-rw-r--r-- | rootdir/init.qcom.rc | 49 | ||||
-rw-r--r-- | sepolicy/cameraserver.te | 23 | ||||
-rw-r--r-- | sepolicy/file_contexts | 6 | ||||
-rw-r--r-- | sepolicy/idd.te | 42 | ||||
-rw-r--r-- | sepolicy/service_contexts | 63 | ||||
-rw-r--r-- | sepolicy/workarounds.te | 100 |
6 files changed, 275 insertions, 8 deletions
diff --git a/rootdir/init.qcom.rc b/rootdir/init.qcom.rc
index 4e8cf01..6b4af86 100644
--- a/rootdir/init.qcom.rc
+++ b/rootdir/init.qcom.rc
@@ -22,6 +22,7 @@ import /init.qcom.power.rc on early-init mount debugfs debugfs /sys/kernel/debug chown system system /sys/kernel/debug/kgsl/proc
+ echo 8 8 8 8 > /proc/sys/kernel/printk on init symlink /dev/block/platform/msm_sdcc.1 /dev/block/bootdevice
@@ -45,7 +46,7 @@ on init mkdir /dev/bus 0755 root root mkdir /dev/bus/usb 0755 root root
- mkdir /idd 0751 idd idd
+ mkdir /idd 0751 idd idd mkdir /rca 0750 idd idd wait /dev/block/mmcblk0p1
@@ -185,6 +186,22 @@ on boot chown system graphics /sys/class/graphics/fb1/hdcp/tp chmod 0664 /sys/devices/virtual/graphics/fb1/hdcp/tp
+ # PM8941 flash
+ chown cameraserver system /sys/class/misc/pm8941-flash/device/current1
+ chown cameraserver system /sys/class/misc/pm8941-flash/device/current2
+ chown cameraserver system /sys/class/misc/pm8941-flash/device/fault_status
+ chown cameraserver system /sys/class/misc/pm8941-flash/device/fine_current1
+ chown cameraserver system /sys/class/misc/pm8941-flash/device/fine_current2
+ chown cameraserver system /sys/class/misc/pm8941-flash/device/flash_timer
+ chown cameraserver system /sys/class/misc/pm8941-flash/device/mask_clamp_current
+ chown cameraserver system /sys/class/misc/pm8941-flash/device/mask_enable
+ chown cameraserver system /sys/class/misc/pm8941-flash/device/max_current
+ chown cameraserver system /sys/class/misc/pm8941-flash/device/mode
+ chown cameraserver system /sys/class/misc/pm8941-flash/device/startup_delay
+ chown cameraserver system /sys/class/misc/pm8941-flash/device/strobe
+ chown cameraserver system /sys/class/misc/pm8941-flash/device/vph_pwr_droop
+
+ # create symlink for fb1 as HDMI symlink /dev/graphics/fb1 /dev/graphics/hdmi
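Review bot: `echo 8 8 8 8 > /proc/sys/kernel/printk` in the first hunk is not an init-language command — init has no `echo` builtin and does not run commands through a shell, so the redirection is meaningless and the line is rejected by init's parser with no effect. The builtin for this is `write /proc/sys/kernel/printk "8 8 8 8"`. Note that `8 8 8 8` raises the console and default kernel log levels to their most verbose setting, which floods the serial console and exposes every kernel message; if it is a debugging aid it should be gated on a debuggable build or carry a comment saying so. The `mkdir /idd` change in the second hunk is whitespace only, and the pm8941-flash `chown cameraserver system` lines in the third hunk line up with the `sysfs_camera_torch` grants added in cameraserver.te.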
@@ -279,6 +296,10 @@ on post-fs # the insmod must be done before chargemon. insmod /system/lib/modules/mhl_sii8620_8061_drv.ko
+ # we will remap this as /mnt/sdcard with the sdcard fuse tool
+ mkdir /data/misc/camera 0770 camera camera
+ mkdir /data/misc/cameraserver 0700 cameraserver cameraserver
+ exec /system/bin/chargemon write /sys/class/power_supply/battery/shutdown_at_low_batt 1
@@ -384,7 +405,7 @@ on post-fs-data chmod 2770 /dev/socket/mpdecision # SONY: Create a dir on data partition not to be deleted during mr and wipedata
- mkdir /data/persist 0770 persist_rw persist_rw
+ mkdir /data/persist 0770 system system
 # SONY: Create dir for Widevine keybox mkdir /data/persist/wv 0700 system system
@@ -403,6 +424,14 @@ on post-fs-data chown media camera /sys/devices/sony_camera_1/info chmod 0770 /sys/devices/sony_camera_1/info
+ exec u:r:qti_init_shell:s0 -- /system/bin/rm -r /idd/lost+found
+ mkdir /idd/lost+found 0770 root root
+ mkdir /idd/output 0755 idd idd
+ mkdir /idd/socket 0711 idd idd
+ restorecon_recursive /idd
+ start wvkbd_installer
+
+ # SONY: Import MiscTA to System properties exec -- /system/bin/taimport property
@@ -528,10 +557,10 @@ service mpdecision /system/bin/mpdecision --avg_comp group system disabled
-service iddd /system/bin/iddd -v
+service iddd /system/bin/iddd class main user idd
- group idd log inet trimarea credmgr_client system
+ group idd log inet on property:gsm.nitz.time=* start scdnotifier_nitz
@@ -546,8 +575,8 @@ service suntrold /system/bin/suntrold # Start Credential manager daemon service credmgrd /system/bin/credmgrd user system
- group credmgr_client trimarea idd log inet drmpc
- socket credmgr stream 0777 system credmgr_client
+ group credmgr_client
+ socket credmgr stream 0660 system credmgr_client class main #doesn't exist on shinano. Keept for compat purpose
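Review bot: The comment `# we will remap this as /mnt/sdcard with the sdcard fuse tool` placed above the new `mkdir /data/misc/camera` and `mkdir /data/misc/cameraserver` lines reads as copied from a `/data/media` block and does not describe these directories; replace it with something like `# scratch dirs for mm-qcamera-daemon (camera) and cameraserver`. In the post-fs-data hunk, `exec u:r:qti_init_shell:s0 -- /system/bin/rm -r /idd/lost+found` recursively deletes and then recreates `lost+found` on every boot inside a directory owned by `idd`; if only the `0770 root root` mode is wanted, `mkdir` followed by `chmod`/`chown` achieves that without the recursive delete, and a comment should say why the directory is wiped at all. `mkdir /data/persist 0770 system system` swaps the dedicated `persist_rw` owner for `system`, widening who can write the parent of the Widevine keybox directory, so a one-line justification next to the `0700 system system` on `/data/persist/wv` would help the next reader. The `credmgr` socket going from `0777` to `0660` and the trimmed `iddd`/`credmgrd` group lists are welcome tightening.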
@@ -627,7 +656,8 @@ service irsc_util /system/bin/irsc_util "/etc/sec_config" service qcamerasvr /system/bin/mm-qcamera-daemon class late_start user camera
- group system inet input graphics camera credmgr_client
+ group camera system inet input graphics
+# group camera system inet input graphics credmgr_client cameraserver service sensors /system/bin/sensors.qcom class main
@@ -676,8 +706,11 @@ service audioserver /system/bin/audioserver service cameraserver /system/bin/cameraserver class main user cameraserver
- group audio camera drmrpc inet media mediadrm net_bt net_bt_admin net_bw_acct credmgr_client trimarea
+ group camera drmrpc inet media mediadrm net_bt net_bt_admin net_bw_acct credmgr_client trimarea system audio
+# group audio camera drmrpc inet media mediadrm net_bt net_bt_admin net_bw_acct credmgr_client ioprio rt 4
+# seclabel u:r:cameraserver:s0
+ writepid /dev/cpuset/foreground/tasks service drm /system/bin/drmserver
diff --git a/sepolicy/cameraserver.te b/sepolicy/cameraserver.te
new file mode 100644
index 0000000..7db63bf
--- /dev/null
+++ b/sepolicy/cameraserver.te
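Review bot: The `cameraserver` service now gets `system` and `audio` appended to its supplementary groups (second hunk) on top of `trimarea` and `credmgr_client`; `system` in particular makes every system-group-writable node reachable from the camera service, and the pm8941-flash nodes were already `chown`ed to `cameraserver` in the `on boot` hunk, so either drop the group or add a comment naming the node that still requires it. Two alternative `group` lines and `# seclabel u:r:cameraserver:s0` are left commented out inside the `qcamerasvr` and `cameraserver` definitions; remove them or collapse them into a single `# <option> removed because ...` note so the live configuration is unambiguous. `qcamerasvr` losing `credmgr_client` while `cameraserver` keeps it is presumably intentional but deserves a word in the commit message. The `service cameraserver` block continues past the end of the hunk.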
@@ -0,0 +1,23 @@
+allow cameraserver mm-qcamerad:unix_dgram_socket sendto;
+allow cameraserver mm-qcamerad:unix_stream_socket connectto;
+allow cameraserver camera_data_file:sock_file write;
+allow mm-qcamerad cameraserver:unix_dgram_socket sendto;
+allow mm-qcamerad cameraserver:unix_stream_socket connectto;
+allow mm-qcamerad camera_data_file:sock_file rw_file_perms;
+allow cameraserver gpu_device:chr_file rw_file_perms;
+allow cameraserver rootfs:lnk_file getattr;
+allow cameraserver sysfs_camera_torch:file rw_file_perms;
+allow cameraserver sysfs_camera_torch:dir search;
+allow cameraserver sysfs_camera_torch:lnk_file read;
+allow cameraserver ta_data_file:dir search;
+#allow cameraserver secd:unix_stream_socket connectto;
+#allow cameraserver secd_socket:sock_file write;
+
+allow cameraserver camera_data_file:unix_dgram_socket sendto;
+allow cameraserver camera_data_file:unix_stream_socket connectto;
+allow mm-qcamerad camera_data_file:unix_dgram_socket sendto;
+allow mm-qcamerad camera_data_file:unix_stream_socket connectto;
+
+allow mm-qcamerad ion_device:chr_file { ioctl open read };
+allow cameraserver ion_device:chr_file { ioctl open read };
+
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index 69b759b..07853c1 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -28,6 +28,12 @@ /data/credmgr(/.*) u:object_r:secd_data_file:s0 /system/bin/scd u:object_r:scd_exec:s0
+/data/scd u:object_r:scd_data:s0
+/data/scd(/.*) u:object_r:scd_data:s0 /system/bin/scdnotifier u:object_r:scd_exec:s0 /system/bin/wvkbd u:object_r:wv_exec:s0
+
+#cam_socket
+/data/misc/camera/cam_socket1 u:object_r:camera_socket:s0
+/data/misc/camera/cam_socket2 u:object_r:camera_socket:s0
diff --git a/sepolicy/idd.te b/sepolicy/idd.te
index a840e9b..7c8cf69 100644
--- a/sepolicy/idd.te
+++ b/sepolicy/idd.te
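Review bot: The camera IPC sockets end up under two labels: the file_contexts hunk relabels only `/data/misc/camera/cam_socket1` and `cam_socket2` to `camera_socket`, so any other socket created in `/data/misc/camera` keeps the directory's `camera_data_file` label, and this file grants `sock_file`/`unix_dgram_socket`/`unix_stream_socket` access on `camera_data_file` while the matching `camera_socket` rules sit in workarounds.te (the hunk at the top of that file). Consider one pattern entry, `/data/misc/camera/cam_socket[0-9]+ u:object_r:camera_socket:s0`, and keeping all socket rules for `cameraserver`/`mm-qcamerad` in this file so the IPC surface between the two domains can be read in one place. The two `#allow cameraserver secd…` lines should be deleted or carry a comment explaining why they are kept. `camera_socket` is not declared anywhere in this diff; if the core policy does not provide it, a `type camera_socket, file_type, data_file_type;` declaration is needed for the label to compile.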
@@ -17,8 +17,50 @@ init_daemon_domain(credmgr); type scd, domain; type scd_exec, exec_type, file_type;
+type scd_data, file_type;
 init_daemon_domain(scd) type wv,domain; type wv_exec, exec_type, file_type; init_daemon_domain(wv)
+
+
+#============= system_server ==============
+allow system_server credmgr_exec:dir search;
+allow system_server credmgr_exec:file { getattr open read };
+allow system_server iddd_exec:dir search;
+allow system_server iddd_exec:file { getattr open read };
+
+#============= iddd_exec ==============
+allow iddd_exec default_prop:file { getattr open read };
+allow iddd_exec device:dir search;
+allow iddd_exec devpts:chr_file { open read write };
+allow iddd_exec iddd_file:dir search;
+allow iddd_exec iddd_file:file { lock open read write };
+allow iddd_exec init:fd use;
+allow iddd_exec init:process sigchld;
+allow iddd_exec kernel:system module_request;
+allow iddd_exec log_tag_prop:file { getattr open read };
+allow iddd_exec logd:unix_dgram_socket sendto;
+allow iddd_exec logd_prop:file { getattr open read };
+allow iddd_exec logdw_socket:sock_file write;
+allow iddd_exec null_device:chr_file { read write };
+allow iddd_exec proc:lnk_file read;
+allow iddd_exec properties_device:dir getattr;
+allow iddd_exec properties_serial:file { getattr open read };
+allow iddd_exec property_contexts:file { getattr open read };
+allow iddd_exec ptmx_device:chr_file { ioctl open read write };
+allow iddd_exec rootfs:lnk_file { getattr read };
+allow iddd_exec self:dir { read search };
+allow iddd_exec self:file { execute execute_no_trans getattr open read };
+allow iddd_exec self:lnk_file read;
+allow iddd_exec self:process { fork sigchld };
+allow iddd_exec self:unix_dgram_socket { connect create write };
+allow iddd_exec self:unix_stream_socket read;
+allow iddd_exec sysfs:dir search;
+allow iddd_exec sysfs_devices_system_cpu:dir search;
+allow iddd_exec sysfs_devices_system_cpu:file { getattr open read };
+allow iddd_exec system_file:dir getattr;
+#allow iddd_exec system_file:file { entrypoint execute getattr open read };
+allow iddd_exec urandom_device:chr_file { getattr ioctl open read };
+
diff --git a/sepolicy/service_contexts b/sepolicy/service_contexts
new file mode 100644
index 0000000..d4a1246
--- /dev/null
+++ b/sepolicy/service_contexts
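Review bot: Every rule from `#============= iddd_exec` onward uses `iddd_exec` — by naming convention the `exec_type, file_type` label of the binary — as the subject, which suggests the daemon is running under its executable's label rather than a process domain; the `scd` and `wv` blocks just above use `type X, domain;` plus `init_daemon_domain(X)`, and iddd should follow the same shape (`type iddd, domain;` / `init_daemon_domain(iddd)`) with these allows rewritten against `iddd`, assuming no such domain is declared above the hunk. The list reads like unedited audit2allow output: `kernel:system module_request`, read/write on `devpts` and `ptmx_device`, and `self:file { execute execute_no_trans }` are broad grants that should be justified inline or dropped once the labeling is fixed, and the commented `#allow iddd_exec system_file:file { entrypoint ... }` should go. `type scd_data, file_type;` is used for `/data/scd` in file_contexts but lacks `data_file_type`, so the core rules keyed on that attribute (relabeling, init-created directories) will not cover it; suggest `type scd_data, file_type, data_file_type;`. No `allow scd scd_data:…` rule appears in this hunk, so the daemon may still be unable to use its own directory — hedged, since the rest of idd.te is outside the hunk.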
@@ -0,0 +1,63 @@
+#line 1 "system/sepolicy/service_contexts"
+#line 1 "out/target/product/leo/obj/ETC/sectxfile_nl_intermediates/sectxfile_nl"
+
+#line 1 "vendor/semc/system/sepolicy/Camera_Extension_API/1.1.0/service_contexts"
+media.cameraextension u:object_r:mediaserver_service:s0
+#line 1 "out/target/product/leo/obj/ETC/sectxfile_nl_intermediates/sectxfile_nl"
+
+#line 1 "vendor/semc/system/sepolicy/Crash_Handling/1_0_0/service_contexts"
+#crashmonitornative u:object_r:crashmonitor_service:s0
+#line 1 "out/target/product/leo/obj/ETC/sectxfile_nl_intermediates/sectxfile_nl"
+
+#line 1 "vendor/semc/system/sepolicy/Google_Analytics_Proxy/1.0.0/service_contexts"
+#platform_analytics u:object_r:platform_analytics_service:s0
+#line 1 "out/target/product/leo/obj/ETC/sectxfile_nl_intermediates/sectxfile_nl"
+
+#line 1 "vendor/semc/system/sepolicy/Image_Processor_API/1.1.0/service_contexts"
+media.cacao u:object_r:mediaserver_service:s0
+#line 1 "out/target/product/leo/obj/ETC/sectxfile_nl_intermediates/sectxfile_nl"
+
+#line 1 "vendor/semc/system/sepolicy/Power_Save/1.0.0/service_contexts"
+#xperiaappdepinfo u:object_r:xperiaappdepinfo_service:s0
+#xperia_power u:object_r:xperia_power_service:s0
+#stamina_qbd u:object_r:stamina_qbd_service:s0
+#line 1 "out/target/product/leo/obj/ETC/sectxfile_nl_intermediates/sectxfile_nl"
+
+#line 1 "vendor/semc/system/sepolicy/Touch/1.0.0/tfsw/service_contexts"
+#tfsw u:object_r:tfsw_service:s0
+#line 1 "out/target/product/leo/obj/ETC/sectxfile_nl_intermediates/sectxfile_nl"
+
+#line 1 "vendor/semc/system/sepolicy/WLAN_Miracast_sink/1.1.0/service_contexts"
+#WfdSinkService u:object_r:wfd_sink_exec_service:s0
+#line 1 "out/target/product/leo/obj/ETC/sectxfile_nl_intermediates/sectxfile_nl"
+
+#line 1 "device/somc/shinano/sepolicy/service_contexts"
+#overlay u:object_r:overlay_service:s0
+#line 1 "out/target/product/leo/obj/ETC/sectxfile_nl_intermediates/sectxfile_nl"
+
+#line 1 "device/qcom/sepolicy/common/service_contexts"
+#android.apps.IQfpService u:object_r:iqfp_service:s0
+#AtCmdFwd u:object_r:atfwd_service:s0
+#dpmservice u:object_r:dpmservice:s0
+#listen.service u:object_r:mediaserver_service:s0
+#cneservice u:object_r:cne_service:s0
+#gbahttpauth u:object_r:gba_auth_service:s0
+#vendor.qcom.PeripheralManager u:object_r:per_mgr_service:s0
+#com.qualcomm.qti.auth.fidocryptodaemon u:object_r:fidodaemon_service:s0
+#wbc_service u:object_r:wbc_service:s0
+#STAProxyService u:object_r:STAProxyService:s0
+#dun u:object_r:dun_service:s0
+#qti.ims.connectionmanagerservice u:object_r:imscm_service:s0
+#com.qti.snapdragon.sdk.display.IColorService u:object_r:color_service:s0
+#wfdservice u:object_r:wfdservice_service:s0
+#DigitalPen u:object_r:usf_service:s0
+#dts_eagle_service u:object_r:dtseagleservice_service:s0
+#wfd.native.mm.service u:object_r:wfdservice_service:s0
+#extphone u:object_r:radio_service:s0
+#com.qualcomm.location.izat.IzatService u:object_r:izat_service:s0
+#line 1 "out/target/product/leo/obj/ETC/sectxfile_nl_intermediates/sectxfile_nl"
+
+#line 1 "device/qcom/sepolicy/test/service_contexts"
+#com.qualcomm.qti.auth.securesampleauthdaemon u:object_r:fidotest_service:s0
+#line 1 "out/target/product/leo/obj/ETC/sectxfile_nl_intermediates/sectxfile_nl"
+
diff --git a/sepolicy/workarounds.te b/sepolicy/workarounds.te
index 1a776d3..52203d8 100644
--- a/sepolicy/workarounds.te
+++ b/sepolicy/workarounds.te
@@ -1,3 +1,8 @@
+allow cameraserver camera_socket:dir { search write add_name };
+allow cameraserver camera_socket:file { read write getattr open };
+allow mm-qcamerad camera_socket:dir { search write add_name };
+allow mm-qcamerad camera_socket:file { read write getattr open };
+ #============= credmgr ============== allow credmgr iddd:unix_dgram_socket sendto; allow credmgr iddd_file:sock_file write;
@@ -62,3 +67,98 @@ allow init socket_device:sock_file { create unlink setattr }; #============= taimport ============== allow taimport ta_data_file:file unlink;
+
+#============= credmgr ==============
+allow credmgr ion_device:chr_file { ioctl open read };
+
+#============= init ==============
+allow init debugfs:file write;
+
+#============= qti_init_shell ==============
+allow qti_init_shell tad:unix_stream_socket connectto;
+allow qti_init_shell tad_socket:sock_file write;
+
+#============= scd ==============
+allow scd socket_device:dir { add_name write };
+allow scd socket_device:sock_file { create setattr };
+allow scd sysfs:file { getattr open read };
+
+#============= suntrold ==============
+allow suntrold ion_device:chr_file { ioctl open read };
+
+#============= tad ==============
+allow tad proc:file { open read };
+allow tad rootfs:file { entrypoint read };
+
+#============= taimport ==============
+allow taimport adbsecure_prop:property_service set;
+allow taimport init:unix_stream_socket connectto;
+allow taimport property_socket:sock_file write;
+
+#============= thermanager ==============
+allow thermanager sysfs:file { open read };
+
+#============= wv ==============
+allow wv ion_device:chr_file { ioctl open read };
+allow wv socket_device:sock_file write;
+allow wv suntrold:unix_stream_socket connectto;
+allow wv tad:unix_stream_socket connectto;
+allow wv tad_socket:sock_file write;
+allow wv tee_device:chr_file { ioctl open read write };
+
+
+
+
+
+#============= cameraserver ==============
+allow cameraserver ta_data_file:dir { getattr open read };
+allow cameraserver sudaemon:unix_dgram_socket sendto;
+allow cameraserver sudaemon:unix_stream_socket connectto;
+allow cameraserver mm-qcamerad:unix_stream_socket sendto;
+allow cameraserver mm-qcamerad:unix_stream_socket connectto;
+
+
+#============r credmgr ==============
+allow credmgr ion_device:chr_file { ioctl open read };
+
+#============= init ==============
+allow init debugfs:file write;
+
+#============= mm-qcamerad ==============
+allow mm-qcamerad system_file:file execmod;
+allow mm-qcamerad system_prop:property_service set;
+allow mm-qcamerad ta_data_file:dir { getattr open read };
+
+#============= qti_init_shell ==============
+allow qti_init_shell tad:unix_stream_socket connectto;
+allow qti_init_shell tad_socket:sock_file write;
+
+#============= scd ==============
+allow scd socket_device:dir { add_name write };
+allow scd socket_device:sock_file { create setattr };
+allow scd sysfs:file { getattr open read };
+
+#============= suntrold ==============
+allow suntrold ion_device:chr_file { ioctl open read };
+
+#============= tad ==============
+allow tad proc:file { open read };
+allow tad rootfs:file { entrypoint read };
+
+#============= taimport ==============
+allow taimport adbsecure_prop:property_service set;
+allow taimport init:unix_stream_socket connectto;
+allow taimport property_socket:sock_file write;
+
+#============= thermanager ==============
+allow thermanager sysfs:file { open read };
+
+#============= wv ==============
+allow wv ion_device:chr_file { ioctl open read };
+allow wv socket_device:sock_file write;
+allow wv suntrold:unix_stream_socket connectto;
+allow wv tad:unix_stream_socket connectto;
+allow wv tad_socket:sock_file write;
+allow wv tee_device:chr_file { ioctl open read write };
+