authorMisael Lopez Cruz2016-11-30 14:37:36 -0600
committerPraneeth Bajjuri2017-01-17 18:57:44 -0600
commit458ac2f4f1c76f4ada2db7c58ac96de0dd7b6431 (patch)
tree72bf15f64b55bdaf43f168cda1ec3329c3b012ab
parente8dbef141fe94d12bab2079922f854ba4fe9eafd (diff)
downloaddevice-ti-am57xevm-458ac2f4f1c76f4ada2db7c58ac96de0dd7b6431.tar.gz
device-ti-am57xevm-458ac2f4f1c76f4ada2db7c58ac96de0dd7b6431.tar.xz
device-ti-am57xevm-458ac2f4f1c76f4ada2db7c58ac96de0dd7b6431.zip
jacinto6evm: sepolicy: Add rules for APPE
Add the initial version of the SELinux rules for the Audio Post-Processing Engine based audio. Change-Id: If7b940bdd05da75b0e26d53d9102936c5eb8f54e Signed-off-by: Misael Lopez Cruz <misael.lopez@ti.com>
-rw-r--r--sepolicy/device.te2
-rw-r--r--sepolicy/file_contexts9
-rw-r--r--sepolicy/init.te3
-rw-r--r--sepolicy/lad_dra7xx.te4
-rw-r--r--sepolicy/mediaserver.te8
-rw-r--r--sepolicy/netd.te4
-rw-r--r--sepolicy/vis.te20
7 files changed, 50 insertions, 0 deletions
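diff --git a/sepolicy/device.te b/sepolicy/device.te
index 9af3309..db470f0 100644
--- a/sepolicy/device.te
+++ b/sepolicy/device.te
@@ -2,3 +2,5 @@ type bluetooth_control, dev_type;
 type rtc, dev_type;
 type hwspinlock_dev, dev_type;
 type uio_dev, dev_type;
+type cmem_dev, dev_type;
+type i2c_dev, dev_type;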
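diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index 68f966c..dc20edc 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -33,6 +33,15 @@
 /dev/hwspinlock u:object_r:hwspinlock_dev:s0
 /dev/uio0 u:object_r:uio_dev:s0
 
+#VIS (RadioApp)
+/system/bin/RadioApp u:object_r:vis_exec:s0
+
+#I2C
+/dev/i2c-[0-9]+ u:object_r:i2c_dev:s0
+
+#CMEM
+/dev/cmem u:object_r:cmem_dev:s0
+
 #Block devices
 /dev/block/platform/44000000.ocp/480b4000.mmc/by-name/system u:object_r:system_block_device:s0
 /dev/block/platform/44000000.ocp/480b4000.mmc/by-name/recovery u:object_r:recovery_block_device:s0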
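Review bot: The `/dev/i2c-[0-9]+` entry puts every I2C bus under the single `i2c_dev` type, so the `allow vis i2c_dev:chr_file { rw_file_perms };` rule added in sepolicy/vis.te gives the daemon read/write/ioctl on all buses, not only the one that carries the audio codec. Which other devices sit on those buses is not visible on this page, but on boards of this kind they often include power-management or EEPROM parts. Labelling only the codec's bus with a dedicated type, for example `/dev/i2c-<CODEC_BUS> u:object_r:audio_i2c_dev:s0` (placeholder bus number and type name, with a matching `type audio_i2c_dev, dev_type;` in device.te), and granting vis that type would keep the remaining buses out of its reach.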
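diff --git a/sepolicy/init.te b/sepolicy/init.te
index 7ff72db..c96b477 100644
--- a/sepolicy/init.te
+++ b/sepolicy/init.te
@@ -6,3 +6,6 @@ allow init tmpfs:lnk_file create_file_perms;
 # /config
 allow init configfs:dir create_dir_perms;
 allow init configfs:{ file lnk_file } create_file_perms;
+
+# Allow module insertion
+allow init system_file:system module_load;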
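Review bot: `allow init system_file:system module_load;` lets init load a kernel module from any file carrying the generic `system_file` label, which is the default label for most of /system, and the comment does not say which modules are meant. Giving the module files their own type, e.g. `<MODULE_DIR>(/.*)? u:object_r:<MODULE_FILE_TYPE>:s0` in file_contexts (placeholders), and allowing `module_load` only on that type would tie the permission to the intended files. At minimum the comment should name the modules and the init.rc step that inserts them, something like `# insmod of <MODULE_NAME>.ko from init.<board>.rc`.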
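diff --git a/sepolicy/lad_dra7xx.te b/sepolicy/lad_dra7xx.te
index a5ea3a4..ff95009 100644
--- a/sepolicy/lad_dra7xx.te
+++ b/sepolicy/lad_dra7xx.te
@@ -15,3 +15,7 @@ allow lad_dra7xx self:socket { create_socket_perms };
 allow lad_dra7xx hwspinlock_dev:chr_file { rw_file_perms };
 allow lad_dra7xx uio_dev:chr_file { rw_file_perms };
 allow lad_dra7xx sysfs:file { r_file_perms };
+
+# Allow signull operation from known client processes
+allow lad_dra7xx mediaserver:process signull;
+allow lad_dra7xx vis:process signull;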
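diff --git a/sepolicy/mediaserver.te b/sepolicy/mediaserver.te
index 2e9e366..9e69353 100644
--- a/sepolicy/mediaserver.te
+++ b/sepolicy/mediaserver.te
@@ -2,3 +2,11 @@ allow mediaserver system_server:unix_stream_socket { read write };
 
 #Camera
 allow mediaserver device:dir { read open };
+
+#APPE
+allow mediaserver lad_data_file:fifo_file { create_file_perms };
+allow mediaserver hwspinlock_dev:chr_file { rw_file_perms };
+allow mediaserver cmem_dev:chr_file { rw_file_perms };
+allow mediaserver self:socket { create_socket_perms };
+allow mediaserver self:tcp_socket { create_stream_socket_perms };
+allow mediaserver ctl_default_prop:property_service set;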
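Review bot: `allow mediaserver ctl_default_prop:property_service set;` lets mediaserver set every `ctl.*` property that has no more specific label, so it can start or stop most init services, and mediaserver is the process that parses untrusted media. The `#APPE` comment does not say which service is being controlled. A dedicated property type for that one service would keep the other services out of reach: a property_contexts entry such as `ctl.<SERVICE_NAME> u:object_r:ctl_appe_prop:s0` (placeholder names), plus `allow mediaserver ctl_appe_prop:property_service set;`. The comment should also say why mediaserver needs `create_file_perms` on the `lad_data_file` FIFOs when vis gets only `rw_file_perms` on the same type.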
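diff --git a/sepolicy/netd.te b/sepolicy/netd.te
index 6c8303c..143cc61 100644
--- a/sepolicy/netd.te
+++ b/sepolicy/netd.te
@@ -2,3 +2,7 @@
 # Ignore them
 dontaudit netd self:capability sys_module;
 dontaudit netd kernel:system module_request;
+
+# VIS
+allow netd vis:fd use;
+allow netd vis:tcp_socket { rw_socket_perms };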
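Review bot: `allow netd vis:tcp_socket { rw_socket_perms };` grants netd more than socket marking needs, since `rw_socket_perms` also carries bind, connect and shutdown. These two rules look like the fwmark hand-off, where the client passes its socket to netd to be tagged (vis.te adds the matching `fwmarkd_socket` and `netd:unix_stream_socket connectto` rules). As far as I recall, the AOSP rule for netdomain clients uses a narrower set, so `allow netd vis:tcp_socket { read write getattr setattr getopt setopt };` should be enough. The `# VIS` comment would be more useful as `# Sockets passed by vis over fwmarkd for marking`.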
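diff --git a/sepolicy/vis.te b/sepolicy/vis.te
new file mode 100644
index 0000000..d8cbb7a
--- /dev/null
+++ b/sepolicy/vis.te
@@ -0,0 +1,20 @@
+type vis, domain;
+type vis_exec, exec_type, file_type;
+
+# Started by init
+init_daemon_domain(vis)
+
+# Allow access to IPC related resources
+allow vis devpts:chr_file { read write ioctl getattr };
+allow vis fwmarkd_socket:sock_file write;
+allow vis self:socket { create_socket_perms };
+allow vis self:tcp_socket { create_stream_socket_perms };
+allow vis netd:unix_stream_socket connectto;
+allow vis node:tcp_socket node_bind;
+allow vis port:tcp_socket name_bind;
+allow vis lad_data_file:fifo_file { rw_file_perms };
+allow vis cmem_dev:chr_file { rw_file_perms };
+allow vis hwspinlock_dev:chr_file { rw_file_perms };
+
+# Allow access to I2C for audio codec configuration
+allow vis i2c_dev:chr_file { rw_file_perms };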
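Review bot: The `node_bind` and `name_bind` rules make vis a TCP listener, and because they are written against the generic `node` and `port` types the policy cannot limit which address or port it binds. Combined with read/write on `cmem_dev`, `hwspinlock_dev` and `i2c_dev`, raw hardware nodes sit behind whatever vis accepts on that socket. The heading "Allow access to IPC related resources" hides this, so I would split the block and document the listener, e.g. `# TCP listener for <CLIENT>, loopback only, port <PORT>` (placeholders), and confirm in the daemon that it binds to loopback only. The `devpts:chr_file` rule looks like a leftover from running the binary from a shell rather than from init; please confirm an init-started service needs it, or drop it.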