Jaihind Yadav | 78f021f | 2019-01-25 15:44:50 +0530 | [diff] [blame^] | 1 | # Copyright (c) 2019, The Linux Foundation. All rights reserved. |
| 2 | # |
| 3 | # Redistribution and use in source and binary forms, with or without |
| 4 | # modification, are permitted provided that the following conditions are |
| 5 | # met: |
| 6 | # * Redistributions of source code must retain the above copyright |
| 7 | # notice, this list of conditions and the following disclaimer. |
| 8 | # * Redistributions in binary form must reproduce the above |
| 9 | # copyright notice, this list of conditions and the following |
| 10 | # disclaimer in the documentation and/or other materials provided |
| 11 | # with the distribution. |
| 12 | # * Neither the name of The Linux Foundation nor the names of its |
| 13 | # contributors may be used to endorse or promote products derived |
| 14 | # from this software without specific prior written permission. |
| 15 | # |
| 16 | # THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED |
| 17 | # WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF |
| 18 | # MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT |
| 19 | # ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS |
| 20 | # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR |
| 21 | # CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF |
| 22 | # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR |
| 23 | # BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, |
| 24 | # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE |
| 25 | # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN |
| 26 | # IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
| 27 | |
| 28 | typeattribute system_server system_writes_vendor_properties_violators; |
| 29 | allow system_server self:capability sys_module; |
| 30 | |
| 31 | # allow system_server to communicate with cnd process over cnd_socket |
| 32 | #unix_socket_connect(system_server, cnd, cnd) |
| 33 | |
| 34 | # Access to sensors socket |
| 35 | #unix_socket_connect(system_server, sensors, sensors) |
| 36 | #unix_socket_send(system_server, sensors, sensors) |
| 37 | #allow system_server sensors:unix_stream_socket sendto; |
| 38 | #allow system_server sensors_socket:sock_file r_file_perms; |
| 39 | #qmux_socket(system_server); |
| 40 | |
| 41 | allow system_server self:socket create_socket_perms; |
| 42 | allowxperm system_server self:socket ioctl msm_sock_ipc_ioctls; |
| 43 | allow system_server sysfs_sensors:dir search; |
| 44 | allow system_server sysfs_sensors:file rw_file_perms; |
| 45 | |
| 46 | allow system_server { |
| 47 | # For wifistatemachine |
| 48 | wbc_service |
| 49 | # Allow system_server to add digital pen system service |
| 50 | usf_service |
| 51 | #dpmservice |
| 52 | }:service_manager add; |
| 53 | |
| 54 | allow system_server qtitetherservice_service:service_manager find; |
| 55 | |
| 56 | #For ANT tty communication and to set wc_transport prop |
| 57 | allow system_server { |
| 58 | vendor_bluetooth_prop |
| 59 | usf_prop |
| 60 | }:property_service set; |
| 61 | |
| 62 | # required for ANT App to connectto wcnss_filter sockets |
| 63 | allow system_server bluetooth:unix_stream_socket connectto; |
| 64 | # access to iop |
| 65 | unix_socket_send(system_server, iop, dumpstate) |
| 66 | unix_socket_connect(system_server, iop, dumpstate) |
| 67 | |
| 68 | # allow system/framework applications to update the dpmd configuration files |
| 69 | #unix_socket_connect(system_server, dpmd, dpmd); |
| 70 | #allow system_server { dpmd_socket socket_device }:sock_file w_file_perms; |
| 71 | #allow system_server dpmd_data_file:dir create_dir_perms; |
| 72 | #allow system_server dpmd_data_file:file create_file_perms; |
| 73 | |
| 74 | # For location |
| 75 | binder_call(system_server, location); |
| 76 | type_transition system_server location_data_file:sock_file location_socket "location-mq-s"; |
| 77 | type_transition system_server location_data_file:sock_file location_socket "alarm_svc"; |
| 78 | #allow system_server location:unix_stream_socket connectto; |
| 79 | #allow system_server location_socket:sock_file create_file_perms; |
| 80 | |
| 81 | #For wifistatemachine |
| 82 | allow system_server kernel:key search; |
| 83 | allow system_server wlan_device:chr_file rw_file_perms; |
| 84 | set_prop(system_server, vendor_softap_prop) |
| 85 | get_prop(system_server, vendor_softap_prop) |
| 86 | |
| 87 | #For ssr |
| 88 | allow system_server ssr_device:chr_file r_file_perms; |
| 89 | |
| 90 | allow system_server { fuse }:dir search; |
| 91 | |
| 92 | allow system_server proc_audiod:file r_file_perms; |
| 93 | |
| 94 | allow system_server { |
| 95 | serial_device |
| 96 | smd_device |
| 97 | # graphics_device, audio_device, tee_device is for WFD |
| 98 | graphics_device |
| 99 | audio_device |
| 100 | tee_device |
| 101 | #allow access to power control ANT chip |
| 102 | bt_device |
| 103 | }:chr_file rw_file_perms; |
| 104 | |
| 105 | # Allow system server access to usf resources |
| 106 | allow system_server usf:process signal; |
| 107 | #allow system_server usf:unix_stream_socket connectto; |
| 108 | |
| 109 | get_prop(system_server, vendor_xlat_prop) |
| 110 | |
| 111 | # For WFD |
| 112 | allow system_server graphics_device:dir r_dir_perms; |
| 113 | userdebug_or_eng(` |
| 114 | get_prop(system_server, wfd_debug_prop) |
| 115 | ') |
| 116 | |
| 117 | #Allow access to netmgrd socket |
| 118 | #netmgr_socket(system_server); |
| 119 | # So init can manage our process |
| 120 | allow system_server RIDL:fd use; |
| 121 | allow system_server RIDL:fifo_file write; |
| 122 | |
| 123 | # So init can manage our process |
| 124 | allow system_server qti_logkit:fd use; |
| 125 | allow system_server qti_logkit:fifo_file write; |
| 126 | |
| 127 | #Rules for system server to talk to peripheral manager |
| 128 | get_prop(system_server, vendor_per_mgr_state_prop); |
| 129 | |
| 130 | # Allow system server access to qfp daemon |
| 131 | binder_call(system_server, qfp-daemon); |
| 132 | binder_call(system_server, fps_hal) |
| 133 | allow system_server iqfp_service:service_manager find; |
| 134 | |
| 135 | # For shutdown animation |
| 136 | allow system_server ctl_bootanim_prop:property_service set; |
| 137 | |
| 138 | # allow tethering to access dhcp leases |
| 139 | r_dir_file(system_server, dhcp_data_file) |
| 140 | |
| 141 | # Allow system server to access fst,wigig system properties |
| 142 | set_prop(system_server, fst_prop) |
| 143 | get_prop(system_server, fst_prop) |
| 144 | set_prop(system_server, wigig_prop) |
| 145 | |
| 146 | #allow access to fingerprintd data file |
| 147 | allow system_server fingerprintd_data_file:file { r_file_perms unlink }; |
| 148 | allow system_server fingerprintd_data_file:dir { rw_dir_perms rmdir }; |
| 149 | |
| 150 | #for Wifi module this is needed |
| 151 | allow system_server system_file:system module_load; |
| 152 | |
| 153 | userdebug_or_eng(` |
| 154 | diag_use(system_server) |
| 155 | ') |
| 156 | |
| 157 | # allow access to low persistence mode sysfs node |
| 158 | allow system_server sysfs_graphics:file rw_file_perms; |
| 159 | |
| 160 | # timerslack_ns |
| 161 | allow system_server { location_app system_app } :file write; |
| 162 | |
| 163 | #OpenGLES version |
| 164 | get_prop(system_server, vendor_opengles_prop) |
| 165 | #get_prop(system_server, qemu_hw_mainkeys_prop) |
| 166 | |
| 167 | get_prop(system_server, hwui_prop) |
| 168 | get_prop(system_server, bservice_prop) |
| 169 | get_prop(system_server, reschedule_service_prop) |
| 170 | allow system_server appdomain:file w_file_perms; |
| 171 | get_prop(system_server, vendor_cgroup_follow_prop) |
| 172 | |
| 173 | # Allow system_server to access ActivityManager tuning properties from vendor |
| 174 | get_prop(system_server, vendor_am_prop) |
| 175 | get_prop(system_server, vendor_mpctl_prop) |
| 176 | |
| 177 | # IPC call for sensor feed |
| 178 | binder_call(system_server, hal_graphics_composer) |
| 179 | binder_call(system_server, hal_camera) |
| 180 | binder_call(system_server, mm-pp-daemon) |
| 181 | |
| 182 | # Ant ipc |
| 183 | hal_client_domain(system_server,hal_bluetooth); |
| 184 | |
| 185 | hal_client_domain(system_server, hal_perf) |
| 186 | hal_client_domain(system_server, hal_sensors) |
| 187 | |
| 188 | # allow WIGIG framework hosted in system_server to access wigig_hal |
| 189 | hal_client_domain(system_server, hal_wigig) |
| 190 | # allow WIGIG framework to access network performance tuner |
| 191 | hal_client_domain(system_server, hal_wigig_npt) |
| 192 | # allow WIGIG framework access to wil6210 sysfs files like thermal_throttling |
| 193 | allow system_server sysfs_wigig:file rw_file_perms; |
| 194 | |
| 195 | # allow system_server to access IOP HAL service |
| 196 | hal_client_domain(system_server, hal_iop) |
| 197 | |
| 198 | # Allow Gesture based boost from System Server |
| 199 | get_prop(system_server, vendor_scroll_prop) |
| 200 | |
| 201 | # allow system_server to access vendor display property. |
| 202 | get_prop(system_server, vendor_display_prop) |
| 203 | get_prop(system_server, vendor_iop_prop) |
| 204 | |
| 205 | # allow system server to get mirrorlink connection status prop |
| 206 | get_prop(system_server, vendor_mirrorlink_prop) |
| 207 | |
| 208 | # allow system server to get vendor_audio_prop |
| 209 | get_prop(system_server, vendor_audio_prop) |
| 210 | |
| 211 | # allow system_server to access IWifiStats HAL service |
| 212 | hal_client_domain(system_server, hal_wifilearner) |