path: root/sepolicy
Commit message | Author | Age
* msm8996-common: Update mac addresses paths | Davide Garberi | 2019-05-17
  * Switch to /persist for bt_mac to make it so that it's kept even after a factory reset
  * Also update the path of wlan_mac.bin in wlan.sh to write to the real mount point instead of the bind one
  Change-Id: I250358484a8c8a8ef7f01941eea798c11d6ac4e7
* msm8996-common: sepolicy: Label sysfs_rtc files | Davide Garberi | 2019-05-16
  * log:
    [ 11.659088] type=1400 audit(1558020697.976:30): avc: denied { read } for pid=995 comm="system_server" name="hctosys" dev="sysfs" ino=36303 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0
  Change-Id: Ica5355a1f30eaaf04e4b842d824897bc3c6df335
* msm8996-common: sepolicy: Allow netmgrd to set persist.net.doxlat | Demon Singur | 2019-05-16
  * Solves the following denial.
    avc: denied { set } for property=persist.net.doxlat pid=837 uid=1001 gid=1001 scontext=u:r:netmgrd:s0 tcontext=u:object_r:default_prop:s0 tclass=property_service permissive=1
  * We need this again after having switched back to Oreo RIL in 4d1a575a1900797720c957c40898a1bdebecfe55
  Change-Id: I30db8b7aa6017dfdea1c874f69b7b8b90bcc8800
* msm8996-common: sepolicy: Allow ims to set ctl_stop_prop | Davide Garberi | 2019-05-16
  * log:
    [ 26.216198] selinux: avc: denied { set } for property=ctl.stop$imsrcsd pid=824 uid=1000 gid=1000 scontext=u:r:ims:s0 tcontext=u:object_r:ctl_stop_prop:s0 tclass=property_service permissive=0\x0a
    [ 26.216278] init: Unable to set property 'ctl.stop' to 'imsrcsd' from uid:1000 gid:1000 pid:824: Invalid permissions to perform 'stop' on 'imsrcsd'
  Change-Id: I15868bd0dd1ef2cfa1003441e2553abe474ae365
* msm8996-common: sepolicy: Update perf sepolicy | Davide Garberi | 2019-05-16
  * Log:
    [ 24.377749] selinux: avc: denied { set } for property=vendor.min_freq_0 pid=522 uid=0 gid=0 scontext=u:r:hal_perf_default:s0 tcontext=u:object_r:vendor_mpctl_prop:s0 tclass=property_service permissive=0\x0a
    [ 24.377791] init: Unable to set property 'vendor.min_freq_0' to '384000' from uid:0 gid:0 pid:522: SELinux permission check failed
    [ 24.378820] selinux: avc: denied { set } for property=vendor.min_freq_4 pid=522 uid=0 gid=0 scontext=u:r:hal_perf_default:s0 tcontext=u:object_r:vendor_mpctl_prop:s0 tclass=property_service permissive=0\x0a
    [ 24.378850] init: Unable to set property 'vendor.min_freq_4' to '384000' from uid:0 gid:0 pid:522: SELinux permission check failed
  * Also cleanup the old sepolicy not needed anymore
  Change-Id: I2c5237540f8933f890818a58b4f61165c80cb93e
* msm8996-common: Remove wcg_mac_tool | Davide Garberi | 2019-05-16
  * Turns out we don't actually need to use this as /proc/mac_wifi and mac_bt can turn into normal mac address values just with hex dumping
  * Remove bt_mac_prop as we can just set the mac path in vendor_prop.mk
  Change-Id: I23665cdd5d39d5e090694cff5a63f55ecb9ea334
* msm8996-common: Correct BT mac address with non zui blobs | Davide Garberi | 2019-05-15
  Change-Id: Ibc6eed2018314e79f3f18749cedd9852c82a8a66
* Revert "msm8996-common: sepolicy: Label sys.post_boot.parsed" | LuK1337 | 2019-05-15
  This reverts commit 6b5e38c35a519487048cb66ce65086d4673e53bd.
  Change-Id: I811a7c04d35e27d74057f310c05aab008d434aae
* msm8996-common: sepolicy: bluetooth: Adding permission for rfkill failure | Rajshekar Eashwarappa | 2019-05-11
  - Create label for RFKILL node and add sepolicy for its access.
  Change-Id: Id16dce0818aa1f6233b75f35344b4eca9259c7b1
  Signed-off-by: Davide Garberi <dade.garberi@gmail.com>
* msm8996-common: pocketmode: Allow control over PocketMode service | Bruno Martins | 2019-05-10
  * Once the service is running, proximity sensor is constantly active when the display is turned off, resulting into a residual increase in battery consumption. Add a toggle so that users can decide whether they accept that and prefer to prevent accidental wake-ups triggered by the fingerprint sensor.
  * Keep the receiver that listens for the screen status registered only if the fingerprint wake-up feature is enabled at the same time as the accidental wake-up prevention feature.
  * Set PocketMode as a required module of ConfigPanel, to make sure it is only shipped on devices building the latter.
  * The configpanel part is integrated in b07a633bdeda835867aa3dc5a033529d7bd712dc
  Change-Id: Icfa23d2aef971e368476b6f1f7612493c2b69a20
* msm8996-common: Conditionally remove the OEM unlocking option | Davide Garberi | 2019-05-09
  * It would get disabled anyway when bootloader is unlocked, but this way makes safetynet pass even when unlocked
  Change-Id: I2dfe641bf60e0409f290b7b31492df00568c9916
* msm8996-common: sepolicy: Cleanup | Davide Garberi | 2019-05-02
  * Add back the fstab contexts to prevent some vfat denials
  * Remove a lot of not needed addresses
  * Create a domain for double tap to wake to not let the powerhal access all the sysfs files
  Change-Id: I44dfc5e9903eb562748215541f2d71f9a3d111d7
* msm8996-common: sepolicy: Give vendor_file the permission to write to sysfs | Davide Garberi | 2019-04-11
  Change-Id: Ie210f27a1dd3d79c50a49c6b024019464227bdd7
* msm8996-common: sepolicy: Remove duplicated CNE types | Davide Garberi | 2019-03-30
  * Added in platform by https://github.com/LineageOS/android_device_qcom_sepolicy/commit/a7143aa372d9004eeeb69a50221a5324d59cb5b6
  Change-Id: I328a46b45d651aeb54665c2453390adbb767de20
* msm8996-common: sepolicy: Don't audit dac_override for hal_perf_default either | Davide Garberi | 2019-03-24
  Change-Id: I790167bf413bb1166e63972ab321e2278cbabbfc
* msm8996-common: sepolicy: Silence hal_perf_default dac_* denials | dianlujitao | 2019-03-22
  Change-Id: Icaefcf91ea08813bb84ce33effec44d037bd5145
* msm8996-common: Remove irq related labels | Davide Garberi | 2019-03-21
  * This is useful without msm_irqbalance
  Change-Id: I500abb9dab85a4132210a9557f7ce3febaceadbb
* msm8996-common: sepolicy: Changes needed for CAF's new haptics driver | Subhajeet Muhuri | 2019-03-17
  Change-Id: Ib8cbdbd0088ffb9b74e27404937f0387e728e229
  Signed-off-by: Davide Garberi <dade.garberi@gmail.com>
* msm8996-common: remove useless NFC references | kubersharma001 | 2019-03-08
  * z2_plus/row do not support NFC so it's useless to have these
  * fixes random log saying this device has no NFC
  Change-Id: Idc0d97b42dff1f826efb35808b3998f40be98a7b
* msm8996-common: sepolicy: Cleanup | Davide Garberi | 2019-03-03
  * genfs_context cleanup after b5b41d341dd744c40d3908550daaafcee6fe7b4b in which it has randomly been imported from Marlin
  * Slightly cleanup indentation
  * Remove a lot of domains which were being used in genfs_context as most of it is already labelled differently in qcom common sepolicy and already addressed
  * Remove violators where not needed
  * Remove some old properties we're not using anymore
  Change-Id: Ic72853dfaf71ba3f0596e75d1bdd5b5c93cd70be
* msm8996-common: Set the hardware wlan mac using wcg_mac_tool | Davide Garberi | 2019-03-02
  * Bin extracted from ZUI
  * Add init.wlan.sh to check if the mac address in wlan_mac.bin is already correct, if not correct it
  * Run both the bins on boot completed as wcg can't run earlier
  * Label both the bins and address their denials
  Change-Id: I7a8001465ec9c3d69bd228efa57dddfdd8e3c6f3
* msm8996-common: Remove readmac | Davide Garberi | 2019-03-02
  * We don't need this anymore, no random mac because the real hardware wlan mac works now
  Change-Id: I13f85f4eb438b2230408d5bad1c694b2cd39a25b
* msm8996-common: Remove aptx support | Davide Garberi | 2019-02-24
  * We don't support this on stoct.
  Change-Id: Ic690330d1c063cec7f3bca049c0bf27967e7e36c
* msm8996-common: sepolicy: Address healthd denial on offline charging | Wang Han | 2019-02-19
  Change-Id: Ib5d3a671d94012fdcf8926e59821470857d41811
* msm8996-common: Fix a charger neverallow | Davide Garberi | 2019-02-19
  Change-Id: I050c47c495625cc769a2f6549f8f68ed8be07d6a
* msm8996-common: sepolicy: Update for touch HAL | Davide Garberi | 2019-02-11
  Change-Id: Ifec612cc608fcd4b7d72892e7921e238be4672e0
  Signed-off-by: Davide Garberi <dade.garberi@gmail.com>
* msm8996-common: Replace KeyDisabler class with Touch HAL | Bruno Martins | 2019-02-11
  Change-Id: I7b87ae0ad834ba02a78696afe393d9d4f8920fbd
  Signed-off-by: Davide Garberi <dade.garberi@gmail.com>
* msm8996-common: sepolicy: Make healthd permissive | Davide Garberi | 2019-02-07
  * Not the best solution but I can't think of any other solution at the moment
  * It shouldn't anyway be a security problem as this domain is used only for charger
  * Fixes offline charging completely
  Signed-off-by: Davide Garberi <dade.garberi@gmail.com>
  Change-Id: I7379724a0550553e0fd6ab4f470bd9439c093936
* msm8996-common: sepolicy: Address some denials | Davide Garberi | 2019-02-06
  * Don't break any neverallows this time
  * Still healthd missing to fix
  Signed-off-by: Davide Garberi <dade.garberi@gmail.com>
  Change-Id: I861eb5dc1f91e7cdea2e7b55c617e55a24ec2e02
* msm8996-common: sepolicy: Label custom camera sockets | Michael Bestas | 2019-02-06
  * Normal path is /data/vendor/camera, defined in device/qcom/sepolicy
  * We have hex edited 6.0 blobs from /data/misc/camera to /data/vendor/qcam because of the new path string being longer than the old one
  Signed-off-by: Davide Garberi <dade.garberi@gmail.com>
  Change-Id: Ib96191dd55aea0c20c58a16bf1a91a46f07367e6
* msm8996-common: sepolicy: Nuke the neverallows | Davide Garberi | 2019-02-06
  * Also fix other general sepolicy errors after stopping to ignore the neverallows
  Change-Id: I1af3d9f57a0ca6e37420094a53f1c52127f3e187
  Signed-off-by: Davide Garberi <dade.garberi@gmail.com>
* msm8996-common: sepolicy: Address some denials | Davide Garberi | 2019-01-27
  Signed-off-by: Davide Garberi <dade.garberi@gmail.com>
  Change-Id: Ibd1ea0a8b32fc4e87bf912a87339f7bc2a31d423
* msm8996-common: sepolicy: Resolve health denials after upreving to 2.0 | Subhajeet Muhuri | 2019-01-26
  Signed-off-by: Davide Garberi <dade.garberi@gmail.com>
* msm8996-common: sepolicy: Remove a location address | Davide Garberi | 2019-01-26
  Signed-off-by: Davide Garberi <dade.garberi@gmail.com>
  Change-Id: Ic8c90812fd61ec921b0bec5ddc2f20555afa4c0c
  Signed-off-by: Davide Garberi <dade.garberi@gmail.com>
* msm8996-common: Remove CNE HAL entries. | Devi Sandeep Endluri V V | 2019-01-19
  CNE Hals moved to Factory Hal implementation. Removing the Hal entries for the same.
  CRs-Fixed: 2295302
  Change-Id: Ifd7b605e3b9824951e111108c664ec0cde37fe83
  Signed-off-by: Davide Garberi <dade.garberi@gmail.com>
* msm8996-common: sepolicy: Nuke some charger neverallows | Davide Garberi | 2019-01-19
  Change-Id: Ia01969378d79aa6ca1a81ad3bf9cf2acd39be051
  Signed-off-by: Davide Garberi <dade.garberi@gmail.com>
* msm8996-common: sepolicy: Remove most neverallows | Davide Garberi | 2018-12-27
  Change-Id: Ie5569ba587b47e23aab07108cf5bb483d7177f50
  Signed-off-by: Davide Garberi <dade.garberi@gmail.com>
* msm8996-common: Address a dpmQmiMgr denial | davidevinavil | 2018-12-04
  Change-Id: Ie829e0ec1e640578bd7c0aa92c32a1caee62dab9
  Signed-off-by: Davide Garberi <dade.garberi@gmail.com>
* msm8996-common: Rename Widevine HIDL service to v1.1. | Edwin Wong | 2018-11-20
  Widevine HIDL service added new v1.1 media APIs, the service version is updated to 1.1.
  Test: Netflix and Play Movies & TV (streaming and offline playback)
  Test: GTS WidevineH264PlaybackTests test e.g. ANDROID_BUILD_TOP= ./android-gts/toolsefed run gts -m GtsMediaTestCases --test com.google.android.media.gts.WidevineH264PlaybackTests#testL1With480P30
  bug: 69674645
  Change-Id: I7b8966c5fe2c2ded4a86b4358511548426de76dc
  Signed-off-by: Davide Garberi <dade.garberi@gmail.com>
* msm8996-common: sepolicy: Cleanup | Davide Garberi | 2018-10-31
  * Mostly squash the various macros
  Change-Id: I1e71a6d728cd4d7e7be057604978264c429aed90
  Signed-off-by: Davide Garberi <dade.garberi@gmail.com>
* msm8996-common: sepolicy: Address some denials | Davide Garberi | 2018-10-31
  * No new neverallows generated
  Change-Id: If50b0f173fe858470fb98e83d8b7621bcffb64ff
  Signed-off-by: Davide Garberi <dade.garberi@gmail.com>
* msm8996-common: sepolicy: Move neverallows to neverallows.te | Davide Garberi | 2018-10-19
  Change-Id: Ie067c2f0f6ec96edd110c79d143de36b20708b47
  Signed-off-by: Davide Garberi <dade.garberi@gmail.com>
* msm8996-common: sepolicy Address init denials | Cosme Domínguez Díaz | 2018-10-19
  avc: denied { setattr } for pid=1 comm="init" name="scheduler" dev="sysfs" ino=36476 scontext=u:r:init:s0 tcontext=u:object_r:sysfs_scsi_devices_0000:s0 tclass=file permissive=0
  avc: denied { setattr } for pid=1 comm="init" name="scheduler" dev="sysfs" ino=36476 scontext=u:r:init:s0 tcontext=u:object_r:sysfs_scsi_devices_0000:s0 tclass=file permissive=0
  avc: denied { write } for pid=1 comm="init" name="scheduler" dev="sysfs" ino=36476 scontext=u:r:init:s0 tcontext=u:object_r:sysfs_scsi_devices_0000:s0 tclass=file permissive=0
  avc: denied { write } for pid=1 comm="init" name="scheduler" dev="sysfs" ino=36476 scontext=u:r:init:s0 tcontext=u:object_r:sysfs_scsi_devices_0000:s0 tclass=file permissive=0
  avc: denied { write } for pid=1 comm="init" name="slice_idle" dev="sysfs" ino=44595 scontext=u:r:init:s0 tcontext=u:object_r:sysfs_scsi_devices_0000:s0 tclass=file permissive=0
  avc: denied { write } for pid=1 comm="init" name="slice_idle" dev="sysfs" ino=44595 scontext=u:r:init:s0 tcontext=u:object_r:sysfs_scsi_devices_0000:s0 tclass=file permissive=0
* msm8996-common: sepolicy: Address charger denials | Cosme Domínguez Díaz | 2018-10-19
  avc: denied { dac_override } for pid=463 comm="chargeonlymode" capability=1 scontext=u:r:charger:s0 tcontext=u:r:charger:s0 tclass=capability permissive=1
  avc: denied { write } for pid=463 comm="chargeonlymode" name="persist" dev="rootfs" ino=938 scontext=u:r:charger:s0 tcontext=u:object_r:mnt_vendor_file:s0 tclass=dir permissive=1
  avc: denied { add_name } for pid=463 comm="chargeonlymode" name="subsys" scontext=u:r:charger:s0 tcontext=u:object_r:mnt_vendor_file:s0 tclass=dir permissive=1
  avc: denied { create } for pid=463 comm="chargeonlymode" name="subsys" scontext=u:r:charger:s0 tcontext=u:object_r:mnt_vendor_file:s0 tclass=dir permissive=1
  avc: denied { create } for pid=463 comm="chargeonlyiode" name="batt_info.bin" scontext=u:r:charger:s0 tcontext=u:object_r:mnt_vendor_file:s0 tclass=file permissive=1
  avc: denied { write open } for pid=463 comm="chargeonlymode" path="/persist/subsys/batt_info.bin" dev="rootfs" ino=948 scontext=u:r:charger:s0 tcontext=u:object_r:mnt_vendor_file:s0 tclass=file permissive=1
  avc: denied { setattr } for pid=463 comm="chargeonlymode" name="batt_info.bin" dev="rootfs" ino=948 scontext=u:r:charger:s0 tcontext=u:object_r:mnt_vendor_file:s0 tclass=file permissive=1
  avc: denied { chown } for pid=463 comm="chargeonlymode" capability=0 scontext=u:r:charger:s0 tcontext=u:r:charger:s0 tclass=capability permissive=1
  avc: denied { read } for pid=463 comm="chargeonlymode" name="type" dev="sysfs" ino=42537 scontext=u:r:charger:s0 tcontext=u:object_r:sysfs_battery_supply:s0 tclass=file permissive=1
  avc: denied { open } for pid=463 comm="chargeonlymode" path="/sys/devices/soc/qpnp-smbcharger-16/pnwer_supply/dc/type" dev="sysfs" ino=42537 scontext=u:r:charger:s0 tcontext=u:objectOr:sysfs_battery_supply:s0 tclass=file permissive=1
* msm8996-common: sepolicy: Address hal_audio_default denials | Cosme Domínguez Díaz | 2018-10-19
  Change-Id: I79f4f3270de21ea070edc085b12c0d3d64285a3a
  avc: denied { write } for pid=528 comm="audio@2.0-servi" name="delta" dev="sda10" ino=1410 scontext=u:r:hal_audio_default:s0 tcontext=u:object_r:vendor_data_file:s0 tclass=dir permissive=1
  avc: denied { write } for pid=528 comm="audio@2.0-servi" name="delta" dev="sda10" ino=1410 scontext=u:r:hal_audio_default:s0 tcontext=u:object_r:vendor_data_file:s0 tclass=dir permissive=
* msm8996-common: sepolicy: Address rmt_storage denials | Cosme Domínguez Díaz | 2018-10-07
  avc: denied { read } for pid=595 comm="rmt_storage" name="name" dev="sysfs" ino=42161 scontext=u:r:rmt_storage:s0 tcontext=u:object_r:sysfs_msm_subsys:s0 tclass=file permissive=1
  avc: denied { read } for pid=595 comm="rmt_storage" name="name" dev="sysfs" ino=42161 scontext=u:r:rmt_storage:s0 tcontext=u:object_r:sysfs_msm_subsys:s0 tclass=file permissive=1
  avc: denied { open } for pid=595 comm="rmt_storage" path="/sys/devices/soc/9300000.qcom,lpass/subsys3/name" dev="sysfs" ino=42161 scontext=u:r:rmt_storage:s0 tcontext=u:object_r:sysfs_msm_subsys:s0 tclass=file permissive=1
  avc: denied { open } for pid=595 comm="rmt_storage" path="/sys/devices/soc/9300000.qcom,lpass/subsys3/name" dev="sysfs" ino=42161 scontext=u:r:rmt_storage:s0 tcontext=u:object_r:sysfs_msm_subsys:s0 tclass=file permissive=1
* msm8996-common: sepolicy: Address time_daemon denials | Cosme Domínguez Díaz | 2018-10-07
  avc: denied { write } for pid=673 comm="time_daemon" name="time" dev="sda10" ino=15159 scontext=u:r:time_daemon:s0 tcontext=u:object_r:time_data_file:s0 tclass=dir permissive=1
  avc: denied { write } for pid=673 comm="time_daemon" name="time" dev="sda10" ino=15159 scontext=u:r:time_daemon:s0 tcontext=u:object_r:time_data_file:s0 tclass=dir permissive=1
  avc: denied { add_name } for pid=673 comm="time_daemon" name="ats_15" scontext=u:r:time_daemon:s0 tcontext=u:object_r:time_data_file:s0 tclass=dir permissive=1
  avc: denied { add_name } for pid=673 comm="time_daemon" name="ats_15" scontext=u:r:time_daemon:s0 tcontext=u:object_r:time_data_file:s0 tclass=dir permissive=1
  avc: denied { create } for pid=673 comm="time_daemon" name="ats_15" scontext=u:r:time_daemon:s0 tcontext=u:object_r:time_data_file:s0 tclass=file permissive=1
  avc: denied { create } for pid=673 comm="time_daemon" name="ats_15" scontext=u:r:time_daemon:s0 tcontext=u:object_r:time_data_file:s0 tclass=file permissive=1
  avc: denied { write } for pid=673 comm="time_daemon" name="time" dev="sda10" ino=15159 scontext=u:r:time_daemon:s0 tcontext=u:object_r:time_data_file:s0 tclass=dir permissive=1
  avc: denied { write } for pid=673 comm="time_daemon" name="time" dev="sda10" ino=15159 scontext=u:r:time_daemon:s0 tcontext=u:object_r:time_data_file:s0 tclass=dir permissive=1
  avc: denied { add_name } for pid=673 comm="time_daemon" name="ats_2" scontext=u:r:time_daemon:s0 tcontext=u:object_r:time_data_file:s0 tclass=dir permissive=1
  avc: denied { add_name } for pid=673 comm="time_daemon" name="ats_2" scontext=u:r:time_daemon:s0 tcontext=u:object_r:time_data_file:s0 tclass=dir permissive=1
  avc: denied { create } for pid=673 comm="time_daemon" name="ats_2" scontext=u:r:time_daemon:s0 tcontext=u:object_r:time_data_file:s0 tclass=file permissive=1
  avc: denied { create } for pid=673 comm="time_daemon" name="ats_2" scontext=u:r:time_daemon:s0 tcontext=u:object_r:time_data_file:s0 tclass=file permissive=1
* msm8996-common: sepolicy: Address hal_audio_default denials | Cosme Domínguez Díaz | 2018-10-07
  * From marlin's sepolicy. Adapted to work with device/qcom/sepolicy.
* msm8996-common: Update rmt_storage and tftp_server | Davide Garberi | 2018-10-07
  * From LA.UM.7.2.r1-04000-sdm660.0 - B2N_sprout:9/PPR1.180610.011/00WW_3_22C
  * libqsocket and libqrtr are dependencies of tftp_server
  Change-Id: Ia88230d5ad5287825e624df337c37aa06a3d9edd
  Signed-off-by: Davide Garberi <dade.garberi@gmail.com>
* msm8996-common: neverallows: Nuke priv-app and qti denials | Davide Garberi | 2018-10-07
  Change-Id: Ifc66eb447953aaa312b7c3a9230a72b70fb78ea7
  Signed-off-by: Davide Garberi <dade.garberi@gmail.com>