authornailyk-fr <nailyk_git@nailyk.fr>2017-02-11 14:56:11 +0100
committernailyk-fr <nailyk_git@nailyk.fr>2017-02-21 20:15:18 +0100
commitbad9906576b3cc04e9f4c807321457ab240ae430 (patch)
treeb672c5e8853759ab7fc4be259b7e2a09f81199bb /sepolicy
parentb286cc9e9453297e668ce342e39bf48a1afd9f92 (diff)
shinano-common: Solve camera denials
Change-Id: I62e1e9b87e48b0f5d436ef44bb816eedf5328347 shinano-common: Solve camera services denials Change-Id: I36479598ada099da4949d999f7485b69ccd59c19
Diffstat (limited to 'sepolicy')
-rw-r--r--sepolicy/cameraserver.te23
-rw-r--r--sepolicy/file_contexts6
-rw-r--r--sepolicy/idd.te42
-rw-r--r--sepolicy/service_contexts63
-rw-r--r--sepolicy/workarounds.te100
5 files changed, 234 insertions, 0 deletions
diff --git a/sepolicy/cameraserver.te b/sepolicy/cameraserver.te
new file mode 100644
index 0000000..7db63bf
--- /dev/null
+++ b/sepolicy/cameraserver.te
@@ -0,0 +1,23 @@
+allow cameraserver mm-qcamerad:unix_dgram_socket sendto;
+allow cameraserver mm-qcamerad:unix_stream_socket connectto;
+allow cameraserver camera_data_file:sock_file write;
+allow mm-qcamerad cameraserver:unix_dgram_socket sendto;
+allow mm-qcamerad cameraserver:unix_stream_socket connectto;
+allow mm-qcamerad camera_data_file:sock_file rw_file_perms;
+allow cameraserver gpu_device:chr_file rw_file_perms;
+allow cameraserver rootfs:lnk_file getattr;
+allow cameraserver sysfs_camera_torch:file rw_file_perms;
+allow cameraserver sysfs_camera_torch:dir search;
+allow cameraserver sysfs_camera_torch:lnk_file read;
+allow cameraserver ta_data_file:dir search;
+#allow cameraserver secd:unix_stream_socket connectto;
+#allow cameraserver secd_socket:sock_file write;
+
+allow cameraserver camera_data_file:unix_dgram_socket sendto;
+allow cameraserver camera_data_file:unix_stream_socket connectto;
+allow mm-qcamerad camera_data_file:unix_dgram_socket sendto;
+allow mm-qcamerad camera_data_file:unix_stream_socket connectto;
+
+allow mm-qcamerad ion_device:chr_file { ioctl open read };
+allow cameraserver ion_device:chr_file { ioctl open read };
+
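Review bot: `allow mm-qcamerad camera_data_file:sock_file rw_file_perms;` grants far more than a socket node can use — the macro expands to open/read/write/append/ioctl/lock/getattr, while binding or connecting a unix socket only ever needs `create`, `write`, `setattr` and `unlink` on the sock_file; grant the permission the denial actually named, e.g. `allow mm-qcamerad camera_data_file:sock_file { create write setattr unlink };`. The same audit2allow pattern appears on `gpu_device:chr_file rw_file_perms` and `sysfs_camera_torch:file rw_file_perms`; a sysfs node is normally written by one controller only, so confirm cameraserver needs write on the torch node and not just read before keeping the wide macro. Several rules here are restated in workarounds.te in this same commit (the cameraserver/mm-qcamerad socket rules and the ion_device rules), so it is unclear which file owns cameraserver policy — keep each rule in one place. The commented-out `secd` rules should either be deleted or carry a comment explaining why they are not needed, otherwise they will be uncommented the next time a denial shows up.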
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index 69b759b..07853c1 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -28,6 +28,12 @@
/data/credmgr(/.*) u:object_r:secd_data_file:s0
/system/bin/scd u:object_r:scd_exec:s0
+/data/scd u:object_r:scd_data:s0
+/data/scd(/.*) u:object_r:scd_data:s0
/system/bin/scdnotifier u:object_r:scd_exec:s0
/system/bin/wvkbd u:object_r:wv_exec:s0
+
+#cam_socket
+/data/misc/camera/cam_socket1 u:object_r:camera_socket:s0
+/data/misc/camera/cam_socket2 u:object_r:camera_socket:s0
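Review bot: `/data/scd` is relabelled to the new `scd_data` type, but nothing in this commit lets any domain use it — idd.te only declares `type scd_data, file_type;` and there is no `allow scd scd_data:...` rule in workarounds.te — so once restorecon applies the label, scd loses whatever access it had under the directory's previous label (unless a rule outside this diff grants it). Add the access the daemon needs next to the declaration, e.g. `allow scd scd_data:dir create_dir_perms;` and `allow scd scd_data:file create_file_perms;`, and give the type the `data_file_type` attribute so it is handled like the other /data labels. The two path lines can be one entry, `/data/scd(/.*)? u:object_r:scd_data:s0`, which also matches the directory itself. Note that the two `cam_socket` entries only label a socket that already exists when restorecon runs; a socket mm-qcamerad creates at runtime inherits the parent directory's label (`camera_data_file`) unless a `type_transition` rule or a post-creation restorecon assigns `camera_socket`, so check that the label is actually applied on a booted device.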
diff --git a/sepolicy/idd.te b/sepolicy/idd.te
index a840e9b..7c8cf69 100644
--- a/sepolicy/idd.te
+++ b/sepolicy/idd.te
@@ -17,8 +17,50 @@ init_daemon_domain(credmgr);
type scd, domain;
type scd_exec, exec_type, file_type;
+type scd_data, file_type;
init_daemon_domain(scd)
type wv,domain;
type wv_exec, exec_type, file_type;
init_daemon_domain(wv)
+
+
+#============= system_server ==============
+allow system_server credmgr_exec:dir search;
+allow system_server credmgr_exec:file { getattr open read };
+allow system_server iddd_exec:dir search;
+allow system_server iddd_exec:file { getattr open read };
+
+#============= iddd_exec ==============
+allow iddd_exec default_prop:file { getattr open read };
+allow iddd_exec device:dir search;
+allow iddd_exec devpts:chr_file { open read write };
+allow iddd_exec iddd_file:dir search;
+allow iddd_exec iddd_file:file { lock open read write };
+allow iddd_exec init:fd use;
+allow iddd_exec init:process sigchld;
+allow iddd_exec kernel:system module_request;
+allow iddd_exec log_tag_prop:file { getattr open read };
+allow iddd_exec logd:unix_dgram_socket sendto;
+allow iddd_exec logd_prop:file { getattr open read };
+allow iddd_exec logdw_socket:sock_file write;
+allow iddd_exec null_device:chr_file { read write };
+allow iddd_exec proc:lnk_file read;
+allow iddd_exec properties_device:dir getattr;
+allow iddd_exec properties_serial:file { getattr open read };
+allow iddd_exec property_contexts:file { getattr open read };
+allow iddd_exec ptmx_device:chr_file { ioctl open read write };
+allow iddd_exec rootfs:lnk_file { getattr read };
+allow iddd_exec self:dir { read search };
+allow iddd_exec self:file { execute execute_no_trans getattr open read };
+allow iddd_exec self:lnk_file read;
+allow iddd_exec self:process { fork sigchld };
+allow iddd_exec self:unix_dgram_socket { connect create write };
+allow iddd_exec self:unix_stream_socket read;
+allow iddd_exec sysfs:dir search;
+allow iddd_exec sysfs_devices_system_cpu:dir search;
+allow iddd_exec sysfs_devices_system_cpu:file { getattr open read };
+allow iddd_exec system_file:dir getattr;
+#allow iddd_exec system_file:file { entrypoint execute getattr open read };
+allow iddd_exec urandom_device:chr_file { getattr ioctl open read };
+
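Review bot: The new `iddd_exec` block uses the daemon's executable label as the subject of process rules (`allow iddd_exec init:fd use;`, `allow iddd_exec self:process { fork sigchld };`, `allow iddd_exec self:file { execute execute_no_trans getattr open read };`), which only makes sense if iddd is running in the label of its own binary instead of a process domain — yet workarounds.te in this same commit already addresses a domain named `iddd` (`allow credmgr iddd:unix_dgram_socket sendto;`), so these rules either name the wrong type or turn an exec_type into a hand-built domain. Give the daemon a real domain the way scd and wv get one a few lines above — `type iddd, domain;` with `init_daemon_domain(iddd)` — and rewrite each rule with `iddd` as the subject; the `self:file { execute execute_no_trans ... }` line then becomes unnecessary because the transition handles executing `iddd_exec`. Keep the commented-out `system_file:file { entrypoint execute ... }` line out for good: an `entrypoint` on `system_file` would let any /system binary enter this domain. `allow system_server iddd_exec:file { getattr open read }` is also unusual for a binary; if it came from a stat() in the framework, `getattr` alone is likely enough — verify against the original denial.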
diff --git a/sepolicy/service_contexts b/sepolicy/service_contexts
new file mode 100644
index 0000000..d4a1246
--- /dev/null
+++ b/sepolicy/service_contexts
@@ -0,0 +1,63 @@
+#line 1 "system/sepolicy/service_contexts"
+#line 1 "out/target/product/leo/obj/ETC/sectxfile_nl_intermediates/sectxfile_nl"
+
+#line 1 "vendor/semc/system/sepolicy/Camera_Extension_API/1.1.0/service_contexts"
+media.cameraextension u:object_r:mediaserver_service:s0
+#line 1 "out/target/product/leo/obj/ETC/sectxfile_nl_intermediates/sectxfile_nl"
+
+#line 1 "vendor/semc/system/sepolicy/Crash_Handling/1_0_0/service_contexts"
+#crashmonitornative u:object_r:crashmonitor_service:s0
+#line 1 "out/target/product/leo/obj/ETC/sectxfile_nl_intermediates/sectxfile_nl"
+
+#line 1 "vendor/semc/system/sepolicy/Google_Analytics_Proxy/1.0.0/service_contexts"
+#platform_analytics u:object_r:platform_analytics_service:s0
+#line 1 "out/target/product/leo/obj/ETC/sectxfile_nl_intermediates/sectxfile_nl"
+
+#line 1 "vendor/semc/system/sepolicy/Image_Processor_API/1.1.0/service_contexts"
+media.cacao u:object_r:mediaserver_service:s0
+#line 1 "out/target/product/leo/obj/ETC/sectxfile_nl_intermediates/sectxfile_nl"
+
+#line 1 "vendor/semc/system/sepolicy/Power_Save/1.0.0/service_contexts"
+#xperiaappdepinfo u:object_r:xperiaappdepinfo_service:s0
+#xperia_power u:object_r:xperia_power_service:s0
+#stamina_qbd u:object_r:stamina_qbd_service:s0
+#line 1 "out/target/product/leo/obj/ETC/sectxfile_nl_intermediates/sectxfile_nl"
+
+#line 1 "vendor/semc/system/sepolicy/Touch/1.0.0/tfsw/service_contexts"
+#tfsw u:object_r:tfsw_service:s0
+#line 1 "out/target/product/leo/obj/ETC/sectxfile_nl_intermediates/sectxfile_nl"
+
+#line 1 "vendor/semc/system/sepolicy/WLAN_Miracast_sink/1.1.0/service_contexts"
+#WfdSinkService u:object_r:wfd_sink_exec_service:s0
+#line 1 "out/target/product/leo/obj/ETC/sectxfile_nl_intermediates/sectxfile_nl"
+
+#line 1 "device/somc/shinano/sepolicy/service_contexts"
+#overlay u:object_r:overlay_service:s0
+#line 1 "out/target/product/leo/obj/ETC/sectxfile_nl_intermediates/sectxfile_nl"
+
+#line 1 "device/qcom/sepolicy/common/service_contexts"
+#android.apps.IQfpService u:object_r:iqfp_service:s0
+#AtCmdFwd u:object_r:atfwd_service:s0
+#dpmservice u:object_r:dpmservice:s0
+#listen.service u:object_r:mediaserver_service:s0
+#cneservice u:object_r:cne_service:s0
+#gbahttpauth u:object_r:gba_auth_service:s0
+#vendor.qcom.PeripheralManager u:object_r:per_mgr_service:s0
+#com.qualcomm.qti.auth.fidocryptodaemon u:object_r:fidodaemon_service:s0
+#wbc_service u:object_r:wbc_service:s0
+#STAProxyService u:object_r:STAProxyService:s0
+#dun u:object_r:dun_service:s0
+#qti.ims.connectionmanagerservice u:object_r:imscm_service:s0
+#com.qti.snapdragon.sdk.display.IColorService u:object_r:color_service:s0
+#wfdservice u:object_r:wfdservice_service:s0
+#DigitalPen u:object_r:usf_service:s0
+#dts_eagle_service u:object_r:dtseagleservice_service:s0
+#wfd.native.mm.service u:object_r:wfdservice_service:s0
+#extphone u:object_r:radio_service:s0
+#com.qualcomm.location.izat.IzatService u:object_r:izat_service:s0
+#line 1 "out/target/product/leo/obj/ETC/sectxfile_nl_intermediates/sectxfile_nl"
+
+#line 1 "device/qcom/sepolicy/test/service_contexts"
+#com.qualcomm.qti.auth.securesampleauthdaemon u:object_r:fidotest_service:s0
+#line 1 "out/target/product/leo/obj/ETC/sectxfile_nl_intermediates/sectxfile_nl"
+
diff --git a/sepolicy/workarounds.te b/sepolicy/workarounds.te
index 1a776d3..52203d8 100644
--- a/sepolicy/workarounds.te
+++ b/sepolicy/workarounds.te
@@ -1,3 +1,8 @@
+allow cameraserver camera_socket:dir { search write add_name };
+allow cameraserver camera_socket:file { read write getattr open };
+allow mm-qcamerad camera_socket:dir { search write add_name };
+allow mm-qcamerad camera_socket:file { read write getattr open };
+
#============= credmgr ==============
allow credmgr iddd:unix_dgram_socket sendto;
allow credmgr iddd_file:sock_file write;
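Review bot: The four `camera_socket` rules are written for the `dir` and `file` classes, but file_contexts in this commit assigns `camera_socket` only to `/data/misc/camera/cam_socket1` and `cam_socket2`, which are unix socket nodes — the permissions that matter there are on `sock_file` (`create`, `write`, `setattr`, `unlink`), and the `search`/`write`/`add_name` directory permissions belong to the parent directory's label, `camera_data_file`, not to `camera_socket`. As written, a bind or connect on either socket is still denied and the `dir`/`file` grants never match anything. Nothing in this diff declares `type camera_socket, file_type;` either, and a file_contexts entry by itself does not label a socket the daemon creates at runtime — it inherits the directory's label unless a `type_transition mm-qcamerad camera_data_file:sock_file camera_socket;` (or a restorecon after creation) applies the new type. Either declare the type and add the transition plus the `sock_file` rules, or drop the new label and rely on the `camera_data_file:sock_file` rules in cameraserver.te, which already cover these paths.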
@@ -62,3 +67,98 @@ allow init socket_device:sock_file { create unlink setattr };
#============= taimport ==============
allow taimport ta_data_file:file unlink;
+
+#============= credmgr ==============
+allow credmgr ion_device:chr_file { ioctl open read };
+
+#============= init ==============
+allow init debugfs:file write;
+
+#============= qti_init_shell ==============
+allow qti_init_shell tad:unix_stream_socket connectto;
+allow qti_init_shell tad_socket:sock_file write;
+
+#============= scd ==============
+allow scd socket_device:dir { add_name write };
+allow scd socket_device:sock_file { create setattr };
+allow scd sysfs:file { getattr open read };
+
+#============= suntrold ==============
+allow suntrold ion_device:chr_file { ioctl open read };
+
+#============= tad ==============
+allow tad proc:file { open read };
+allow tad rootfs:file { entrypoint read };
+
+#============= taimport ==============
+allow taimport adbsecure_prop:property_service set;
+allow taimport init:unix_stream_socket connectto;
+allow taimport property_socket:sock_file write;
+
+#============= thermanager ==============
+allow thermanager sysfs:file { open read };
+
+#============= wv ==============
+allow wv ion_device:chr_file { ioctl open read };
+allow wv socket_device:sock_file write;
+allow wv suntrold:unix_stream_socket connectto;
+allow wv tad:unix_stream_socket connectto;
+allow wv tad_socket:sock_file write;
+allow wv tee_device:chr_file { ioctl open read write };
+
+
+
+
+
+#============= cameraserver ==============
+allow cameraserver ta_data_file:dir { getattr open read };
+allow cameraserver sudaemon:unix_dgram_socket sendto;
+allow cameraserver sudaemon:unix_stream_socket connectto;
+allow cameraserver mm-qcamerad:unix_stream_socket sendto;
+allow cameraserver mm-qcamerad:unix_stream_socket connectto;
+
+
+
+#============r credmgr ==============
+allow credmgr ion_device:chr_file { ioctl open read };
+
+#============= init ==============
+allow init debugfs:file write;
+
+#============= mm-qcamerad ==============
+allow mm-qcamerad system_file:file execmod;
+allow mm-qcamerad system_prop:property_service set;
+allow mm-qcamerad ta_data_file:dir { getattr open read };
+
+#============= qti_init_shell ==============
+allow qti_init_shell tad:unix_stream_socket connectto;
+allow qti_init_shell tad_socket:sock_file write;
+
+#============= scd ==============
+allow scd socket_device:dir { add_name write };
+allow scd socket_device:sock_file { create setattr };
+allow scd sysfs:file { getattr open read };
+
+#============= suntrold ==============
+allow suntrold ion_device:chr_file { ioctl open read };
+
+#============= tad ==============
+allow tad proc:file { open read };
+allow tad rootfs:file { entrypoint read };
+
+#============= taimport ==============
+allow taimport adbsecure_prop:property_service set;
+allow taimport init:unix_stream_socket connectto;
+allow taimport property_socket:sock_file write;
+
+#============= thermanager ==============
+allow thermanager sysfs:file { open read };
+
+#============= wv ==============
+allow wv ion_device:chr_file { ioctl open read };
+allow wv socket_device:sock_file write;
+allow wv suntrold:unix_stream_socket connectto;
+allow wv tad:unix_stream_socket connectto;
+allow wv tad_socket:sock_file write;
+allow wv tee_device:chr_file { ioctl open read write };
+