|
||||
type thermald, domain;
|
||||
type thermald_exec, exec_type, file_type;
|
||||
|
||||
# Started by init
|
||||
init_daemon_domain(thermald)
|
||||
|
||||
# DAC overrides
|
||||
#allow thermald self:capability dac_override;
|
||||
#auditallow thermald self:capability dac_override;
|
||||
|
||||
allow thermald self:socket create_socket_perms;
|
||||
allowxperm thermald self:socket ioctl msm_sock_ipc_ioctls;
|
||||
|
||||
# CPU hotplug uevent
|
||||
allow thermald self:netlink_kobject_uevent_socket { create setopt bind read };
|
||||
allow thermald self:netlink_kobject_uevent_socket { create getopt setopt bind read };
|
||||
allow thermald self:capability net_admin;
|
||||
|
||||
# Talk to qmuxd (/dev/socket/qmux_radio)
|
||||
qmux_socket(thermald)
|
||||
|
||||
# Access shared logger (/dev/smem_log)
|
||||
allow thermald shared_log_device:chr_file rw_file_perms;
|
||||
allow thermald smem_log_device:chr_file rw_file_perms;
|
||||
|
||||
# Access /sys/devices/system/cpu/
|
||||
allow thermald sysfs_devices_system_cpu:file rw_file_perms;
|
||||
# Allow writing in /sys/devices/system/cpu
|
||||
allow thermald sysfs_devices_system_cpu:file w_file_perms;
|
||||
|
||||
# Some files in /sys/devices/system/cpu may pop in and out of existance,
|
||||
# defeating our attempt to label them. As a result, they could have the
|
||||
# sysfs label, not the sysfs_devices_system_cpu label.
|
||||
# Allow write access for now until we figure out a better solution.
|
||||
# For example, the following files pop in and out of existance:
|
||||
# /sys/devices/system/cpu/cpu1/cpufreq/cpuinfo_min_freq
|
||||
# /sys/devices/system/cpu/cpu1/cpufreq/scaling_min_freq
|
||||
allow thermald sysfs:file write;
|
||||
# Access leds
|
||||
allow thermald sysfs_leds:file rw_file_perms;
|
||||
allow thermald sysfs_leds:dir r_dir_perms;
|
||||
|
||||
# Allow accessing thermal related sysfs nodes
|
||||
allow thermald sysfs_thermal:file rw_file_perms;
|
||||
allow thermald sysfs_thermal:dir r_dir_perms;
|
||||
|
||||
# Read the /sys/devices/virtual folder
|
||||
allow thermald sysfs:dir r_dir_perms;
|
||||
allow thermald sysfs:file r_file_perms;
|
||||
|
||||
# Access graphics related sysfs nodes
|
||||
allow thermald sysfs_graphics:file rw_file_perms;
|
||||
|
||||
# Access /sys/devices/system/soc/soc0
|
||||
r_dir_file(thermald, sysfs_socinfo)
|
||||
|
||||
# Connect to mpdecision.
|
||||
allow thermald mpdecision_socket:dir r_dir_perms;
|
||||
unix_socket_connect(thermald, mpdecision, mpdecision)
|
||||
|
||||
allow thermald sysfs_soc:dir r_dir_perms;
|
||||
allow thermald sysfs_soc:file r_file_perms;
|
||||
|
|
|
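Review bot: `type thermald, domain, device_domain_deprecated;` (L1671) and `type thermald, domain;` (L1674) cannot both be on the new side, nor can the two `netlink_kobject_uevent_socket` rules at L1712 and L1715 where the second is a superset of the first; assuming the first of each pair is the removed line, the surviving rules are consistent. `r_dir_file(thermald, sysfs_socinfo)` (L1824) refers to a type not declared in the file.te hunk shown, while the `sysfs_soc` rules at L1840 and L1843 cover the same `/sys/devices/system/soc/soc0` path per the genfscon entry at L822; if `sysfs_socinfo` is not provided by core or the included legacy policy, the build fails on that name, and if it is, the two labels for one path should be reconciled. The `# Access /sys/devices/system/soc/soc0` comment should stay attached to whichever rule survives.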
@ -1,2 +1,3 @@
|
|||
allow ueventd { radio_efs_file wifi_data_file }:dir search;
|
||||
allow ueventd { radio_efs_file wifi_data_file }:file r_file_perms;
|
||||
allow ueventd self:capability sys_nice;
|
||||
|
|