Merge "sepolicy : added ueventd write permission to sysfs_battery_supply sysfs_usb_supply and sysfs_thermal."
diff --git a/Android.mk b/Android.mk
index 6bb46bc..98db201 100644
--- a/Android.mk
+++ b/Android.mk
@@ -1,4 +1,5 @@
# Board specific SELinux policy variable definitions
+ifeq ($(call is-vendor-board-platform,QCOM),true)
BOARD_SEPOLICY_DIRS := \
device/qcom/sepolicy \
device/qcom/sepolicy/common \
@@ -8,6 +9,7 @@
BOARD_SEPOLICY_UNION := \
genfs_contexts \
file_contexts \
+ service_contexts \
device.te \
vold.te \
ueventd.te \
@@ -33,12 +35,34 @@
diag.te \
diag_test.te \
audiod.te \
- sensors.te \
- sensors_test.te \
+ service.te \
system_app.te \
thermal-engine.te \
global_macros.te \
system_app.te \
bluetooth.te \
init_shell.te \
- mpdecision.te
+ mpdecision.te \
+ mm-qcamerad.te \
+ domain.te \
+ init_shell.te \
+ time_daemon.te \
+ rmt_storage.te \
+ hvdcp.te \
+ qseecomd.te \
+ mcStarter.te \
+ keystore.te \
+ ims_rmt.te
+
+# Compile sensor pilicy only for SSC targets
+SSC_TARGET_LIST := apq8084
+SSC_TARGET_LIST += msm8226
+SSC_TARGET_LIST += msm8960
+SSC_TARGET_LIST += msm8974
+SSC_TARGET_LIST += msm8994
+
+#ifeq ($(call is-board-platform-in-list,$(SSC_TARGET_LIST)),true)
+BOARD_SEPOLICY_UNION += sensors.te
+BOARD_SEPOLICY_UNION += sensors_test.te
+#endif
+endif
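Review bot: The `#ifeq ($(call is-board-platform-in-list,$(SSC_TARGET_LIST)),true)` / `#endif` pair around the two `BOARD_SEPOLICY_UNION += sensors*.te` lines is commented out, so the sensor policy is unioned in for every QCOM target and `SSC_TARGET_LIST` is dead, contradicting the comment directly above it. Either drop the leading `#` on both lines so the list takes effect, or remove the list and the comment until the gating is wanted. The new `init_shell.te` entry near the end of the union duplicates the one already listed above `mpdecision.te`, and the comment misspells "policy" as "pilicy".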
diff --git a/common/atfwd.te b/common/atfwd.te
index 4108a5c..6cf530b 100644
--- a/common/atfwd.te
+++ b/common/atfwd.te
@@ -2,23 +2,14 @@
type atfwd_exec, exec_type, file_type;
# Started by init
-#init_daemon_domain(atfwd)
-
-#============= atfwd ==============
-#Set CTL property
-#allow atfwd ctl_default_prop:property_service set;
-
-#Allow logging
-#allow atfwd diag_device:chr_file { read write open };
-
-# Talks to init via the property socket.
-#unix_socket_connect(atfwd, property, init);
+init_daemon_domain(atfwd)
# Creates/Talks to qmuxd via the qmux_radio socket.
-#unix_socket_connect(atfwd, qmux_radio, qmuxd);
-#allow atfwd qmux_radio_socket:sock_file create;
-#allow atfwd qmux_radio_socket:dir { write search add_name };
+allow atfwd qmux_radio_socket:dir rw_dir_perms;
+allow atfwd qmux_radio_socket:sock_file create_file_perms;
+unix_socket_connect(atfwd, qmux_radio, qmuxd);
#Allow IPC binding with ServiceManager & System apps
-#allow atfwd servicemanager:binder call;
-#allow atfwd system_app:binder call;
+binder_use(atfwd);
+binder_call(atfwd, system_app);
+binder_call(atfwd, servicemanager);
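Review bot: `allow atfwd qmux_radio_socket:dir rw_dir_perms;` together with `sock_file create_file_perms` lets atfwd create, rename and unlink entries in qmuxd's socket directory, which is more than a client of qmuxd needs and more than the commented-out rules it replaces asked for (`sock_file create`, `dir { write search add_name }`). radio.te in this same repo reaches the same socket with only `allow radio qmux_radio_socket:dir search;` plus `unix_socket_connect`, which already grants `sock_file write`. Unless atfwd itself creates the socket node, narrow this to `allow atfwd qmux_radio_socket:dir search;` and drop the `sock_file` rule so it matches radio.te.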
diff --git a/common/device.te b/common/device.te
index 3b074a4..0702ccf 100755
--- a/common/device.te
+++ b/common/device.te
@@ -26,11 +26,15 @@
#Define mpdecision device
type device_latency, dev_type;
-#Define qrngd device
-type qrng_device, dev_type;
-
#Define rct device type for time daemon
type rtc_device, dev_type;
#Added for fm_radio device
type fm_radio_device, dev_type;
+
+#Add for storage pertitions for EFS partitions
+type modem_efs_partition_device, dev_type;
+
+#Define device for partition links
+type ssd_device, dev_type;
+type rpmb_device, dev_type;
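Review bot: Removing `type qrng_device, dev_type;` together with the `/dev/msm-rng` entry in file_contexts leaves the hardware RNG node with the generic `device` label, reachable by any domain allowed `device:chr_file`; if the node is gone on these targets say so in the commit message, otherwise keep the type and its context until qrngd's policy lands. The added comment misspells "partitions" as "pertitions" and would read more clearly as `#Block devices for the modem EFS partitions (modemst1/2, fsg, fsc)`.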
diff --git a/common/domain.te b/common/domain.te
new file mode 100644
index 0000000..07223d1
--- /dev/null
+++ b/common/domain.te
@@ -0,0 +1,3 @@
+userdebug_or_eng(`
+ allow domain diag_device:chr_file rw_file_perms;
+')
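Review bot: `allow domain diag_device:chr_file rw_file_perms;` grants every process on userdebug/eng builds read/write on the diag node, and the file does not say why a domain-wide rule is preferred over per-domain ones; sensors.te in this same change adds the identical rule under `userdebug_or_eng` for `sensors`, so one of the two is redundant. A header comment such as `# Debug builds only: any domain may log through /dev/diag; production builds rely on per-domain rules` would record the intent, after which the sensors.te duplicate can be dropped. A rule on `domain` is also the kind the base policy's neverallow rules are most likely to object to, so it is worth confirming the combined policy still compiles against the base this branch tracks.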
diff --git a/common/drmserver.te b/common/drmserver.te
index 412b890..9275aa6 100644
--- a/common/drmserver.te
+++ b/common/drmserver.te
@@ -1,2 +1,5 @@
#Address denial logs for drm server accessing firmware file
allow drmserver firmware_file:file { read getattr open };
+
+#Address denial logs for drm server accessing qseecom driver
+allow drmserver qseecom_device:chr_file { read write ioctl open };
diff --git a/common/file.te b/common/file.te
index 8676045..1b545c5 100755
--- a/common/file.te
+++ b/common/file.te
@@ -27,7 +27,6 @@
type proc_audiod, fs_type;
# Sensor file types
-type sensors_system_file, file_type;
type sensors_socket, file_type;
type sensors_data_file, file_type, data_file_type;
type sensors_persist_file, file_type;
@@ -59,3 +58,9 @@
type sysfs_mpdecision, fs_type, sysfs_type;
type sysfs_rqstats, fs_type, sysfs_type;
type sysfs_cpu_online, fs_type, sysfs_type;
+
+#mm-qcamera-daemon socket
+type camera_socket, file_type;
+
+#Socket node needed by ims_data daemon
+type ims_socket, file_type;
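Review bot: `type camera_socket, file_type;` is used in file_contexts for the whole `/data/camera(/.*)?` tree, not just a socket node, yet unlike the other `/data` labels in this file (`sensors_data_file, file_type, data_file_type`) it carries no `data_file_type`. If the base policy keys neverallow rules on `data_file_type` for files created under /data, mm-qcamerad's `camera_socket:sock_file create` would trip them; `type camera_socket, file_type, data_file_type;` follows the file's convention — confirm against the base policy. The comment `#mm-qcamera-daemon socket` should also mention that it labels the `/data/camera` directory.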
diff --git a/common/file_contexts b/common/file_contexts
index f6c0c93..966ac1c 100755
--- a/common/file_contexts
+++ b/common/file_contexts
@@ -1,156 +1,121 @@
-/dev/qseecom u:object_r:qseecom_device:s0
+###################################
+# Dev nodes
+#
+/dev/adsprpc-smd u:object_r:qdsp_device:s0
+/dev/cpu_dma_latency u:object_r:device_latency:s0
+/dev/diag u:object_r:diag_device:s0
+/dev/hsicctl.* u:object_r:hsic_device:s0
+/dev/kgsl-3d0 u:object_r:gpu_device:s0
+/dev/mhi_pipe_.* u:object_r:mhi_device:s0
+/dev/msm_.* u:object_r:audio_device:s0
+/dev/msm_dsps u:object_r:sensors_device:s0
+/dev/msm_thermal_query u:object_r:thermal_device:s0
+/dev/nfc-nci u:object_r:nfc_device:s0
+/dev/qseecom u:object_r:qseecom_device:s0
+/dev/radio0 u:object_r:fm_radio_device:s0
+/dev/rtc0 u:object_r:rtc_device:s0
+/dev/sensors u:object_r:sensors_device:s0
+/dev/smd.* u:object_r:smd_device:s0
+/dev/smem_log u:object_r:smem_log_device:s0
+/dev/subsys_esoc0 u:object_r:subsys_esoc0_device:s0
+/dev/ttyHSL0 u:object_r:console_device:s0
+/dev/ttyHS[0-9]* u:object_r:serial_device:s0
+/dev/usb_ext_chg u:object_r:hvdcp_device:s0
+/dev/media([0-9])+ u:object_r:camera_device:s0
+/dev/jpeg[0-9]* u:object_r:camera_device:s0
+/dev/v4l-subdev.* u:object_r:camera_device:s0
+/dev/block/bootdevice/by-name/modemst1 u:object_r:modem_efs_partition_device:s0
+/dev/block/bootdevice/by-name/modemst2 u:object_r:modem_efs_partition_device:s0
+/dev/block/bootdevice/by-name/fsg u:object_r:modem_efs_partition_device:s0
+/dev/block/bootdevice/by-name/fsc u:object_r:modem_efs_partition_device:s0
+/dev/block/bootdevice/by-name/ssd u:object_r:ssd_device:s0
+/dev/block/bootdevice/by-name/rpmb u:object_r:rpmb_device:s0
+###################################
+# Dev socket nodes
+#
+/dev/socket/qmux_audio u:object_r:qmux_audio_socket:s0
+/dev/socket/qmux_bluetooth u:object_r:qmux_bluetooth_socket:s0
+/dev/socket/qmux_gps u:object_r:qmux_gps_socket:s0
+/dev/socket/qmux_radio u:object_r:qmux_radio_socket:s0
+/dev/socket/sensor_ctl_socket u:object_r:sensors_socket:s0
+/dev/socket/cnd u:object_r:cnd_socket:s0
+/dev/socket/nims u:object_r:cnd_socket:s0
+/dev/socket/thermal-send-client u:object_r:thermal_socket:s0
+/dev/socket/thermal-recv-client u:object_r:thermal_socket:s0
+/dev/socket/thermal-recv-passive-client u:object_r:thermal_socket:s0
+/dev/socket/ims_qmid u:object_r:ims_socket:s0
+/dev/socket/ims_datad u:object_r:ims_socket:s0
+/dev/socket/ims_rtpd u:object_r:ims_socket:s0
-#Contexts for the qmux sockets
-/dev/socket/qmux_audio u:object_r:qmux_audio_socket:s0
-/dev/socket/qmux_bluetooth u:object_r:qmux_bluetooth_socket:s0
-/dev/socket/qmux_gps u:object_r:qmux_gps_socket:s0
-/dev/socket/qmux_radio u:object_r:qmux_radio_socket:s0
-
-#Context for irq balence
-/system/bin/msm_irqbalance u:object_r:msm_irqbalanced_exec:s0
-
-#Context for the logging
-/dev/diag u:object_r:diag_device:s0
-/system/bin/test_diag u:object_r:diag_exec:s0
-/system/bin/PktRspTest u:object_r:diag_exec:s0
-/system/bin/diag_callback_client u:object_r:diag_exec:s0
-/system/bin/diag_dci_sample u:object_r:diag_exec:s0
-/system/bin/diag_klog u:object_r:diag_exec:s0
-/system/bin/diag_mdlog u:object_r:diag_exec:s0
-/system/bin/diag_socket_log u:object_r:diag_exec:s0
-/system/bin/diag_uart_log u:object_r:diag_exec:s0
-/system/bin/diag_qshrink4_daemon u:object_r:diag_exec:s0
-/data/diag_log(/.*)? u:object_r:diag_data_file:s0
-
-/dev/smem_log u:object_r:smem_log_device:s0
-
-#Context for the hsic devices
-/dev/hsicctl.* u:object_r:hsic_device:s0
-
-#Context for the mhi devices
-/dev/mhi_pipe_.* u:object_r:mhi_device:s0
-
-#Context for the timeout for platform specific transports
-/sys/devices/virtual/hsicctl/hsicctl[0-9]/modem_wait u:object_r:sysfs_hsic_modem_wait:s0
-/sys/devices/virtual/hsicctl/hsicctl1[0-9]/modem_wait u:object_r:sysfs_hsic_modem_wait:s0
-/sys/devices/virtual/smdpkt/smdcntl[0-9]/open_timeout u:object_r:sysfs_smd_open_timeout:s0
-/sys/devices/virtual/smdpkt/smdcntl1[0-9]/open_timeout u:object_r:sysfs_smd_open_timeout:s0
-
-#Context for the files written during the operation of netmgrd and qmuxd
-/data/data_test(/.*)? u:object_r:data_test_data_file:s0
-
-#Context for the netmgrd and qmuxd daemons
-/system/bin/netmgrd u:object_r:netmgrd_exec:s0
-/system/bin/qmuxd u:object_r:qmuxd_exec:s0
-/dev/kgsl-3d0 u:object_r:gpu_device:s0
-
-#Context for ATFWD daemon
-/system/bin/ATFWD-daemon u:object_r:atfwd_exec:s0
-
-/dev/smd.* u:object_r:smd_device:s0
-/system/bin/irsc_util u:object_r:irsc_util_exec:s0
-# Persist filesystem
-/persist(/.*)? u:object_r:persist_file:s0
-
-/dev/subsys_esoc0 u:object_r:subsys_esoc0_device:s0
-
-#Context for cnd
-/dev/socket/cnd u:object_r:cnd_socket:s0
-/system/bin/cnd u:object_r:cnd_exec:s0
-/dev/socket/nims u:object_r:cnd_socket:s0
-/data/connectivity(/.*)? u:object_r:cnd_data_file:s0
-
-#context for audio devices
-/dev/msm_.* u:object_r:audio_device:s0
-/system/bin/audiod u:object_r:audiod_exec:s0
-
-# Context for sensor objects
-# Sensor devices
-/dev/sensors u:object_r:sensors_device:s0
-/dev/msm_dsps u:object_r:sensors_device:s0
-
-# Sensor socket
-/dev/socket/sensor_ctl_socket u:object_r:sensors_socket:s0
-
-# Sensor system files
-/system/bin/sensors.qcom u:object_r:sensors_exec:s0
-/system/bin/sns.* u:object_r:sensors_test_exec:s0
-/system/etc/sensors(/.*)? u:object_r:sensors_system_file:s0
-/system/etc/sensor_def_qcomdev.conf u:object_r:sensors_system_file:s0
-
-# Sensor data files
-/data/misc/sensors(/.*)? u:object_r:sensors_data_file:s0
-
-# Sensor persist files
-/persist/sensors(/.*)? u:object_r:sensors_persist_file:s0
-
-#Contexts for thermal-engine
-/system/bin/thermal-engine u:object_r:thermal-engine_exec:s0
-/dev/msm_thermal_query u:object_r:thermal_device:s0
-/sys/devices/platform/battery_current_limit u:object_r:sysfs_thermal:s0
-/sys/devices/.*bcl.*(/.*)? u:object_r:sysfs_thermal:s0
-/sys/module/msm_thermal(/.*)? u:object_r:sysfs_thermal:s0
-/sys/class/thermal(/.*)? u:object_r:sysfs_thermal:s0
-/sys/devices/virtual/thermal(/.*)? u:object_r:sysfs_thermal:s0
-/dev/socket/thermal-send-client u:object_r:thermal_socket:s0
-/dev/socket/thermal-recv-client u:object_r:thermal_socket:s0
-/dev/socket/thermal-recv-passive-client u:object_r:thermal_socket:s0
-
-#Add context for adsp device
-/dev/adsprpc-smd u:object_r:qdsp_device:s0
-
-# Contexts for UART
-/dev/ttyHSL0 u:object_r:console_device:s0
-/dev/ttyHS[0-9]* u:object_r:serial_device:s0
-
-# UART DebugFS
-/sys/module/msm_serial_hs/parameters/debug_mask u:object_r:sysfs_msmuart_file:s0
-
+###################################
# System files
-#/system/bin/rmt_storage u:object_r:rmt_storage_exec:s0
-#/system/bin/rfs_access u:object_r:rfs_access_exec:s0
+#
+/system/bin/ATFWD-daemon u:object_r:atfwd_exec:s0
+/system/bin/PktRspTest u:object_r:diag_exec:s0
+/system/bin/audiod u:object_r:audiod_exec:s0
+/system/bin/cnd u:object_r:cnd_exec:s0
+/system/bin/diag_callback_client u:object_r:diag_exec:s0
+/system/bin/diag_dci_sample u:object_r:diag_exec:s0
+/system/bin/diag_klog u:object_r:diag_exec:s0
+/system/bin/diag_mdlog u:object_r:diag_exec:s0
+/system/bin/diag_qshrink4_daemon u:object_r:diag_exec:s0
+/system/bin/diag_socket_log u:object_r:diag_exec:s0
+/system/bin/diag_uart_log u:object_r:diag_exec:s0
+/system/bin/irsc_util u:object_r:irsc_util_exec:s0
+/system/bin/mpdecision u:object_r:mpdecision_exec:s0
+/system/bin/msm_irqbalance u:object_r:msm_irqbalanced_exec:s0
+/system/bin/netmgrd u:object_r:netmgrd_exec:s0
+/system/bin/qmuxd u:object_r:qmuxd_exec:s0
+/system/bin/sensors.qcom u:object_r:sensors_exec:s0
+/system/bin/sns.* u:object_r:sensors_test_exec:s0
+/system/bin/test_diag u:object_r:diag_exec:s0
+/system/bin/thermal-engine u:object_r:thermal-engine_exec:s0
+/system/bin/mm-qcamera-daemon u:object_r:mm-qcamerad_exec:s0
+/system/rfs.* u:object_r:rfs_system_file:s0
+/system/bin/time_daemon u:object_r:time_daemon_exec:s0
+/system/bin/rmt_storage u:object_r:rmt_storage_exec:s0
+/system/bin/hvdcp u:object_r:hvdcp_exec:s0
+/system/bin/qseecomd u:object_r:qseecomd_exec:s0
-# Storage RFS files
-/system/rfs.* u:object_r:rfs_system_file:s0
-/data/rfs.* u:object_r:rfs_data_file:s0
+###################################
+# sysfs files
+#
+/sys/class/graphics/fb0/mdp/caps u:object_r:sysfs_graphics:s0
+/sys/class/thermal(/.*)? u:object_r:sysfs_thermal:s0
+/sys/devices/.*bcl.*(/.*)? u:object_r:sysfs_thermal:s0
+/sys/devices/f9200000.*/power_supply/usb(/.*)? u:object_r:sysfs_usb_supply:s0
+/sys/devices/msm_dwc3/power_supply/usb(/.*)? u:object_r:sysfs_usb_supply:s0
+/sys/devices/msm_otg/power_supply/usb(/.*)? u:object_r:sysfs_usb_supply:s0
+/sys/devices/platform/battery_current_limit u:object_r:sysfs_thermal:s0
+/sys/devices/qpnp-charger.*/power_supply/battery(/.*)? u:object_r:sysfs_battery_supply:s0
+/sys/devices/system/cpu/cpu0/rq-stats/* u:object_r:sysfs_rqstats:s0
+/sys/devices/virtual/graphics/fb0/idle_time u:object_r:sysfs_graphics:s0
+/sys/devices/virtual/graphics/fb1/product_description u:object_r:sysfs_graphics:s0
+/sys/devices/virtual/graphics/fb1/vendor_name u:object_r:sysfs_graphics:s0
+/sys/devices/virtual/hsicctl/hsicctl1[0-9]/modem_wait u:object_r:sysfs_hsic_modem_wait:s0
+/sys/devices/virtual/hsicctl/hsicctl[0-9]/modem_wait u:object_r:sysfs_hsic_modem_wait:s0
+/sys/devices/virtual/smdpkt/smdcntl1[0-9]/open_timeout u:object_r:sysfs_smd_open_timeout:s0
+/sys/devices/virtual/smdpkt/smdcntl[0-9]/open_timeout u:object_r:sysfs_smd_open_timeout:s0
+/sys/devices/virtual/thermal(/.*)? u:object_r:sysfs_thermal:s0
+/sys/module/msm_serial_hs/parameters/debug_mask u:object_r:sysfs_msmuart_file:s0
+/sys/module/msm_thermal(/.*)? u:object_r:sysfs_thermal:s0
+/sys/module/msm_thermal/core_control/cpus_offlined u:object_r:sysfs_mpdecision:s0
+/sys/devices/f9a55000.*/power_supply/usb(/.*)? u:object_r:sysfs_usb_supply:s0
-# Contexts for mm-pp-daemon
-#/system/bin/mm-pp-daemon u:object_r:mm-pp-daemon_exec:s0
+###################################
+# data files
+#
+/data/connectivity(/.*)? u:object_r:cnd_data_file:s0
+/data/data_test(/.*)? u:object_r:data_test_data_file:s0
+/data/diag_log(/.*)? u:object_r:diag_data_file:s0
+/data/misc/sensors(/.*)? u:object_r:sensors_data_file:s0
+/data/rfs.* u:object_r:rfs_data_file:s0
+/data/camera(/.*)? u:object_r:camera_socket:s0
+/data/system/sensors(/.*)? u:object_r:sensors_data_file:s0
+/data/time/* u:object_r:time_data_file:s0
-#Contexts for SurfaceFlinger sysfs nodes all other in this folder get
-#default context (i.e.,sysfs) .
-/sys/devices/virtual/graphics/fb0/idle_time u:object_r:sysfs_graphics:s0
-/sys/class/graphics/fb0/mdp/caps u:object_r:sysfs_graphics:s0
-/sys/devices/virtual/graphics/fb1/vendor_name u:object_r:sysfs_graphics:s0
-/sys/devices/virtual/graphics/fb1/product_description u:object_r:sysfs_graphics:s0
-
-# These are for quick charge related entries
-#/system/bin/hvdcp u:object_r:hvdcp_exec:s0
-/dev/usb_ext_chg u:object_r:hvdcp_device:s0
-
-# USB power supply related entries other entries like /sys/devices/f9axxx
-# are device specific will go to respective folder
-/sys/devices/msm_otg/power_supply/usb(/.*)? u:object_r:sysfs_usb_supply:s0
-/sys/devices/f9200000.*/power_supply/usb(/.*)? u:object_r:sysfs_usb_supply:s0
-/sys/devices/msm_dwc3/power_supply/usb(/.*)? u:object_r:sysfs_usb_supply:s0
-/sys/devices/qpnp-charger.*/power_supply/battery(/.*)? u:object_r:sysfs_battery_supply:s0
-
-#Context for mpdecision
-/sys/module/msm_thermal/core_control/cpus_offlined u:object_r:sysfs_mpdecision:s0
-/dev/cpu_dma_latency u:object_r:device_latency:s0
-/system/bin/mpdecision u:object_r:mpdecision_exec:s0
-/sys/devices/system/cpu/cpu0/rq-stats/* u:object_r:sysfs_rqstats:s0
-
-#QSEECOM related contexts
-#/system/bin/qseecomd u:object_r:qseecomd_exec:s0
-/dev/msm-rng u:object_r:qrng_device:s0
-#/system/bin/qrngd u:object_r:qrngd_exec:s0
-
-# Files and devices
-#/system/bin/time_daemon u:object_r:time_daemon_exec:s0
-/dev/rtc0 u:object_r:rtc_device:s0
-#/data/time/* u:object_r:time_data_file:s0
-
-#Added for fm_radio device
-/dev/radio0 u:object_r:fm_radio_device:s0
-
+###################################
+# persist files
+#
+/persist(/.*)? u:object_r:persist_file:s0
+/persist/sensors(/.*)? u:object_r:sensors_persist_file:s0
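Review bot: `/data/time/* u:object_r:time_data_file:s0` (and the moved `/sys/devices/system/cpu/cpu0/rq-stats/*`) is a regex, not a shell glob: with the implicit anchors, `/*` matches zero or more slashes, so only `/data/time` itself gets the label and any file inside it falls back to the generic `/data` entry on a restorecon pass; write it as `/data/time(/.*)? u:object_r:time_data_file:s0`, which is the directory time_daemon.te writes to. `/sys/devices/f9a55000.*/power_supply/usb(/.*)?` is a SoC-specific address placed in the common file, which the removed comment said belongs in the per-target folder; either move it or replace that comment so the rule for where such entries go is still written down. The section headers help, but within `# System files` the entries stop being sorted after `thermal-engine`, so keep the list alphabetical for easier diffing.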
diff --git a/common/hvdcp.te b/common/hvdcp.te
new file mode 100644
index 0000000..9d3c4da
--- /dev/null
+++ b/common/hvdcp.te
@@ -0,0 +1,16 @@
+# HVDVP quickcharge
+type hvdcp, domain;
+type hvdcp_exec, exec_type, file_type;
+
+# Make transition to its own HVDCP domain from init
+init_daemon_domain(hvdcp)
+
+# Add rules for access permissions
+allow hvdcp hvdcp_device:chr_file rw_file_perms;
+allow hvdcp sysfs_battery_supply:file rw_file_perms;
+allow hvdcp sysfs_battery_supply:dir { search };
+allow hvdcp sysfs_usb_supply:file rw_file_perms;
+allow hvdcp sysfs_usb_supply:dir { search };
+allow hvdcp self:capability { setgid setuid };
+allow hvdcp cgroup:dir { create add_name };
+allow hvdcp self:netlink_kobject_uevent_socket create_socket_perms;
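Review bot: `allow hvdcp self:capability { setgid setuid };` has no comment saying what identity the daemon drops to, unlike the equivalent rule in sensors.te in this same change (`# Change own perms to (nobody,nobody)`); add `# Drops privileges after start — TODO confirm target uid/gid` so the grant can be re-checked. The header misspells the daemon as "HVDVP"; `# hvdcp - high-voltage dedicated charging port daemon` (or whatever the expansion is) plus a short note on why it needs `write` on the battery and usb power_supply sysfs nodes would make the file self-describing.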
diff --git a/common/ims_rmt.te b/common/ims_rmt.te
new file mode 100644
index 0000000..7e98c2d
--- /dev/null
+++ b/common/ims_rmt.te
@@ -0,0 +1,10 @@
+#integrated sensor process
+type ims_rtp_daemon, domain;
+type ims_rtp_daemon_exec, exec_type, file_type;
+
+# Started by init
+init_daemon_domain(ims_rtp_daemon)
+
+allow radio ims_socket:sock_file { open read write };
+allow ims_rtp_daemon ims_socket:sock_file { open read write };
+
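Review bot: The file is named ims_rmt.te, defines `ims_rtp_daemon`, and opens with `#integrated sensor process`, which matches neither; retitle the comment to the daemon's actual purpose and consider naming the file after the domain. No file_contexts entry in this change labels a binary `ims_rtp_daemon_exec` (the same holds for `mcStarter_exec` in mcStarter.te), so `init_daemon_domain` has nothing to transition on unless a target-specific file_contexts supplies it. `allow radio ims_socket:sock_file { open read write };` is a rule for the `radio` domain placed in another domain's file and overlaps the `allow radio ims_socket:sock_file write;` that radio.te adds in this same change; keep a single rule, in radio.te. The trailing blank line at end of file can go.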
diff --git a/common/keystore.te b/common/keystore.te
new file mode 100644
index 0000000..589fc18
--- /dev/null
+++ b/common/keystore.te
@@ -0,0 +1,2 @@
+# Allow keystore to operate using qseecom_device
+allow keystore qseecom_device:chr_file { read write ioctl open };
diff --git a/common/mcStarter.te b/common/mcStarter.te
new file mode 100644
index 0000000..30ae91c
--- /dev/null
+++ b/common/mcStarter.te
@@ -0,0 +1,7 @@
+# mobicore daemon
+type mcStarter, domain;
+type mcStarter_exec, exec_type, file_type;
+init_daemon_domain(mcStarter)
+
+# Allow Mobicore to use qseecom services for loading the app
+allow mcStarter qseecom_device:chr_file { read write ioctl open };
diff --git a/common/mediaserver.te b/common/mediaserver.te
index b67ad17..a0a6d5f 100644
--- a/common/mediaserver.te
+++ b/common/mediaserver.te
@@ -1,2 +1,7 @@
# allow mediaserver to communicate with cnd
unix_socket_connect(mediaserver, cnd, cnd)
+
+allow mediaserver camera_device:chr_file rw_file_perms;
+unix_socket_send(mediaserver, camera, mm-qcamerad)
+
+allow mediaserver qseecom_device:chr_file { read write ioctl open };
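Review bot: `unix_socket_send(mediaserver, camera, mm-qcamerad)` grants `camera_socket:sock_file write`, but the socket lives under `/data/camera`, whose directory is also labelled `camera_socket` in file_contexts, so mediaserver additionally needs `allow mediaserver camera_socket:dir search;` to reach it — unless a broader rule elsewhere already covers that. The `qseecom_device:chr_file { read write ioctl open }` set is now repeated verbatim for drmserver, keystore, mcStarter and mediaserver; a comment here saying what mediaserver uses the qseecom driver for, as drmserver.te already does, would help the next audit.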
diff --git a/common/mm-qcamerad.te b/common/mm-qcamerad.te
new file mode 100644
index 0000000..fd4371d
--- /dev/null
+++ b/common/mm-qcamerad.te
@@ -0,0 +1,21 @@
+type mm-qcamerad, domain;
+type mm-qcamerad_exec, exec_type, file_type;
+init_daemon_domain(mm-qcamerad)
+
+userdebug_or_eng(`
+ allow mm-qcamerad debugfs:dir search;
+')
+
+#Communicate with user land process through domain socket
+allow mm-qcamerad camera_socket:sock_file { create unlink write };
+allow mm-qcamerad camera_socket:dir w_dir_perms;
+unix_socket_connect(mm-qcamerad, sensors, sensors)
+
+allow mm-qcamerad self:process execmem;
+# Interact with other media devices
+allow mm-qcamerad camera_device:dir search;
+allow mm-qcamerad { gpu_device video_device camera_device sensors_device }:chr_file rw_file_perms;
+
+allow mm-qcamerad { surfaceflinger mediaserver }:fd use;
+# Need to investigate this
+allow mm-qcamerad self:tcp_socket create_socket_perms;
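Review bot: `allow mm-qcamerad self:process execmem;` lets the daemon map memory that is both writable and executable and carries no comment on which component needs it; record the reason (`# execmem: needed by <component> — TODO confirm`) or drop the rule if the denial only came from a debug build. `self:tcp_socket create_socket_perms` is already marked `# Need to investigate this`; until that is resolved, consider placing it under `userdebug_or_eng(` … `')` like the `debugfs` rule above so a production camera daemon does not get a network socket by default. `camera_socket:sock_file { create unlink write }` lacks `setattr`, which is needed if the daemon chmods the socket after creating it — confirm against the denials.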
diff --git a/common/netmgrd.te b/common/netmgrd.te
index c135843..49bf70c 100644
--- a/common/netmgrd.te
+++ b/common/netmgrd.te
@@ -45,3 +45,8 @@
#Allow execution of commands in shell
allow netmgrd system_file:file { execute_no_trans };
+
+allow netmgrd self:socket read;
+
+#Allow communication with netd
+allow netmgrd netd_socket:sock_file write;
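Review bot: `allow netmgrd netd_socket:sock_file write;` covers only the filesystem side of connecting to netd's socket; if that socket is a stream socket the connect also needs `allow netmgrd netd:unix_stream_socket connectto;`, which is what `unix_socket_connect(netmgrd, netd, netd)` grants in one line — prefer the macro. `allow netmgrd self:socket read;` is on the generic `socket` class; a comment naming the socket family it stands for, as the comments above it do, would make the rule auditable.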
diff --git a/common/qseecomd.te b/common/qseecomd.te
new file mode 100644
index 0000000..faff1f6
--- /dev/null
+++ b/common/qseecomd.te
@@ -0,0 +1,7 @@
+type qseecomd, domain;
+type qseecomd_exec, exec_type, file_type;
+init_daemon_domain(qseecomd)
+allow qseecomd ssd_device:blk_file { read write getattr open ioctl };
+allow qseecomd rpmb_device:blk_file { read write getattr open ioctl };
+allow qseecomd block_device:dir search;
+allow qseecomd qseecom_device:chr_file { read write ioctl };
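Review bot: `allow qseecomd qseecom_device:chr_file { read write ioctl };` omits `open`, whereas every other qseecom rule in this change (drmserver, keystore, mcStarter, mediaserver) grants `{ read write ioctl open }`; unless qseecomd inherits the descriptor from init, the daemon cannot open its own driver node, so this should read `allow qseecomd qseecom_device:chr_file { read write ioctl open };`. The `ssd_device` and `rpmb_device` rules give raw read/write/ioctl on two partitions; a one-line comment per partition stating why the daemon needs each would let a reviewer verify them later. The file also lacks the header comment the other new daemon files in this change start with.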
diff --git a/common/radio.te b/common/radio.te
index 5b4031f..8bd7e28 100644
--- a/common/radio.te
+++ b/common/radio.te
@@ -1,3 +1,4 @@
# Talks to qmuxd via the qmux_radio socket.
unix_socket_connect(radio, qmux_radio, qmuxd);
allow radio qmux_radio_socket:dir search;
+allow radio ims_socket:sock_file write;
diff --git a/common/rmt_storage.te b/common/rmt_storage.te
new file mode 100644
index 0000000..2ee8365
--- /dev/null
+++ b/common/rmt_storage.te
@@ -0,0 +1,14 @@
+# rmt_storage - rmt_storage daemon
+type rmt_storage, domain;
+type rmt_storage_exec, exec_type, file_type;
+init_daemon_domain(rmt_storage)
+
+allow rmt_storage modem_efs_partition_device:blk_file { read write open };
+allow rmt_storage block_device:dir search;
+allow rmt_storage cgroup:dir { create add_name };
+allow rmt_storage smem_log_device:chr_file { read write ioctl open };
+allow rmt_storage self:capability { setuid setgid sys_admin dac_override };
+allow rmt_storage self:capability2 block_suspend;
+allow rmt_storage self:socket { create_socket_perms };
+allow rmt_storage sysfs_wake_lock:file { open write append };
+allow rmt_storage uio_device:chr_file { read write open };
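Review bot: `allow rmt_storage self:capability { setuid setgid sys_admin dac_override };` bundles `sys_admin` and `dac_override`, two of the broadest capabilities, with no comment on which operation needs them; add a why-comment per capability or split the line so each can be justified and later removed on its own. `sysfs_wake_lock:file { open write append }` plus `self:capability2 block_suspend` is what `wakelock_use(rmt_storage)` covers, and sensors.te in this same change uses that macro, so use it here too. `self:socket { create_socket_perms }` works, but braces around a macro are unusual; `allow rmt_storage self:socket create_socket_perms;` is the form used elsewhere.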
diff --git a/common/sensors.te b/common/sensors.te
index 40c52cc..e865b35 100644
--- a/common/sensors.te
+++ b/common/sensors.te
@@ -2,35 +2,50 @@
type sensors, domain;
type sensors_exec, exec_type, file_type;
+# Started by init
init_daemon_domain(sensors)
-type_transition sensors apk_data_file:sock_file sensors_socket;
-type_transition sensors persist_file:{ dir file } sensors_persist_file;
-type_transition sensors socket_device:{ dir sock_file } sensors_socket;
-type_transition sensors system_data_file:{ dir file } sensors_data_file;
+# Change own perms to (nobody,nobody)
+allow sensors self:capability { setuid setgid };
+# Chown /data/misc/sensors/debug/ to nobody
+allow sensors self:capability chown;
+dontaudit sensors self:capability fsetid;
+# Access /data/misc/sensors/debug and /data/system/sensors/settings
+allow sensors self:capability { dac_override dac_read_search };
+
+# Sensors socket
+allow sensors sensors_socket:sock_file create_file_perms;
+type_transition sensors socket_device:sock_file sensors_socket "sensor_ctl_socket";
+allow sensors socket_device:dir rw_dir_perms;
+
+# Create directories and files under /data/misc/sensors
+# and /data/system/sensors. Allow generic r/w file access.
+allow sensors sensors_data_file:dir create_dir_perms;
+allow sensors sensors_data_file:file create_file_perms;
+
+# Access sensor nodes (/dev/msm_dsps, /dev/sensors)
+allow sensors sensors_device:chr_file rw_file_perms;
+
+# Access to /persist/sensors
+allow sensors persist_file:dir r_dir_perms;
+allow sensors sensors_persist_file:dir rw_dir_perms;
+allow sensors sensors_persist_file:file create_file_perms;
+
+# Wake lock access
+wakelock_use(sensors)
+
+allow sensors cgroup:dir { create add_name };
+
+allow sensors self:socket *;
+
+# Access to other devices
+allow sensors smd_device:chr_file rw_file_perms;
+allow sensors smem_log_device:chr_file rw_file_perms;
+allow sensors device_latency:chr_file w_file_perms;
+
+# Access to tests from userdebug/eng builds
userdebug_or_eng(`
domain_auto_trans(shell, sensors_exec, sensors)
- domain_auto_trans(adbd, sensors_exec, sensors)
+ allow sensors diag_device:chr_file rw_file_perms;
')
-
-#============= sensors ==============
-allow sensors apk_data_file:dir { write add_name remove_name };
-allow sensors cgroup:dir { create add_name };
-allow sensors diag_device:chr_file { read write ioctl open };
-allow sensors persist_file:dir { search getattr };
-allow sensors self:capability { setuid chown setgid dac_override };
-allow sensors self:capability2 block_suspend;
-allow sensors self:socket { read bind create write ioctl };
-allow sensors sensors_data_file:dir { write getattr setattr read create open add_name };
-allow sensors sensors_data_file:file { write getattr setattr read create open append };
-allow sensors sensors_device:chr_file { read ioctl open };
-allow sensors sensors_persist_file:dir search;
-allow sensors sensors_persist_file:file { read open };
-allow sensors sensors_socket:sock_file { write create getattr setattr unlink };
-allow sensors sensors_system_file:dir { read search open };
-allow sensors sensors_system_file:file { read getattr open };
-allow sensors smd_device:chr_file { read open append };
-allow sensors smem_log_device:chr_file { read write ioctl open };
-allow sensors socket_device:dir { write add_name };
-allow sensors sysfs_wake_lock:file { open append };
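Review bot: `allow sensors self:socket *;` replaces the explicit `{ read bind create write ioctl }` of the old rules with a wildcard over every permission of the generic socket class and gives no reason; keep the explicit set (or `create_socket_perms` if more is genuinely needed) so the grant stays reviewable. `allow sensors diag_device:chr_file rw_file_perms;` inside `userdebug_or_eng` duplicates the domain-wide rule domain.te adds in this same change. Dropping the `type_transition` lines for `persist_file` and `system_data_file` means labels now come from file_contexts alone; the new `/data/system/sensors(/.*)?` and `/persist/sensors(/.*)?` entries cover that, but with only `persist_file:dir r_dir_perms` the daemon cannot create `/persist/sensors` itself — confirm it is created elsewhere.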
diff --git a/common/service.te b/common/service.te
new file mode 100644
index 0000000..612d43d
--- /dev/null
+++ b/common/service.te
@@ -0,0 +1 @@
+type atfwd_service, service_manager_type;
diff --git a/common/service_contexts b/common/service_contexts
new file mode 100644
index 0000000..c549ecf
--- /dev/null
+++ b/common/service_contexts
@@ -0,0 +1 @@
+AtCmdFwd u:object_r:atfwd_service:s0
diff --git a/common/system_app.te b/common/system_app.te
index 48103f8..da0489e 100644
--- a/common/system_app.te
+++ b/common/system_app.te
@@ -1,3 +1,4 @@
# fm_radio app needes open read write on fm_radio_device
allow system_app fm_radio_device:chr_file { read open ioctl};
allow system_app ctl_default_prop:property_service set;
+allow system_app atfwd_service:service_manager add;
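Review bot: `allow system_app atfwd_service:service_manager add;` lets any app in the `system_app` domain register itself as `AtCmdFwd`, and no domain in this change is given `find` on the service; if ATFWD-daemon is the client (atfwd.te's new `binder_call(atfwd, system_app)` suggests so) it also needs `allow atfwd atfwd_service:service_manager find;`. A comment naming the app that publishes the service would record why `system_app` rather than a dedicated domain holds `add`.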
diff --git a/common/system_server.te b/common/system_server.te
index 6787e7a..a0701af 100644
--- a/common/system_server.te
+++ b/common/system_server.te
@@ -5,6 +5,8 @@
allow system_server cnd_data_file:dir { read open write getattr add_name };
allow system_server cnd_data_file:file { create write getattr setattr read lock open };
-# allow system_server to communicate with sensors daemon over sensors_socket
-allow system_server sensors:unix_stream_socket connectto;
-allow system_server sensors_socket:sock_file write;
+# Access to sensors socket
+unix_socket_connect(system_server, sensors, sensors)
+unix_socket_send(system_server, sensors, sensors)
+allow system_server sensors:unix_stream_socket sendto;
+allow system_server sensors_socket:sock_file r_file_perms;
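Review bot: The four new lines mix stream and datagram semantics for one socket: `unix_socket_connect` grants `sensors:unix_stream_socket connectto`, `unix_socket_send` grants `sensors:unix_dgram_socket sendto`, and the explicit `sensors:unix_stream_socket sendto` is, as far as I can tell, not a check the kernel performs for stream sockets. Keep whichever matches the socket type the sensors daemon creates — `unix_socket_connect(system_server, sensors, sensors)` alone for a stream socket, `unix_socket_send` alone for datagram — and drop the explicit `sendto`. `sensors_socket:sock_file r_file_perms` adds read/getattr/open on the socket node, which neither connect nor send needs; the `write` the macros already grant is sufficient.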
diff --git a/common/time_daemon.te b/common/time_daemon.te
new file mode 100644
index 0000000..1a3d415
--- /dev/null
+++ b/common/time_daemon.te
@@ -0,0 +1,18 @@
+# Policies for time daemon
+type time_daemon, domain;
+type time_daemon_exec, exec_type, file_type;
+type time_data_file, file_type, data_file_type;
+
+# Make transition to its own time_daemon domain from init
+init_daemon_domain(time_daemon)
+
+# Add rules for access permissions
+#============= IOCTL operations ==============
+allow time_daemon rtc_device:chr_file { open read ioctl };
+allow time_daemon alarm_device:chr_file { open read write ioctl };
+
+#============= File read/write ==============
+allow time_daemon time_data_file:file { write create open read};
+allow time_daemon time_data_file:dir { write add_name search};
+allow time_daemon self:socket { write read create ioctl};
+allow time_daemon self:capability { setuid setgid };
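Review bot: `allow time_daemon time_data_file:dir { write add_name search};` grants no `create`, so the daemon depends on `/data/time` already existing with that label, and `time_data_file:file { write create open read}` lacks `getattr`, which most stat/fstat paths need; `create_dir_perms`/`create_file_perms` as used in sensors.te would cover both, or confirm the denials really were this narrow. `self:socket { write read create ioctl}` is on the generic socket class; a comment naming its purpose, in the style of the `IOCTL`/`File` headings above, would help. time_daemon.te's body is complete here, but note that the matching file_contexts entry `/data/time/*` only labels the directory itself.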
diff --git a/test/sensors_test.te b/test/sensors_test.te
index 591ba5e..92872b5 100644
--- a/test/sensors_test.te
+++ b/test/sensors_test.te
@@ -7,10 +7,10 @@
domain_auto_trans(shell, sensors_test_exec, sensors_test)
domain_auto_trans(adbd, sensors_test_exec, sensors_test)
- allow sensors_test devpts:chr_file { open read write ioctl getattr };
+ allow sensors_test devpts:chr_file rw_file_perms;
allow sensors_test sensors:unix_stream_socket connectto;
- allow sensors_test sensors_device:chr_file { getattr read };
- allow sensors_test sensors_socket:sock_file { read write };
- allow sensors_test smd_device:chr_file { read write open };
- allow sensors_test socket_device:dir read;
+ allow sensors_test sensors_device:chr_file rw_file_perms;
+ allow sensors_test sensors_socket:sock_file rw_file_perms;
+ allow sensors_test smd_device:chr_file rw_file_perms;
+ allow sensors_test socket_device:dir r_dir_perms;
')
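Review bot: Replacing `{ getattr read }` on `sensors_device:chr_file` and `{ read write }` on `sensors_socket:sock_file` with `rw_file_perms` also grants `append`, `lock`, `open` and, for the device node, `write`; the enclosing `userdebug_or_eng(` block opens outside this hunk, so this is presumably debug-only, but the widening deserves a comment such as `# test binaries: full rw on sensor nodes (debug builds only)` or a line in the commit message.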