author | nailyk-fr <nailyk_git@nailyk.fr> | 2017-02-12 13:31:17 +0100 |
---|---|---|
committer | nailyk-fr <nailyk_git@nailyk.fr> | 2017-02-21 20:24:25 +0100 |
commit | 181043c8705f2f7576f1a1e21bafd7e14cde3f06 (patch) | |
tree | 79dd4d1b26ec6abe225c2a31c0ca321038973c79 /sepolicy | |
parent | 91b15b8584a12ebd8e321d32536ed8ced1e321d7 (diff) |
shinano-common: sepolicies: Add camera related entries
Change-Id: Icfc6a998c6c5615351ed59111284858b9f27893c
shinano-common: Rework credmgrd sepolicies
Change-Id: Id922021b05ed0313b5cd7e506641632277a82105
shinano-common: Fix last camera denials
Change-Id: Ibf96ebf0a136ffa40be85369896f57645c24157c
Diffstat (limited to 'sepolicy')
-rw-r--r-- | sepolicy/cameraserver_new.te | 18 | ||||
-rw-r--r-- | sepolicy/cameraserver_old (renamed from sepolicy/cameraserver.te) | 5 | ||||
-rw-r--r-- | sepolicy/credmgrd.te | 62 | ||||
-rw-r--r-- | sepolicy/file_contexts | 20 | ||||
-rw-r--r-- | sepolicy/idd.te | 43 | ||||
-rw-r--r-- | sepolicy/workarounds.te | 149 | ||||
-rw-r--r-- | sepolicy/workarounds_old | 232 |
7 files changed, 353 insertions, 176 deletions
diff --git a/sepolicy/cameraserver_new.te b/sepolicy/cameraserver_new.te
new file mode 100644
index 0000000..82196f2
--- /dev/null
+++ b/sepolicy/cameraserver_new.te
@@ -0,0 +1,18 @@
+
+
+allow mm-qcamerad camera_data_file:sock_file rw_file_perms;
+allow mm-qcamerad camera_data_file:unix_dgram_socket sendto;
+allow mm-qcamerad camera_data_file:unix_stream_socket connectto;
+allow mm-qcamerad system_prop:property_service set;
+
+allow cameraserver camera_data_file:unix_dgram_socket sendto;
+allow cameraserver camera_data_file:unix_stream_socket connectto;
+
+allow cameraserver ion_device:chr_file { ioctl open read };
+
+#============= cameraserver ==============
+allow cameraserver camera_device:chr_file { ioctl open read write };
+allow cameraserver mm-qcamerad:unix_stream_socket connectto;
+allow cameraserver credmgrd:unix_stream_socket connectto;
+allow cameraserver credmgrd_socket:sock_file write;
+
diff --git a/sepolicy/cameraserver.te b/sepolicy/cameraserver_old
index 7db63bf..2a27807 100644
--- a/sepolicy/cameraserver.te
+++ b/sepolicy/cameraserver_old
@@ -21,3 +21,8 @@ allow mm-qcamerad camera_data_file:unix_stream_socket connectto;
 allow mm-qcamerad ion_device:chr_file { ioctl open read };
 allow cameraserver ion_device:chr_file { ioctl open read };
+
+allow cameraserver secd_socket:unix_dgram_socket sendto;
+allow cameraserver secd_socket:unix_stream_socket connectto;
+allow mm-qcamerad secd_socket:unix_dgram_socket sendto;
+allow mm-qcamerad secd_socket:unix_stream_socket connectto;
diff --git a/sepolicy/credmgrd.te b/sepolicy/credmgrd.te
new file mode 100644
index 0000000..82c4929
--- /dev/null
+++ b/sepolicy/credmgrd.te
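Review bot: The `camera_data_file:unix_dgram_socket sendto` and `camera_data_file:unix_stream_socket connectto` rules name a file type as the target of a socket class; a connect or sendto on a unix socket is checked against the peer socket's label, which is the process domain that created it, while the sock_file type only governs the `sock_file write` check on the path, so these two rules are unlikely to match any real denial. The `cameraserver credmgrd:unix_stream_socket connectto` plus `credmgrd_socket:sock_file write` pair further down is the working shape; the same file-type-as-socket-peer pattern recurs in the `secd_socket` rules of the next hunk and in the `tad_socket`, `camera_socket`, `suntrold_sock_socket` and `iddd_file` socket rules of credmgrd.te. Separately, `allow mm-qcamerad system_prop:property_service set;` lets the camera daemon set every property labelled system_prop, far more than the single property the denial was presumably about; give that property its own type (or a narrower existing one) and name it in a comment. The sepolicy build picks up every `*.te` in this directory, so `cameraserver_new.te` is now the live file; a short header comment saying so, and that the `#=============` block is audit2allow output, would help the next reader.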
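Review bot: The four `secd_socket` rules are added to `cameraserver_old`, which the rename in this same hunk takes out of the policy build (only `*.te` files are compiled), so they grant nothing and will drift from the live `cameraserver_new.te` unnoticed. If the cameraserver and mm-qcamerad denials against `secd_socket` are real, the needed lines belong in `cameraserver_new.te`; if not, delete `cameraserver_old` outright, since git history already preserves the old rules. The target-type problem raised on the previous hunk applies here as well: `secd_socket` labels the `/dev/socket/secd_*` sock_files (file_contexts context in this diff), so the `unix_stream_socket connectto` and `unix_dgram_socket sendto` forms against it are unlikely to be what the denial asked for, and a `secd_socket:sock_file write` plus a `connectto` on the serving domain is the shape to check for.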
@@ -0,0 +1,62 @@
+#credmgrd define
+type credmgrd, domain;
+type credmgrd_exec, exec_type, file_type;
+type credmgrd_data_file, file_type;
+type credmgrd_socket, file_type;
+init_daemon_domain(credmgrd);
+
+#credmgrd self
+allow credmgrd self:socket create_socket_perms;
+allow credmgrd self:file rw_file_perms;
+allow credmgrd self:dir rw_file_perms;
+allow credmgrd self:fifo_file rw_file_perms;
+allow credmgrd credmgrd_data_file:file { getattr lock open read setattr write };
+allow credmgrd cache_file:dir { remove_name write };
+allow credmgrd credmgrd_data_file:dir { add_name open read remove_name write };
+allow credmgrd credmgrd_data_file:file { create unlink };
+
+
+#credmgdr tad
+allow credmgrd tad_block_device:blk_file { read write ioctl open };
+allow credmgrd tad_socket:unix_dgram_socket sendto;
+allow credmgrd tad_socket:unix_stream_socket connectto;
+allow credmgrd tad:unix_stream_socket connectto;
+allow credmgrd tad_socket:sock_file write;
+
+#credmgrd camera server
+allow credmgrd camera_socket:file { read write getattr open };
+allow credmgrd camera_socket:unix_stream_socket sendto;
+allow credmgrd camera_socket:unix_stream_socket connectto;
+
+#credmgrd mediaserver
+allow mediaserver credmgrd:unix_stream_socket connectto;
+
+#credmgrd mm-qcamera
+allow credmgrd mm-qcamerad:file { read write getattr open };
+allow credmgrd mm-qcamerad:unix_stream_socket sendto;
+allow credmgrd mm-qcamerad:unix_stream_socket connectto;
+
+#credmgrd qseecomd tee
+allow credmgrd tee_device:chr_file rw_file_perms;
+
+#credmgrd suntrold
+allow credmgrd suntrold_sock_socket:unix_dgram_socket sendto;
+allow credmgrd suntrold_sock_socket:unix_stream_socket connectto;
+allow credmgrd suntrold_sock_socket:sock_file write;
+allow credmgrd suntrold:unix_stream_socket connectto;
+
+#credmgrd iddd
+allow credmgrd iddd:unix_dgram_socket sendto;
+allow credmgrd iddd_file:dir search;
+allow credmgrd iddd_file:sock_file write;
+allow credmgrd iddd_file:unix_stream_socket connectto;
+allow credmgrd iddd_file:unix_dgram_socket sendto;
+
+
+#/mnt/idd is tmpfs
+allow credmgrd tmpfs:lnk_file read;
+
+#credmgrd ion
+allow credmgrd ion_device:chr_file { ioctl open read };
+
+
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index 07853c1..22d0c1a 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -14,8 +14,8 @@
 #iddd
 /system/bin/iddd u:object_r:iddd_exec:s0
 /idd(/.*)? u:object_r:iddd_file:s0
-
-/system/bin/credmgrd u:object_r:credmgr_exec:s0
+/mnt/idd u:object_r:iddd_file:s0
+/system/bin/idd-logreader u:object_r:iddd_exec:s0
 # Taimport
 /data/etc(/.*) u:object_r:ta_data_file:s0
@@ -24,8 +24,6 @@
 /dev/socket/secd_credmgr_sock u:object_r:secd_socket:s0
 /dev/socket/secd_devsec_sock u:object_r:secd_socket:s0
 /dev/socket/secd_ebl_sock u:object_r:secd_socket:s0
-/data/credmgr u:object_r:secd_data_file:s0
-/data/credmgr(/.*) u:object_r:secd_data_file:s0
 /system/bin/scd u:object_r:scd_exec:s0
 /data/scd u:object_r:scd_data:s0
@@ -34,6 +32,16 @@
 /system/bin/wvkbd u:object_r:wv_exec:s0
+
+
+###########
+#credmgrd
+/system/bin/credmgrd u:object_r:credmgrd_exec:s0
+/dev/socket/credmgr u:object_r:credmgrd_socket:s0
+/data/credmgr(/.*)? u:object_r:credmgrd_data_file:s0
+/cache/CredentialManagerData u:object_r:credmgrd_data_file:s0
+
+
 #cam_socket
-/data/misc/camera/cam_socket1 u:object_r:camera_socket:s0
-/data/misc/camera/cam_socket2 u:object_r:camera_socket:s0
+/data/misc/camera(/.*) u:object_r:camera_data_file:s0
+/dev/block/mmcblk0p1 u:object_r:tad_block_device:s0
diff --git a/sepolicy/idd.te b/sepolicy/idd.te
index 7c8cf69..bb3ef03 100644
--- a/sepolicy/idd.te
+++ b/sepolicy/idd.te
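Review bot: `allow credmgrd tad_block_device:blk_file { read write ioctl open };` gives the credential manager direct read/write on the raw partition that file_contexts in this commit labels `tad_block_device` (`/dev/block/mmcblk0p1`), on top of the `tad` and `tad_socket` rules a few lines below that already let it reach the same data through the TA daemon; unless a denial shows credmgrd opening the block device itself, drop the blk_file rule and keep the socket path, because raw partition write is exactly the kind of privilege an audit2allow pass should not be allowed to hand out by default. `allow credmgrd cache_file:dir { remove_name write };` lacks `add_name`, and there is no `type_transition credmgrd cache_file:file credmgrd_data_file;`, so if credmgrd has to create `/cache/CredentialManagerData` itself the create is denied, and a file it did manage to create would carry `cache_file` rather than the `credmgrd_data_file` label file_contexts assigns; confirm whether that file is pre-provisioned and, if not, add `add_name` and the transition. Minor: `init_daemon_domain(credmgrd);` carries a trailing `;` that the other macro invocation visible in this diff (`init_daemon_domain(wv)` in idd.te) does not; drop it for consistency.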
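Review bot: `/mnt/idd u:object_r:iddd_file:s0` labels only the mount point, and the commit's own `#/mnt/idd is tmpfs` comment in credmgrd.te says a tmpfs is mounted there; once it is mounted, everything under it carries the `tmpfs` type, which is why `tmpfs:lnk_file read` had to be granted to both credmgrd and iddd in this commit. If init performs that mount, a `context=u:object_r:iddd_file:s0` mount option would give the contents the intended label and let the two `tmpfs:lnk_file` rules go; if something else mounts it, a comment here saying that the entry is deliberately mountpoint-only would stop the next reader from "fixing" it to `/mnt/idd(/.*)?`.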
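Review bot: `/dev/block/mmcblk0p1 u:object_r:tad_block_device:s0` pins the partition by index, which breaks silently if the partition layout ever changes; vendor policies usually key such an entry on the `by-name` symlink, which ueventd's best-match lookup then applies to the node itself, e.g. `/dev/block/platform/<SOC_PATH>/by-name/<TA_PARTITION> u:object_r:tad_block_device:s0` with both placeholders taken from this device's fstab. Nothing in this diff declares `tad_block_device` (`type tad_block_device, dev_type;`) or grants `tad` any access to it, while workarounds.te drops the old `allow tad block_device:blk_file { read write ioctl open };`, so unless tad.te (not shown) covers both, either the build or tad's access to its own partition breaks. `/data/misc/camera(/.*)` lacks the trailing `?` that `/data/credmgr(/.*)?` above uses, so the directory itself is not matched; platform file_contexts already labels `/data/misc/camera(/.*)?` as `camera_data_file`, so this line is most likely redundant and can go.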
@@ -7,6 +7,10 @@ allow iddd self:socket create_socket_perms;
 allow iddd iddd_file:fifo_file rw_file_perms;
 allow iddd iddd_file:file rw_file_perms;
 allow iddd iddd_file:dir rw_file_perms;
+allow iddd iddd_file:dir { add_name remove_name search };
+allow iddd iddd_file:file { create rename unlink };
+allow iddd iddd_file:sock_file { create setattr unlink write };
+
 type_transition iddd system_data_file:file iddd_file;
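Review bot: The three added lines spell out permission sets that global_macros already names: `{ add_name remove_name search }` on top of the existing `iddd_file:dir rw_file_perms` line is `rw_dir_perms`, `{ create rename unlink }` on top of `iddd_file:file rw_file_perms` is `create_file_perms` (which also brings `setattr`), and the `sock_file` set is a subset of `create_file_perms` too. Using the macros keeps this block consistent with `create_socket_perms` on the line above and stops the one-rule-per-denial growth the file shows. A one-line comment above the block naming what iddd creates under `iddd_file` would also help, since the `type_transition iddd system_data_file:file iddd_file;` below suggests those files and sockets are created at runtime.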
@@ -24,43 +28,16 @@ type wv,domain;
 type wv_exec, exec_type, file_type;
 init_daemon_domain(wv)
+#iddd logd
+allow iddd logd:unix_stream_socket connectto;
+allow iddd logdr_socket:sock_file write;
 #============= system_server ==============
 allow system_server credmgr_exec:dir search;
 allow system_server credmgr_exec:file { getattr open read };
 allow system_server iddd_exec:dir search;
 allow system_server iddd_exec:file { getattr open read };
-
-#============= iddd_exec ==============
-allow iddd_exec default_prop:file { getattr open read };
-allow iddd_exec device:dir search;
-allow iddd_exec devpts:chr_file { open read write };
-allow iddd_exec iddd_file:dir search;
-allow iddd_exec iddd_file:file { lock open read write };
-allow iddd_exec init:fd use;
-allow iddd_exec init:process sigchld;
-allow iddd_exec kernel:system module_request;
-allow iddd_exec log_tag_prop:file { getattr open read };
-allow iddd_exec logd:unix_dgram_socket sendto;
-allow iddd_exec logd_prop:file { getattr open read };
-allow iddd_exec logdw_socket:sock_file write;
-allow iddd_exec null_device:chr_file { read write };
-allow iddd_exec proc:lnk_file read;
-allow iddd_exec properties_device:dir getattr;
-allow iddd_exec properties_serial:file { getattr open read };
-allow iddd_exec property_contexts:file { getattr open read };
-allow iddd_exec ptmx_device:chr_file { ioctl open read write };
-allow iddd_exec rootfs:lnk_file { getattr read };
-allow iddd_exec self:dir { read search };
-allow iddd_exec self:file { execute execute_no_trans getattr open read };
-allow iddd_exec self:lnk_file read;
-allow iddd_exec self:process { fork sigchld };
-allow iddd_exec self:unix_dgram_socket { connect create write };
-allow iddd_exec self:unix_stream_socket read;
-allow iddd_exec sysfs:dir search;
-allow iddd_exec sysfs_devices_system_cpu:dir search;
-allow iddd_exec sysfs_devices_system_cpu:file { getattr open read };
-allow iddd_exec system_file:dir getattr;
-#allow iddd_exec system_file:file { entrypoint execute getattr open read };
-allow iddd_exec urandom_device:chr_file { getattr ioctl open read };
+allow iddd tmpfs:lnk_file read;
+#============= iddd ==============
+allow iddd iddd_exec:file execute_no_trans;
diff --git a/sepolicy/workarounds.te b/sepolicy/workarounds.te
index 52203d8..ded4c69 100644
--- a/sepolicy/workarounds.te
+++ b/sepolicy/workarounds.te
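Review bot: `allow iddd iddd_exec:file execute_no_trans;` is added without a comment, and its reason is only discoverable from file_contexts, where this commit labels `/system/bin/idd-logreader` as `iddd_exec` so iddd can run it in its own domain; say so in place, e.g. `# iddd execs idd-logreader (also iddd_exec) without a domain transition`. The retained `allow system_server credmgr_exec:dir search;` and `allow system_server credmgr_exec:file { getattr open read };` context lines now reference a type nothing is labelled with, because file_contexts in this commit moves `/system/bin/credmgrd` to `credmgrd_exec`; port them to `credmgrd_exec` if system_server still needs them, otherwise remove them. The new `#iddd logd` block sits directly under `init_daemon_domain(wv)` inside what reads as the `wv` section; moving it up next to the other iddd rules would keep the file navigable. Removing the whole `iddd_exec`-as-subject block is the right call, since a file type can never be a process domain.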
@@ -1,164 +1,39 @@
-allow cameraserver camera_socket:dir { search write add_name };
-allow cameraserver camera_socket:file { read write getattr open };
-allow mm-qcamerad camera_socket:dir { search write add_name };
-allow mm-qcamerad camera_socket:file { read write getattr open };
-
-#============= credmgr ==============
-allow credmgr iddd:unix_dgram_socket sendto;
-allow credmgr iddd_file:sock_file write;
-allow credmgr secd_data_file:file { write getattr setattr read lock open };
-allow credmgr self:capability dac_override;
-allow credmgr socket_device:sock_file write;
-allow credmgr suntrold:unix_stream_socket connectto;
-allow credmgr tad:unix_stream_socket connectto;
-allow credmgr tad_socket:sock_file write;
-allow credmgr tee_device:chr_file { read write open ioctl };
-
 #============= iddd ==============
-allow iddd default_prop:property_service set;
-allow iddd iddd_file:dir { remove_name search add_name };
-allow iddd iddd_file:file { rename create };
-allow iddd init:unix_stream_socket connectto;
-allow iddd property_socket:sock_file write;
-allow iddd iddd_file:file unlink;
-allow iddd iddd_file:sock_file { write create unlink setattr };
-allow iddd logd:unix_stream_socket connectto;
-allow iddd logdr_socket:sock_file write;
-allow iddd self:netlink_socket { write bind create };
 allow iddd system_file:file execute_no_trans;
-#============= mediaserver ==============
-allow mediaserver credmgr:unix_stream_socket connectto;
-allow mediaserver socket_device:sock_file write;
-
-#============= suntrold ==============
-allow suntrold self:capability dac_override;
-allow suntrold socket_device:dir add_name;
-allow suntrold socket_device:sock_file { create setattr };
-allow suntrold tad:unix_stream_socket connectto;
-allow suntrold tad_socket:sock_file write;
-allow suntrold tee_device:chr_file { read write ioctl open };
-
-#============= system_server ==============
-allow system_server ta_data_file:file { read open };
-
-#============= ta_qmi ==============
-allow ta_qmi self:capability { setuid setgid };
-
-#============= tad ==============
-allow tad block_device:blk_file { read write ioctl open };
-allow tad iddd:unix_dgram_socket sendto;
-allow tad iddd_file:sock_file write;
-
-#============= thermanager ==============
-allow thermanager sysfs_battery_supply:dir search;
-allow thermanager sysfs_battery_supply:file { read write open };
-
-
-
-
-#============= init ==============
-allow init block_device:blk_file setattr;
-allow init debugfs:dir mounton;
-allow init self:socket { read bind create write ioctl };
-allow init smem_log_device:chr_file { write ioctl };
-allow init socket_device:sock_file { create unlink setattr };
-
-#============= taimport ==============
-allow taimport ta_data_file:file unlink;
-
-
-#============= credmgr ==============
-allow credmgr ion_device:chr_file { ioctl open read };
-
 #============= init ==============
 allow init debugfs:file write;
+allow init tad_block_device:blk_file setattr;
 #============= qti_init_shell ==============
+allow qti_init_shell iddd_file:dir { getattr open read remove_name rmdir write };
 allow qti_init_shell tad:unix_stream_socket connectto;
 allow qti_init_shell tad_socket:sock_file write;
+allow qti_init_shell toolbox_exec:file entrypoint;
-#============= scd ==============
-allow scd socket_device:dir { add_name write };
-allow scd socket_device:sock_file { create setattr };
-allow scd sysfs:file { getattr open read };
-
-#============= suntrold ==============
-allow suntrold ion_device:chr_file { ioctl open read };
-#============= tad ==============
-allow tad proc:file { open read };
-allow tad rootfs:file { entrypoint read };
-
-#============= taimport ==============
-allow taimport adbsecure_prop:property_service set;
-allow taimport init:unix_stream_socket connectto;
-allow taimport property_socket:sock_file write;
+#============= mm-qcamerad ==============
+allow mm-qcamerad camera_device:chr_file { ioctl open read write };
 #============= thermanager ==============
 allow thermanager sysfs:file { open read };
-
-#============= wv ==============
-allow wv ion_device:chr_file { ioctl open read };
-allow wv socket_device:sock_file write;
-allow wv suntrold:unix_stream_socket connectto;
-allow wv tad:unix_stream_socket connectto;
-allow wv tad_socket:sock_file write;
-allow wv tee_device:chr_file { ioctl open read write };
-
-
-
-
-
-#============= cameraserver ==============
-allow cameraserver ta_data_file:dir { getattr open read };
-allow cameraserver sudaemon:unix_dgram_socket sendto;
-allow cameraserver sudaemon:unix_stream_socket connectto;
-allow cameraserver mm-qcamerad:unix_stream_socket sendto;
-allow cameraserver mm-qcamerad:unix_stream_socket connectto;
-
-
-
-#============r credmgr ==============
-allow credmgr ion_device:chr_file { ioctl open read };
-
-#============= init ==============
-allow init debugfs:file write;
-
-#============= mm-qcamerad ==============
-allow mm-qcamerad system_file:file execmod;
-allow mm-qcamerad system_prop:property_service set;
-allow mm-qcamerad ta_data_file:dir { getattr open read };
-
-#============= qti_init_shell ==============
-allow qti_init_shell tad:unix_stream_socket connectto;
-allow qti_init_shell tad_socket:sock_file write;
+allow thermanager sysfs_battery_supply:dir search;
+allow thermanager sysfs_battery_supply:file { open read write };
 #============= scd ==============
+allow scd scd_data:dir getattr;
+allow scd scd_data:file { getattr open read write };
 allow scd socket_device:dir { add_name write };
 allow scd socket_device:sock_file { create setattr };
 allow scd sysfs:file { getattr open read };
-#============= suntrold ==============
-allow suntrold ion_device:chr_file { ioctl open read };
-
-#============= tad ==============
-allow tad proc:file { open read };
-allow tad rootfs:file { entrypoint read };
-
-#============= taimport ==============
-allow taimport adbsecure_prop:property_service set;
-allow taimport init:unix_stream_socket connectto;
-allow taimport property_socket:sock_file write;
-
-#============= thermanager ==============
-allow thermanager sysfs:file { open read };
-
 #============= wv ==============
 allow wv ion_device:chr_file { ioctl open read };
-allow wv socket_device:sock_file write;
 allow wv suntrold:unix_stream_socket connectto;
+allow wv suntrold_sock_socket:sock_file write;
 allow wv tad:unix_stream_socket connectto;
 allow wv tad_socket:sock_file write;
 allow wv tee_device:chr_file { ioctl open read write };
+#============= mediaserver ==============
+allow mediaserver sensorservice_service:service_manager find;
diff --git a/sepolicy/workarounds_old b/sepolicy/workarounds_old
new file mode 100644
index 0000000..310c2f1
--- /dev/null
+++ b/sepolicy/workarounds_old
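Review bot: The hunk removes `allow tad block_device:blk_file { read write ioctl open };` while file_contexts in this commit relabels `/dev/block/mmcblk0p1` to `tad_block_device`, and the only new rule on that type here is `allow init tad_block_device:blk_file setattr;`; unless tad.te (outside this diff) gains `allow tad tad_block_device:blk_file { read write ioctl open };`, tad loses the partition it presumably exists to serve, and the same applies to the credmgrd blk_file rule in credmgrd.te. `allow qti_init_shell toolbox_exec:file entrypoint;` means a process enters `qti_init_shell` with a toolbox binary as its entry point, which typically comes from an init.rc `exec` or service carrying that `seclabel` and running a toolbox command directly; record which one in a comment so the rule is not later mistaken for audit2allow noise. `allow mediaserver sensorservice_service:service_manager find;` is unrelated to the camera and credmgrd topics in the commit message and deserves a line there or a comment naming the client that needs it.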
@@ -0,0 +1,232 @@
+
+allow cameraserver camera_socket:dir { search write add_name };
+allow cameraserver camera_socket:file { read write getattr open };
+allow mm-qcamerad camera_socket:dir { search write add_name };
+allow mm-qcamerad camera_socket:file { read write getattr open };
+
+
+#============= credmgr ==============
+allow credmgr iddd_file:dir search;
+allow credmgr tmpfs:lnk_file read;
+
+#============= iddd ==============
+allow iddd tmpfs:lnk_file read;
+
+#============= mm-qcamerad ==============
+allow mm-qcamerad devpts:chr_file { open read write };
+allow mm-qcamerad mm-qcamerad_exec:file execute_no_trans;
+
+#============= qti_init_shell ==============
+allow qti_init_shell iddd_file:dir { getattr open read remove_name rmdir write };
+allow qti_init_shell toolbox_exec:file entrypoint;
+
+#============= scd ==============
+allow scd scd_data:dir getattr;
+allow scd scd_data:file { getattr open read write };
+
+#============= tad ==============
+allow tad proc:file getattr;
+
+#============= vold ==============
+allow vold iddd_file:dir { ioctl open read };
+
+
+
+#============= credmgr ==============
+allow credmgr iddd:unix_dgram_socket sendto;
+allow credmgr iddd_file:sock_file write;
+allow credmgr secd_data_file:file { write getattr setattr read lock open };
+allow credmgr self:capability dac_override;
+allow credmgr socket_device:sock_file write;
+allow credmgr suntrold:unix_stream_socket connectto;
+allow credmgr tad:unix_stream_socket connectto;
+allow credmgr tad_socket:sock_file write;
+allow credmgr tee_device:chr_file { read write open ioctl };
+
+#============= iddd ==============
+allow iddd default_prop:property_service set;
+allow iddd iddd_file:dir { remove_name search add_name };
+allow iddd iddd_file:file { rename create };
+allow iddd init:unix_stream_socket connectto;
+allow iddd property_socket:sock_file write;
+allow iddd iddd_file:file unlink;
+allow iddd iddd_file:sock_file { write create unlink setattr };
+allow iddd logd:unix_stream_socket connectto;
+allow iddd logdr_socket:sock_file write;
+allow iddd self:netlink_socket { write bind create };
+allow iddd system_file:file execute_no_trans;
+
+#============= mediaserver ==============
+allow mediaserver credmgr:unix_stream_socket connectto;
+allow mediaserver socket_device:sock_file write;
+
+#============= suntrold ==============
+allow suntrold self:capability dac_override;
+allow suntrold socket_device:dir add_name;
+allow suntrold socket_device:sock_file { create setattr };
+allow suntrold tad:unix_stream_socket connectto;
+allow suntrold tad_socket:sock_file write;
+allow suntrold tee_device:chr_file { read write ioctl open };
+
+#============= system_server ==============
+allow system_server ta_data_file:file { read open };
+
+#============= ta_qmi ==============
+allow ta_qmi self:capability { setuid setgid };
+
+#============= tad ==============
+allow tad block_device:blk_file { read write ioctl open };
+allow tad iddd:unix_dgram_socket sendto;
+allow tad iddd_file:sock_file write;
+
+#============= thermanager ==============
+allow thermanager sysfs_battery_supply:dir search;
+allow thermanager sysfs_battery_supply:file { read write open };
+
+
+
+
+#============= init ==============
+allow init block_device:blk_file setattr;
+allow init debugfs:dir mounton;
+allow init self:socket { read bind create write ioctl };
+allow init smem_log_device:chr_file { write ioctl };
+allow init socket_device:sock_file { create unlink setattr };
+
+#============= taimport ==============
+allow taimport ta_data_file:file unlink;
+
+
+#============= credmgr ==============
+allow credmgr ion_device:chr_file { ioctl open read };
+
+#============= init ==============
+allow init debugfs:file write;
+
+#============= qti_init_shell ==============
+allow qti_init_shell tad:unix_stream_socket connectto;
+allow qti_init_shell tad_socket:sock_file write;
+
+#============= scd ==============
+allow scd socket_device:dir { add_name write };
+allow scd socket_device:sock_file { create setattr };
+allow scd sysfs:file { getattr open read };
+
+#============= suntrold ==============
+allow suntrold ion_device:chr_file { ioctl open read };
+
+#============= tad ==============
+allow tad proc:file { open read };
+allow tad rootfs:file { entrypoint read };
+
+#============= taimport ==============
+allow taimport adbsecure_prop:property_service set;
+allow taimport init:unix_stream_socket connectto;
+allow taimport property_socket:sock_file write;
+
+#============= thermanager ==============
+allow thermanager sysfs:file { open read };
+
+#============= wv ==============
+allow wv ion_device:chr_file { ioctl open read };
+allow wv socket_device:sock_file write;
+allow wv suntrold:unix_stream_socket connectto;
+allow wv tad:unix_stream_socket connectto;
+allow wv tad_socket:sock_file write;
+allow wv tee_device:chr_file { ioctl open read write };
+
+
+
+
+
+#============= cameraserver ==============
+allow cameraserver ta_data_file:dir { getattr open read };
+allow cameraserver sudaemon:unix_dgram_socket sendto;
+allow cameraserver sudaemon:unix_stream_socket connectto;
+allow cameraserver mm-qcamerad:unix_stream_socket sendto;
+allow cameraserver mm-qcamerad:unix_stream_socket connectto;
+
+
+
+#============r credmgr ==============
+allow credmgr ion_device:chr_file { ioctl open read };
+
+#============= init ==============
+allow init debugfs:file write;
+
+#============= mm-qcamerad ==============
+allow mm-qcamerad system_file:file execmod;
+allow mm-qcamerad system_prop:property_service set;
+allow mm-qcamerad ta_data_file:dir { getattr open read };
+
+#============= qti_init_shell ==============
+allow qti_init_shell tad:unix_stream_socket connectto;
+allow qti_init_shell tad_socket:sock_file write;
+
+#============= scd ==============
+allow scd socket_device:dir { add_name write };
+allow scd socket_device:sock_file { create setattr };
+allow scd sysfs:file { getattr open read };
+
+#============= suntrold ==============
+allow suntrold ion_device:chr_file { ioctl open read };
+
+#============= tad ==============
+allow tad proc:file { open read };
+allow tad rootfs:file { entrypoint read };
+
+#============= taimport ==============
+allow taimport adbsecure_prop:property_service set;
+allow taimport init:unix_stream_socket connectto;
+allow taimport property_socket:sock_file write;
+
+#============= thermanager ==============
+allow thermanager sysfs:file { open read };
+
+#============= wv ==============
+allow wv ion_device:chr_file { ioctl open read };
+allow wv socket_device:sock_file write;
+allow wv suntrold:unix_stream_socket connectto;
+allow wv tad:unix_stream_socket connectto;
+allow wv tad_socket:sock_file write;
+allow wv tee_device:chr_file { ioctl open read write };
+
+
+#============= mm-qcamerad_exec ==============
+allow mm-qcamerad_exec camera_data_file:dir { add_name remove_name search write };
+allow mm-qcamerad_exec camera_data_file:sock_file { create unlink };
+allow mm-qcamerad_exec debug_prop:file { getattr open read };
+allow mm-qcamerad_exec debugfs:dir search;
+allow mm-qcamerad_exec debugfs_trace_marker:file { open write };
+allow mm-qcamerad_exec debugfs_tracing:dir search;
+allow mm-qcamerad_exec default_prop:file { getattr open read };
+allow mm-qcamerad_exec device:dir search;
+allow mm-qcamerad_exec init:fd use;
+allow mm-qcamerad_exec init:process sigchld;
+allow mm-qcamerad_exec ion_device:chr_file { open read };
+allow mm-qcamerad_exec kernel:system module_request;
+allow mm-qcamerad_exec null_device:chr_file { read write };
+allow mm-qcamerad_exec proc:lnk_file read;
+allow mm-qcamerad_exec properties_device:dir { getattr search };
+allow mm-qcamerad_exec properties_serial:file { getattr open read };
+allow mm-qcamerad_exec property_contexts:file { getattr open read };
+allow mm-qcamerad_exec rootfs:lnk_file { getattr read };
+allow mm-qcamerad_exec self:dir { read search };
+allow mm-qcamerad_exec self:file { getattr open read };
+allow mm-qcamerad_exec self:lnk_file read;
+allow mm-qcamerad_exec self:process { fork setsched };
+allow mm-qcamerad_exec self:unix_dgram_socket { bind create read };
+allow mm-qcamerad_exec self:unix_stream_socket { bind connect create listen write };
+allow mm-qcamerad_exec sysfs:dir search;
+allow mm-qcamerad_exec sysfs_devices_system_cpu:dir search;
+allow mm-qcamerad_exec sysfs_devices_system_cpu:file { getattr open read };
+allow mm-qcamerad_exec system_data_file:dir search;
+allow mm-qcamerad_exec urandom_device:chr_file { getattr ioctl open read };
+allow mm-qcamerad_exec video_device:chr_file { ioctl open read write };
+
+
+#============= cameraserver ==============
+allow cameraserver mm-qcamerad_exec:unix_dgram_socket sendto;
+allow cameraserver credmgr:unix_stream_socket connectto;
+allow cameraserver secd_socket:sock_file write;
+
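Review bot: `workarounds_old` is 232 lines of audit2allow output committed as a new file that the build never compiles (no `.te` suffix), carrying rules the live policy deliberately dropped, among them `allow credmgr self:capability dac_override;`, `allow suntrold self:capability dac_override;`, `allow mm-qcamerad system_file:file execmod;` and the whole `mm-qcamerad_exec` block, which uses a file type as the subject; a reader skimming the sepolicy directory will take these for policy, and a later rename to `.te` would re-enable them wholesale. Git history already preserves the previous workarounds.te, so delete this file rather than archive it; if parts are still an open TODO, keep only those lines in workarounds.te under a `# not yet triaged` comment. The `#============r credmgr ==============` header also carries the typo over from the old file.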