Robert Craig
df2aa61a2d
SELinux policy updates.
...
* Make gpu_device a trusted object since all apps can
write to the device.
denied { write } for pid=3460 comm="ense_free.menus" name="kgsl-3d0" dev="tmpfs" ino=7606 scontext=u:r:untrusted_app:s0:c92,c256 tcontext=u:object_r:gpu_device:s0 tclass=chr_file
* Drop dead type mpdecision_device.
* Create policy for mm-pp-daemon and keep it permissive.
Address the following initial denials.
denied { write } for pid=220 comm="mm-pp-daemon" name="property_service" dev="tmpfs" ino=7289 scontext=u:r:ppd:s0 tcontext=u:object_r:property_socket:s0 tclass=sock_file
denied { connectto } for pid=220 comm="mm-pp-daemon" path="/dev/socket/property_service" scontext=u:r:ppd:s0 tcontext=u:r:init:s0 tclass=unix_stream_socket
denied { read write } for pid=220 comm="mm-pp-daemon" name="fb0" dev="tmpfs" ino=8523 scontext=u:r:ppd:s0 tcontext=u:object_r:graphics_device:s0 tclass=chr_file
denied { open } for pid=220 comm="mm-pp-daemon" name="fb0" dev="tmpfs" ino=8523 scontext=u:r:ppd:s0 tcontext=u:object_r:graphics_device:s0 tclass=chr_file
denied { ioctl } for pid=220 comm="mm-pp-daemon" path="/dev/graphics/fb0" dev="tmpfs" ino=8523 scontext=u:r:ppd:s0 tcontext=u:object_r:graphics_device:s0 tclass=chr_file
* Add kickstart_exec labels for kickstart binaries
that are used by deb devices.
* Add tee policy. Label /data/misc/playready and
allow tee access.
denied { write } for pid=259 comm="qseecomd" name="misc" dev="mmcblk0p30" ino=635233 scontext=u:r:tee:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir
denied { read } for pid=232 comm="qseecomd" name="/" dev="mmcblk0p30" ino=2 scontext=u:r:tee:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir
denied { create } for pid=306 comm="qseecomd" name="playready" scontext=u:r:tee:s0 tcontext=u:object_r:drm_data_file:s0 tclass=dir
denied { search } for pid=282 comm="qseecomd" name="playready" dev="mmcblk0p30" ino=635262 scontext=u:r:tee:s0 tcontext=u:object_r:drm_data_file:s0 tclass=dir
denied { read } for pid=282 comm="qseecomd" name="playready" dev="mmcblk0p30" ino=635262 scontext=u:r:tee:s0 tcontext=u:object_r:drm_data_file:s0 tclass=dir
denied { write } for pid=265 comm="qseecomd" name="playready" dev="mmcblk0p30" ino=635262 scontext=u:r:tee:s0 tcontext=u:object_r:drm_data_file:s0 tclass=dir
denied { create } for pid=252 comm="qseecomd" name="tzdrm.log" scontext=u:r:tee:s0 tcontext=u:object_r:drm_data_file:s0 tclass=file
denied { read write open } for pid=271 comm="qseecomd" name="tzdrm.log" dev="mmcblk0p30" ino=635264 scontext=u:r:tee:s0 tcontext=u:object_r:drm_data_file:s0 tclass=file
* Give surfaceflinger access to /dev/socket/pps and allow
access to certain sysfs nodes.
denied { write } for pid=181 comm="surfaceflinger" name="pps" dev="tmpfs" ino=7958 scontext=u:r:surfaceflinger:s0 tcontext=u:object_r:ppd_socket:s0 tclass=sock_file
denied { write } for pid=182 comm="surfaceflinger" name="hpd" dev="sysfs" ino=9639 scontext=u:r:surfaceflinger:s0 tcontext=u:object_r:sysfs:s0 tclass=file
Change-Id: Ia7a5c63365593af7ac5adc207b27fad113b01dd3
2013-11-25 11:43:49 -05:00
Robert Craig
9d6624a0b5
Add to selinux policy.
...
Bring policy over from the mako board which
has a lot of similar domains and services.
mako is also a Qualcomm board which allows
a lot of that policy to be directly brought
over and applied.
Included in this are some radio specific
pieces. Though not directly applicable to
flo, the deb board inherits this policy.
Change-Id: I6b294c7dc830189c08f1f981a239234a2c3f577f
2013-11-15 14:24:59 -05:00