flo: N sepolicy bringup

Change-Id: I23c887880addf2cfc208b36f1bfc5ee6fb53921a
2016-10-31 22:15:40 +11:00 · 2016-10-31 22:15:40 +11:00 · ab4c632c9d
parent ad64e126b1
commit ab4c632c9d
8 changed files with 16 additions and 3 deletions
--- a/init.flo.rc
+++ b/init.flo.rc
@ -362,7 +362,7 @@ service thermald /system/bin/thermald
 service mpdecision /system/bin/mpdecision --avg_comp
    class main
    user root
-    group root system
+    group root readproc system
    disabled

 service qcamerasvr /system/bin/mm-qcamera-daemon
--- a/sepolicy/camera.te
+++ b/sepolicy/camera.te
@ -8,7 +8,7 @@ init_daemon_domain(camera)
 # Interact with other media devices
 allow camera video_device:dir search;
 allow camera { gpu_device video_device }:chr_file rw_file_perms;
-allow camera { surfaceflinger mediaserver }:fd use;
+allow camera { surfaceflinger mediaserver cameraserver }:fd use;

 # Create front and back camera sockets (/data/cam_socket[12])
 type_transition camera system_data_file:sock_file camera_socket "cam_socket1";
--- a/sepolicy/cameraserver.te
+++ b/sepolicy/cameraserver.te
@ -0,0 +1,7 @@
+unix_socket_send(cameraserver, camera, camera);
+unix_socket_send(cameraserver, mpdecision, mpdecision);
+
+allow cameraserver sysfs:file r_file_perms;
+
+# for libmmjpeg
+allow cameraserver system_file:file execmod;
--- a/sepolicy/mediacodec.te
+++ b/sepolicy/mediacodec.te
@ -0,0 +1,2 @@
+allow mediacodec audio_device:chr_file rw_file_perms;
+
--- a/sepolicy/mpdecision.te
+++ b/sepolicy/mpdecision.te
@ -42,5 +42,6 @@ allow mpdecision sysfs:file write;
 # /proc/PID/status file.
 r_dir_file(mpdecision, system_server)
 r_dir_file(mpdecision, mediaserver)
+r_dir_file(mpdecision, cameraserver)

 allow mpdecision self:capability sys_nice;
--- a/sepolicy/priv_app.te
+++ b/sepolicy/priv_app.te
@ -0,0 +1 @@
+allow priv_app device:dir r_dir_perms;
--- a/sepolicy/rmt.te
+++ b/sepolicy/rmt.te
@ -6,7 +6,7 @@ type rmt_exec, exec_type, file_type;
 init_daemon_domain(rmt)

 # Drop (user, group) to (nobody, nobody)
-allow rmt self:capability { setuid setgid };
+allow rmt self:capability { setuid setgid dac_override };

 # opens and reads /dev/block/mmcblk0
 allow rmt root_block_device:blk_file r_file_perms;
--- a/sepolicy/system_server.te
+++ b/sepolicy/system_server.te
@ -17,3 +17,5 @@ allow system_server mpdecision_socket:dir search;
 # Read /data/misc/sensors or /data/system/sensors.
 allow system_server sensors_data_file:dir r_dir_perms;
 allow system_server sensors_data_file:file r_file_perms;
+
+allow system_server persist_file:dir r_dir_perms;
				`@ -0,0 +1,2 @@`
				`allow mediacodec audio_device:chr_file rw_file_perms;`