authormnemonyc <mnemonyc@hotmail.com>2016-12-23 23:19:42 +0100
committerdavidevinavil <davidevinavil@gmail.com>2017-01-08 05:35:09 +0100
commite0d8e01de438f062a5437561df26f510c1d5040c (patch)
treea2fa3495a48d6f907fd6d83169c6af8e012ed2aa
parentb9bf6f9d31a016f8b34d389c46cd53e246c4eee8 (diff)
z2plus: update sepolicy
Change-Id: I86ab87016e118cfff8b9debc9c38327326b9bc69
-rwxr-xr-xBoardConfig.mk2
-rw-r--r--sepolicy/audioserver.te1
-rw-r--r--sepolicy/bluetooth_loader.te6
-rw-r--r--sepolicy/charger_monitor.te3
-rw-r--r--sepolicy/cnd.te1
-rw-r--r--sepolicy/dashd.te46
-rw-r--r--sepolicy/dataservice_app.te1
-rw-r--r--sepolicy/dpmd.te1
-rw-r--r--sepolicy/energyawareness.te2
-rw-r--r--sepolicy/file_contexts3
-rw-r--r--sepolicy/fingerprintd.te2
-rw-r--r--[-rwxr-xr-x]sepolicy/ifaadaemon.te0
-rw-r--r--sepolicy/ims.te1
-rw-r--r--sepolicy/init.te2
-rw-r--r--sepolicy/mac_permissions.xml7
-rw-r--r--sepolicy/mm-pp-daemon.te4
-rw-r--r--sepolicy/mm-qcamerad.te1
-rw-r--r--sepolicy/netmgrd.te1
-rw-r--r--sepolicy/property_contexts7
-rw-r--r--sepolicy/qmuxd.te2
-rw-r--r--sepolicy/qti.te2
-rw-r--r--sepolicy/qti_init_shell.te7
-rw-r--r--sepolicy/rild.te1
-rw-r--r--sepolicy/seapp_contexts1
-rw-r--r--sepolicy/sensors.te2
-rw-r--r--sepolicy/surfaceflinger.te1
-rw-r--r--sepolicy/system_server.te1
-rw-r--r--sepolicy/thermal-engine.te3
-rw-r--r--sepolicy/time_daemon.te1
-rw-r--r--sepolicy/wcnss_filter.te1
-rw-r--r--sepolicy/wcnss_service.te8
31 files changed, 90 insertions, 31 deletions
diff --git a/BoardConfig.mk b/BoardConfig.mk
index efa3621..061aad7 100755
--- a/BoardConfig.mk
+++ b/BoardConfig.mk
@@ -58,7 +58,7 @@ ENABLE_CPUSETS := true
TARGET_USES_64_BIT_BINDER := true
# Kernel
-BOARD_KERNEL_CMDLINE := console=tty60,115200,n8 androidboot.hardware=qcom user_debug=31 msm_rtb.filter=0x237 ehci-hcd.park=3 lpm_levels.sleep_disabled=1 cma=16M@0-0xffffffff androidboot.selinux=permissive
+BOARD_KERNEL_CMDLINE := console=tty60,115200,n8 androidboot.hardware=qcom user_debug=31 msm_rtb.filter=0x237 ehci-hcd.park=3 lpm_levels.sleep_disabled=1 cma=16M@0-0xffffffff
BOARD_KERNEL_BASE := 0x80000000
BOARD_KERNEL_PAGESIZE := 4096
BOARD_KERNEL_TAGS_OFFSET := 0x00000100
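Review bot: Dropping `androidboot.selinux=permissive` from BOARD_KERNEL_CMDLINE is the change that makes every sepolicy rule in this commit load-bearing, yet neither this file nor the commit title records that the device now boots enforcing. A comment above the line, `# SELinux runs enforcing on this target; do not re-add androidboot.selinux=permissive`, documents the decision at the place where a later merge is most likely to bring the flag back.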
diff --git a/sepolicy/audioserver.te b/sepolicy/audioserver.te
new file mode 100644
index 0000000..332b327
--- /dev/null
+++ b/sepolicy/audioserver.te
@@ -0,0 +1 @@
+set_prop(audioserver, diag_prop);
diff --git a/sepolicy/bluetooth_loader.te b/sepolicy/bluetooth_loader.te
deleted file mode 100644
index 0f287d7..0000000
--- a/sepolicy/bluetooth_loader.te
+++ /dev/null
@@ -1,6 +0,0 @@
-# Bluetooth executables and scripts
-type bluetooth_loader, domain;
-type bluetooth_loader_exec, exec_type, file_type;
-
-# Start bdAddrLoader from init
-init_daemon_domain(bluetooth_loader)
diff --git a/sepolicy/charger_monitor.te b/sepolicy/charger_monitor.te
new file mode 100644
index 0000000..f658037
--- /dev/null
+++ b/sepolicy/charger_monitor.te
@@ -0,0 +1,3 @@
+# DASH
+allow healthd healthd:capability { dac_override dac_read_search };
+allow healthd device:dir read;
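Review bot: `dac_override` on healthd (L83) bypasses every DAC permission check for the daemon, far broader than the `/dev` directory read the next line grants; if the DASH nodes are only unreadable because of their owner or mode, fixing that where the device's init/ueventd configuration creates them, or keeping just `dac_read_search` when only directory traversal was denied, is the preferred fix. These rules also target the healthd domain but live in charger_monitor.te, so a comment such as `# healthd rules for the DASH charger path` (or a move to a healthd.te) would make them findable.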
diff --git a/sepolicy/cnd.te b/sepolicy/cnd.te
index e325e40..8d25b5f 100644
--- a/sepolicy/cnd.te
+++ b/sepolicy/cnd.te
@@ -1 +1,2 @@
allow cnd diag_prop:property_service set;
+get_prop(cnd, diag_prop);
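Review bot: The new `get_prop(cnd, diag_prop);` sits next to a raw `allow cnd diag_prop:property_service set;` which, unlike the `set_prop` macro, does not carry the `unix_socket_connect` to init's property socket; this same commit deletes exactly those hand-written connect rules from qmuxd.te, qti.te, sensors.te and thermal-engine.te, so unless cnd gets the connect permission elsewhere the set will be denied once the device is enforcing. Replacing the raw line with `set_prop(cnd, diag_prop)` covers both, and the same pattern appears in ims.te, netmgrd.te and rild.te. Separately, the new macro lines end in `;` while the existing `set_prop(...)` lines in this tree do not; checkpolicy appears to tolerate the empty statement, but one form should be used throughout.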
diff --git a/sepolicy/dashd.te b/sepolicy/dashd.te
new file mode 100644
index 0000000..41525dd
--- /dev/null
+++ b/sepolicy/dashd.te
@@ -0,0 +1,46 @@
+# dash daemon
+
+# dashd seclabel is specified in init.rc since
+# it lives in the rootfs and has no unique file type.
+type dashd, domain;
+
+# Write to /dev/kmsg
+allow dashd kmsg_device:chr_file rw_file_perms;
+
+allow dashd self:capability { net_admin sys_tty_config };
+wakelock_use(dashd)
+allow dashd self:netlink_kobject_uevent_socket create_socket_perms;
+binder_use(dashd)
+binder_service(dashd)
+binder_call(dashd, system_server)
+
+# Write to state file.
+allow dashd sysfs:file write;
+
+###
+### dashd: charger mode
+###
+
+# Read /sys/fs/pstore/console-ramoops
+# Don't worry about overly broad permissions for now, as there's
+# only one file in /sys/fs/pstore
+allow dashd pstorefs:dir r_dir_perms;
+allow dashd pstorefs:file r_file_perms;
+
+allow dashd graphics_device:dir r_dir_perms;
+allow dashd graphics_device:chr_file rw_file_perms;
+allow dashd input_device:dir r_dir_perms;
+allow dashd input_device:chr_file rw_file_perms;
+allow dashd tty_device:chr_file rw_file_perms;
+allow dashd ashmem_device:chr_file execute;
+allow dashd self:process execmem;
+allow dashd proc_sysrq:file rw_file_perms;
+allow dashd self:capability { sys_boot dac_override};
+allow dashd device:dir { open read write } ;
+#allow dashd device:chr_file { write read };
+
+allow dashd proc_stat:file r_file_perms;
+allow dashd sysfs_batteryinfo:file r_file_perms;
+
+r_dir_file(dashd, sysfs_usb_supply);
+r_dir_file(dashd, sysfs_battery_supply);
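Review bot: `allow dashd self:process execmem;` together with `ashmem_device:chr_file execute` (L132-L133) lets the daemon map memory that is both writable and executable, and AOSP's global neverallow rules reserve those permissions for a short list of domains; if dashd is not exempted the policy build fails, and if it builds the pair removes W^X from a process that also holds `sys_boot`, `dac_override`, `net_admin` and `proc_sysrq:file rw_file_perms`, where a single write can reboot or crash the device. Much of the file reads as copied from healthd's charger-mode rules (pstore, graphics and input devices, sysrq, the "charger mode" comment), so each grant should be backed by a denial observed for dashd rather than inherited. The commented-out rule on L137 should be deleted rather than kept. Because `/dev/dash` is labelled `input_device` in file_contexts, the `input_device:chr_file rw_file_perms` line also reaches every input device rather than dashd's own node; a dedicated type (a name such as `dash_device`, to be declared in device.te) would scope it.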
diff --git a/sepolicy/dataservice_app.te b/sepolicy/dataservice_app.te
new file mode 100644
index 0000000..919f269
--- /dev/null
+++ b/sepolicy/dataservice_app.te
@@ -0,0 +1 @@
+set_prop(dataservice_app, diag_prop);
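Review bot: `set_prop(dataservice_app, diag_prop)` gives an app domain write access to the diag property, while nearly every other domain in this commit receives only `get_prop`; if the denial that prompted it was a read, `get_prop(dataservice_app, diag_prop)` is the least-privilege rule. The same question applies to audioserver.te and mm-pp-daemon.te, which also get `set_prop`.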
diff --git a/sepolicy/dpmd.te b/sepolicy/dpmd.te
new file mode 100644
index 0000000..dad0de7
--- /dev/null
+++ b/sepolicy/dpmd.te
@@ -0,0 +1 @@
+get_prop(dpmd, diag_prop);
diff --git a/sepolicy/energyawareness.te b/sepolicy/energyawareness.te
new file mode 100644
index 0000000..4cde0c1
--- /dev/null
+++ b/sepolicy/energyawareness.te
@@ -0,0 +1,2 @@
+allow energyawareness debugfs_msm_core:file rw_file_perms;
+allow energyawareness debugfs_msm_core:dir r_dir_perms;
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index 75737a2..affd4b0 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -5,8 +5,6 @@
# FRP partition
/dev/block/bootdevice/by-name/config u:object_r:frp_block_device:s0
-/system/etc/init\.qcom\.bt\.sh u:object_r:bluetooth_loader_exec:s0
-
/persist/sensors/gyro_sensitity_cal u:object_r:sensors_persist_file:s0
/data/oemnvitems(/.*)? u:object_r:nv_data_file:s0
@@ -17,6 +15,7 @@
/sys/devices/soc/soc:fpc_fpc1020/irq u:object_r:sysfs_fpc_irq:s0
/sys/devices/soc/soc:fpc_fpc1020/proximity_state u:object_r:sysfs_fpc_proximity:s0
+/dev/dash u:object_r:input_device:s0
/sys/devices/soc/.*ssusb/power_supply/usb(/.*)? u:object_r:sysfs_usb_supply:s0
/sys/devices/soc/qpnp-smbcharger-[0-9a-f]+/power_supply/battery/capacity u:object_r:sysfs_batteryinfo:s0
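Review bot: Labelling `/dev/dash` as `input_device` (L180) merges it with the real input nodes: every domain that can already open input devices now reaches the DASH node, and dashd's `input_device:chr_file rw_file_perms` reaches every input device. Declaring a device-specific type (a name such as `dash_device` added to device.te) and labelling only this path with it keeps both sides scoped.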
diff --git a/sepolicy/fingerprintd.te b/sepolicy/fingerprintd.te
index a9d13a6..f82389a 100644
--- a/sepolicy/fingerprintd.te
+++ b/sepolicy/fingerprintd.te
@@ -7,6 +7,4 @@ allow fingerprintd fpc_images_file:file create_file_perms;
allow fingerprintd sysfs_fpc_irq:file rw_file_perms;
allow fingerprintd tee_device:chr_file rw_file_perms;
allow fingerprintd sysfs:file write;
-allow fingerprintd proc_touchpanel:dir search;
-allow fingerprintd proc_touchpanel:file { read open };
allow fingerprintd vfat:file r_file_perms;
diff --git a/sepolicy/ifaadaemon.te b/sepolicy/ifaadaemon.te
index 91671e2..91671e2 100755..100644
--- a/sepolicy/ifaadaemon.te
+++ b/sepolicy/ifaadaemon.te
diff --git a/sepolicy/ims.te b/sepolicy/ims.te
index d7338bd..6269bab 100644
--- a/sepolicy/ims.te
+++ b/sepolicy/ims.te
@@ -1 +1,2 @@
allow ims diag_prop:property_service set;
+get_prop(ims, diag_prop);
diff --git a/sepolicy/init.te b/sepolicy/init.te
index ee83502..0776fab 100644
--- a/sepolicy/init.te
+++ b/sepolicy/init.te
@@ -1,2 +1,4 @@
allow init vfat:file { read open };
allow init socket_device:sock_file { create setattr unlink };
+
+domain_trans(init, rootfs, dashd)
diff --git a/sepolicy/mac_permissions.xml b/sepolicy/mac_permissions.xml
index f77d495..a025144 100644
--- a/sepolicy/mac_permissions.xml
+++ b/sepolicy/mac_permissions.xml
@@ -8,4 +8,11 @@
</package>
</signer>
+ <!-- Taobao -->
+ <signer signature="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">
+ <package name="com.taobao.taobao" >
+ <seinfo value="taobao" />
+ </package>
+ </signer>
+
</policy>
diff --git a/sepolicy/mm-pp-daemon.te b/sepolicy/mm-pp-daemon.te
new file mode 100644
index 0000000..4e4a21a
--- /dev/null
+++ b/sepolicy/mm-pp-daemon.te
@@ -0,0 +1,4 @@
+allow mm-pp-daemon diag_device:chr_file rw_file_perms;
+allow mm-pp-daemon self:socket create_socket_perms;
+r_dir_file(mm-pp-daemon, sensors_persist_file);
+set_prop(mm-pp-daemon, diag_prop);
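Review bot: `allow mm-pp-daemon diag_device:chr_file rw_file_perms;` grants the display post-processing daemon read/write on the modem diag character device, a far more powerful interface than the `diag_prop` property the other lines concern; confirm from the denial log that the daemon opens the diag node itself rather than only reading the property, and drop the line if it does not. The generic `self:socket create_socket_perms` grant on L236 likewise deserves a one-line comment naming what socket family it is for.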
diff --git a/sepolicy/mm-qcamerad.te b/sepolicy/mm-qcamerad.te
index 4c7c39d..b8ad436 100644
--- a/sepolicy/mm-qcamerad.te
+++ b/sepolicy/mm-qcamerad.te
@@ -1,3 +1,4 @@
allow mm-qcamerad camera_prop:property_service set;
allow mm-qcamerad permission_service:service_manager find;
allow mm-qcamerad mpctl_socket:sock_file write;
+get_prop(mm-qcamerad, diag_prop);
diff --git a/sepolicy/netmgrd.te b/sepolicy/netmgrd.te
index 8dab413..e0f453a 100644
--- a/sepolicy/netmgrd.te
+++ b/sepolicy/netmgrd.te
@@ -1 +1,2 @@
allow netmgrd diag_prop:property_service set;
+get_prop(netmgrd, diag_prop);
diff --git a/sepolicy/property_contexts b/sepolicy/property_contexts
index 2b0957e..854b445 100644
--- a/sepolicy/property_contexts
+++ b/sepolicy/property_contexts
@@ -1,6 +1 @@
-service.soundcard. u:object_r:audio_prop:s0
-audio. u:object_r:audio_prop:s0
-sys.fake_bs_flag0 u:object_r:system_radio_prop:s0
-sys.fake_bs_flag1 u:object_r:system_radio_prop:s0
-sys.oem.sno u:object_r:system_radio_prop:s0
-persist.sys.diag.max.size u:object_r:diag_prop:s0 \ No newline at end of file
+persist.sys.diag.max.size u:object_r:diag_prop:s0
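Review bot: Removing the `service.soundcard.`, `audio.`, `sys.fake_bs_flag0`/`1` and `sys.oem.sno` entries does not leave those properties unprotected; in AOSP an unmatched prefix falls through to the core catch-all context (`default_prop`), whose `set` is far more restricted than `audio_prop` or `system_radio_prop`, so any domain that was setting them will be denied once enforcing. If they were removed because the core property_contexts already covers `audio.` and the rest are unused, a short comment or commit-message line saying so would spare the next reader the same check.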
diff --git a/sepolicy/qmuxd.te b/sepolicy/qmuxd.te
index 14aa9a1..6f2f530 100644
--- a/sepolicy/qmuxd.te
+++ b/sepolicy/qmuxd.te
@@ -1,3 +1 @@
set_prop(qmuxd, diag_prop)
-allow qmuxd init:unix_stream_socket connectto;
-allow qmuxd property_socket:sock_file write;
diff --git a/sepolicy/qti.te b/sepolicy/qti.te
index 861eb5d..09692b5 100644
--- a/sepolicy/qti.te
+++ b/sepolicy/qti.te
@@ -1,3 +1 @@
set_prop(qti, diag_prop)
-allow qti init:unix_stream_socket connectto;
-allow qti property_socket:sock_file write;
diff --git a/sepolicy/qti_init_shell.te b/sepolicy/qti_init_shell.te
index 18f7ecc..382d8bb 100644
--- a/sepolicy/qti_init_shell.te
+++ b/sepolicy/qti_init_shell.te
@@ -1,7 +1,4 @@
allow qti_init_shell kmsg_device:chr_file { write open };
-allow qti_init_shell bluetooth_loader_exec:file r_file_perms;
allow qti_init_shell diag_prop:property_service set;
-allow qti_init_shell qmuxd:unix_stream_socket connectto;
-allow qti_init_shell qmuxd_socket:dir { write add_name search remove_name };
-allow qti_init_shell qmuxd_socket:sock_file { write create unlink };
-allow qti_init_shell self:socket { write getopt create read ioctl };
+allow qti_init_shell self:socket create_socket_perms;
+qmux_socket(qti_init_shell)
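Review bot: `allow qti_init_shell self:socket create_socket_perms;` (L295) widens the previous explicit set `{ write getopt create read ioctl }` to the whole create_socket_perms set (bind, connect, listen, accept, setopt and more) on the generic socket class; if the denials only ever showed the five original permissions, keeping the explicit list is tighter. Replacing the three hand-written qmuxd socket rules with `qmux_socket(qti_init_shell)` is the right direction and should cover them.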
diff --git a/sepolicy/rild.te b/sepolicy/rild.te
index 424aab7..7093468 100644
--- a/sepolicy/rild.te
+++ b/sepolicy/rild.te
@@ -1,3 +1,4 @@
allow rild nv_data_file:dir rw_dir_perms;
allow rild nv_data_file:file create_file_perms;
allow rild diag_prop:property_service set;
+get_prop(rild, diag_prop);
diff --git a/sepolicy/seapp_contexts b/sepolicy/seapp_contexts
index 63f4cb1..c69f557 100644
--- a/sepolicy/seapp_contexts
+++ b/sepolicy/seapp_contexts
@@ -1 +1,2 @@
user=_app seinfo=alipay name=com.eg.android.AlipayGphone* domain=alipay_app type=app_data_file
+user=_app seinfo=taobao name=com.taobao.taobao* domain=alipay_app type=app_data_file
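Review bot: The new entry maps `seinfo=taobao` onto `domain=alipay_app`, so whatever rules alipay_app.te carries beyond the stock app domains now apply to a second, differently signed application, and the domain name no longer describes its members. If both apps genuinely need the same extra permissions, a comment on this line or a rename to a neutral domain name should say so; otherwise a separate domain keeps the grants auditable. The matching signer block in mac_permissions.xml binds the seinfo to a pinned certificate, so a signing-key rotation by the vendor would drop the app back to the default seinfo without any error.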
diff --git a/sepolicy/sensors.te b/sepolicy/sensors.te
index 14a5ad1..3f82807 100644
--- a/sepolicy/sensors.te
+++ b/sepolicy/sensors.te
@@ -1,3 +1 @@
-allow sensors property_socket:sock_file write;
-allow sensors init:unix_stream_socket connectto;
set_prop(sensors, diag_prop)
diff --git a/sepolicy/surfaceflinger.te b/sepolicy/surfaceflinger.te
new file mode 100644
index 0000000..5dd9fdc
--- /dev/null
+++ b/sepolicy/surfaceflinger.te
@@ -0,0 +1 @@
+get_prop(surfaceflinger, diag_prop);
diff --git a/sepolicy/system_server.te b/sepolicy/system_server.te
index 7bd7016..fcc0fce 100644
--- a/sepolicy/system_server.te
+++ b/sepolicy/system_server.te
@@ -4,3 +4,4 @@ allow system_server proc_touchpanel:file rw_file_perms;
allow system_server sensors_persist_file:file r_file_perms;
allow system_server sensors_persist_file:dir search;
allow system_server proc_stat:file r_file_perms;
+get_prop(system_server, diag_prop);
diff --git a/sepolicy/thermal-engine.te b/sepolicy/thermal-engine.te
index 525394e..95382bf 100644
--- a/sepolicy/thermal-engine.te
+++ b/sepolicy/thermal-engine.te
@@ -1,3 +1,2 @@
set_prop(thermal-engine, diag_prop)
-allow thermal-engine init:unix_stream_socket connectto;
-allow thermal-engine property_socket:sock_file write;
+allow thermal-engine sysfs_batteryinfo:file r_file_perms;
diff --git a/sepolicy/time_daemon.te b/sepolicy/time_daemon.te
index 29af080..6bd661a 100644
--- a/sepolicy/time_daemon.te
+++ b/sepolicy/time_daemon.te
@@ -1 +1,2 @@
allow time_daemon property_socket:sock_file write;
+get_prop(time_daemon, diag_prop);
diff --git a/sepolicy/wcnss_filter.te b/sepolicy/wcnss_filter.te
new file mode 100644
index 0000000..aad7936
--- /dev/null
+++ b/sepolicy/wcnss_filter.te
@@ -0,0 +1 @@
+get_prop(wcnss_filter, diag_prop);
diff --git a/sepolicy/wcnss_service.te b/sepolicy/wcnss_service.te
index 46c74a3..2982cf8 100644
--- a/sepolicy/wcnss_service.te
+++ b/sepolicy/wcnss_service.te
@@ -1 +1,7 @@
-allow wcnss_service self:capability { setgid setuid };
+allow wcnss_service self:capability {
+ setgid
+ setuid
+ dac_override
+ net_raw
+};
+get_prop(wcnss_service, diag_prop);
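Review bot: `dac_override` (L369) disables all DAC permission checks for wcnss_service, which is almost always a symptom of a file or device node owned by the wrong user; fixing the ownership where the node is created, or using `dac_read_search` if only directory search was denied, is the preferred fix. `net_raw` is plausible for a WLAN service but should be traced to a concrete denial and noted in a comment above the block.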