authornailyk-fr <nailyk_git@nailyk.fr>2017-02-11 14:56:11 +0100
committernailyk-fr <nailyk_git@nailyk.fr>2017-02-21 20:15:18 +0100
commitbad9906576b3cc04e9f4c807321457ab240ae430 (patch)
treeb672c5e8853759ab7fc4be259b7e2a09f81199bb
parentb286cc9e9453297e668ce342e39bf48a1afd9f92 (diff)
shinano-common: Solve camera denials
Change-Id: I62e1e9b87e48b0f5d436ef44bb816eedf5328347 shinano-common: Solve camera services denials Change-Id: I36479598ada099da4949d999f7485b69ccd59c19
-rw-r--r--rootdir/init.qcom.rc49
-rw-r--r--sepolicy/cameraserver.te23
-rw-r--r--sepolicy/file_contexts6
-rw-r--r--sepolicy/idd.te42
-rw-r--r--sepolicy/service_contexts63
-rw-r--r--sepolicy/workarounds.te100
6 files changed, 275 insertions, 8 deletions
diff --git a/rootdir/init.qcom.rc b/rootdir/init.qcom.rc
index 4e8cf01..6b4af86 100644
--- a/rootdir/init.qcom.rc
+++ b/rootdir/init.qcom.rc
@@ -22,6 +22,7 @@ import /init.qcom.power.rc
on early-init
mount debugfs debugfs /sys/kernel/debug
chown system system /sys/kernel/debug/kgsl/proc
+ echo 8 8 8 8 > /proc/sys/kernel/printk
on init
symlink /dev/block/platform/msm_sdcc.1 /dev/block/bootdevice
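Review bot: `echo 8 8 8 8 > /proc/sys/kernel/printk` is shell syntax; Android init parses .rc files itself and has neither an `echo` builtin nor output redirection, so this line is rejected as an invalid command and has no effect. The init form is `write /proc/sys/kernel/printk "8 8 8 8"`. Raising all four printk thresholds to 8 also puts debug-level kernel output on the console, which reads like a leftover from chasing these denials rather than shipping configuration; if it is wanted at all, move it under an `on property:ro.debuggable=1` trigger. The `on early-init` block continues outside the hunk.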
@@ -45,7 +46,7 @@ on init
mkdir /dev/bus 0755 root root
mkdir /dev/bus/usb 0755 root root
- mkdir /idd 0751 idd idd
+ mkdir /idd 0751 idd idd
mkdir /rca 0750 idd idd
wait /dev/block/mmcblk0p1
@@ -185,6 +186,22 @@ on boot
chown system graphics /sys/class/graphics/fb1/hdcp/tp
chmod 0664 /sys/devices/virtual/graphics/fb1/hdcp/tp
+ # PM8941 flash
+ chown cameraserver system /sys/class/misc/pm8941-flash/device/current1
+ chown cameraserver system /sys/class/misc/pm8941-flash/device/current2
+ chown cameraserver system /sys/class/misc/pm8941-flash/device/fault_status
+ chown cameraserver system /sys/class/misc/pm8941-flash/device/fine_current1
+ chown cameraserver system /sys/class/misc/pm8941-flash/device/fine_current2
+ chown cameraserver system /sys/class/misc/pm8941-flash/device/flash_timer
+ chown cameraserver system /sys/class/misc/pm8941-flash/device/mask_clamp_current
+ chown cameraserver system /sys/class/misc/pm8941-flash/device/mask_enable
+ chown cameraserver system /sys/class/misc/pm8941-flash/device/max_current
+ chown cameraserver system /sys/class/misc/pm8941-flash/device/mode
+ chown cameraserver system /sys/class/misc/pm8941-flash/device/startup_delay
+ chown cameraserver system /sys/class/misc/pm8941-flash/device/strobe
+ chown cameraserver system /sys/class/misc/pm8941-flash/device/vph_pwr_droop
+
+
# create symlink for fb1 as HDMI
symlink /dev/graphics/fb1 /dev/graphics/hdmi
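Review bot: The thirteen `chown cameraserver system` lines change only ownership of the pm8941-flash nodes and leave their mode at whatever the driver exposes, whereas the camera nodes elsewhere in this file pair `chown` with an explicit `chmod` (the `/sys/devices/sony_camera_1/info` lines in a later hunk use `chmod 0770`). If the intent is that only cameraserver writes these controls, add a matching `chmod 0660` per node, or state the expected mode in the `# PM8941 flash` comment. The two trailing blank lines added after `vph_pwr_droop` are surplus; one blank line matches the rest of the file. The `on boot` block continues outside the hunk.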
@@ -279,6 +296,10 @@ on post-fs
# the insmod must be done before chargemon.
insmod /system/lib/modules/mhl_sii8620_8061_drv.ko
+ # we will remap this as /mnt/sdcard with the sdcard fuse tool
+ mkdir /data/misc/camera 0770 camera camera
+ mkdir /data/misc/cameraserver 0700 cameraserver cameraserver
+
exec /system/bin/chargemon
write /sys/class/power_supply/battery/shutdown_at_low_batt 1
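Review bot: The comment `# we will remap this as /mnt/sdcard with the sdcard fuse tool` does not describe the two `mkdir` lines beneath it and looks copied from another block; replace it with something that does, e.g. `# Private runtime dirs for the camera HAL daemon and cameraserver (cam sockets are created under /data/misc/camera)`. Worth noting in that comment too that `/data/misc/camera` is `0770 camera camera`, so cameraserver's access to it rests on the `group camera` entry of its service definition in a later hunk. The `on post-fs` block continues outside the hunk.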
@@ -384,7 +405,7 @@ on post-fs-data
chmod 2770 /dev/socket/mpdecision
# SONY: Create a dir on data partition not to be deleted during mr and wipedata
- mkdir /data/persist 0770 persist_rw persist_rw
+ mkdir /data/persist 0770 system system
# SONY: Create dir for Widevine keybox
mkdir /data/persist/wv 0700 system system
@@ -403,6 +424,14 @@ on post-fs-data
chown media camera /sys/devices/sony_camera_1/info
chmod 0770 /sys/devices/sony_camera_1/info
+ exec u:r:qti_init_shell:s0 -- /system/bin/rm -r /idd/lost+found
+ mkdir /idd/lost+found 0770 root root
+ mkdir /idd/output 0755 idd idd
+ mkdir /idd/socket 0711 idd idd
+ restorecon_recursive /idd
+ start wvkbd_installer
+
+
# SONY: Import MiscTA to System properties
exec -- /system/bin/taimport property
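Review bot: `exec u:r:qti_init_shell:s0 -- /system/bin/rm -r /idd/lost+found` deletes the filesystem's recovery directory on every boot, so anything fsck salvaged into it is silently discarded, and it is unrelated to the camera denials this commit targets. If the aim is only ownership, mode and labels, the following `mkdir /idd/lost+found 0770 root root` already applies them to an existing directory (init's mkdir chowns and chmods on EEXIST, as far as I recall) and `restorecon_recursive /idd` fixes the labels, so the `rm -r` can be dropped. Note also that `rm -r` without `-f` fails when the directory is absent, which init will log as an exec error each boot. The `on post-fs-data` block continues outside the hunk.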
@@ -528,10 +557,10 @@ service mpdecision /system/bin/mpdecision --avg_comp
group system
disabled
-service iddd /system/bin/iddd -v
+service iddd /system/bin/iddd
class main
user idd
- group idd log inet trimarea credmgr_client system
+ group idd log inet
on property:gsm.nitz.time=*
start scdnotifier_nitz
@@ -546,8 +575,8 @@ service suntrold /system/bin/suntrold
# Start Credential manager daemon
service credmgrd /system/bin/credmgrd
user system
- group credmgr_client trimarea idd log inet drmpc
- socket credmgr stream 0777 system credmgr_client
+ group credmgr_client
+ socket credmgr stream 0660 system credmgr_client
class main
#doesn't exist on shinano. Keept for compat purpose
@@ -627,7 +656,8 @@ service irsc_util /system/bin/irsc_util "/etc/sec_config"
service qcamerasvr /system/bin/mm-qcamera-daemon
class late_start
user camera
- group system inet input graphics camera credmgr_client
+ group camera system inet input graphics
+# group camera system inet input graphics credmgr_client cameraserver
service sensors /system/bin/sensors.qcom
class main
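Review bot: The commented-out alternative `# group camera system inet input graphics credmgr_client cameraserver` directly after the live `group` line is dead configuration with no explanation of why it was rejected; the same pattern recurs in the cameraserver service hunk (`# group audio camera ...` and `# seclabel u:r:cameraserver:s0`). Either delete these lines or replace each with a one-line reason, e.g. `# credmgr_client intentionally dropped: <reason>`, so the live line is clearly the intended end state. The qcamerasvr definition ends at its `group` line; `service sensors` that follows is a separate service.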
@@ -676,8 +706,11 @@ service audioserver /system/bin/audioserver
service cameraserver /system/bin/cameraserver
class main
user cameraserver
- group audio camera drmrpc inet media mediadrm net_bt net_bt_admin net_bw_acct credmgr_client trimarea
+ group camera drmrpc inet media mediadrm net_bt net_bt_admin net_bw_acct credmgr_client trimarea system audio
+# group audio camera drmrpc inet media mediadrm net_bt net_bt_admin net_bw_acct credmgr_client
ioprio rt 4
+# seclabel u:r:cameraserver:s0
+ writepid /dev/cpuset/foreground/tasks
service drm /system/bin/drmserver
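Review bot: Adding `system` to cameraserver's `group` list grants the service membership of the system group, which is far broader than the pm8941-flash nodes this commit is trying to reach; those nodes are already chowned to user `cameraserver` in the earlier `on boot` hunk, so the group membership is probably redundant for them. If another node needs it, name that node in a comment; otherwise drop `system` and keep the original group set. The commented `# seclabel u:r:cameraserver:s0` suggests the domain assignment was in doubt; if the `cameraserver` domain comes from the binary's file_contexts label, a comment saying so is better than a commented-out directive.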
diff --git a/sepolicy/cameraserver.te b/sepolicy/cameraserver.te
new file mode 100644
index 0000000..7db63bf
--- /dev/null
+++ b/sepolicy/cameraserver.te
@@ -0,0 +1,23 @@
+allow cameraserver mm-qcamerad:unix_dgram_socket sendto;
+allow cameraserver mm-qcamerad:unix_stream_socket connectto;
+allow cameraserver camera_data_file:sock_file write;
+allow mm-qcamerad cameraserver:unix_dgram_socket sendto;
+allow mm-qcamerad cameraserver:unix_stream_socket connectto;
+allow mm-qcamerad camera_data_file:sock_file rw_file_perms;
+allow cameraserver gpu_device:chr_file rw_file_perms;
+allow cameraserver rootfs:lnk_file getattr;
+allow cameraserver sysfs_camera_torch:file rw_file_perms;
+allow cameraserver sysfs_camera_torch:dir search;
+allow cameraserver sysfs_camera_torch:lnk_file read;
+allow cameraserver ta_data_file:dir search;
+#allow cameraserver secd:unix_stream_socket connectto;
+#allow cameraserver secd_socket:sock_file write;
+
+allow cameraserver camera_data_file:unix_dgram_socket sendto;
+allow cameraserver camera_data_file:unix_stream_socket connectto;
+allow mm-qcamerad camera_data_file:unix_dgram_socket sendto;
+allow mm-qcamerad camera_data_file:unix_stream_socket connectto;
+
+allow mm-qcamerad ion_device:chr_file { ioctl open read };
+allow cameraserver ion_device:chr_file { ioctl open read };
+
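Review bot: `allow cameraserver camera_data_file:unix_dgram_socket sendto;`, `allow cameraserver camera_data_file:unix_stream_socket connectto;` and the two `mm-qcamerad` counterparts pair a file type with socket classes; a Unix socket object carries the label of the process that created it (here `mm-qcamerad` or `cameraserver`, which the rules at the top of the file already cover), so unless a type_transition relabels sockets — nothing here does — these four rules can never match and should be removed rather than kept as noise. The commented `#allow cameraserver secd:...` lines should likewise be deleted or annotated with why they are not needed. `allow cameraserver mm-qcamerad:unix_stream_socket connectto;` is repeated in workarounds.te in this same commit; give cameraserver rules one home. A header comment such as `# cameraserver <-> mm-qcamerad sockets, ION and torch sysfs access` would help, and the trailing blank line at EOF can go.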
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index 69b759b..07853c1 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -28,6 +28,12 @@
/data/credmgr(/.*) u:object_r:secd_data_file:s0
/system/bin/scd u:object_r:scd_exec:s0
+/data/scd u:object_r:scd_data:s0
+/data/scd(/.*) u:object_r:scd_data:s0
/system/bin/scdnotifier u:object_r:scd_exec:s0
/system/bin/wvkbd u:object_r:wv_exec:s0
+
+#cam_socket
+/data/misc/camera/cam_socket1 u:object_r:camera_socket:s0
+/data/misc/camera/cam_socket2 u:object_r:camera_socket:s0
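Review bot: `/data/scd` and `/data/scd(/.*)` can be a single entry, `/data/scd(/.*)?    u:object_r:scd_data:s0`, which is the usual file_contexts idiom for a directory and its contents. The `#cam_socket` entries pin exactly `cam_socket1` and `cam_socket2`; any further numbered socket the HAL creates would keep the parent directory's `camera_data_file` label, which matters because this commit splits socket rules between `camera_data_file:sock_file` in cameraserver.te and `camera_socket` in workarounds.te. A comment stating which label the camera sockets are expected to carry, and why only these two are relabelled, would make the intent checkable.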
diff --git a/sepolicy/idd.te b/sepolicy/idd.te
index a840e9b..7c8cf69 100644
--- a/sepolicy/idd.te
+++ b/sepolicy/idd.te
@@ -17,8 +17,50 @@ init_daemon_domain(credmgr);
type scd, domain;
type scd_exec, exec_type, file_type;
+type scd_data, file_type;
init_daemon_domain(scd)
type wv,domain;
type wv_exec, exec_type, file_type;
init_daemon_domain(wv)
+
+
+#============= system_server ==============
+allow system_server credmgr_exec:dir search;
+allow system_server credmgr_exec:file { getattr open read };
+allow system_server iddd_exec:dir search;
+allow system_server iddd_exec:file { getattr open read };
+
+#============= iddd_exec ==============
+allow iddd_exec default_prop:file { getattr open read };
+allow iddd_exec device:dir search;
+allow iddd_exec devpts:chr_file { open read write };
+allow iddd_exec iddd_file:dir search;
+allow iddd_exec iddd_file:file { lock open read write };
+allow iddd_exec init:fd use;
+allow iddd_exec init:process sigchld;
+allow iddd_exec kernel:system module_request;
+allow iddd_exec log_tag_prop:file { getattr open read };
+allow iddd_exec logd:unix_dgram_socket sendto;
+allow iddd_exec logd_prop:file { getattr open read };
+allow iddd_exec logdw_socket:sock_file write;
+allow iddd_exec null_device:chr_file { read write };
+allow iddd_exec proc:lnk_file read;
+allow iddd_exec properties_device:dir getattr;
+allow iddd_exec properties_serial:file { getattr open read };
+allow iddd_exec property_contexts:file { getattr open read };
+allow iddd_exec ptmx_device:chr_file { ioctl open read write };
+allow iddd_exec rootfs:lnk_file { getattr read };
+allow iddd_exec self:dir { read search };
+allow iddd_exec self:file { execute execute_no_trans getattr open read };
+allow iddd_exec self:lnk_file read;
+allow iddd_exec self:process { fork sigchld };
+allow iddd_exec self:unix_dgram_socket { connect create write };
+allow iddd_exec self:unix_stream_socket read;
+allow iddd_exec sysfs:dir search;
+allow iddd_exec sysfs_devices_system_cpu:dir search;
+allow iddd_exec sysfs_devices_system_cpu:file { getattr open read };
+allow iddd_exec system_file:dir getattr;
+#allow iddd_exec system_file:file { entrypoint execute getattr open read };
+allow iddd_exec urandom_device:chr_file { getattr ioctl open read };
+
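Review bot: The `#============= iddd_exec ==============` block uses `iddd_exec` as the source of every rule, but `iddd_exec` is declared `exec_type, file_type` — the label of the binary — not a process domain, so rules such as `allow iddd_exec self:process { fork sigchld };` and `allow iddd_exec kernel:system module_request;` either mean nothing or describe a process that never transitioned out of its file label (the commented `entrypoint` line hints at the latter). The fix is to ensure the iddd service runs in the `iddd` domain (`init_daemon_domain(iddd)` if not already present, with `iddd_exec` on `/system/bin/iddd`) and to grant the required permissions to `iddd`; once moved, `module_request` and `execute_no_trans` on self deserve a second look, since AOSP restricts both with neverallow rules for most domains, as far as I recall. `type scd_data, file_type;` labels paths under `/data` (see the file_contexts hunk) and by AOSP convention should also carry `data_file_type`, i.e. `type scd_data, file_type, data_file_type;`.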
diff --git a/sepolicy/service_contexts b/sepolicy/service_contexts
new file mode 100644
index 0000000..d4a1246
--- /dev/null
+++ b/sepolicy/service_contexts
@@ -0,0 +1,63 @@
+#line 1 "system/sepolicy/service_contexts"
+#line 1 "out/target/product/leo/obj/ETC/sectxfile_nl_intermediates/sectxfile_nl"
+
+#line 1 "vendor/semc/system/sepolicy/Camera_Extension_API/1.1.0/service_contexts"
+media.cameraextension u:object_r:mediaserver_service:s0
+#line 1 "out/target/product/leo/obj/ETC/sectxfile_nl_intermediates/sectxfile_nl"
+
+#line 1 "vendor/semc/system/sepolicy/Crash_Handling/1_0_0/service_contexts"
+#crashmonitornative u:object_r:crashmonitor_service:s0
+#line 1 "out/target/product/leo/obj/ETC/sectxfile_nl_intermediates/sectxfile_nl"
+
+#line 1 "vendor/semc/system/sepolicy/Google_Analytics_Proxy/1.0.0/service_contexts"
+#platform_analytics u:object_r:platform_analytics_service:s0
+#line 1 "out/target/product/leo/obj/ETC/sectxfile_nl_intermediates/sectxfile_nl"
+
+#line 1 "vendor/semc/system/sepolicy/Image_Processor_API/1.1.0/service_contexts"
+media.cacao u:object_r:mediaserver_service:s0
+#line 1 "out/target/product/leo/obj/ETC/sectxfile_nl_intermediates/sectxfile_nl"
+
+#line 1 "vendor/semc/system/sepolicy/Power_Save/1.0.0/service_contexts"
+#xperiaappdepinfo u:object_r:xperiaappdepinfo_service:s0
+#xperia_power u:object_r:xperia_power_service:s0
+#stamina_qbd u:object_r:stamina_qbd_service:s0
+#line 1 "out/target/product/leo/obj/ETC/sectxfile_nl_intermediates/sectxfile_nl"
+
+#line 1 "vendor/semc/system/sepolicy/Touch/1.0.0/tfsw/service_contexts"
+#tfsw u:object_r:tfsw_service:s0
+#line 1 "out/target/product/leo/obj/ETC/sectxfile_nl_intermediates/sectxfile_nl"
+
+#line 1 "vendor/semc/system/sepolicy/WLAN_Miracast_sink/1.1.0/service_contexts"
+#WfdSinkService u:object_r:wfd_sink_exec_service:s0
+#line 1 "out/target/product/leo/obj/ETC/sectxfile_nl_intermediates/sectxfile_nl"
+
+#line 1 "device/somc/shinano/sepolicy/service_contexts"
+#overlay u:object_r:overlay_service:s0
+#line 1 "out/target/product/leo/obj/ETC/sectxfile_nl_intermediates/sectxfile_nl"
+
+#line 1 "device/qcom/sepolicy/common/service_contexts"
+#android.apps.IQfpService u:object_r:iqfp_service:s0
+#AtCmdFwd u:object_r:atfwd_service:s0
+#dpmservice u:object_r:dpmservice:s0
+#listen.service u:object_r:mediaserver_service:s0
+#cneservice u:object_r:cne_service:s0
+#gbahttpauth u:object_r:gba_auth_service:s0
+#vendor.qcom.PeripheralManager u:object_r:per_mgr_service:s0
+#com.qualcomm.qti.auth.fidocryptodaemon u:object_r:fidodaemon_service:s0
+#wbc_service u:object_r:wbc_service:s0
+#STAProxyService u:object_r:STAProxyService:s0
+#dun u:object_r:dun_service:s0
+#qti.ims.connectionmanagerservice u:object_r:imscm_service:s0
+#com.qti.snapdragon.sdk.display.IColorService u:object_r:color_service:s0
+#wfdservice u:object_r:wfdservice_service:s0
+#DigitalPen u:object_r:usf_service:s0
+#dts_eagle_service u:object_r:dtseagleservice_service:s0
+#wfd.native.mm.service u:object_r:wfdservice_service:s0
+#extphone u:object_r:radio_service:s0
+#com.qualcomm.location.izat.IzatService u:object_r:izat_service:s0
+#line 1 "out/target/product/leo/obj/ETC/sectxfile_nl_intermediates/sectxfile_nl"
+
+#line 1 "device/qcom/sepolicy/test/service_contexts"
+#com.qualcomm.qti.auth.securesampleauthdaemon u:object_r:fidotest_service:s0
+#line 1 "out/target/product/leo/obj/ETC/sectxfile_nl_intermediates/sectxfile_nl"
+
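Review bot: This new file is the build's concatenated intermediate (note the `#line 1 "out/target/product/leo/obj/ETC/sectxfile_nl_intermediates/sectxfile_nl"` markers throughout) committed as source; only two entries are live, `media.cameraextension` and `media.cacao`, both labelled `mediaserver_service`. Replace it with just those two lines under a comment such as `# Sony camera extension / image processor binder services, labelled as mediaserver services`, and drop the `#line` markers and the forty-odd commented entries, which document nothing and will confuse the next merge. If the other services are deliberately left unlabelled, one sentence saying so is better than keeping them as comments.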
diff --git a/sepolicy/workarounds.te b/sepolicy/workarounds.te
index 1a776d3..52203d8 100644
--- a/sepolicy/workarounds.te
+++ b/sepolicy/workarounds.te
@@ -1,3 +1,8 @@
+allow cameraserver camera_socket:dir { search write add_name };
+allow cameraserver camera_socket:file { read write getattr open };
+allow mm-qcamerad camera_socket:dir { search write add_name };
+allow mm-qcamerad camera_socket:file { read write getattr open };
+
#============= credmgr ==============
allow credmgr iddd:unix_dgram_socket sendto;
allow credmgr iddd_file:sock_file write;
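Review bot: The four added rules grant `camera_socket:dir` and `camera_socket:file`, but this commit's file_contexts hunk applies `camera_socket` only to `/data/misc/camera/cam_socket1` and `cam_socket2`, which are socket inodes (class `sock_file`), and no directory receives that label anywhere on this page; unless a directory is labelled `camera_socket` elsewhere, the `dir` rules match nothing and the `file` rules do not cover the sockets. The access the daemons actually need is more likely `allow cameraserver camera_socket:sock_file write;` and `allow mm-qcamerad camera_socket:sock_file create_file_perms;`, with `camera_data_file:dir` permissions for the parent directory (which cameraserver.te already partly grants). Since audit2allow-style output reports the real object class, it is worth re-checking the denials these were written against. The credmgr block that follows is pre-existing context.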
@@ -62,3 +67,98 @@ allow init socket_device:sock_file { create unlink setattr };
#============= taimport ==============
allow taimport ta_data_file:file unlink;
+
+#============= credmgr ==============
+allow credmgr ion_device:chr_file { ioctl open read };
+
+#============= init ==============
+allow init debugfs:file write;
+
+#============= qti_init_shell ==============
+allow qti_init_shell tad:unix_stream_socket connectto;
+allow qti_init_shell tad_socket:sock_file write;
+
+#============= scd ==============
+allow scd socket_device:dir { add_name write };
+allow scd socket_device:sock_file { create setattr };
+allow scd sysfs:file { getattr open read };
+
+#============= suntrold ==============
+allow suntrold ion_device:chr_file { ioctl open read };
+
+#============= tad ==============
+allow tad proc:file { open read };
+allow tad rootfs:file { entrypoint read };
+
+#============= taimport ==============
+allow taimport adbsecure_prop:property_service set;
+allow taimport init:unix_stream_socket connectto;
+allow taimport property_socket:sock_file write;
+
+#============= thermanager ==============
+allow thermanager sysfs:file { open read };
+
+#============= wv ==============
+allow wv ion_device:chr_file { ioctl open read };
+allow wv socket_device:sock_file write;
+allow wv suntrold:unix_stream_socket connectto;
+allow wv tad:unix_stream_socket connectto;
+allow wv tad_socket:sock_file write;
+allow wv tee_device:chr_file { ioctl open read write };
+
+
+
+
+
+#============= cameraserver ==============
+allow cameraserver ta_data_file:dir { getattr open read };
+allow cameraserver sudaemon:unix_dgram_socket sendto;
+allow cameraserver sudaemon:unix_stream_socket connectto;
+allow cameraserver mm-qcamerad:unix_stream_socket sendto;
+allow cameraserver mm-qcamerad:unix_stream_socket connectto;
+
+
+
+#============r credmgr ==============
+allow credmgr ion_device:chr_file { ioctl open read };
+
+#============= init ==============
+allow init debugfs:file write;
+
+#============= mm-qcamerad ==============
+allow mm-qcamerad system_file:file execmod;
+allow mm-qcamerad system_prop:property_service set;
+allow mm-qcamerad ta_data_file:dir { getattr open read };
+
+#============= qti_init_shell ==============
+allow qti_init_shell tad:unix_stream_socket connectto;
+allow qti_init_shell tad_socket:sock_file write;
+
+#============= scd ==============
+allow scd socket_device:dir { add_name write };
+allow scd socket_device:sock_file { create setattr };
+allow scd sysfs:file { getattr open read };
+
+#============= suntrold ==============
+allow suntrold ion_device:chr_file { ioctl open read };
+
+#============= tad ==============
+allow tad proc:file { open read };
+allow tad rootfs:file { entrypoint read };
+
+#============= taimport ==============
+allow taimport adbsecure_prop:property_service set;
+allow taimport init:unix_stream_socket connectto;
+allow taimport property_socket:sock_file write;
+
+#============= thermanager ==============
+allow thermanager sysfs:file { open read };
+
+#============= wv ==============
+allow wv ion_device:chr_file { ioctl open read };
+allow wv socket_device:sock_file write;
+allow wv suntrold:unix_stream_socket connectto;
+allow wv tad:unix_stream_socket connectto;
+allow wv tad_socket:sock_file write;
+allow wv tee_device:chr_file { ioctl open read write };
+
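Review bot: The second half of the hunk, from `#============r credmgr` to the final `wv` block, is a byte-for-byte repeat of the block added just above it — credmgr, init, qti_init_shell, scd, suntrold, tad, taimport, thermanager and wv each appear twice and the second credmgr header is misspelled; delete the duplicate and keep the `cameraserver` and `mm-qcamerad` sections. Among the genuinely new rules, `allow mm-qcamerad system_file:file execmod;` means the camera HAL relies on text relocations in system libraries (AOSP's domain.te forbids execmod for non-app domains via neverallow, if I recall correctly, so check the policy build), and `allow mm-qcamerad system_prop:property_service set;` lets the daemon set any `system_prop`-labelled property rather than a dedicated camera property type; both deserve a comment or a narrower rule. `allow taimport adbsecure_prop:property_service set;` presumably lets taimport set the adb-secure property, which controls adb authentication; if that is intentional because the value comes from the trim area, say so in a comment. `allow cameraserver mm-qcamerad:unix_stream_socket connectto;` duplicates cameraserver.te, and the four blank lines before the cameraserver header are surplus.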