android_device_asus_flo

Commit Graph

Author	SHA1	Message	Date
Mekala Natarajan	6540eb3473	tee.te: set persist_data_path permission DRM needs rw permission to access /persist/data/ Bug: 15989260 Change-Id: I4af212551c8a0db8491ab161d41e24a7d7a3f688	2014-08-08 11:53:10 -07:00
Robert Craig	df2aa61a2d	SELinux policy updates. * Make gpu_device a trusted object since all apps can write to the device. denied { write } for pid=3460 comm="ense_free.menus" name="kgsl-3d0" dev="tmpfs" ino=7606 scontext=u:r:untrusted_app:s0:c92,c256 tcontext=u:object_r:gpu_device:s0 tclass=chr_file * Drop dead type mpdecision_device. * Create policy for mm-pp-daemon and keep it permissive. Address the following initial denials. denied { write } for pid=220 comm="mm-pp-daemon" name="property_service" dev="tmpfs" ino=7289 scontext=u:r:ppd:s0 tcontext=u:object_r:property_socket:s0 tclass=sock_file denied { connectto } for pid=220 comm="mm-pp-daemon" path="/dev/socket/property_service" scontext=u:r:ppd:s0 tcontext=u:r:init:s0 tclass=unix_stream_socket denied { read write } for pid=220 comm="mm-pp-daemon" name="fb0" dev="tmpfs" ino=8523 scontext=u:r:ppd:s0 tcontext=u:object_r:graphics_device:s0 tclass=chr_file denied { open } for pid=220 comm="mm-pp-daemon" name="fb0" dev="tmpfs" ino=8523 scontext=u:r:ppd:s0 tcontext=u:object_r:graphics_device:s0 tclass=chr_file denied { ioctl } for pid=220 comm="mm-pp-daemon" path="/dev/graphics/fb0" dev="tmpfs" ino=8523 scontext=u:r:ppd:s0 tcontext=u:object_r:graphics_device:s0 tclass=chr_file * Add kickstart_exec labels for kickstart binaries that are used by deb devices. * Add tee policy. Label /data/misc/playready and allow tee access. denied { write } for pid=259 comm="qseecomd" name="misc" dev="mmcblk0p30" ino=635233 scontext=u:r:tee:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir denied { read } for pid=232 comm="qseecomd" name="/" dev="mmcblk0p30" ino=2 scontext=u:r:tee:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir denied { create } for pid=306 comm="qseecomd" name="playready" scontext=u:r:tee:s0 tcontext=u:object_r:drm_data_file:s0 tclass=dir denied { search } for pid=282 comm="qseecomd" name="playready" dev="mmcblk0p30" ino=635262 scontext=u:r:tee:s0 tcontext=u:object_r:drm_data_file:s0 tclass=dir denied { read } for pid=282 comm="qseecomd" name="playready" dev="mmcblk0p30" ino=635262 scontext=u:r:tee:s0 tcontext=u:object_r:drm_data_file:s0 tclass=dir denied { write } for pid=265 comm="qseecomd" name="playready" dev="mmcblk0p30" ino=635262 scontext=u:r:tee:s0 tcontext=u:object_r:drm_data_file:s0 tclass=dir denied { create } for pid=252 comm="qseecomd" name="tzdrm.log" scontext=u:r:tee:s0 tcontext=u:object_r:drm_data_file:s0 tclass=file denied { read write open } for pid=271 comm="qseecomd" name="tzdrm.log" dev="mmcblk0p30" ino=635264 scontext=u:r:tee:s0 tcontext=u:object_r:drm_data_file:s0 tclass=file * Give surfaceflinger access to /dev/socket/pps and allow access to certain sysfs nodes. denied { write } for pid=181 comm="surfaceflinger" name="pps" dev="tmpfs" ino=7958 scontext=u:r:surfaceflinger:s0 tcontext=u:object_r:ppd_socket:s0 tclass=sock_file denied { write } for pid=182 comm="surfaceflinger" name="hpd" dev="sysfs" ino=9639 scontext=u:r:surfaceflinger:s0 tcontext=u:object_r:sysfs:s0 tclass=file Change-Id: Ia7a5c63365593af7ac5adc207b27fad113b01dd3	2013-11-25 11:43:49 -05:00
Robert Craig	9d6624a0b5	Add to selinux policy. Bring policy over from the mako board which has a lot of similar domains and services. mako is also a Qualcomm board which allows a lot of that policy to be directly brought over and applied. Included in this are some radio specific pieces. Though not directly applicable to flo, the deb board inherits this policy. Change-Id: I6b294c7dc830189c08f1f981a239234a2c3f577f	2013-11-15 14:24:59 -05:00

Author

SHA1

Message

Date

Mekala Natarajan

6540eb3473

tee.te: set persist_data_path permission

DRM needs rw permission to access /persist/data/

Bug: 15989260
Change-Id: I4af212551c8a0db8491ab161d41e24a7d7a3f688

2014-08-08 11:53:10 -07:00

Robert Craig

df2aa61a2d

SELinux policy updates.

* Make gpu_device a trusted object since all apps can
  write to the device.
    denied  { write } for  pid=3460 comm="ense_free.menus" name="kgsl-3d0" dev="tmpfs" ino=7606 scontext=u:r:untrusted_app:s0:c92,c256 tcontext=u:object_r:gpu_device:s0 tclass=chr_file

* Drop dead type mpdecision_device.

* Create policy for mm-pp-daemon and keep it permissive.
  Address the following initial denials.
    denied  { write } for  pid=220 comm="mm-pp-daemon" name="property_service" dev="tmpfs" ino=7289 scontext=u:r:ppd:s0 tcontext=u:object_r:property_socket:s0 tclass=sock_file
    denied  { connectto } for  pid=220 comm="mm-pp-daemon" path="/dev/socket/property_service" scontext=u:r:ppd:s0 tcontext=u:r:init:s0 tclass=unix_stream_socket
    denied  { read write } for  pid=220 comm="mm-pp-daemon" name="fb0" dev="tmpfs" ino=8523 scontext=u:r:ppd:s0 tcontext=u:object_r:graphics_device:s0 tclass=chr_file
    denied  { open } for  pid=220 comm="mm-pp-daemon" name="fb0" dev="tmpfs" ino=8523 scontext=u:r:ppd:s0 tcontext=u:object_r:graphics_device:s0 tclass=chr_file
    denied  { ioctl } for  pid=220 comm="mm-pp-daemon" path="/dev/graphics/fb0" dev="tmpfs" ino=8523 scontext=u:r:ppd:s0 tcontext=u:object_r:graphics_device:s0 tclass=chr_file

* Add kickstart_exec labels for kickstart binaries
  that are used by deb devices.

* Add tee policy. Label /data/misc/playready and
  allow tee access.
    denied  { write } for  pid=259 comm="qseecomd" name="misc" dev="mmcblk0p30" ino=635233 scontext=u:r:tee:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir
    denied  { read } for  pid=232 comm="qseecomd" name="/" dev="mmcblk0p30" ino=2 scontext=u:r:tee:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir
    denied  { create } for  pid=306 comm="qseecomd" name="playready" scontext=u:r:tee:s0 tcontext=u:object_r:drm_data_file:s0 tclass=dir
    denied  { search } for  pid=282 comm="qseecomd" name="playready" dev="mmcblk0p30" ino=635262 scontext=u:r:tee:s0 tcontext=u:object_r:drm_data_file:s0 tclass=dir
    denied  { read } for  pid=282 comm="qseecomd" name="playready" dev="mmcblk0p30" ino=635262 scontext=u:r:tee:s0 tcontext=u:object_r:drm_data_file:s0 tclass=dir
    denied  { write } for  pid=265 comm="qseecomd" name="playready" dev="mmcblk0p30" ino=635262 scontext=u:r:tee:s0 tcontext=u:object_r:drm_data_file:s0 tclass=dir
    denied  { create } for  pid=252 comm="qseecomd" name="tzdrm.log" scontext=u:r:tee:s0 tcontext=u:object_r:drm_data_file:s0 tclass=file
    denied  { read write open } for  pid=271 comm="qseecomd" name="tzdrm.log" dev="mmcblk0p30" ino=635264 scontext=u:r:tee:s0 tcontext=u:object_r:drm_data_file:s0 tclass=file

* Give surfaceflinger access to /dev/socket/pps and allow
  access to certain sysfs nodes.
    denied  { write } for  pid=181 comm="surfaceflinger" name="pps" dev="tmpfs" ino=7958 scontext=u:r:surfaceflinger:s0 tcontext=u:object_r:ppd_socket:s0 tclass=sock_file
    denied  { write } for  pid=182 comm="surfaceflinger" name="hpd" dev="sysfs" ino=9639 scontext=u:r:surfaceflinger:s0 tcontext=u:object_r:sysfs:s0 tclass=file

Change-Id: Ia7a5c63365593af7ac5adc207b27fad113b01dd3

2013-11-25 11:43:49 -05:00

Robert Craig

9d6624a0b5

Add to selinux policy.

Bring policy over from the mako board which
has a lot of similar domains and services.
mako is also a Qualcomm board which allows
a lot of that policy to be directly brought
over and applied.

Included in this are some radio specific
pieces. Though not directly applicable to
flo, the deb board inherits this policy.

Change-Id: I6b294c7dc830189c08f1f981a239234a2c3f577f

2013-11-15 14:24:59 -05:00

3 Commits