SEAndroid: Add sepolicy for multimedia doamins

Add policy for denials seen in various tests

Change-Id: I523fef4c87c3a3436546c95d7ac35254fa442d1a
diff --git a/Android.mk b/Android.mk
index 98db201..c03abd3 100644
--- a/Android.mk
+++ b/Android.mk
@@ -10,6 +10,7 @@
        genfs_contexts \
        file_contexts \
        service_contexts \
+       te_macros \
        device.te \
        vold.te \
        ueventd.te \
@@ -52,7 +53,12 @@
        qseecomd.te \
        mcStarter.te \
        keystore.te \
-       ims_rmt.te
+       ims_rmt.te \
+       healthd.te \
+       surfaceflinger.te \
+       wpa.te \
+       bootanim.te \
+       zygote.te
 
 # Compile sensor pilicy only for SSC targets
 SSC_TARGET_LIST := apq8084
diff --git a/common/adbd.te b/common/adbd.te
index fa2beb5..636c9e9 100644
--- a/common/adbd.te
+++ b/common/adbd.te
@@ -2,3 +2,4 @@
 userdebug_or_eng(`
        permissive adbd;
 ')
+allow adbd tombstone_data_file:dir getattr;
diff --git a/common/atfwd.te b/common/atfwd.te
index 6cf530b..b4a3fdf 100644
--- a/common/atfwd.te
+++ b/common/atfwd.te
@@ -5,9 +5,7 @@
 init_daemon_domain(atfwd)
 
 # Creates/Talks to qmuxd via the qmux_radio socket.
-allow atfwd qmux_radio_socket:dir rw_dir_perms;
-allow atfwd qmux_radio_socket:sock_file create_file_perms;
-unix_socket_connect(atfwd, qmux_radio, qmuxd);
+qmux_socket(atfwd);
 
 #Allow IPC binding with ServiceManager & System apps
 binder_use(atfwd);
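Review bot: `qmux_socket(atfwd);` is invoked with a trailing semicolon here while the same macro is called bare in cnd.te (`qmux_socket(cnd)`) and mediaserver.te (`qmux_socket(mediaserver)`); since the macro body in te_macros ends with a newline, the semicolon survives expansion as a stray `;` in the policy stream. The removed `unix_socket_connect(atfwd, qmux_radio, qmuxd);` shows this file already mixed both forms, so it evidently compiles, but one convention should be used across netmgrd.te, qmuxd.te, radio.te, rild.te, system_server.te, thermal-engine.te and the two test/*.te files. The AOSP convention is the bare form, `qmux_socket(atfwd)`.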
diff --git a/common/bootanim.te b/common/bootanim.te
new file mode 100644
index 0000000..0e66297
--- /dev/null
+++ b/common/bootanim.te
@@ -0,0 +1 @@
+allow bootanim shell_data_file:dir search;
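Review bot: `allow bootanim shell_data_file:dir search;` grants a core domain search on shell-owned data with no stated reason, and the identical rule is added for mm-qcamerad (L190, under the comment `#Remove GL fine reference`), surfaceflinger (L301) and zygote (L383). That comment suggests a shared graphics component still references a path labelled shell_data_file, in which case the root cause is a stale path in the GL stack rather than four missing rules, and the rules should go once that reference is removed. Until then each should carry the same comment, e.g. `# TODO: remove once the GL stack no longer references a path under shell_data_file`; the path itself is inferred from the mm-qcamerad comment and is not visible here.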
diff --git a/common/cnd.te b/common/cnd.te
index 4b1bc14..1cfc90c 100644
--- a/common/cnd.te
+++ b/common/cnd.te
@@ -8,6 +8,8 @@
 # associate netdomain as an attribute of cnd domain
 net_domain(cnd)
 
+allow cnd smem_log_device:chr_file rw_file_perms;
+
 # allow cnd the following capability
 allow cnd self:capability { setuid setgid dac_override net_raw chown
  fsetid net_admin sys_module };
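Review bot: The new `allow cnd smem_log_device:chr_file rw_file_perms;` is the only rule in this file without a comment, while every neighbouring rule group states what it is for. Add one line above it naming the cnd feature that opens the smem log device, e.g. `# TODO(review): <which cnd feature> logs through smem_log_device`, with the feature filled in from the denial. The same applies to `allow time_daemon smem_log_device:chr_file { read write };` at L354, which also lands between the domain-transition line and the "Add rules for access permissions" header instead of inside that section.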
@@ -15,7 +17,7 @@
 
 # socket used to communicate with kernel via the netlink syscall
 allow cnd self:netlink_tcpdiag_socket { bind create write read
- nlmsg_read };
+ nlmsg_read getopt};
 allow cnd self:netlink_route_socket { read bind create write
  nlmsg_read };
 
@@ -33,9 +35,7 @@
 allow cnd cnd_data_file:dir { open read write add_name remove_name search };
 
 # allow cnd to access qmux_radio_socket
-allow cnd qmux_radio_socket:dir { write add_name };
-allow cnd qmux_radio_socket:sock_file { create write setattr};
-allow cnd qmuxd:unix_stream_socket connectto;
+qmux_socket(cnd)
 
 # cnd access diag_device /dev/diag for logging
 allow cnd diag_device:chr_file { read write open ioctl };
diff --git a/common/file.te b/common/file.te
index 1b545c5..f773d79 100755
--- a/common/file.te
+++ b/common/file.te
@@ -2,10 +2,7 @@
 type firmware_file, fs_type, contextmount_type;
 
 #Define the qmux socket type
-type qmux_audio_socket, file_type;
-type qmux_bluetooth_socket, file_type;
-type qmux_gps_socket, file_type;
-type qmux_radio_socket, file_type;
+type qmuxd_socket, file_type;
 
 # Define cnd socket and data file type
 type cnd_socket, file_type;
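Review bot: Collapsing qmux_audio_socket, qmux_bluetooth_socket, qmux_gps_socket and qmux_radio_socket into the single `qmuxd_socket` type (paired with the `(/.*)?` file_contexts entries at L129-132) removes the separation the four types gave: any domain passed to `qmux_socket()` can now create sockets in all four /dev/socket/qmux_* directories, whereas atfwd and radio were previously confined to qmux_radio. That is fine only if qmuxd does not rely on the directory to distinguish client classes; if it does, keep per-directory types and parameterise the macro on the socket name, e.g. `qmux_socket(atfwd, radio)`. Either way the `#Define the qmux socket type` comment should say that one type now covers all four directories and that each client's own sockets get a `<domain>_qmuxd_socket` type via the macro.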
diff --git a/common/file_contexts b/common/file_contexts
index 966ac1c..1b5ecd2 100755
--- a/common/file_contexts
+++ b/common/file_contexts
@@ -29,14 +29,14 @@
 /dev/block/bootdevice/by-name/fsg               u:object_r:modem_efs_partition_device:s0
 /dev/block/bootdevice/by-name/fsc               u:object_r:modem_efs_partition_device:s0
 /dev/block/bootdevice/by-name/ssd               u:object_r:ssd_device:s0
-/dev/block/bootdevice/by-name/rpmb              u:object_r:rpmb_device:s0
+/dev/block/mmcblk0rpmb                          u:object_r:rpmb_device:s0
 ###################################
 # Dev socket nodes
 #
-/dev/socket/qmux_audio                          u:object_r:qmux_audio_socket:s0
-/dev/socket/qmux_bluetooth                      u:object_r:qmux_bluetooth_socket:s0
-/dev/socket/qmux_gps                            u:object_r:qmux_gps_socket:s0
-/dev/socket/qmux_radio                          u:object_r:qmux_radio_socket:s0
+/dev/socket/qmux_audio(/.*)?                    u:object_r:qmuxd_socket:s0
+/dev/socket/qmux_bluetooth(/.*)?                u:object_r:qmuxd_socket:s0
+/dev/socket/qmux_gps(/.*)?                      u:object_r:qmuxd_socket:s0
+/dev/socket/qmux_radio(/.*)?                    u:object_r:qmuxd_socket:s0
 /dev/socket/sensor_ctl_socket                   u:object_r:sensors_socket:s0
 /dev/socket/cnd                                 u:object_r:cnd_socket:s0
 /dev/socket/nims                                u:object_r:cnd_socket:s0
diff --git a/common/healthd.te b/common/healthd.te
new file mode 100644
index 0000000..b14073f
--- /dev/null
+++ b/common/healthd.te
@@ -0,0 +1,4 @@
+allow healthd sysfs_battery_supply:dir search;
+allow healthd sysfs_battery_supply:file { read open };
+allow healthd sysfs_usb_supply:dir search;
+allow healthd sysfs_usb_supply:file { read open };
diff --git a/common/init_shell.te b/common/init_shell.te
index 48fead3..f0b77cc 100644
--- a/common/init_shell.te
+++ b/common/init_shell.te
@@ -12,3 +12,5 @@
 
 #most of the default properties are set by init_shell
 allow init_shell  default_prop:property_service set;
+
+allow init_shell shell_exec:file execute_no_trans;
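Review bot: `allow init_shell shell_exec:file execute_no_trans;` lets the domain re-execute /system/bin/sh in place without a domain transition, but the hunk gives no reason; the usual one is that init.*.sh scripts spawn sub-shells (`sh -c`, `$(...)`). Add a comment above it, e.g. `# init.*.sh scripts spawn sub-shells; keep them in init_shell rather than transitioning`, and confirm from the denial that it was a nested sh and not a script executing some other shell_exec-labelled binary, which would deserve its own domain.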
diff --git a/common/mediaserver.te b/common/mediaserver.te
index a0a6d5f..731ea42 100644
--- a/common/mediaserver.te
+++ b/common/mediaserver.te
@@ -5,3 +5,10 @@
 unix_socket_send(mediaserver, camera, mm-qcamerad)
 
 allow mediaserver qseecom_device:chr_file { read write ioctl open };
+
+allow mediaserver self:socket create_socket_perms;
+
+binder_call(mediaserver, rild)
+
+qmux_socket(mediaserver)
+allow mediaserver camera_data_file:sock_file write;
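Review bot: `allow mediaserver self:socket create_socket_perms;` grants the generic `socket` class, the catch-all for address families without a dedicated class, and together with `qmux_socket(mediaserver)` and `binder_call(mediaserver, rild)` it gives the domain that decodes untrusted media a direct channel to the modem. None of the four new rules says which feature needs it; each should carry a comment (`# <feature>: talks QMI to the modem via qmuxd` and the like), and the generic-socket rule should be checked against the denial to see whether the class it reported can be named instead of `socket`. If `allow mediaserver camera_data_file:sock_file write;` only serves the camera path, it reads better next to the existing `unix_socket_send(mediaserver, camera, mm-qcamerad)` at the top of the hunk.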
diff --git a/common/mm-qcamerad.te b/common/mm-qcamerad.te
index fd4371d..3c53c0a 100644
--- a/common/mm-qcamerad.te
+++ b/common/mm-qcamerad.te
@@ -19,3 +19,15 @@
 allow mm-qcamerad { surfaceflinger mediaserver }:fd use;
 # Need to investigate this
 allow mm-qcamerad self:tcp_socket create_socket_perms;
+
+allow mm-qcamerad camera_data_file:dir { write remove_name search add_name };
+allow mm-qcamerad camera_data_file:sock_file { create unlink };
+allow mm-qcamerad node:tcp_socket node_bind;
+allow mm-qcamerad self:tcp_socket listen;
+
+#/data/fdAlbum
+allow mm-qcamerad system_data_file:dir w_dir_perms;
+allow mm-qcamerad system_data_file:file create_file_perms;
+
+#Remove GL fine reference
+allow mm-qcamerad shell_data_file:dir search;
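Review bot: `allow mm-qcamerad system_data_file:dir w_dir_perms;` and `allow mm-qcamerad system_data_file:file create_file_perms;` give the camera daemon write access to everything labelled system_data_file — by the usual AOSP file_contexts default that is the /data root and any file under it without a more specific label — just to reach `/data/fdAlbum`. The proper fix is to give that directory its own label: a file_contexts entry such as `/data/fdAlbum(/.*)?    u:object_r:camera_data_file:s0` (camera_data_file already exists, see the sock_file rules above), an init.rc `mkdir /data/fdAlbum` with owner and mode chosen for the camera uid, and then `allow mm-qcamerad camera_data_file:dir create_dir_perms;` / `allow mm-qcamerad camera_data_file:file create_file_perms;` in place of the two rules. Separately, `node_bind` plus `listen` on tcp_socket turns the daemon into a TCP listener, which the existing `# Need to investigate this` comment already flags; that investigation should conclude before the listener rules land.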
diff --git a/common/netd.te b/common/netd.te
index 9d22c38..3b480ef 100644
--- a/common/netd.te
+++ b/common/netd.te
@@ -1,3 +1,5 @@
 #Policies for IPv6 tethering
 allow netd netd:capability { setgid setuid };
 allow netd netd:packet_socket { create bind setopt read ioctl };
+
+dontaudit netd self:capability sys_module;
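Review bot: `dontaudit netd self:capability sys_module;` silences the denial without recording why the capability is not needed, so a later reader cannot tell whether module loading was deliberately refused or the rule was a quick fix. Add a comment stating the trigger, e.g. `# netd probes for kernel module autoload (e.g. iptables extensions); loading is not required, so suppress the audit`, with the trigger confirmed from the denial rather than assumed. Keeping this as dontaudit rather than allow is the right call — netd should not be loading kernel modules.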
diff --git a/common/netmgrd.te b/common/netmgrd.te
index 49bf70c..03243c1 100644
--- a/common/netmgrd.te
+++ b/common/netmgrd.te
@@ -30,12 +30,7 @@
 allow netmgrd init:unix_stream_socket { connectto };
 allow netmgrd property_socket:sock_file { write };
 
-#Allow operations on qmux device sockets
-allow netmgrd qmux_radio_socket:sock_file { create setattr getattr write unlink };
-allow netmgrd qmux_radio_socket:dir { write add_name remove_name search };
-
-#Allow communication with qmuxd
-allow netmgrd qmuxd:unix_stream_socket { connectto };
+qmux_socket(netmgrd);
 
 #Allow writing of ipv6 network properties
 allow netmgrd proc_net:file { write };
diff --git a/common/qmuxd.te b/common/qmuxd.te
index 299dade..40cdac8 100644
--- a/common/qmuxd.te
+++ b/common/qmuxd.te
@@ -9,14 +9,16 @@
 ')
 
 #Allow qmuxd to operate on various qmux device sockets
-allow qmuxd qmux_radio_socket:dir { write add_name remove_name search };
-allow qmuxd qmux_radio_socket:sock_file { create setattr getattr write unlink };
-allow qmuxd qmux_audio_socket:dir { write add_name remove_name search };
-allow qmuxd qmux_audio_socket:sock_file { create setattr getattr write unlink };
-allow qmuxd qmux_gps_socket:dir { write add_name remove_name search };
-allow qmuxd qmux_gps_socket:sock_file { create setattr getattr write unlink };
-allow qmuxd qmux_bluetooth_socket:dir { write add_name remove_name search };
-allow qmuxd qmux_bluetooth_socket:sock_file { create setattr getattr write unlink };
+#allow qmuxd qmux_radio_socket:dir { write add_name remove_name search };
+#allow qmuxd qmux_radio_socket:sock_file { create setattr getattr write unlink };
+#allow qmuxd qmux_audio_socket:dir { write add_name remove_name search };
+#allow qmuxd qmux_audio_socket:sock_file { create setattr getattr write unlink };
+#allow qmuxd qmux_gps_socket:dir { write add_name remove_name search };
+#allow qmuxd qmux_gps_socket:sock_file { create setattr getattr write unlink };
+#allow qmuxd qmux_bluetooth_socket:dir { write add_name remove_name search };
+#allow qmuxd qmux_bluetooth_socket:sock_file { create setattr getattr write unlink };
+
+qmux_socket(qmuxd);
 
 #Allow logging
 allow qmuxd diag_device:chr_file { rw_file_perms };
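Review bot: `qmux_socket(qmuxd);` applies the client macro to the server itself: per te_macros it declares `qmuxd_qmuxd_socket`, adds a type_transition so sock_files qmuxd creates under qmuxd_socket directories get that label, and allows `qmuxd qmuxd:unix_stream_socket connectto`. The removed rules show qmuxd creates the sockets in those directories, so its listening sockets would now carry qmuxd_qmuxd_socket while clients are granted write only on qmuxd_socket (via unix_socket_connect, assuming the AOSP definition), which in enforcing mode would deny every client connect — easy to miss if qmuxd is permissive on userdebug builds as the block above suggests. Replace the macro call with the server's own rules, `allow qmuxd qmuxd_socket:dir { write add_name remove_name search };` and `allow qmuxd qmuxd_socket:sock_file { create setattr getattr write unlink };`. Delete the eight commented-out lines rather than keeping them — they reference types file.te no longer declares, so they cannot be re-enabled as written — and the same goes for the commented-out rules in rild.te at L281-283 and L292.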
diff --git a/common/qseecomd.te b/common/qseecomd.te
index faff1f6..ebb92f2 100644
--- a/common/qseecomd.te
+++ b/common/qseecomd.te
@@ -4,4 +4,6 @@
 allow qseecomd ssd_device:blk_file { read write getattr open ioctl };
 allow qseecomd rpmb_device:blk_file { read write getattr open ioctl };
 allow qseecomd block_device:dir search;
-allow qseecomd qseecom_device:chr_file { read write ioctl };
+allow qseecomd qseecom_device:chr_file { read write ioctl open };
+allow qseecomd self:capability { setgid setuid dac_override };
+allow qseecomd firmware_file:dir search;
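Review bot: `allow qseecomd self:capability { setgid setuid dac_override };` hands the TEE daemon dac_override, which bypasses every DAC check, with no comment saying which access needed it. If the trigger was the firmware lookup the next line enables, the better fix is to make the files qseecomd reads accessible to its own uid/gid and drop dac_override, or at least narrow to dac_read_search if only traversal is needed; setuid/setgid are expected if it drops privileges after start and should be commented as such. Note also that `firmware_file:dir search` on its own will not let it read anything there — if it loads trustlets from the firmware partition, read access on firmware_file:file will presumably be the next denial.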
diff --git a/common/radio.te b/common/radio.te
index 354b089..f8e3ace 100644
--- a/common/radio.te
+++ b/common/radio.te
@@ -1,6 +1,5 @@
 # Talks to qmuxd via the qmux_radio socket.
-unix_socket_connect(radio, qmux_radio, qmuxd);
-allow radio qmux_radio_socket:dir search;
+qmux_socket(radio);
 allow radio ims_socket:sock_file write;
 
 #Need permission to execute com.qualcomm.qti.telephony/app_dex/xx
diff --git a/common/rild.te b/common/rild.te
index 7ceaff0..900aced 100644
--- a/common/rild.te
+++ b/common/rild.te
@@ -1,12 +1,13 @@
 
-allow rild qmux_radio_socket:dir { write remove_name search add_name };
-allow rild qmux_radio_socket:sock_file { write create unlink setattr };
-allow rild qmuxd:unix_stream_socket connectto;
+#allow rild qmux_radio_socket:dir { write remove_name search add_name };
+#allow rild qmux_radio_socket:sock_file { write create unlink setattr };
+#allow rild qmuxd:unix_stream_socket connectto;
+qmux_socket(rild);
 
 allow rild subsys_esoc0_device:chr_file { open read };
 
 allow rild servicemanager:binder call;
 allow rild mediaserver:binder { transfer call };
 
-allow rild diag_device:chr_file { open read write };
+#allow rild diag_device:chr_file { open read write };
 allow rild rild_socket:chr_file { open read write };
diff --git a/common/surfaceflinger.te b/common/surfaceflinger.te
new file mode 100644
index 0000000..9193f38
--- /dev/null
+++ b/common/surfaceflinger.te
@@ -0,0 +1,2 @@
+allow surfaceflinger sysfs_graphics:chr_file rw_file_perms;
+allow surfaceflinger shell_data_file:dir search;
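Review bot: `allow surfaceflinger sysfs_graphics:chr_file rw_file_perms;` pairs a sysfs_* type with the chr_file class, which does not fit sysfs entries (regular files under /sys are class file). Either the denial was for a device node that has picked up the sysfs_graphics label — in which case that node needs its own file_contexts entry (a graphics device type) rather than a rule on the wrong type — or the type name is a misnomer for a /dev path; please check the denial's path before keeping this line. The `shell_data_file:dir search` line shares the open question raised on bootanim.te.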
diff --git a/common/system_server.te b/common/system_server.te
index a0701af..920bb9f 100644
--- a/common/system_server.te
+++ b/common/system_server.te
@@ -10,3 +10,4 @@
 unix_socket_send(system_server, sensors, sensors)
 allow system_server sensors:unix_stream_socket sendto;
 allow system_server sensors_socket:sock_file r_file_perms;
+qmux_socket(system_server);
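Review bot: `qmux_socket(system_server);` gives the core system_server domain its own qmuxd socket type and a direct connect to qmuxd, i.e. raw QMI access to the modem from the framework process, and nothing in the hunk says which service triggers it. If the denial came from a vendor JNI library loaded into system_server, it is worth asking whether that traffic could go through rild or a vendor daemon instead; in any case the call should carry a comment naming the service, e.g. `# <service> talks QMI via qmuxd (TODO: confirm which service)`.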
diff --git a/common/te_macros b/common/te_macros
new file mode 100644
index 0000000..927de5a
--- /dev/null
+++ b/common/te_macros
@@ -0,0 +1,13 @@
+#####################################
+# qmux_socket(clientdomain)
+# Allow client domain to connecto and send
+# via a local socket to the qmux domain.
+# Also allow the client domain to remove
+# its own socket.
+define(`qmux_socket', `
+type $1_qmuxd_socket, file_type;
+file_type_auto_trans($1, qmuxd_socket, $1_qmuxd_socket)
+allow $1 qmuxd_socket:dir remove_name;
+unix_socket_connect($1, qmuxd, qmuxd)
+allow qmuxd $1_qmuxd_socket:sock_file { getattr unlink };
+')
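Review bot: The header comment for `qmux_socket` under-describes what the macro does and has a typo: `connecto` should read `connect to`. Beyond allowing the connect, the body declares a new type `$1_qmuxd_socket`, uses `file_type_auto_trans` so sockets the client creates in qmuxd_socket-labelled directories get that per-client label (so the client can create/unlink only its own sockets), and grants qmuxd `getattr unlink` on them so the server can clean up; because the type declaration is inside the macro, invoking it twice for one domain would, I expect, fail on a duplicate type. Suggest replacing the four comment lines with something like `# Declares $1_qmuxd_socket and transitions the sockets $1 creates under /dev/socket/qmux_* to it; allows $1 to connect to qmuxd and grants qmuxd getattr/unlink on those sockets. Invoke at most once per domain.`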
diff --git a/common/thermal-engine.te b/common/thermal-engine.te
index 5f07f2c..8e0e7a8 100644
--- a/common/thermal-engine.te
+++ b/common/thermal-engine.te
@@ -19,9 +19,6 @@
 allow thermal-engine sysfs_thermal:dir { read search open };
 allow thermal-engine sysfs_thermal:file { read write getattr open };
 allow thermal-engine sysfs_thermal:lnk_file read;
-#This is required to access diag device
-allow thermal-engine diag_device:chr_file {read write open ioctl};
 #This is required for qmi access
-allow thermal-engine qmux_radio_socket:dir {read write search add_name remove_name};
-allow thermal-engine qmux_radio_socket:sock_file {create read write setattr unlink};
-allow thermal-engine qmuxd:unix_stream_socket {connectto};
+qmux_socket(thermal-engine);
+allow thermal-engine sysfs_mpdecision:file { read open };
diff --git a/common/time_daemon.te b/common/time_daemon.te
index 1a3d415..b2be79f 100644
--- a/common/time_daemon.te
+++ b/common/time_daemon.te
@@ -5,6 +5,7 @@
 
 # Make transition to its own time_daemon domain from init
 init_daemon_domain(time_daemon)
+allow time_daemon smem_log_device:chr_file { read write };
 
 # Add rules for access permissions
 #============= IOCTL operations ==============
diff --git a/common/ueventd.te b/common/ueventd.te
index e452811..fe115de 100644
--- a/common/ueventd.te
+++ b/common/ueventd.te
@@ -10,7 +10,6 @@
 allow ueventd wifi_data_file:dir search;
 allow ueventd wifi_data_file:file { read getattr open };
 
-#For powersupply and thermal status
 allow ueventd sysfs_battery_supply:file w_file_perms;
 allow ueventd sysfs_thermal:file w_file_perms;
 allow ueventd sysfs_usb_supply:file w_file_perms;
diff --git a/common/wpa.te b/common/wpa.te
new file mode 100644
index 0000000..ffd68cc
--- /dev/null
+++ b/common/wpa.te
@@ -0,0 +1 @@
+allow wpa persist_file:dir search;
diff --git a/common/zygote.te b/common/zygote.te
new file mode 100644
index 0000000..9c7c35e
--- /dev/null
+++ b/common/zygote.te
@@ -0,0 +1 @@
+allow zygote shell_data_file:dir search;
diff --git a/test/qmi_ping.te b/test/qmi_ping.te
index d2ec598..c5808f1 100644
--- a/test/qmi_ping.te
+++ b/test/qmi_ping.te
@@ -12,14 +12,12 @@
   #to enable qmuxd interface apis to access diag
   allow qmi_ping diag_device:chr_file {read write open ioctl};
   #enable accessing the path where qmuxds named sockets are present
-  allow qmi_ping qmux_radio_socket:dir {read write search add_name};
   #to interface with qmuxd through unix sockets
-  allow qmi_ping qmux_radio_socket:sock_file {create read write setattr};
   #to use socket interface to ipc router
   allow qmi_ping qmi_ping:socket {create bind read write ioctl setopt};
   #enable running test as root user => privileged process
   #enable privileged processes to bypass permission checks
   allow qmi_ping qmi_ping:capability {dac_override dac_read_search setgid setuid fsetid};
   #QCCI calls qmuxd API.  The API will internally require this
-  allow qmi_ping qmuxd:unix_stream_socket {connectto};
+  qmux_socket(qmi_ping);
 ')
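Review bot: After the two qmux_radio_socket rules are removed, the comments `#enable accessing the path where qmuxds named sockets are present` and `#to interface with qmuxd through unix sockets` are left standing over nothing, and `#QCCI calls qmuxd API...` now describes the macro call; the same orphaned comments remain in qmi_test_service.te (hunk ending at L423). Drop the two stale comments, or fold them into the one above `qmux_socket(qmi_ping);`, e.g. `#QCCI calls the qmuxd API: connect to qmuxd and create this domain's socket under /dev/socket/qmux_*`. The enclosing conditional block starts outside the hunk.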
diff --git a/test/qmi_test_service.te b/test/qmi_test_service.te
index 03650fb..ed97c2e 100644
--- a/test/qmi_test_service.te
+++ b/test/qmi_test_service.te
@@ -12,14 +12,12 @@
   #to enable qmuxd interface apis to access diag
   allow qmi_test_service diag_device:chr_file {read write open ioctl};
   #enable accessing the path where qmuxds named sockets are present
-  allow qmi_test_service qmux_radio_socket:dir {read write search add_name};
   #to interface with qmuxd through unix sockets
-  allow qmi_test_service qmux_radio_socket:sock_file {create read write setattr};
   #to access ipc router socket
   allow qmi_test_service qmi_test_service:socket {create bind ioctl read write setopt};
   #enable running test as root user => privileged process
   #enable privileged processes to bypass permission checks
   allow qmi_test_service qmi_test_service:capability {dac_override dac_read_search setgid setuid fsetid};
   #QCCI calls qmuxd API.  The API will internally require this
-  allow qmi_test_service qmuxd:unix_stream_socket {connectto};
+  qmux_socket(qmi_test_service);
 ')