authornailyk-fr <nailyk_git@nailyk.fr>2017-02-12 13:31:17 +0100
committernailyk-fr <nailyk_git@nailyk.fr>2017-02-21 20:24:25 +0100
commit181043c8705f2f7576f1a1e21bafd7e14cde3f06 (patch)
tree79dd4d1b26ec6abe225c2a31c0ca321038973c79 /sepolicy
parent91b15b8584a12ebd8e321d32536ed8ced1e321d7 (diff)
shinano-common: sepolicies: Add camera related entries
Change-Id: Icfc6a998c6c5615351ed59111284858b9f27893c shinano-common: Rework credmgrd sepolicies Change-Id: Id922021b05ed0313b5cd7e506641632277a82105 shinano-common: Fix last camera denials Change-Id: Ibf96ebf0a136ffa40be85369896f57645c24157c
Diffstat (limited to 'sepolicy')
-rw-r--r--sepolicy/cameraserver_new.te18
-rw-r--r--sepolicy/cameraserver_old (renamed from sepolicy/cameraserver.te)5
-rw-r--r--sepolicy/credmgrd.te62
-rw-r--r--sepolicy/file_contexts20
-rw-r--r--sepolicy/idd.te43
-rw-r--r--sepolicy/workarounds.te149
-rw-r--r--sepolicy/workarounds_old232
7 files changed, 353 insertions, 176 deletions
diff --git a/sepolicy/cameraserver_new.te b/sepolicy/cameraserver_new.te
new file mode 100644
index 0000000..82196f2
--- /dev/null
+++ b/sepolicy/cameraserver_new.te
@@ -0,0 +1,18 @@
+
+
+allow mm-qcamerad camera_data_file:sock_file rw_file_perms;
+allow mm-qcamerad camera_data_file:unix_dgram_socket sendto;
+allow mm-qcamerad camera_data_file:unix_stream_socket connectto;
+allow mm-qcamerad system_prop:property_service set;
+
+allow cameraserver camera_data_file:unix_dgram_socket sendto;
+allow cameraserver camera_data_file:unix_stream_socket connectto;
+
+allow cameraserver ion_device:chr_file { ioctl open read };
+
+#============= cameraserver ==============
+allow cameraserver camera_device:chr_file { ioctl open read write };
+allow cameraserver mm-qcamerad:unix_stream_socket connectto;
+allow cameraserver credmgrd:unix_stream_socket connectto;
+allow cameraserver credmgrd_socket:sock_file write;
+
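Review bot: `allow mm-qcamerad system_prop:property_service set;` (fourth rule in the hunk) lets the vendor camera daemon set every property labelled `system_prop`, which on AOSP is the whole `sys.*` namespace shared with system_server, rather than the one property the denial was about. If a specific property is needed, give it its own type in property_contexts (e.g. `camera_prop` — constructed name) and allow `set` on that type only, with a comment naming the property. The rules that use `camera_data_file` as the target of `unix_dgram_socket`/`unix_stream_socket` (lines 3–5 and 8–9 of the file) read like audit2allow output; a file type as the peer of a socket class usually means the receiving socket did not carry the label that was intended, so it is worth confirming the socket is now labelled by its owning domain before keeping them. The file also opens with two blank lines and has no header saying which daemons and sockets it covers; a one-line `# cameraserver / mm-qcamerad: camera device, ion and credmgrd socket access` at the top would help.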
diff --git a/sepolicy/cameraserver.te b/sepolicy/cameraserver_old
index 7db63bf..2a27807 100644
--- a/sepolicy/cameraserver.te
+++ b/sepolicy/cameraserver_old
@@ -21,3 +21,8 @@ allow mm-qcamerad camera_data_file:unix_stream_socket connectto;
allow mm-qcamerad ion_device:chr_file { ioctl open read };
allow cameraserver ion_device:chr_file { ioctl open read };
+
+allow cameraserver secd_socket:unix_dgram_socket sendto;
+allow cameraserver secd_socket:unix_stream_socket connectto;
+allow mm-qcamerad secd_socket:unix_dgram_socket sendto;
+allow mm-qcamerad secd_socket:unix_stream_socket connectto;
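Review bot: The five `secd_socket` rules added here land in a file this commit has just renamed to `cameraserver_old`, and the standard Android sepolicy build only compiles `*.te` files from BOARD_SEPOLICY_DIRS, so none of them reach the built policy; the same applies to the 232-line `workarounds_old` added at the end of this commit. If the rules are still wanted they belong in `cameraserver_new.te`; if they are history, the rename and the `_old` copy should be dropped in favour of git history so that a reader does not mistake entries such as `allow credmgr self:capability dac_override` for live policy.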
diff --git a/sepolicy/credmgrd.te b/sepolicy/credmgrd.te
new file mode 100644
index 0000000..82c4929
--- /dev/null
+++ b/sepolicy/credmgrd.te
@@ -0,0 +1,62 @@
+#credmgrd define
+type credmgrd, domain;
+type credmgrd_exec, exec_type, file_type;
+type credmgrd_data_file, file_type;
+type credmgrd_socket, file_type;
+init_daemon_domain(credmgrd);
+
+#credmgrd self
+allow credmgrd self:socket create_socket_perms;
+allow credmgrd self:file rw_file_perms;
+allow credmgrd self:dir rw_file_perms;
+allow credmgrd self:fifo_file rw_file_perms;
+allow credmgrd credmgrd_data_file:file { getattr lock open read setattr write };
+allow credmgrd cache_file:dir { remove_name write };
+allow credmgrd credmgrd_data_file:dir { add_name open read remove_name write };
+allow credmgrd credmgrd_data_file:file { create unlink };
+
+
+#credmgdr tad
+allow credmgrd tad_block_device:blk_file { read write ioctl open };
+allow credmgrd tad_socket:unix_dgram_socket sendto;
+allow credmgrd tad_socket:unix_stream_socket connectto;
+allow credmgrd tad:unix_stream_socket connectto;
+allow credmgrd tad_socket:sock_file write;
+
+#credmgrd camera server
+allow credmgrd camera_socket:file { read write getattr open };
+allow credmgrd camera_socket:unix_stream_socket sendto;
+allow credmgrd camera_socket:unix_stream_socket connectto;
+
+#credmgrd mediaserver
+allow mediaserver credmgrd:unix_stream_socket connectto;
+
+#credmgrd mm-qcamera
+allow credmgrd mm-qcamerad:file { read write getattr open };
+allow credmgrd mm-qcamerad:unix_stream_socket sendto;
+allow credmgrd mm-qcamerad:unix_stream_socket connectto;
+
+#credmgrd qseecomd tee
+allow credmgrd tee_device:chr_file rw_file_perms;
+
+#credmgrd suntrold
+allow credmgrd suntrold_sock_socket:unix_dgram_socket sendto;
+allow credmgrd suntrold_sock_socket:unix_stream_socket connectto;
+allow credmgrd suntrold_sock_socket:sock_file write;
+allow credmgrd suntrold:unix_stream_socket connectto;
+
+#credmgrd iddd
+allow credmgrd iddd:unix_dgram_socket sendto;
+allow credmgrd iddd_file:dir search;
+allow credmgrd iddd_file:sock_file write;
+allow credmgrd iddd_file:unix_stream_socket connectto;
+allow credmgrd iddd_file:unix_dgram_socket sendto;
+
+
+#/mnt/idd is tmpfs
+allow credmgrd tmpfs:lnk_file read;
+
+#credmgrd ion
+allow credmgrd ion_device:chr_file { ioctl open read };
+
+
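Review bot: `allow credmgrd tad_block_device:blk_file { read write ioctl open };` gives the credential manager direct read/write on the raw partition this commit labels `tad_block_device` (`/dev/block/mmcblk0p1` in the file_contexts change), while the four rules right below it already let credmgrd reach `tad` over its socket; if tad mediates that partition, the block-device write should be dropped in favour of the socket path, and if direct access is really required a comment should say why. The three rules under `#credmgrd camera server` target `camera_socket`, but this commit's file_contexts change stops assigning that label to `/data/misc/camera/cam_socket*` and labels the directory `camera_data_file` instead, so they are dead as written and should target `camera_data_file` or be removed. Minor: `allow credmgrd self:dir rw_file_perms;` applies file permissions to the dir class where `rw_dir_perms` is the macro meant for it, and the header `#credmgdr tad` should read `#credmgrd tad`.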
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index 07853c1..22d0c1a 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -14,8 +14,8 @@
#iddd
/system/bin/iddd u:object_r:iddd_exec:s0
/idd(/.*)? u:object_r:iddd_file:s0
-
-/system/bin/credmgrd u:object_r:credmgr_exec:s0
+/mnt/idd u:object_r:iddd_file:s0
+/system/bin/idd-logreader u:object_r:iddd_exec:s0
# Taimport
/data/etc(/.*) u:object_r:ta_data_file:s0
@@ -24,8 +24,6 @@
/dev/socket/secd_credmgr_sock u:object_r:secd_socket:s0
/dev/socket/secd_devsec_sock u:object_r:secd_socket:s0
/dev/socket/secd_ebl_sock u:object_r:secd_socket:s0
-/data/credmgr u:object_r:secd_data_file:s0
-/data/credmgr(/.*) u:object_r:secd_data_file:s0
/system/bin/scd u:object_r:scd_exec:s0
/data/scd u:object_r:scd_data:s0
@@ -34,6 +32,16 @@
/system/bin/wvkbd u:object_r:wv_exec:s0
+
+
+###########
+#credmgrd
+/system/bin/credmgrd u:object_r:credmgrd_exec:s0
+/dev/socket/credmgr u:object_r:credmgrd_socket:s0
+/data/credmgr(/.*)? u:object_r:credmgrd_data_file:s0
+/cache/CredentialManagerData u:object_r:credmgrd_data_file:s0
+
+
#cam_socket
-/data/misc/camera/cam_socket1 u:object_r:camera_socket:s0
-/data/misc/camera/cam_socket2 u:object_r:camera_socket:s0
+/data/misc/camera(/.*) u:object_r:camera_data_file:s0
+/dev/block/mmcblk0p1 u:object_r:tad_block_device:s0
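Review bot: `/data/misc/camera(/.*) u:object_r:camera_data_file:s0` lacks the trailing `?` that the new `/data/credmgr(/.*)?` entry a few lines above uses, so the `/data/misc/camera` directory itself does not match this line and keeps whatever label another entry gives it; write `/data/misc/camera(/.*)? u:object_r:camera_data_file:s0` if the directory is meant to carry this label as well. `/dev/block/mmcblk0p1 u:object_r:tad_block_device:s0` sits under the `#cam_socket` heading and pins a raw partition index; a `by-name` path (placeholder — take the exact path from the device's init.rc or fstab) would survive partition renumbering, and the entry should get its own `#tad` heading.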
diff --git a/sepolicy/idd.te b/sepolicy/idd.te
index 7c8cf69..bb3ef03 100644
--- a/sepolicy/idd.te
+++ b/sepolicy/idd.te
@@ -7,6 +7,10 @@ allow iddd self:socket create_socket_perms;
allow iddd iddd_file:fifo_file rw_file_perms;
allow iddd iddd_file:file rw_file_perms;
allow iddd iddd_file:dir rw_file_perms;
+allow iddd iddd_file:dir { add_name remove_name search };
+allow iddd iddd_file:file { create rename unlink };
+allow iddd iddd_file:sock_file { create setattr unlink write };
+
type_transition iddd system_data_file:file iddd_file;
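Review bot: The first two added rules spell out permissions that the AOSP macros already name: together with the `rw_file_perms` on `iddd_file:dir` in the context line above, `{ add_name remove_name search }` amounts to `rw_dir_perms`, and `{ create rename unlink }` plus `rw_file_perms` on the file class is `create_file_perms` (which additionally grants `setattr`). `allow iddd iddd_file:dir rw_dir_perms;` and `allow iddd iddd_file:file create_file_perms;` would replace four lines with two and read as intent rather than as audit2allow output; the enclosing `iddd` section of the file continues outside the hunk.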
@@ -24,43 +28,16 @@ type wv,domain;
type wv_exec, exec_type, file_type;
init_daemon_domain(wv)
+#iddd logd
+allow iddd logd:unix_stream_socket connectto;
+allow iddd logdr_socket:sock_file write;
#============= system_server ==============
allow system_server credmgr_exec:dir search;
allow system_server credmgr_exec:file { getattr open read };
allow system_server iddd_exec:dir search;
allow system_server iddd_exec:file { getattr open read };
-
-#============= iddd_exec ==============
-allow iddd_exec default_prop:file { getattr open read };
-allow iddd_exec device:dir search;
-allow iddd_exec devpts:chr_file { open read write };
-allow iddd_exec iddd_file:dir search;
-allow iddd_exec iddd_file:file { lock open read write };
-allow iddd_exec init:fd use;
-allow iddd_exec init:process sigchld;
-allow iddd_exec kernel:system module_request;
-allow iddd_exec log_tag_prop:file { getattr open read };
-allow iddd_exec logd:unix_dgram_socket sendto;
-allow iddd_exec logd_prop:file { getattr open read };
-allow iddd_exec logdw_socket:sock_file write;
-allow iddd_exec null_device:chr_file { read write };
-allow iddd_exec proc:lnk_file read;
-allow iddd_exec properties_device:dir getattr;
-allow iddd_exec properties_serial:file { getattr open read };
-allow iddd_exec property_contexts:file { getattr open read };
-allow iddd_exec ptmx_device:chr_file { ioctl open read write };
-allow iddd_exec rootfs:lnk_file { getattr read };
-allow iddd_exec self:dir { read search };
-allow iddd_exec self:file { execute execute_no_trans getattr open read };
-allow iddd_exec self:lnk_file read;
-allow iddd_exec self:process { fork sigchld };
-allow iddd_exec self:unix_dgram_socket { connect create write };
-allow iddd_exec self:unix_stream_socket read;
-allow iddd_exec sysfs:dir search;
-allow iddd_exec sysfs_devices_system_cpu:dir search;
-allow iddd_exec sysfs_devices_system_cpu:file { getattr open read };
-allow iddd_exec system_file:dir getattr;
-#allow iddd_exec system_file:file { entrypoint execute getattr open read };
-allow iddd_exec urandom_device:chr_file { getattr ioctl open read };
+allow iddd tmpfs:lnk_file read;
+#============= iddd ==============
+allow iddd iddd_exec:file execute_no_trans;
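Review bot: The kept context lines `allow system_server credmgr_exec:dir search;` and `allow system_server credmgr_exec:file { getattr open read };` now reference a label that nothing carries: this commit's file_contexts change removes `/system/bin/credmgrd u:object_r:credmgr_exec:s0` and relabels the binary `credmgrd_exec`, so if system_server still needs to stat or read it the rules should name `credmgrd_exec`, and with the `credmgr` domain rules also removed from workarounds.te the old type can presumably go entirely. Removing the block that used `iddd_exec` as a subject is right (those look like denials from a process that had not transitioned out of its exec label), but the new `allow iddd iddd_exec:file execute_no_trans;` deserves a comment naming the re-exec that needs it, and the `#============= iddd ==============` header belongs above `allow iddd tmpfs:lnk_file read;` rather than between the two iddd rules.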
diff --git a/sepolicy/workarounds.te b/sepolicy/workarounds.te
index 52203d8..ded4c69 100644
--- a/sepolicy/workarounds.te
+++ b/sepolicy/workarounds.te
@@ -1,164 +1,39 @@
-allow cameraserver camera_socket:dir { search write add_name };
-allow cameraserver camera_socket:file { read write getattr open };
-allow mm-qcamerad camera_socket:dir { search write add_name };
-allow mm-qcamerad camera_socket:file { read write getattr open };
-
-#============= credmgr ==============
-allow credmgr iddd:unix_dgram_socket sendto;
-allow credmgr iddd_file:sock_file write;
-allow credmgr secd_data_file:file { write getattr setattr read lock open };
-allow credmgr self:capability dac_override;
-allow credmgr socket_device:sock_file write;
-allow credmgr suntrold:unix_stream_socket connectto;
-allow credmgr tad:unix_stream_socket connectto;
-allow credmgr tad_socket:sock_file write;
-allow credmgr tee_device:chr_file { read write open ioctl };
-
#============= iddd ==============
-allow iddd default_prop:property_service set;
-allow iddd iddd_file:dir { remove_name search add_name };
-allow iddd iddd_file:file { rename create };
-allow iddd init:unix_stream_socket connectto;
-allow iddd property_socket:sock_file write;
-allow iddd iddd_file:file unlink;
-allow iddd iddd_file:sock_file { write create unlink setattr };
-allow iddd logd:unix_stream_socket connectto;
-allow iddd logdr_socket:sock_file write;
-allow iddd self:netlink_socket { write bind create };
allow iddd system_file:file execute_no_trans;
-#============= mediaserver ==============
-allow mediaserver credmgr:unix_stream_socket connectto;
-allow mediaserver socket_device:sock_file write;
-
-#============= suntrold ==============
-allow suntrold self:capability dac_override;
-allow suntrold socket_device:dir add_name;
-allow suntrold socket_device:sock_file { create setattr };
-allow suntrold tad:unix_stream_socket connectto;
-allow suntrold tad_socket:sock_file write;
-allow suntrold tee_device:chr_file { read write ioctl open };
-
-#============= system_server ==============
-allow system_server ta_data_file:file { read open };
-
-#============= ta_qmi ==============
-allow ta_qmi self:capability { setuid setgid };
-
-#============= tad ==============
-allow tad block_device:blk_file { read write ioctl open };
-allow tad iddd:unix_dgram_socket sendto;
-allow tad iddd_file:sock_file write;
-
-#============= thermanager ==============
-allow thermanager sysfs_battery_supply:dir search;
-allow thermanager sysfs_battery_supply:file { read write open };
-
-
-
-
-#============= init ==============
-allow init block_device:blk_file setattr;
-allow init debugfs:dir mounton;
-allow init self:socket { read bind create write ioctl };
-allow init smem_log_device:chr_file { write ioctl };
-allow init socket_device:sock_file { create unlink setattr };
-
-#============= taimport ==============
-allow taimport ta_data_file:file unlink;
-
-
-#============= credmgr ==============
-allow credmgr ion_device:chr_file { ioctl open read };
-
#============= init ==============
allow init debugfs:file write;
+allow init tad_block_device:blk_file setattr;
#============= qti_init_shell ==============
+allow qti_init_shell iddd_file:dir { getattr open read remove_name rmdir write };
allow qti_init_shell tad:unix_stream_socket connectto;
allow qti_init_shell tad_socket:sock_file write;
+allow qti_init_shell toolbox_exec:file entrypoint;
-#============= scd ==============
-allow scd socket_device:dir { add_name write };
-allow scd socket_device:sock_file { create setattr };
-allow scd sysfs:file { getattr open read };
-
-#============= suntrold ==============
-allow suntrold ion_device:chr_file { ioctl open read };
-#============= tad ==============
-allow tad proc:file { open read };
-allow tad rootfs:file { entrypoint read };
-
-#============= taimport ==============
-allow taimport adbsecure_prop:property_service set;
-allow taimport init:unix_stream_socket connectto;
-allow taimport property_socket:sock_file write;
+#============= mm-qcamerad ==============
+allow mm-qcamerad camera_device:chr_file { ioctl open read write };
#============= thermanager ==============
allow thermanager sysfs:file { open read };
-
-#============= wv ==============
-allow wv ion_device:chr_file { ioctl open read };
-allow wv socket_device:sock_file write;
-allow wv suntrold:unix_stream_socket connectto;
-allow wv tad:unix_stream_socket connectto;
-allow wv tad_socket:sock_file write;
-allow wv tee_device:chr_file { ioctl open read write };
-
-
-
-
-
-#============= cameraserver ==============
-allow cameraserver ta_data_file:dir { getattr open read };
-allow cameraserver sudaemon:unix_dgram_socket sendto;
-allow cameraserver sudaemon:unix_stream_socket connectto;
-allow cameraserver mm-qcamerad:unix_stream_socket sendto;
-allow cameraserver mm-qcamerad:unix_stream_socket connectto;
-
-
-
-#============r credmgr ==============
-allow credmgr ion_device:chr_file { ioctl open read };
-
-#============= init ==============
-allow init debugfs:file write;
-
-#============= mm-qcamerad ==============
-allow mm-qcamerad system_file:file execmod;
-allow mm-qcamerad system_prop:property_service set;
-allow mm-qcamerad ta_data_file:dir { getattr open read };
-
-#============= qti_init_shell ==============
-allow qti_init_shell tad:unix_stream_socket connectto;
-allow qti_init_shell tad_socket:sock_file write;
+allow thermanager sysfs_battery_supply:dir search;
+allow thermanager sysfs_battery_supply:file { open read write };
#============= scd ==============
+allow scd scd_data:dir getattr;
+allow scd scd_data:file { getattr open read write };
allow scd socket_device:dir { add_name write };
allow scd socket_device:sock_file { create setattr };
allow scd sysfs:file { getattr open read };
-#============= suntrold ==============
-allow suntrold ion_device:chr_file { ioctl open read };
-
-#============= tad ==============
-allow tad proc:file { open read };
-allow tad rootfs:file { entrypoint read };
-
-#============= taimport ==============
-allow taimport adbsecure_prop:property_service set;
-allow taimport init:unix_stream_socket connectto;
-allow taimport property_socket:sock_file write;
-
-#============= thermanager ==============
-allow thermanager sysfs:file { open read };
-
#============= wv ==============
allow wv ion_device:chr_file { ioctl open read };
-allow wv socket_device:sock_file write;
allow wv suntrold:unix_stream_socket connectto;
+allow wv suntrold_sock_socket:sock_file write;
allow wv tad:unix_stream_socket connectto;
allow wv tad_socket:sock_file write;
allow wv tee_device:chr_file { ioctl open read write };
+#============= mediaserver ==============
+allow mediaserver sensorservice_service:service_manager find;
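Review bot: `allow qti_init_shell toolbox_exec:file entrypoint;` only has an effect together with a domain-transition rule that is not in this diff, and nothing records which init service or script produced the denial, so the next cleanup of this file has no way to tell whether it is still needed; a one-line comment such as `# <service name> runs a toolbox shell script in qti_init_shell` (name to be filled in) would fix that. `allow mm-qcamerad camera_device:chr_file { ioctl open read write };` belongs with the other mm-qcamerad rules in the `cameraserver_new.te` this commit adds rather than in a workarounds file, so the camera policy can be read in one place. Style: the `#============= init`, `#============= qti_init_shell` and `#============= mm-qcamerad` headers now directly follow the previous section's last rule with no blank line, unlike the rest of the file.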
diff --git a/sepolicy/workarounds_old b/sepolicy/workarounds_old
new file mode 100644
index 0000000..310c2f1
--- /dev/null
+++ b/sepolicy/workarounds_old
@@ -0,0 +1,232 @@
+
+allow cameraserver camera_socket:dir { search write add_name };
+allow cameraserver camera_socket:file { read write getattr open };
+allow mm-qcamerad camera_socket:dir { search write add_name };
+allow mm-qcamerad camera_socket:file { read write getattr open };
+
+
+#============= credmgr ==============
+allow credmgr iddd_file:dir search;
+allow credmgr tmpfs:lnk_file read;
+
+#============= iddd ==============
+allow iddd tmpfs:lnk_file read;
+
+#============= mm-qcamerad ==============
+allow mm-qcamerad devpts:chr_file { open read write };
+allow mm-qcamerad mm-qcamerad_exec:file execute_no_trans;
+
+#============= qti_init_shell ==============
+allow qti_init_shell iddd_file:dir { getattr open read remove_name rmdir write };
+allow qti_init_shell toolbox_exec:file entrypoint;
+
+#============= scd ==============
+allow scd scd_data:dir getattr;
+allow scd scd_data:file { getattr open read write };
+
+#============= tad ==============
+allow tad proc:file getattr;
+
+#============= vold ==============
+allow vold iddd_file:dir { ioctl open read };
+
+
+
+#============= credmgr ==============
+allow credmgr iddd:unix_dgram_socket sendto;
+allow credmgr iddd_file:sock_file write;
+allow credmgr secd_data_file:file { write getattr setattr read lock open };
+allow credmgr self:capability dac_override;
+allow credmgr socket_device:sock_file write;
+allow credmgr suntrold:unix_stream_socket connectto;
+allow credmgr tad:unix_stream_socket connectto;
+allow credmgr tad_socket:sock_file write;
+allow credmgr tee_device:chr_file { read write open ioctl };
+
+#============= iddd ==============
+allow iddd default_prop:property_service set;
+allow iddd iddd_file:dir { remove_name search add_name };
+allow iddd iddd_file:file { rename create };
+allow iddd init:unix_stream_socket connectto;
+allow iddd property_socket:sock_file write;
+allow iddd iddd_file:file unlink;
+allow iddd iddd_file:sock_file { write create unlink setattr };
+allow iddd logd:unix_stream_socket connectto;
+allow iddd logdr_socket:sock_file write;
+allow iddd self:netlink_socket { write bind create };
+allow iddd system_file:file execute_no_trans;
+
+#============= mediaserver ==============
+allow mediaserver credmgr:unix_stream_socket connectto;
+allow mediaserver socket_device:sock_file write;
+
+#============= suntrold ==============
+allow suntrold self:capability dac_override;
+allow suntrold socket_device:dir add_name;
+allow suntrold socket_device:sock_file { create setattr };
+allow suntrold tad:unix_stream_socket connectto;
+allow suntrold tad_socket:sock_file write;
+allow suntrold tee_device:chr_file { read write ioctl open };
+
+#============= system_server ==============
+allow system_server ta_data_file:file { read open };
+
+#============= ta_qmi ==============
+allow ta_qmi self:capability { setuid setgid };
+
+#============= tad ==============
+allow tad block_device:blk_file { read write ioctl open };
+allow tad iddd:unix_dgram_socket sendto;
+allow tad iddd_file:sock_file write;
+
+#============= thermanager ==============
+allow thermanager sysfs_battery_supply:dir search;
+allow thermanager sysfs_battery_supply:file { read write open };
+
+
+
+
+#============= init ==============
+allow init block_device:blk_file setattr;
+allow init debugfs:dir mounton;
+allow init self:socket { read bind create write ioctl };
+allow init smem_log_device:chr_file { write ioctl };
+allow init socket_device:sock_file { create unlink setattr };
+
+#============= taimport ==============
+allow taimport ta_data_file:file unlink;
+
+
+#============= credmgr ==============
+allow credmgr ion_device:chr_file { ioctl open read };
+
+#============= init ==============
+allow init debugfs:file write;
+
+#============= qti_init_shell ==============
+allow qti_init_shell tad:unix_stream_socket connectto;
+allow qti_init_shell tad_socket:sock_file write;
+
+#============= scd ==============
+allow scd socket_device:dir { add_name write };
+allow scd socket_device:sock_file { create setattr };
+allow scd sysfs:file { getattr open read };
+
+#============= suntrold ==============
+allow suntrold ion_device:chr_file { ioctl open read };
+
+#============= tad ==============
+allow tad proc:file { open read };
+allow tad rootfs:file { entrypoint read };
+
+#============= taimport ==============
+allow taimport adbsecure_prop:property_service set;
+allow taimport init:unix_stream_socket connectto;
+allow taimport property_socket:sock_file write;
+
+#============= thermanager ==============
+allow thermanager sysfs:file { open read };
+
+#============= wv ==============
+allow wv ion_device:chr_file { ioctl open read };
+allow wv socket_device:sock_file write;
+allow wv suntrold:unix_stream_socket connectto;
+allow wv tad:unix_stream_socket connectto;
+allow wv tad_socket:sock_file write;
+allow wv tee_device:chr_file { ioctl open read write };
+
+
+
+
+
+#============= cameraserver ==============
+allow cameraserver ta_data_file:dir { getattr open read };
+allow cameraserver sudaemon:unix_dgram_socket sendto;
+allow cameraserver sudaemon:unix_stream_socket connectto;
+allow cameraserver mm-qcamerad:unix_stream_socket sendto;
+allow cameraserver mm-qcamerad:unix_stream_socket connectto;
+
+
+
+#============r credmgr ==============
+allow credmgr ion_device:chr_file { ioctl open read };
+
+#============= init ==============
+allow init debugfs:file write;
+
+#============= mm-qcamerad ==============
+allow mm-qcamerad system_file:file execmod;
+allow mm-qcamerad system_prop:property_service set;
+allow mm-qcamerad ta_data_file:dir { getattr open read };
+
+#============= qti_init_shell ==============
+allow qti_init_shell tad:unix_stream_socket connectto;
+allow qti_init_shell tad_socket:sock_file write;
+
+#============= scd ==============
+allow scd socket_device:dir { add_name write };
+allow scd socket_device:sock_file { create setattr };
+allow scd sysfs:file { getattr open read };
+
+#============= suntrold ==============
+allow suntrold ion_device:chr_file { ioctl open read };
+
+#============= tad ==============
+allow tad proc:file { open read };
+allow tad rootfs:file { entrypoint read };
+
+#============= taimport ==============
+allow taimport adbsecure_prop:property_service set;
+allow taimport init:unix_stream_socket connectto;
+allow taimport property_socket:sock_file write;
+
+#============= thermanager ==============
+allow thermanager sysfs:file { open read };
+
+#============= wv ==============
+allow wv ion_device:chr_file { ioctl open read };
+allow wv socket_device:sock_file write;
+allow wv suntrold:unix_stream_socket connectto;
+allow wv tad:unix_stream_socket connectto;
+allow wv tad_socket:sock_file write;
+allow wv tee_device:chr_file { ioctl open read write };
+
+
+#============= mm-qcamerad_exec ==============
+allow mm-qcamerad_exec camera_data_file:dir { add_name remove_name search write };
+allow mm-qcamerad_exec camera_data_file:sock_file { create unlink };
+allow mm-qcamerad_exec debug_prop:file { getattr open read };
+allow mm-qcamerad_exec debugfs:dir search;
+allow mm-qcamerad_exec debugfs_trace_marker:file { open write };
+allow mm-qcamerad_exec debugfs_tracing:dir search;
+allow mm-qcamerad_exec default_prop:file { getattr open read };
+allow mm-qcamerad_exec device:dir search;
+allow mm-qcamerad_exec init:fd use;
+allow mm-qcamerad_exec init:process sigchld;
+allow mm-qcamerad_exec ion_device:chr_file { open read };
+allow mm-qcamerad_exec kernel:system module_request;
+allow mm-qcamerad_exec null_device:chr_file { read write };
+allow mm-qcamerad_exec proc:lnk_file read;
+allow mm-qcamerad_exec properties_device:dir { getattr search };
+allow mm-qcamerad_exec properties_serial:file { getattr open read };
+allow mm-qcamerad_exec property_contexts:file { getattr open read };
+allow mm-qcamerad_exec rootfs:lnk_file { getattr read };
+allow mm-qcamerad_exec self:dir { read search };
+allow mm-qcamerad_exec self:file { getattr open read };
+allow mm-qcamerad_exec self:lnk_file read;
+allow mm-qcamerad_exec self:process { fork setsched };
+allow mm-qcamerad_exec self:unix_dgram_socket { bind create read };
+allow mm-qcamerad_exec self:unix_stream_socket { bind connect create listen write };
+allow mm-qcamerad_exec sysfs:dir search;
+allow mm-qcamerad_exec sysfs_devices_system_cpu:dir search;
+allow mm-qcamerad_exec sysfs_devices_system_cpu:file { getattr open read };
+allow mm-qcamerad_exec system_data_file:dir search;
+allow mm-qcamerad_exec urandom_device:chr_file { getattr ioctl open read };
+allow mm-qcamerad_exec video_device:chr_file { ioctl open read write };
+
+
+#============= cameraserver ==============
+allow cameraserver mm-qcamerad_exec:unix_dgram_socket sendto;
+allow cameraserver credmgr:unix_stream_socket connectto;
+allow cameraserver secd_socket:sock_file write;
+