Seandroid: Adding policies for IMS

Add the SELinux policy rules the IMS daemon (ims domain) needs: network and netlink access, qmuxd/netd/property socket access, and a dedicated qcom_ims_prop property type replacing the system_prop set grant.

Change-Id: I65e5ac5c9cf9b110a1fe68ceab1df6fa9814294d
diff --git a/common/ims.te b/common/ims.te
index 1a35abe..fff1870 100644
--- a/common/ims.te
+++ b/common/ims.te
@@ -4,13 +4,41 @@
 
 # Started by init
 init_daemon_domain(ims)
+net_domain(ims)
 
-allow radio ims_socket:sock_file { open read write };
-allow ims ims_socket:sock_file { open read write };
-allow ims property_socket:sock_file write;
-allow ims servicemanager:binder call;
+# Talk to qmuxd
+qmux_socket(ims)
+
+# To make VT call
 binder_use(ims)
+
+# Bring up IMSPDM
+allow ims kernel:system module_request;
+
+allow ims self:socket create_socket_perms;
+allow ims self:capability { net_admin net_raw };
+
+# Use generic netlink socket
+allow ims self:netlink_socket create_socket_perms;
+
+# To run NDC command
+allow ims shell_exec:file rx_file_perms;
+allow ims system_file:file rx_file_perms;
+
+# IMS route installation
+allow ims wcnss_service_exec:file rx_file_perms;
+
+# Talk to netd via netd_socket
+unix_socket_connect(ims, netd, netd)
+
+# Talk to qumuxd via ims_socket
+unix_socket_connect(ims, ims, qmuxd)
+
+# Talk to init via property_socket
 unix_socket_connect(ims, property, init)
-allow ims self:socket { read bind create write ioctl };
-allow ims system_prop:property_service set;
+
+#Add connectionmanager service
 allow ims imscm_service:service_manager add;
+
+# Set property to start imsdata_daemon and ims_rtp_daemon
+allow ims qcom_ims_prop:property_service set;
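Review bot: The `shell_exec:file rx_file_perms` and `system_file:file rx_file_perms` grants (under "To run NDC command") let a daemon that also holds `self:capability { net_admin net_raw }` execute the shell and any binary under /system without a domain transition, so whatever it launches runs with those network privileges; this is the kind of broad exec grant Android's policy reviews usually reject for system daemons. The same hunk already grants `unix_socket_connect(ims, netd, netd)`, so netd is reachable directly over netd_socket and routing the request through `sh`/`ndc` looks redundant — consider dropping the two exec rules, and if `wcnss_service` must be spawned, giving it a `domain_auto_trans` into its own domain instead of `wcnss_service_exec:file rx_file_perms` in ims. The comment on the qmuxd rule has a typo and mislabels the socket direction: `# Talk to qmuxd via ims_socket` (the macro grants `ims_socket:sock_file write` plus `qmuxd:unix_stream_socket connectto`). The "Use generic netlink socket" comment describes the `netlink_socket` class, which is the generic/untyped netlink class rather than `netlink_generic_socket`; if a specific protocol family is meant, say which so a later tightening is possible.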
diff --git a/common/mm-qcamerad.te b/common/mm-qcamerad.te
index 49838d8..0fb8750 100644
--- a/common/mm-qcamerad.te
+++ b/common/mm-qcamerad.te
@@ -35,3 +35,6 @@
 
 #Remove GL fine reference
 allow mm-qcamerad shell_data_file:dir search;
+
+# IMS use camera daemon to make VT call
+allow mm-qcamerad port:tcp_socket name_bind;
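Review bot: `port:tcp_socket name_bind` lets the camera daemon bind a listening TCP socket on any port that has no dedicated type, which turns a media helper into a network-reachable endpoint, and the comment does not say which port or whether it is loopback-only. If the VT path needs a fixed port, pin it to a dedicated port type in the port contexts and grant `name_bind` on that type only; if it only needs an ephemeral outbound socket, `name_bind` is not required at all. The hunk also does not show whether mm-qcamerad is a `net_domain`, so confirm the `tcp_socket create/bind` self permissions exist, otherwise this rule is dead. At minimum the comment should record the intent, e.g. `# VT call: IMS media path binds a TCP listener in mm-qcamerad — TODO restrict to a dedicated port type`.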
diff --git a/common/property.te b/common/property.te
index 1e54640..ea480c7 100644
--- a/common/property.te
+++ b/common/property.te
@@ -1,2 +1,3 @@
 # property for uicc_daemon
 type uicc_prop, property_type;
+type qcom_ims_prop, property_type;
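Review bot: The new type is undocumented while the line above it carries `# property for uicc_daemon`; keep the file's convention and say what the type covers, e.g. `# property for the IMS daemons (sys.ims.*)`. A reader auditing property types otherwise has to find property_contexts to learn which prefix this protects.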
diff --git a/common/property_contexts b/common/property_contexts
index fd1f716..1c4c7a4 100644
--- a/common/property_contexts
+++ b/common/property_contexts
@@ -1,2 +1,3 @@
 wc_transport.              u:object_r:bluetooth_prop:s0
 usb_uicc.                  u:object_r:uicc_prop:s0
+sys.ims.                   u:object_r:qcom_ims_prop:s0
diff --git a/common/radio.te b/common/radio.te
index c117da1..2b854f5 100644
--- a/common/radio.te
+++ b/common/radio.te
@@ -8,3 +8,6 @@
 
 #Need permission to execute dpmd talk to radio layer
 unix_socket_connect(radio, dpmd, dpmd)
+
+# IMS needs permission to use unix domain socket
+allow radio ims:unix_stream_socket connectto;
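Review bot: `connectto` alone is not enough for radio to reach the ims socket through its filesystem path — the ims.te hunk in this same commit removes `allow radio ims_socket:sock_file { open read write }`, so unless that access is granted elsewhere, radio's connect() will be denied on the sock_file before the stream `connectto` check is reached. The idiomatic form, and the one that grants both parts, is `unix_socket_connect(radio, ims, ims)` in place of the raw allow. The comment also reads backwards: the rule grants radio access to ims, so `# radio connects to the IMS daemon's unix domain socket` would match what it does.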
diff --git a/msm8994/ims.te b/msm8994/ims.te
deleted file mode 100644
index 69bd1f3..0000000
--- a/msm8994/ims.te
+++ /dev/null
@@ -1,2 +0,0 @@
-allow ims self:capability net_raw;
-allow ims self:socket { read bind create write ioctl };