
Bulk M7 Changes #44

Open
wants to merge 15 commits into
base: cm-10.2
38 changes: 36 additions & 2 deletions BoardConfig.mk
@@ -65,8 +65,6 @@ BOARD_USES_SEPERATED_VOIP := true
BOARD_HAVE_HTC_CSDCLIENT := true

# Camera
USE_CAMERA_STUB := false
TARGET_PROVIDES_CAMERA_HAL := true
BOARD_NEEDS_MEMORYHEAPPMEM := true
COMMON_GLOBAL_CFLAGS += -DDISABLE_HW_ID_MATCH_CHECK
COMMON_GLOBAL_CFLAGS += -DHTC_CAMERA_HARDWARE
@@ -108,6 +106,42 @@ WIFI_DRIVER_FW_PATH_P2P := "/system/etc/firmware/fw_bcm4334_p2p.bin"
BOARD_VENDOR_QCOM_GPS_LOC_API_HARDWARE := $(TARGET_BOARD_PLATFORM)
TARGET_NO_RPC := true

# SElinux
BOARD_SEPOLICY_DIRS := \
device/htc/dlx/sepolicy

BOARD_SEPOLICY_UNION := \
file_contexts \
property_contexts \
te_macros \
bluetooth_loader.te \
bridge.te \
camera.te \
conn_init.te \
device.te \
dhcp.te \
domain.te \
drmserver.te \
file.te \
kickstart.te \
init.te \
mediaserver.te \
mpdecision.te \
netmgrd.te \
property.te \
qmux.te \
restorecon.te \
rild.te \
rmt.te \
sensors.te \
surfaceflinger.te \
system.te \
tee.te \
thermald.te \
ueventd.te \
wpa_supplicant.te \
zygote.te

# Filesystem
TARGET_USERIMAGES_USE_EXT4 := true
BOARD_BOOTIMAGE_PARTITION_SIZE := 16777216

This file was deleted.

2 changes: 1 addition & 1 deletion overlay/packages/apps/Phone/res/values/network_mode.xml
@@ -34,5 +34,5 @@
</string-array>

<!-- LTE/CDMA network mode to use for toggleLTE(true). -->
<integer name="toggleLTE_lte_cdma_nt_mode">10</integer>
<integer name="toggleLTE_lte_cdma_nt_mode">8</integer>
</resources>
17 changes: 11 additions & 6 deletions rootdir/etc/fstab.dlx
@@ -1,10 +1,15 @@
# Android fstab file.
#<src> <mnt_point> <type> <mnt_flags> <fs_mgr_flags>
#<src> <mnt_point> <type> <mnt_flags> <fs_mgr_flags>
# The filesystem that contains the filesystem checker binary (typically /system) cannot
# specify MF_CHECK, and must come before any filesystems that do specify MF_CHECK

/dev/block/mmcblk0p32 /system ext4 ro,barrier=1 wait
/dev/block/mmcblk0p34 /data ext4 noatime,nosuid,nodev,barrier=1,data=ordered,noauto_da_alloc wait,check,encryptable=/dev/block/mmcblk0p29
/dev/block/mmcblk0p33 /cache ext4 noatime,nosuid,nodev,barrier=1,data=ordered wait,check
#/dev/block/mmcblk0p24 /devlog ext4 noatime,nosuid,nodev,data=ordered,noauto_da_alloc wait
/dev/block/mmcblk0p19 /boot emmc defaults defaults
/dev/block/mmcblk0p20 /recovery emmc defaults defaults
/dev/block/mmcblk0p32 /system ext4 rw,noatime,barrier=1 wait
/dev/block/mmcblk0p33 /cache ext4 nosuid,nodev,noatime,barrier=1 wait,check
/dev/block/mmcblk0p34 /data ext4 noatime,nosuid,nodev,noauto_da_alloc,barrier=1 wait,check,encryptable=footer
/dev/block/mmcblk0p16 /firmware/mdm vfat ro,fmask=0000,dmask=0000,shortname=lower,context=u:object_r:radio_efs_file:s0 wait
/dev/block/mmcblk0p17 /firmware/q6 vfat ro,fmask=0000,dmask=0000,shortname=lower,context=u:object_r:radio_efs_file:s0 wait

# USB storage
/devices/platform/msm_hsusb_host/usb /storage/usbdisk auto defaults voldmanaged=usbdisk:auto
/devices/platform/msm_hsusb_host/usb /storage/usbdisk auto defaults voldmanaged=usbdisk:auto
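Review bot: The `/system` entry that survives the hunk reads `/dev/block/mmcblk0p32 /system ext4 rw,noatime,barrier=1 wait`, which mounts the system partition writable from boot; the rendered page does not mark which side each line is on, but the other `/system` entry in the hunk carried `ro,barrier=1`. Keeping `/system` read-only at mount time and remounting explicitly only when something needs to write is the safer default, since a writable system partition is what lets a compromised root process or a mislabeled daemon persist changes to system binaries. If the change was made so that the boot-time `restorecon` commands in init.dlx.rc can relabel /system files, labeling the image at build time through the new `file_contexts` avoids that need. The two `/firmware` vfat lines use `fmask=0000,dmask=0000`; they are `ro` and carry a `context=` label so policy still gates them, but a comment saying why world-accessible DAC bits are required would help the next reader.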
15 changes: 13 additions & 2 deletions rootdir/etc/init.dlx.rc
@@ -70,6 +70,16 @@ on fs
symlink /system/vendor/pittpatt /vendor/pittpatt
symlink /system/vendor/firmware/libpn544_fw.so /vendor/firmware/libpn544_fw.so

# Restorecon
restorecon /system/bin/efsks
restorecon /system/bin/ks
restorecon /system/bin/qcks
restorecon /system/etc/hldm.bin
restorecon /system/etc/hltof.bin
restorecon /system/etc/hltrd.bin
restorecon /system/etc/firmware/a300_pfp.fw
restorecon /system/etc/firmware/a300_pm4.fw

on early-boot
# set RLIMIT_MEMLOCK to 64MB
setrlimit 8 67108864 67108864
@@ -297,6 +307,7 @@ service mpdecision /system/bin/mpdecision --no_sleep --avg_comp
service kickstart /system/bin/qcks -1 modem_st1 -2 modem_st2 -3 radio_config -4 cdma_record -i /vendor/firmware/
class core
user root
seclabel u:r:kickstart:s0
oneshot

service startup /system/bin/sh /init.qcom.sh
@@ -311,14 +322,14 @@ service sdcard /system/bin/sdcard /data/media /mnt/shell/emulated 1023 1023
service wpa_supplicant /system/bin/wpa_supplicant -Dnl80211 -iwlan0 -c/data/misc/wifi/wpa_supplicant.conf
user root
group wifi inet
socket wpa_wlan0 dgram 0660 wifi wifi
socket wpa_wlan0 dgram 0660 wifi wifi u:object_r:wpa_socket:s0
disabled
oneshot

service p2p_supplicant /system/bin/wpa_supplicant -Dnl80211 -iwlan0 -c/data/misc/wifi/wpa_supplicant.conf
user root
group wifi inet
socket wpa_wlan0 dgram 0660 wifi wifi
socket wpa_wlan0 dgram 0660 wifi wifi u:object_r:wpa_socket:s0
disabled
oneshot

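Review bot: The `restorecon` block added under `on fs` (the `on fs` section itself starts outside the hunk) relabels files on /system at every boot, which only works while /system is mounted writable and duplicates what the new `sepolicy/file_contexts` entries for `/system/bin/qcks`, `/system/etc/firmware(/.*)?` and the three `hl*.bin` files already do when the image is built. If the image is built with those contexts applied, the eight `restorecon` lines can go and /system can stay read-only; if they are kept, a comment above them should say which build step fails to label these paths. Separately, `seclabel u:r:kickstart:s0` on the `kickstart` service overlaps with `init_daemon_domain(kickstart)` in sepolicy/kickstart.te, which already transitions on exec of `kickstart_exec`; it is harmless, but a one-line comment would stop someone from removing one half believing the other is absent.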
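--- a/sepolicy/bluetooth_loader.te
+++ b/sepolicy/bluetooth_loader.te
@@ -0,0 +1,39 @@
+# Bluetooth executables and script (bdAddrLoader, init.qcom.bt.sh)
+type bluetooth_loader, domain;
+type bluetooth_loader_exec, exec_type, file_type;
+
+# Start bdAddrLoader from init
+init_daemon_domain(bluetooth_loader)
+
+# Run init.qcom.bt.sh
+allow bluetooth_loader shell_exec:file { entrypoint read };
+allow bluetooth_loader bluetooth_loader_exec:file { getattr open execute_no_trans };
+
+# init.qcom.bt.sh needs /system/bin/log access
+allow bluetooth_loader devpts:chr_file rw_file_perms;
+
+# Run hci_qcomm_init from init.qcom.bt.sh
+domain_auto_trans(bluetooth_loader, hci_attach_exec, hci_attach)
+
+# hci_qcomm_init started with logwrapper
+allow hci_attach devpts:chr_file rw_file_perms;
+allow hci_attach bluetooth_loader:fd use;
+
+# Read mac address from persist partition
+allow bluetooth_loader persist_file:dir search;
+r_dir_file(bluetooth_loader, persist_bluetooth_file)
+
+# Talk to init over the property socket
+unix_socket_connect(bluetooth_loader, property, init)
+# Set persist.service.bdroid.* and bluetooth.* property values
+allow { bluetooth bluetooth_loader } bluetooth_prop:property_service set;
+
+# Shared memory node access
+allow hci_attach bluetooth_device:chr_file rw_file_perms;
+
+# Allow getprop/setprop for init.mako.bt.sh
+allow bluetooth_loader system_file:file execute_no_trans;
+
+# Bluetooth
+allow bluetooth radio_efs_file:file r_file_perms;
+allow bluetooth radio_efs_file:dir { open read search };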
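Review bot: `allow bluetooth_loader system_file:file execute_no_trans;` lets the loader run any binary under /system in its own domain, far wider than the getprop/setprop helpers the comment names; labeling the helpers it actually needs (or routing them through the `bluetooth_loader_exec` type already allowed above) keeps the domain's reachable code to what the script uses. The comment above that rule reads `init.mako.bt.sh` while the file header says `init.qcom.bt.sh`; `mako` is a different device, so the comment looks copied and should name the script this device runs. The last two rules grant `bluetooth`, not `bluetooth_loader`, access to `radio_efs_file`; they belong in a `bluetooth.te` next to the other per-domain files rather than at the bottom of this one.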
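--- a/sepolicy/bridge.te
+++ b/sepolicy/bridge.te
@@ -0,0 +1,17 @@
+# Bridge Manager (radio process)
+type bridge, domain;
+type bridge_exec, exec_type, file_type;
+
+# Started by init
+init_daemon_domain(bridge)
+
+allow bridge self:netlink_kobject_uevent_socket { create bind read };
+
+# Allow logging diagnostic items
+allow bridge diagnostic_device:chr_file rw_file_perms;
+
+# Talk to qmuxd
+qmux_socket(bridge)
+
+# XXX Label sysfs files with a specific type?
+allow bridge sysfs:file { open write read getattr };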
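--- a/sepolicy/camera.te
+++ b/sepolicy/camera.te
@@ -0,0 +1,26 @@
+# Qualcomm MSM camera
+type camera, domain;
+type camera_exec, exec_type, file_type;
+
+# Started by init
+init_daemon_domain(camera)
+
+allow camera self:process execmem;
+
+allow camera camera_device:dir search;
+allow camera { video_device camera_device }:chr_file rw_file_perms;
+allow camera { surfaceflinger mediaserver }:fd use;
+
+# Create /data/cam_socket0 as camera_socket
+type_transition camera system_data_file:sock_file camera_socket "cam_socket0";
+allow camera camera_socket:sock_file { create unlink };
+dontaudit camera system_data_file:dir remove_name;
+
+# All others under /data get camera_data_file
+file_type_auto_trans(camera, system_data_file, camera_data_file);
+allow camera camera_data_file:dir { write add_name };
+allow camera camera_data_file:file create_file_perms;
+
+# Connect to /data/app/sensor_ctl_socket
+unix_socket_connect(camera, sensors, sensors)
+allow camera sensors_socket:sock_file read;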
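Review bot: `allow camera self:process execmem;` carries no comment saying why the camera daemon needs memory that is both writable and executable; the same unexplained grant appears in sepolicy/tee.te (`allow tee self:process execmem;`). `execmem` removes the W^X guarantee for the whole domain, so it should be tied to a named cause, e.g. `# execmem: required by the vendor camera library (denial: TODO-DENIAL)`, and re-checked whenever the blobs are updated. If the denial was only seen during development and never on a release build, dropping the rule is preferable to keeping it.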
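--- a/sepolicy/conn_init.te
+++ b/sepolicy/conn_init.te
@@ -0,0 +1,15 @@
+# wifi connection service
+type conn_init, domain;
+type conn_init_exec, exec_type, file_type;
+
+# Started by logwrapper in init
+domain_auto_trans(init, conn_init_exec, conn_init)
+allow conn_init devpts:chr_file { read write };
+
+# allow /persist/wifi access
+allow conn_init persist_file:dir search;
+r_dir_file(conn_init, persist_wifi_file)
+
+# allow /data/misc/wifi access for firmware files
+allow conn_init wifi_data_file:dir w_dir_perms;
+allow conn_init wifi_data_file:file create_file_perms;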
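Review bot: `allow conn_init wifi_data_file:file create_file_perms;` together with `w_dir_perms` on the directory lets this domain write the files under /data/misc/wifi that sepolicy/ueventd.te (`allow ueventd { radio_device radio_efs_file wifi_data_file }:file r_file_perms;`) then hands to the kernel as firmware. Loading firmware from a writable data partition means anything that can write `wifi_data_file` controls what the driver runs; if the files are only copied there from `/persist/wifi` or /system, a comment stating the source and why the copy is needed lets a later reviewer judge whether read-only staging is possible. The entry rule also differs in style from the other daemons (`domain_auto_trans(init, conn_init_exec, conn_init)` instead of `init_daemon_domain`); the logwrapper comment explains it, so keep that comment with the rule.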
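--- a/sepolicy/device.te
+++ b/sepolicy/device.te
@@ -0,0 +1,9 @@
+type diagnostic_device, dev_type;
+type kgsl_device, dev_type, mlstrustedobject;
+type mpdecision_device, dev_type;
+type shared_log_device, dev_type;
+type power_control_device, dev_type;
+type efs_block_device, dev_type;
+type bluetooth_device, dev_type;
+type shared_memory_device, dev_type;
+type rfkill_device, dev_type;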
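--- a/sepolicy/dhcp.te
+++ b/sepolicy/dhcp.te
@@ -0,0 +1 @@
+allow dhcp self:rawip_socket { create write setopt };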
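--- a/sepolicy/domain.te
+++ b/sepolicy/domain.te
@@ -0,0 +1,3 @@
+allow domain kgsl_device:chr_file rw_file_perms;
+# libgsl is chatty about accessing /data/local/tmp
+dontaudit { surfaceflinger appdomain } shell_data_file:dir search;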
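Review bot: `allow domain kgsl_device:chr_file rw_file_perms;` gives every process on the device, untrusted apps and init included, read/write access to the GPU node. The hunk does not show which domains actually render, so the narrowing cannot be stated exactly here, but restricting the rule to the graphics clients (presumably `{ surfaceflinger mediaserver appdomain }` and similar) and letting other domains surface denials is the usual shape. A comment naming the client set once it is narrowed will keep later additions from falling back to `domain`.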
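--- a/sepolicy/drmserver.te
+++ b/sepolicy/drmserver.te
@@ -0,0 +1,2 @@
+# Drm wants to read /firmware/image/tzapps.mdt
+r_dir_file(drmserver, radio_efs_file)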
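--- a/sepolicy/file.te
+++ b/sepolicy/file.te
@@ -0,0 +1,22 @@
+type mpdecision_socket, file_type;
+type qmuxd_socket, file_type;
+type sensors_socket, file_type;
+type camera_socket, file_type;
+
+type kickstart_data_file, file_type, data_file_type;
+type sensors_data_file, file_type, data_file_type;
+type camera_data_file, file_type, data_file_type;
+
+# Default type for anything under /firmware
+type radio_efs_file, fs_type;
+allow fs_type radio_efs_file:filesystem associate;
+
+allow radio_efs_file labeledfs:filesystem associate;
+allow radio_efs_file rootfs:filesystem associate;
+
+# Persist firmware types
+type persist_file, file_type;
+type persist_bluetooth_file, file_type;
+type persist_drm_file, file_type;
+type persist_sensors_file, file_type;
+type persist_wifi_file, file_type;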
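Review bot: `type radio_efs_file, fs_type;` followed by `allow fs_type radio_efs_file:filesystem associate;` declares what this PR uses as a file label (file_contexts assigns it to `/system/etc/firmware(/.*)?` and fstab.dlx uses it as the `context=` of the /firmware vfat mounts) as a filesystem type and then lets every filesystem type associate with it. The ext4 and rootfs cases are already covered by `allow radio_efs_file labeledfs:filesystem associate;` and `allow radio_efs_file rootfs:filesystem associate;`; the `context=` mounts need at most `allow radio_efs_file radio_efs_file:filesystem associate;`, which is the narrow replacement if that is what the `fs_type` wildcard was added for. Declaring the type with `file_type` instead would let it take part in the `file_type` attribute rules the rest of the policy relies on; if it must remain an `fs_type`, the comment should say why.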
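--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -0,0 +1,127 @@
+/dev/msm_acdb u:object_r:audio_device:s0
+/dev/msm_mp3 u:object_r:audio_device:s0
+/dev/msm_rtac u:object_r:audio_device:s0
+/dev/msm_vidc.* u:object_r:audio_device:s0
+/dev/msm_amrnb.* u:object_r:audio_device:s0
+/dev/msm_amrwb.* u:object_r:audio_device:s0
+/dev/msm_aac.* u:object_r:audio_device:s0
+
+/dev/pn544 u:object_r:nfc_device:s0
+/dev/qseecom u:object_r:tee_device:s0
+
+# Jpeg Engine support
+/dev/gemini.* u:object_r:camera_device:s0
+
+# MSM camera related
+/dev/v4l-subdev.* u:object_r:camera_device:s0
+/dev/video.* u:object_r:camera_device:s0
+/dev/msm_camera.* u:object_r:camera_device:s0
+
+# Media interface
+/dev/media.* u:object_r:video_device:s0
+
+# Image Rotator Driver
+/dev/msm_rotator u:object_r:video_device:s0
+
+# Audio
+/dev/rt5501 u:object_r:audio_device:s0
+/dev/tfa9887 u:object_r:audio_device:s0
+/dev/tpa6185 u:object_r:audio_device:s0
+
+# Sensors
+/dev/msm_dsps u:object_r:sensors_device:s0
+/dev/smd_sns_dsps u:object_r:sensors_device:s0
+/dev/akm8963_dev u:object_r:sensors_device:s0
+/dev/cm3602 u:object_r:sensors_device:s0
+/dev/lightsensor u:object_r:sensors_device:s0
+
+/dev/mdm u:object_r:radio_device:s0
+/dev/hsicctl[0-3] u:object_r:radio_device:s0
+/dev/rmnet_mux_ctrl u:object_r:radio_device:s0
+/dev/qmi[0-2] u:object_r:radio_device:s0
+/dev/smd7 u:object_r:radio_device:s0
+/dev/smdcntl0 u:object_r:radio_device:s0
+/dev/smdcntl1 u:object_r:radio_device:s0
+/dev/smdcntl2 u:object_r:radio_device:s0
+/dev/smdcntl3 u:object_r:radio_device:s0
+/dev/smdcntl4 u:object_r:radio_device:s0
+/dev/smdcntl5 u:object_r:radio_device:s0
+/dev/smdcntl6 u:object_r:radio_device:s0
+/dev/smdcntl7 u:object_r:radio_device:s0
+/dev/ttyUSB0 u:object_r:radio_device:s0
+
+/dev/ttyHS0 u:object_r:hci_attach_dev:s0
+/dev/ttyMSM0 u:object_r:hci_attach_dev:s0
+/dev/smd2 u:object_r:hci_attach_dev:s0
+/dev/smd3 u:object_r:hci_attach_dev:s0
+
+/dev/cpu_dma_latency u:object_r:power_control_device:s0
+/dev/diag u:object_r:diagnostic_device:s0
+/dev/smd.* u:object_r:shared_memory_device:s0
+/dev/smem_log u:object_r:shared_log_device:s0
+/dev/kgsl-3d0 u:object_r:kgsl_device:s0
+/dev/kgsl u:object_r:kgsl_device:s0
+
+# Sockets
+/dev/socket/qmux_audio(/.*)? u:object_r:qmuxd_socket:s0
+/dev/socket/qmux_bluetooth(/.*)? u:object_r:qmuxd_socket:s0
+/dev/socket/qmux_gps(/.*)? u:object_r:qmuxd_socket:s0
+/dev/socket/qmux_radio(/.*)? u:object_r:qmuxd_socket:s0
+/dev/socket/mpdecision(/.*)? u:object_r:mpdecision_socket:s0
+
+# Block labeling
+/dev/block/mmcblk0p22 u:object_r:efs_block_device:s0
+/dev/block/mmcblk0p23 u:object_r:efs_block_device:s0
+/dev/block/mmcblk0p30 u:object_r:efs_block_device:s0
+/dev/block/mmcblk0p18 u:object_r:efs_block_device:s0
+
+# Modem firmware loader
+/dev/ks_hsic_bridge u:object_r:kickstart_device:s0
+/dev/efs_hsic_bridge u:object_r:kickstart_device:s0
+
+# Data labeling
+/data/audio(/.*)? u:object_r:audio_data_file:s0
+/data/misc/audio(/.*)? u:object_r:audio_data_file:s0
+/data/nfc(/.*)? u:object_r:nfc_data_file:s0
+/data/qcks(/.*)? u:object_r:kickstart_data_file:s0
+/data/misc/sensors(/.*)? u:object_r:sensors_data_file:s0
+/data/misc/playready(/.*)? u:object_r:drm_data_file:s0
+/data/misc/tzapps(/.*)? u:object_r:tee_data_file:s0
+/data/system/sensors(/.*)? u:object_r:sensors_data_file:s0
+
+# System binaries
+/system/bin/rmt_storage u:object_r:rmt_exec:s0
+/system/bin/thermald u:object_r:thermald_exec:s0
+/system/bin/mpdecision u:object_r:mpdecision_exec:s0
+/system/bin/mm-qcamera-daemon u:object_r:camera_exec:s0
+/system/bin/sensors.qcom u:object_r:sensors_exec:s0
+/system/bin/qmuxd u:object_r:qmux_exec:s0
+/system/bin/bridgemgrd u:object_r:bridge_exec:s0
+/system/bin/netmgrd u:object_r:netmgrd_exec:s0
+/system/bin/qseecomd u:object_r:tee_exec:s0
+/system/bin/conn_init u:object_r:conn_init_exec:s0
+/system/bin/efsks u:object_r:kickstart_exec:s0
+/system/bin/ks u:object_r:kickstart_exec:s0
+/system/bin/qcks u:object_r:kickstart_exec:s0
+/system/bin/hci_qcomm_init u:object_r:hci_attach_exec:s0
+/system/bin/restorecon u:object_r:restorecon_exec:s0
+
+# Persist firmware filesystem
+/persist(/.*)? u:object_r:persist_file:s0
+/persist/bluetooth(/.*)? u:object_r:persist_bluetooth_file:s0
+/persist/sensors(/.*)? u:object_r:persist_sensors_file:s0
+/persist/playready(/.*)? u:object_r:persist_drm_file:s0
+/persist/widevine(/.*)? u:object_r:persist_drm_file:s0
+/persist/wifi(/.*)? u:object_r:persist_wifi_file:s0
+
+# Firmwares
+/firmware/mdm/image(/.*)? u:object_r:kickstart_data_file:s0
+/firmware/q6(/.*)? u:object_r:radio_efs_file:s0
+/system/etc/firmware(/.*)? u:object_r:radio_efs_file:s0
+
+/system/etc/hldm.bin u:object_r:radio_efs_file:s0
+/system/etc/hltof.bin u:object_r:radio_efs_file:s0
+/system/etc/hltrd.bin u:object_r:radio_efs_file:s0
+
+# for wpa_supp
+/dev/rfkill u:object_r:rfkill_device:s0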
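Review bot: `/dev/msm_vidc.* u:object_r:audio_device:s0` sits in the audio block, but the name reads as the video codec node; if that is what it is, `video_device` is the type this file already uses for the other codec and rotator nodes (`/dev/media.*`, `/dev/msm_rotator`), and labeling it `audio_device` hands it to every domain that merely needs audio. Either move it under `# Media interface` with `u:object_r:video_device:s0` or add a comment saying why the audio label is deliberate. The four `/dev/block/mmcblk0p*` entries labeled `efs_block_device` are writable by `kickstart` per sepolicy/kickstart.te; a comment naming each partition (that file refers to them as `m9kefs[123]`) would make the block-device list auditable.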
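--- a/sepolicy/init.te
+++ b/sepolicy/init.te
@@ -0,0 +1,4 @@
+allow init wpa_socket:unix_dgram_socket { bind create };
+
+allow init labeledfs:filesystem { associate };
+allow init rootfs:filesystem { associate };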
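Review bot: `allow init labeledfs:filesystem { associate };` and the `rootfs` line grant `associate`, a permission checked between a file's label and its filesystem's label, to the process type `init`; they only matter if some inode on /system or the rootfs actually carries `u:object_r:init:s0`, which would be a mislabel to fix rather than an access to allow. The same pattern appears in sepolicy/restorecon.te (`allow restorecon radio_efs_file:filesystem { associate };`). Finding the path that produced the denial and giving it a proper `file_contexts` entry would let all three rules go; if they must stay, a comment quoting the originating denial (`# associate: seen when TODO-PATH is created by init — confirm`) records why.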
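--- a/sepolicy/kickstart.te
+++ b/sepolicy/kickstart.te
@@ -0,0 +1,51 @@
+# kickstart processes and scripts
+type kickstart, domain;
+type kickstart_exec, exec_type, file_type;
+type kickstart_device, dev_type;
+
+# kickstart_checker.sh talks to init over the property socket
+unix_socket_connect(kickstart, property, init)
+
+# Start /system/bin/qcks from init
+init_daemon_domain(kickstart)
+
+# Spawn /system/bin/efsks and /system/bin/ks
+allow kickstart kickstart_exec:file { open execute_no_trans getattr };
+
+# Run dd on m9kefs[123] block devices; write to /data/qcks/
+# Run cat on firmware and m9kefs[123] data; write to /data/qcks/
+allow kickstart efs_block_device:blk_file rw_file_perms;
+
+allow kickstart kickstart_data_file:file create_file_perms;
+allow kickstart kickstart_data_file:dir rw_dir_perms;
+
+allow kickstart radio_efs_file:file r_file_perms;
+allow kickstart radio_efs_file:dir search;
+
+# Let efsks access /dev/mdm and /dev/ttyUSB0 nodes
+allow kickstart radio_device:chr_file { open read write ioctl getattr };
+
+# Allow to run toolbox commands
+allow kickstart shell_exec:file rx_file_perms;
+
+# Toolbox commands for firmware dd
+allow kickstart system_file:file execute_no_trans;
+
+# Access to /dev/block/platform/msm_sdcc.1/by-name/m9kefs2
+allow kickstart block_device:dir { getattr write search };
+
+# Set system property key
+allow kickstart radio_prop:property_service set;
+
+allow kickstart shell_exec:file entrypoint;
+# ls on /data/qcks/
+allow kickstart self:capability dac_override;
+
+allow kickstart kickstart_tmpfs:file { open write create getattr setattr unlink };
+allow kickstart tmpfs:dir { add_name remove_name };
+
+# Access to the modem bridge chardevs
+allow kickstart kickstart_device:chr_file rw_file_perms;
+
+# set wake locks
+allow kickstart sysfs:file { write };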
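Review bot: `allow kickstart efs_block_device:blk_file rw_file_perms;` lets the modem-bootstrap domain write the raw EFS partitions, while the two comments above it describe only `dd`/`cat` reading them into /data/qcks; if the partitions are only backed up, `r_file_perms` is enough, and if a restore path needs write, the comment should say so, because these partitions hold the modem's persistent state. `allow kickstart self:capability dac_override;` justified by `# ls on /data/qcks/` would be unnecessary if /data/qcks were owned by or group-accessible to the uid qcks runs as; directory permissions are easier to audit than a capability. `allow kickstart sysfs:file { write };` without `open` only works on an already-open descriptor, so an `echo` into a wake-lock node will need `{ open write }`.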
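--- a/sepolicy/mediaserver.te
+++ b/sepolicy/mediaserver.te
@@ -0,0 +1,12 @@
+allow mediaserver audio_data_file:dir w_dir_perms;
+allow mediaserver audio_data_file:file create_file_perms;
+allow mediaserver camera_data_file:sock_file w_file_perms;
+
+qmux_socket(mediaserver)
+
+unix_socket_send(mediaserver, camera, camera)
+
+allow mediaserver self:socket create;
+
+# Allow logging diagnostic items
+allow mediaserver diagnostic_device:chr_file rw_file_perms;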
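--- a/sepolicy/mpdecision.te
+++ b/sepolicy/mpdecision.te
@@ -0,0 +1,20 @@
+# CPU governor (root process)
+type mpdecision, domain;
+type mpdecision_exec, exec_type, file_type;
+
+# Started by init
+init_daemon_domain(mpdecision)
+
+# dac_override to unlink /dev/socket/mpdecision/touchboost
+allow mpdecision self:capability { dac_override fsetid net_admin };
+allow mpdecision self:netlink_kobject_uevent_socket { create read setopt bind read };
+
+# Create under /dev/socket/mpdecision
+allow mpdecision mpdecision_socket:dir w_dir_perms;
+allow mpdecision mpdecision_socket:sock_file { create setattr write };
+
+allow mpdecision socket_device:dir { write add_name };
+allow mpdecision socket_device:sock_file { create setattr write };
+
+# XXX Should we label with own type?
+allow mpdecision sysfs:file { read open write setattr };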
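Review bot: `allow mpdecision self:netlink_kobject_uevent_socket { create read setopt bind read };` lists `read` twice; the checker accepts it, but `{ create read setopt bind }` is what is meant. `allow mpdecision socket_device:dir { write add_name };` and `allow mpdecision socket_device:sock_file { create setattr write };` let the daemon create sockets directly under /dev/socket with the generic `socket_device` label, while the `mpdecision_socket` type and the `/dev/socket/mpdecision(/.*)?` context exist precisely to give its sockets a specific label. If the daemon really creates something outside its own directory, a `file_type_auto_trans(mpdecision, socket_device, mpdecision_socket)` would keep it labeled; otherwise the two `socket_device` rules should be dropped.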
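--- a/sepolicy/netmgrd.te
+++ b/sepolicy/netmgrd.te
@@ -0,0 +1,28 @@
+# Network utilities (radio process)
+type netmgrd, domain;
+type netmgrd_exec, exec_type, file_type;
+
+# Started by init
+init_daemon_domain(netmgrd)
+
+allow netmgrd self:udp_socket { create ioctl };
+# fsetid, dac_override unlink on /dev/socket/qmux_radio/qmux_client_socket
+allow netmgrd self:capability { sys_module fsetid setuid setgid net_admin net_raw dac_override };
+allow netmgrd self:packet_socket { write bind read create };
+allow netmgrd self:netlink_socket { write read create bind setopt };
+allow netmgrd self:netlink_route_socket { create bind read write nlmsg_read nlmsg_write setopt getattr };
+
+# Talk to qmuxd
+qmux_socket(netmgrd)
+
+# Allow logging diagnostic items
+allow netmgrd diagnostic_device:chr_file rw_file_perms;
+
+# /data/data_test/ access with shell
+allow netmgrd shell_exec:file { execute read open execute_no_trans };
+allow netmgrd system_file:file { execute_no_trans };
+
+# Talk to init over the property socket
+unix_socket_connect(netmgrd, property, init)
+# Set net.rmnet_usb0. values
+allow netmgrd radio_prop:property_service set;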
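Review bot: `sys_module` in `allow netmgrd self:capability { sys_module fsetid setuid setgid net_admin net_raw dac_override };` lets the network daemon load kernel modules, and the comment above explains only `fsetid`/`dac_override`. If a specific module is loaded (the hunk does not say which), name it in the comment; if the capability came from a blanket denial, drop it and re-add it only with the denial in hand, since a module-loading radio daemon is a kernel-level foothold for anyone who compromises it. `allow netmgrd shell_exec:file { execute read open execute_no_trans };` together with `allow netmgrd system_file:file { execute_no_trans };` also lets it run any system binary in its own domain, and the `# /data/data_test/ access with shell` comment suggests a debug path that may not belong in a release policy.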
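--- a/sepolicy/property.te
+++ b/sepolicy/property.te
@@ -0,0 +1 @@
+type bluetooth_prop, property_type;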
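--- a/sepolicy/property_contexts
+++ b/sepolicy/property_contexts
@@ -0,0 +1,3 @@
+persist.service.bdroid. u:object_r:bluetooth_prop:s0
+bluetooth. u:object_r:bluetooth_prop:s0
+net.rmnet_usb0. u:object_r:radio_prop:s0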
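--- a/sepolicy/qmux.te
+++ b/sepolicy/qmux.te
@@ -0,0 +1,19 @@
+# Qualcomm Management Interface Multiplexer
+type qmux, domain;
+type qmux_exec, exec_type, file_type;
+
+# Started by init
+init_daemon_domain(qmux)
+
+# Create local qmux_connect_socket
+allow qmux qmuxd_socket:dir w_dir_perms;
+allow qmux qmuxd_socket:sock_file { create setattr getattr unlink };
+
+# /dev/hsicctl* node access
+allow qmux radio_device:chr_file rw_file_perms;
+
+# Allow logging diagnostic items
+allow qmux diagnostic_device:chr_file rw_file_perms;
+
+# XXX Should we label with own type
+allow qmux sysfs:file { open write append read getattr };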
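--- a/sepolicy/restorecon.te
+++ b/sepolicy/restorecon.te
@@ -0,0 +1,6 @@
+# restorecon processes and scripts
+type restorecon, domain;
+type restorecon_exec, exec_type, file_type;
+
+allow restorecon radio_efs_file:file { getattr };
+allow restorecon radio_efs_file:filesystem { associate };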
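Review bot: Nothing in this PR transitions into the `restorecon` domain: file_contexts labels `/system/bin/restorecon` as `restorecon_exec`, but there is no `init_daemon_domain(restorecon)` or `domain_auto_trans` here, so whatever executes the binary keeps its own domain and the two `allow restorecon ...` rules never apply. If the `restorecon` lines added to init.dlx.rc are init's built-in command rather than the binary, they run as `init` and any permissions they need belong on that domain instead. Either add the transition rule with a comment on who starts it, or remove the unused domain together with its `restorecon_exec` context.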
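--- a/sepolicy/rild.te
+++ b/sepolicy/rild.te
@@ -0,0 +1,12 @@
+allow rild self:netlink_socket { create bind read write };
+allow rild self:netlink_route_socket { write };
+allow rild self:netlink_kobject_uevent_socket { create setopt bind };
+
+# Talk to qmuxd
+qmux_socket(rild)
+
+# Allow logging diagnostic items
+allow rild diagnostic_device:chr_file rw_file_perms;
+
+# XXX label with own type?
+allow rild sysfs:file { read open write getattr };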
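--- a/sepolicy/rmt.te
+++ b/sepolicy/rmt.te
@@ -0,0 +1,27 @@
+# remote storage process
+type rmt, domain;
+type rmt_exec, exec_type, file_type;
+
+# Started by init
+init_daemon_domain(rmt)
+
+# opens and reads the primary block device
+allow rmt block_device:blk_file { open read };
+allow rmt block_device:dir search;
+
+# XXX should we allow sys_rawio on /dev/mem?
+allow rmt self:capability { sys_rawio };
+# dac_override on open /sys/power/wake_lock
+allow rmt self:capability { setuid setgid dac_override };
+allow rmt self:socket { create ioctl bind setopt read };
+
+allow rmt cgroup:dir { create add_name };
+# XXX do we need write access?
+allow rmt kmem_device:chr_file rw_file_perms;
+
+# Allow shared memory logging access
+allow rmt shared_log_device:chr_file rw_file_perms;
+
+# XXX Should we label with own type?
+allow rmt sysfs:file { open append read getattr write };
+allow rmt sysfs:dir rw_dir_perms;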
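Review bot: `allow rmt kmem_device:chr_file rw_file_perms;` together with `allow rmt self:capability { sys_rawio };` is the widest grant in the PR — read and write on the kernel/physical memory device nodes from a root daemon — and both lines carry `XXX` questions the PR leaves open. Before merging, the write half should be settled against an actual denial: if the daemon only reads, `r_file_perms` is what the denial supports, and the comment should record the observed access so the grant can be re-audited when the vendor binary changes. The two `self:capability` lines can also be merged into one `allow rmt self:capability { sys_rawio setuid setgid dac_override };` with both explanations kept as comments above it.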
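--- a/sepolicy/sensors.te
+++ b/sepolicy/sensors.te
@@ -0,0 +1,33 @@
+# Integrated qualcomm sensor process
+type sensors, domain;
+type sensors_exec, exec_type, file_type;
+
+# Started by init
+init_daemon_domain(sensors)
+
+# dac_override open /dev/msm_dsps
+allow sensors self:capability { setuid setgid chown dac_override };
+
+# Allow logging diagnostic items
+allow sensors diagnostic_device:chr_file rw_file_perms;
+
+# Create /data/app/sensor_ctl_socket
+file_type_auto_trans(sensors, apk_data_file, sensors_socket);
+
+allow sensors sensors_data_file:dir create_dir_perms;
+allow sensors sensors_data_file:file create_file_perms;
+dontaudit sensors apk_data_file:dir remove_name;
+
+# Access to sensor nodes
+allow sensors sensors_device:chr_file rw_file_perms;
+
+# XXX should power_control_device be labeled differently?
+allow sensors power_control_device:chr_file { write open append };
+
+# Access to /persist/sensors
+allow sensors persist_file:dir { search getattr };
+allow sensors persist_sensors_file:dir r_dir_perms;
+allow sensors persist_sensors_file:file rw_file_perms;
+
+# XXX label with own type?
+allow sensors sysfs:file { open append read write getattr };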
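Review bot: `file_type_auto_trans(sensors, apk_data_file, sensors_socket);` creates the control socket under /data/app, the directory that holds installed APKs, and `dontaudit sensors apk_data_file:dir remove_name;` then hides the denial when the daemon cannot unlink it. If the socket path is configurable, /data/misc/sensors (already labeled `sensors_data_file` in file_contexts) is the natural home and the `apk_data_file` rules can go; if the path is fixed in the vendor binary, say so in the comment and consider allowing `remove_name` explicitly instead of silencing it, since a stale socket file will otherwise persist across restarts. `allow sensors sensors_data_file:dir create_dir_perms;` is also wider than the `w_dir_perms` used for the other data directories in this PR; confirm the daemon really creates subdirectories.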
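--- a/sepolicy/surfaceflinger.te
+++ b/sepolicy/surfaceflinger.te
@@ -0,0 +1 @@
+allow surfaceflinger sysfs:file rw_file_perms;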
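Review bot: `allow surfaceflinger sysfs:file rw_file_perms;` makes every file under /sys writable by the display server, with no comment on which node it needs. The other domains in this PR that write sysfs at least carry an `XXX Should we label with own type?` note; the fix for all of them is to give the specific nodes their own sysfs type and allow only that, which also documents the dependency. Until then, `# sysfs write: TODO-NODE (observed denial)` above the rule records what is actually used.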
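--- a/sepolicy/system.te
+++ b/sepolicy/system.te
@@ -0,0 +1,22 @@
+allow system diagnostic_device:chr_file rw_file_perms;
+
+allow system init:unix_dgram_socket sendto;
+allow system wpa_socket:unix_dgram_socket sendto;
+
+qmux_socket(system)
+
+# PowerManagerService
+unix_socket_connect(system, sensors, sensors)
+allow system sensors_socket:sock_file read;
+allow system sensors:unix_stream_socket sendto;
+
+# mpdecision access
+unix_socket_connect(system, mpdecision, mpdecision)
+unix_socket_send(system, mpdecision, mpdecision)
+allow system mpdecision:unix_stream_socket sendto;
+allow system mpdecision_socket:dir search;
+
+allow system sysfs:file { read open write };
+
+# WifiStateMachine
+allow system self:capability { sys_module };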
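Review bot: `allow system self:capability { sys_module };` gives system_server the right to load kernel modules, and the `# WifiStateMachine` comment names the caller but not what is loaded; a comment naming the module (or stating that the driver is built in and the rule is vestigial) tells a later reviewer whether it can be dropped. `allow system sysfs:file { read open write };` is the same all-of-sysfs write that surfaceflinger.te and the other daemons in this PR grant; a node-specific sysfs type is the right fix, and until then the comment should name the node, e.g. `# sysfs write: TODO-NODE (observed denial)`.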
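--- a/sepolicy/te_macros
+++ b/sepolicy/te_macros
@@ -0,0 +1,12 @@
+#####################################
+# qmux_socket(clientdomain)
+# Allow client to send via a local
+# socket to the qmux domain.
+define(`qmux_socket', `
+type $1_qmuxd_socket, file_type;
+file_type_auto_trans($1, qmuxd_socket, $1_qmuxd_socket)
+unix_socket_connect($1, qmuxd, qmux)
+allow qmux $1_qmuxd_socket:sock_file { getattr unlink };
+')
+
+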
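Review bot: The header comment for `qmux_socket` says only that it lets the client send to the qmux domain, but the body also declares a new type `type $1_qmuxd_socket, file_type;`, sets up `file_type_auto_trans` so the client's socket file under the `qmuxd_socket` directory gets that type, and grants `qmux` `getattr unlink` on it. Because of the type declaration the macro can be invoked at most once per domain, which callers should know; extend the comment with `# Also declares $1_qmuxd_socket for the client's socket file and lets qmux stat/unlink it; invoke once per domain.` The two trailing blank lines at the end of the file are harmless but can go.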
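--- a/sepolicy/tee.te
+++ b/sepolicy/tee.te
@@ -0,0 +1,12 @@
+# Qualcomm Secure Execution Environment Communicator policy
+allow tee self:process execmem;
+
+# Access /data/misc/playready
+allow tee system_data_file:dir { open read };
+allow tee drm_data_file:dir rw_dir_perms;
+allow tee drm_data_file:file rw_file_perms;
+
+# Access /persist/{widevine,playready}
+allow tee persist_file:dir search;
+allow tee persist_drm_file:dir r_dir_perms;
+allow tee persist_drm_file:file r_file_perms;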
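--- a/sepolicy/thermald.te
+++ b/sepolicy/thermald.te
@@ -0,0 +1,22 @@
+# Temperature sensor daemon (root process)
+type thermald, domain;
+type thermald_exec, exec_type, file_type;
+
+# Started by init
+init_daemon_domain(thermald)
+
+# XXX should we allow kexec_load with /dev/socket/qmux_radio/qmux_client_socket
+# dac_override open, unlink with /dev/socket/qmux_radio/qmux_client_socket
+allow thermald self:capability { net_admin fsetid dac_override };
+
+allow thermald self:socket { ioctl create write read };
+allow thermald self:netlink_kobject_uevent_socket { read create setopt bind };
+
+# Talk to qmuxd
+qmux_socket(thermald)
+
+# Access to shared memory logger and logging diagnostic items
+allow thermald { shared_log_device diagnostic_device }:chr_file rw_file_perms;
+
+# XXX Should we label with own type?
+allow thermald sysfs:file { open read write getattr };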
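Review bot: The comment `# XXX should we allow kexec_load with /dev/socket/qmux_radio/qmux_client_socket` does not describe the rule under it: `allow thermald self:capability { net_admin fsetid dac_override };` grants neither `sys_boot` nor anything kexec-related, and kexec is not a socket operation. Leaving the line in invites someone to add `sys_boot` later on the strength of a stale note, so either delete it or keep only the second comment line, which already states the observed need (`dac_override` for open/unlink on the qmux client socket). A short note on why `net_admin` is needed would complete the explanation of that capability set.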
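--- a/sepolicy/ueventd.te
+++ b/sepolicy/ueventd.te
@@ -0,0 +1,5 @@
+# Drivers read firmware files (/firmware/image, /system/etc/firmware)
+allow ueventd { radio_device radio_efs_file wifi_data_file }:file r_file_perms;
+allow ueventd { radio_efs_file wifi_data_file }:dir search;
+
+allow ueventd radio_efs_file:file { read open getattr };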
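Review bot: `allow ueventd radio_efs_file:file { read open getattr };` is already covered by the first rule's `r_file_perms` on `radio_efs_file`, so the last line is redundant and can be dropped. The first rule also lets ueventd read `wifi_data_file` as firmware, i.e. files under /data/misc/wifi that sepolicy/conn_init.te allows a daemon to create; a comment naming which firmware file lives there and why it cannot be served from /system or /persist would document the trust placed in that writable directory.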
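--- a/sepolicy/wpa_supplicant.te
+++ b/sepolicy/wpa_supplicant.te
@@ -0,0 +1,12 @@
+allow wpa init:unix_dgram_socket { read write };
+
+# logwrapper used with wpa_supplicant
+allow wpa devpts:chr_file { read write };
+
+allow wpa wpa_socket:unix_dgram_socket { read write };
+allow wpa_socket system:unix_dgram_socket sendto;
+
+allow wpa radio_efs_file:file r_file_perms;
+
+## /dev/rfkill for wpa_supp
+allow wpa rfkill_device:chr_file rw_file_perms;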
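--- a/sepolicy/zygote.te
+++ b/sepolicy/zygote.te
@@ -0,0 +1 @@
+allow zygote init:unix_stream_socket { read write accept getopt setopt getattr setattr listen };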