-rw-r--r-- | sepolicy/device.te | 2 | ||||
-rw-r--r-- | sepolicy/file_contexts | 9 | ||||
-rw-r--r-- | sepolicy/init.te | 3 | ||||
-rw-r--r-- | sepolicy/lad_dra7xx.te | 4 | ||||
-rw-r--r-- | sepolicy/mediaserver.te | 8 | ||||
-rw-r--r-- | sepolicy/netd.te | 4 | ||||
-rw-r--r-- | sepolicy/vis.te | 20 |
7 files changed, 50 insertions, 0 deletions
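diff --git a/sepolicy/device.te b/sepolicy/device.te
index 9af3309..db470f0 100644
--- a/sepolicy/device.te
+++ b/sepolicy/device.te
@@ -2,3 +2,5 @@ type bluetooth_control, dev_type;
 type rtc, dev_type;
 type hwspinlock_dev, dev_type;
 type uio_dev, dev_type;
+type cmem_dev, dev_type;
+type i2c_dev, dev_type;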
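diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index 68f966c..dc20edc 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -33,6 +33,15 @@
 /dev/hwspinlock u:object_r:hwspinlock_dev:s0
 /dev/uio0 u:object_r:uio_dev:s0
 
+#VIS (RadioApp)
+/system/bin/RadioApp u:object_r:vis_exec:s0
+
+#I2C
+/dev/i2c-[0-9]+ u:object_r:i2c_dev:s0
+
+#CMEM
+/dev/cmem u:object_r:cmem_dev:s0
+
 #Block devices
 /dev/block/platform/44000000.ocp/480b4000.mmc/by-name/system u:object_r:system_block_device:s0
 /dev/block/platform/44000000.ocp/480b4000.mmc/by-name/recovery u:object_r:recovery_block_device:s0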
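Review bot: `/dev/i2c-[0-9]+ u:object_r:i2c_dev:s0` gives every I2C bus node the same label, so the single `i2c_dev` type, and any domain granted rw on it, covers all buses on the board rather than only the one carrying the audio codec. If the codec sits on one known bus, labelling just that node (for example `/dev/i2c-2 u:object_r:i2c_dev:s0`) or giving the codec bus its own type keeps the other buses under the default device label. The bus number is not visible from this diff, so the exact pattern needs confirming against the board's device tree.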
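diff --git a/sepolicy/init.te b/sepolicy/init.te
index 7ff72db..c96b477 100644
--- a/sepolicy/init.te
+++ b/sepolicy/init.te
@@ -6,3 +6,6 @@ allow init tmpfs:lnk_file create_file_perms;
 # /config
 allow init configfs:dir create_dir_perms;
 allow init configfs:{ file lnk_file } create_file_perms;
+
+# Allow module insertion
+allow init system_file:system module_load;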
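Review bot: `allow init system_file:system module_load;` lets init load any file labelled system_file as a kernel module, which is essentially every file under /system rather than only the shipped .ko files. A tighter policy gives the modules directory its own file type in file_contexts and allows `module_load` on that type alone, so a stray or tampered file elsewhere in /system can never be insmod'ed. Loading also requires CAP_SYS_MODULE (`allow init self:capability sys_module;`), which is not in this hunk and is presumably inherited from the base policy; worth confirming rather than assuming.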
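diff --git a/sepolicy/lad_dra7xx.te b/sepolicy/lad_dra7xx.te
index a5ea3a4..ff95009 100644
--- a/sepolicy/lad_dra7xx.te
+++ b/sepolicy/lad_dra7xx.te
@@ -15,3 +15,7 @@ allow lad_dra7xx self:socket { create_socket_perms };
 allow lad_dra7xx hwspinlock_dev:chr_file { rw_file_perms };
 allow lad_dra7xx uio_dev:chr_file { rw_file_perms };
 allow lad_dra7xx sysfs:file { r_file_perms };
+
+# Allow signull operation from known client processes
+allow lad_dra7xx mediaserver:process signull;
+allow lad_dra7xx vis:process signull;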
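diff --git a/sepolicy/mediaserver.te b/sepolicy/mediaserver.te
index 2e9e366..9e69353 100644
--- a/sepolicy/mediaserver.te
+++ b/sepolicy/mediaserver.te
@@ -2,3 +2,11 @@ allow mediaserver system_server:unix_stream_socket { read write };
 
 #Camera
 allow mediaserver device:dir { read open };
+
+#APPE
+allow mediaserver lad_data_file:fifo_file { create_file_perms };
+allow mediaserver hwspinlock_dev:chr_file { rw_file_perms };
+allow mediaserver cmem_dev:chr_file { rw_file_perms };
+allow mediaserver self:socket { create_socket_perms };
+allow mediaserver self:tcp_socket { create_stream_socket_perms };
+allow mediaserver ctl_default_prop:property_service set;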
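Review bot: `allow mediaserver ctl_default_prop:property_service set;` lets mediaserver set any `ctl.*` property that has no more specific label, i.e. start or stop arbitrary init services, which is a great deal of leverage for a process that parses untrusted media. If APPE only needs to control one service, give that control property its own label in property_contexts (an entry of the form `ctl.<service> u:object_r:ctl_<service>_prop:s0`) and allow `set` on that type only. Separately, `lad_data_file:fifo_file { create_file_perms }` only works if mediaserver can also `add_name`/`write` the containing lad_data_file directory, which is not granted in this hunk unless it exists elsewhere in the policy.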
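diff --git a/sepolicy/netd.te b/sepolicy/netd.te
index 6c8303c..143cc61 100644
--- a/sepolicy/netd.te
+++ b/sepolicy/netd.te
@@ -2,3 +2,7 @@
 # Ignore them
 dontaudit netd self:capability sys_module;
 dontaudit netd kernel:system module_request;
+
+# VIS
+allow netd vis:fd use;
+allow netd vis:tcp_socket { rw_socket_perms };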
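Review bot: `allow netd vis:fd use;` and `allow netd vis:tcp_socket { rw_socket_perms };` hand-write what netd's base policy already grants for every domain carrying the netdomain attribute. If vis is declared with `net_domain(vis)` in vis.te these two rules become redundant and can be dropped, keeping netd.te free of per-client exceptions. If net_domain is being avoided on purpose, a comment here saying why would stop the next reader from removing the rules.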
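diff --git a/sepolicy/vis.te b/sepolicy/vis.te
new file mode 100644
index 0000000..d8cbb7a
--- /dev/null
+++ b/sepolicy/vis.te
@@ -0,0 +1,20 @@
+type vis, domain;
+type vis_exec, exec_type, file_type;
+
+# Started by init
+init_daemon_domain(vis)
+
+# Allow access to IPC related resources
+allow vis devpts:chr_file { read write ioctl getattr };
+allow vis fwmarkd_socket:sock_file write;
+allow vis self:socket { create_socket_perms };
+allow vis self:tcp_socket { create_stream_socket_perms };
+allow vis netd:unix_stream_socket connectto;
+allow vis node:tcp_socket node_bind;
+allow vis port:tcp_socket name_bind;
+allow vis lad_data_file:fifo_file { rw_file_perms };
+allow vis cmem_dev:chr_file { rw_file_perms };
+allow vis hwspinlock_dev:chr_file { rw_file_perms };
+
+# Allow access to I2C for audio codec configuration
+allow vis i2c_dev:chr_file { rw_file_perms };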
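Review bot: `allow vis node:tcp_socket node_bind;` together with `allow vis port:tcp_socket name_bind;` lets the RadioApp daemon listen on any TCP port, and nothing in the file says which port it uses or whether the listener is meant to be reachable from outside the device; a comment naming the port, and a dedicated port type if the policy uses portcon entries, would make the exposure reviewable. The fwmarkd_socket, netd connectto, self tcp_socket and node_bind rules appear to be exactly what the `net_domain()` macro provides, so `net_domain(vis)` would replace most of lines 9–14 and keep vis consistent with other network-using domains. `allow vis devpts:chr_file { read write ioctl getattr };` is also unexplained for a radio daemon: if it only serves a debug console it should be dropped from the production policy, otherwise the comment above it should say what it is for.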