path: root/sepolicy
Age | Commit message | Author
2019-10-25 | shinano: sepolicy: move rw_dir_file definition to msm8974 | SpiritCroc
Change-Id: Ife08e9c41024331ca190ff6612ae8be5764a4ceb
2019-10-07 | Remove duplicate sepolicy definition | SpiritCroc
Already defined in device/aicp/sepolicy
2019-10-07 | shinano: sepolicy: Allow WIFI service to read the FW files. | Alexander Diewald
... The policy file was missing from commit https://github.com/omnirom/android_device_sony_shinano-common/commit/c9d825a67a3074f100a9c8486a1acdedccdbbb78 Change-Id: I530e10c1a4e41d718cf2f80f3fb91e07579c63b5 Signed-off-by: Alexander Diewald <Diewi@diewald-net.com>
2019-10-07 | shinano: sepolicy: label the dumpstate service. | Alexander Diewald
Change-Id: Id6dd04a1c7c5fa5ce6d0158ace578c614c0e1639 Signed-off-by: Alexander Diewald <Diewi@diewald-net.com>
2019-10-07 | shinano: sepolicy: Fix UIM denials. | Alexander Diewald
* Grant access to qseecomd. * Grant access to bluetooth properties. Change-Id: Iacd41d8c313e1137c66e76da2ee2c4db7b3f4883 Signed-off-by: Alexander Diewald <Diewi@diewald-net.com>
2019-10-07 | shinano: sepolicy: Allow mlog_qmi to access its own socket. | Alexander Diewald
I mlog_qmi_servic: type=1400 audit(0.0:37): avc: denied { create } for scontext=u:r:mlog_qmi:s0 tcontext=u:r:mlog_qmi:s0 tclass=socket permissive=1 Change-Id: Ic659f526a436afd4509dea0a3780aa38f78b4875 Signed-off-by: Alexander Diewald <Diewi@diewald-net.com>
2019-10-07 | shinano: Allow init to access qseecom. | Alexander Diewald
Change-Id: I553837282f0a785162b7799b65a3a6b2d406599f Signed-off-by: Alexander Diewald <Diewi@diewald-net.com>
2019-10-07 | shinano: sepolicy: Fix wifi related denials. | Alexander Diewald
* Label FW path (for the communication with the kernel). * Allow the HAL (Treble) service to read the FW files. Change-Id: I50c43882bf1837e87cc4609de74caf4ed7aa78c5 Signed-off-by: Alexander Diewald <Diewi@diewald-net.com>
2019-10-07 | shinano: init: Adjust vendor service path. | Alexander Diewald
* In order to be compliant with the proprietary file locations, adjust the path to the binaries in the init files. The blob binaries have been moved from "/system/bin" to "/system/vendor/bin" * The idea behind the move is to profit from qcom's sepolicy file labelling. Change-Id: I78b96730638258ffd54640f7951ceebc7f503fc4 Signed-off-by: Alexander Diewald <Diewi@diewald-net.com>
2019-10-07 | shinano: Resolve mlog_qmi related denials. | Alexander Diewald
* Create socket perms for the own socket. * Allow access to qseecom. Change-Id: Ifbd5f08f1d9bbbadc3ba94ad79d1e8f7f5286635 Signed-off-by: Alexander Diewald <Diewi@diewald-net.com>
2019-10-07 | shinano: Define SEpolicy for adsprpcd. | Alexander Diewald
* Define the ioctls and grant access to the socket. * Allow access to qseecom socket. * Label adsprpcd service appropriately. Change-Id: I4a0ccd322b16c30e7f10dccc1278ed17507d56e2 Signed-off-by: Alexander Diewald <Diewi@diewald-net.com>
2019-10-07 | shinano: Allow reading the BT firmware. | Alexander Diewald
Change-Id: Ie7d708e2457928de0fe2e75054bda0dc3d66afa6 Signed-off-by: Alexander Diewald <Diewi@diewald-net.com>
2019-10-07 | shinano-common: sepolicy: Allow self mlog socket | nailyk-fr
Change-Id: Ia33c2b403922198847da9773c0cf1c02e2c62597
2019-10-07 | SEPolicy: Add ioctl whitelist for UIM. | Alexander Diewald
Adds a list of ioctls, which are emitted by the UIM service. This service sets up the Broadcom BT/FM driver. Change-Id: Ib37674796a5e2d677a4bb3f596110f906f290b74 Signed-off-by: Alexander Diewald <Diewi@diewald-net.com>
2019-10-07 | shinano: Import hci attach.te | Max Weffers
Change-Id: Ie6d0fdba3a2c06e5d2852a41c0c84ca1f65f7b07
2019-10-07 | shinano-common: sepolicy: Remove ioctl refs | nailyk-fr
* A new way exists for ioctl management. Remove all old refs. Change-Id: I52f9c0e8f115ea26e22a93566c24cbd8a7b3a58f
2019-10-07 | shinano: sepolicy: remove vibration dev type | Max Weffers
Change-Id: I413e7dc177b0f47742c9ac4ab032cc61a490d573
2019-10-07 | shinano-common: move common sepolicy to msm8974-common | Nikhil Punathil
Change-Id: I270a673ac8c13dd192799e2513ec377919653458 Signed-off-by: Nikhil Punathil <nikhilpe@gmail.com>
2019-10-07 | shinano-common: sepolicy: Allow credmgrd to create files in cache | Arian
2019-10-07 | shinano-common: Drop sudaemon sepolicy | Arian
2017-08-04 | shinano: Rework In Device Diagnostics sepolicy | Keita Espinoza
- Fix symlinking and reading denials for iddd and credmgrd Change-Id: I786301f2cb4f2aaa76e8f5b96a036ada0563463b
2017-07-24 | shinano: Address rild denial from .291 blobs | Keita Espinoza
avc denied {read} for name="u:object_r:ta_prop:s0" dev="tmpfs" ino=7216 scontext=u:r:rild:s0 tcontext=u:object_r:ta_prop:s0 tclass=file permissive=0 avc denied {open} for name="u:object_r:ta_prop:s0" dev="tmpfs" ino=7212 scontext=u:r:rild:s0 tcontext=u:object_r:ta_prop:s0 tclass=file permissive=0 avc: denied {getattr} for pid=403 comm="rild" path="/dev/__properties__/ u:object_r:ta_prop:s0" dev="tmpfs" ino=9225 scontext=u:r:rild:s0 tcontext=u:object_r:ta_prop:s0 tclass=file permissive=0 Change-Id: I4fa966bfe7fdb97fe3123e0915f74f7843534979
2017-07-21 | shinano-common: fix selinux denial in credmgrd | Steven Lay
Fixes the denial: avc: denied { append } for pid=327 comm="credmgrfirstboo" name= "credmgr.log" dev="mmcblk0p24" ino=12 scontext=u:r:credmgrd:s0 tcontext=u:object_r:cache_file:s0 tclass=file permissive=0 Also fixes issue with camera not working on first boot on aries. Change-Id: I726ff6a30745929f01f62d8504e0e0621e414ad7
2017-06-28 | shinano: Address TFA amp sepolicy denial | xkeita
Change-Id: I6e93799b92a66b514da186b249155795408b2e08
2017-05-10 | shinano-common: spolicy: Add priv_app rights | nailyk-fr
* The auto backup at 3 AM fails because of missing permissions. Change-Id: I8db1471e7a7dd1426ebbf3a5269b35d30d215e75
2017-05-10 | shinano-common: sepolicy: Rework credmgr init | nailyk-fr
* Credmgrdinit script had some mistakes. Adjust policies according to the new changes. Change-Id: I6e865f756225a1d8decdbc1833123dced27e75de
2017-05-10 | shinano-common: sepolicy: Solve encryption | nailyk-fr
Change-Id: I078576ec339adcf935b47034f6c5faed429339f5
2017-05-01 | shinano-common: sepolicy: Reorganise policies | nailyk-fr
* No policies added or removed, only moved between files to improve SELinux management. Change-Id: Ifa7cb9ce84f75c99f2d96dd0a71ced26f2580ba9
2017-04-21 | sepolicy: fix more scd denials | tunturn
Change-Id: I1bdee42245e2cbf22ff030e0879064880ba90c0c
2017-04-05 | shinano-common: fix more selinux denials | DerfElot
from logcat: 04-03 22:02:59.074 W/Thread-8(4352): type=1400 audit(0.0:7): avc: denied { unlink } for name="log" dev="mmcblk0p24" ino=6403 scontext=u:r:system_server:s0 tcontext=u:object_r:unlabeled:s0 tclass=file permissive=0 04-03 22:02:59.074 W/Thread-8(4352): type=1400 audit(0.0:8): avc: denied { unlink } for name=".version" dev="mmcblk0p24" ino=6404 scontext=u:r:system_server:s0 tcontext=u:object_r:unlabeled:s0 tclass=file permissive=0 04-03 22:02:59.074 W/Thread-8(4352): type=1400 audit(0.0:9): avc: denied { unlink } for name="recovery.fstab" dev="mmcblk0p24" ino=6405 scontext=u:r:system_server:s0 tcontext=u:object_r:unlabeled:s0 tclass=file permissive=0 04-03 22:02:59.074 W/Thread-8(4352): type=1400 audit(0.0:10): avc: denied { unlink } for name="storage.fstab" dev="mmcblk0p24" ino=6406 scontext=u:r:system_server:s0 tcontext=u:object_r:unlabeled:s0 tclass=file permissive=0 04-03 22:02:59.074 W/Thread-8(4352): type=1400 audit(0.0:11): avc: denied { unlink } for name="intent" dev="mmcblk0p24" ino=6408 scontext=u:r:system_server:s0 tcontext=u:object_r:unlabeled:s0 tclass=file permissive=0 04-03 21:05:50.971 E/SELinux (317): avc: denied { find } for service=account pid=7644 uid=0 scontext=u:r:sudaemon:s0 tcontext=u:object_r:account_service:s0 tclass=service_manager permissive=1 04-03 21:05:50.973 E/SELinux (317): avc: denied { find } for service=user pid=7644 uid=0 scontext=u:r:sudaemon:s0 tcontext=u:object_r:user_service:s0 tclass=service_manager permissive=1 04-03 21:05:50.973 E/SELinux (317): avc: denied { find } for service=package pid=7644 uid=0 scontext=u:r:sudaemon:s0 tcontext=u:object_r:package_service:s0 tclass=service_manager permissive=1 Change-Id: If600b150dd004a5f7fb5336b1ab6b76e2a6ec5b3
2017-04-05 | shinano-common: fix several selinux denials | DerfElot
when it is set to enforced (from logcat and dmesg): 04-01 22:29:40.566 W/macaddrsetup(362): type=1400 audit(0.0:302): avc: denied { dac_override } for capability=1 scontext=u:r:addrsetup:s0 tcontext=u:r:addrsetup:s0 tclass=capability permissive=0 04-01 22:31:46.119 W/credmgrd(333): type=1400 audit(0.0:380): avc: denied { search } for name="suntory" dev="tmpfs" ino=6960 scontext=u:r:credmgrd:s0 tcontext=u:object_r:suntrold_sock_socket:s0 tclass=dir permissive=0 04-01 22:31:46.123 W/credmgrd(333): type=1400 audit(0.0:381): avc: denied { search } for name="/" dev="tmpfs" ino=7367 scontext=u:r:credmgrd:s0 tcontext=u:object_r:tmpfs:s0 tclass=dir permissive=0 04-01 22:31:41.186 W/iddd (12977): type=1400 audit(0.0:378): avc: denied { search } for name="/" dev="tmpfs" ino=7367 scontext=u:r:iddd:s0 tcontext=u:object_r:tmpfs:s0 tclass=dir permissive=0 04-01 22:31:46.249 W/scd (13064): type=1400 audit(0.0:382): avc: denied { getattr } for path="/dev/socket/scd/scd.sock" dev="tmpfs" ino=9384 scontext=u:r:scd:s0 tcontext=u:object_r:socket_device:s0 tclass=sock_file permissive=0 04-02 01:54:06.328 W/scd (7200): type=1400 audit(0.0:47): avc: denied { remove_name } for name="scd.sock" dev="tmpfs" ino=8437 scontext=u:r:scd:s0 tcontext=u:object_r:socket_device:s0 tclass=dir permissive=0 04-02 02:36:47.050 W/scd (6544): type=1400 audit(0.0:53): avc: denied { unlink } for name="scd.sock" dev="tmpfs" ino=8369 scontext=u:r:scd:s0 tcontext=u:object_r:socket_device:s0 tclass=sock_file permissive=0 04-02 03:09:36.677 W/scd (7902): type=1400 audit(0.0:72): avc: denied { search } for name="scd" dev="mmcblk0p25" ino=382769 scontext=u:r:scd:s0 tcontext=u:object_r:scd_data:s0 tclass=dir permissive=0 04-02 03:42:10.207 W/excal:HalCtrl(6497): type=1400 audit(0.0:16): avc: denied { write } for name="current1" dev="sysfs" ino=19887 scontext=u:r:mediaserver:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0 [ 29.029135] type=1400 audit(7343886.976:11): avc: denied { search } for pid=365 
comm="mm-qcamera-daem" name="etc" dev="mmcblk0p25" ino=716673 scontext=u:r:mm-qcamerad:s0 tcontext=u:object_r:ta_data_file:s0 tclass=dir permissive=0 [ 27.905847] type=1400 audit(7343885.850:6): avc: denied { search } for pid=254 comm="wvkbd" name="suntory" dev="tmpfs" ino=7537 scontext=u:r:wv:s0 tcontext=u:object_r:suntrold_sock_socket:s0 tclass=dir permissive=0 04-02 13:20:48.566 W/excal:ExposureC(7212): type=1400 audit(0.0:18): avc: denied { search } for name="battery" dev="sysfs" ino=18957 scontext=u:r:mediaserver:s0 tcontext=u:object_r:sysfs_battery_supply:s0 tclass=dir permissive=0 04-02 14:03:30.945 W/excal:ExposureC(6244): type=1400 audit(0.0:14): avc: denied { read } for name="voltage_now" dev="sysfs" ino=18973 scontext=u:r:mediaserver:s0 tcontext=u:object_r:sysfs_battery_supply:s0 tclass=file permissive=0 04-02 14:35:55.034 W/excal:ExposureC(6197): type=1400 audit(0.0:17): avc: denied { open } for name="voltage_now" dev="sysfs" ino=18870 scontext=u:r:mediaserver:s0 tcontext=u:object_r:sysfs_battery_supply:s0 tclass=file permissive=0 04-02 15:05:29.858 W/excal:ExposureC(5947): type=1400 audit(0.0:15): avc: denied { getattr } for path="/sys/devices/qpnp-charger-14/power_supply/battery/technology" dev="sysfs" ino=18969 scontext=u:r:mediaserver:s0 tcontext=u:object_r:sysfs_battery_supply:s0 tclass=file permissive=0 04-02 17:38:33.610 W/Binder:5021_3(5299): type=1400 audit(0.0:11): avc: denied { read } for name="/" dev="tmpfs" ino=6614 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:device:s0 tclass=dir permissive=0 04-02 18:27:24.996 W/Binder:5251_1(5266): type=1400 audit(0.0:13): avc: denied { open } for name="/" dev="tmpfs" ino=7203 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:device:s0 tclass=dir permissive=0 Change-Id: Ifbc5ef57cadea4d3f35d52dce23c1b56966bd981
2017-03-27 | shinano-common: sepolicies: Solve camera related denials | nailyk-fr
Change-Id: I542625f5be637dbad4a40498eca69bfec0fe8ab1
2017-03-27 | shinano-common: sepolicies: Remove obsoletes files | nailyk-fr
Change-Id: If833437e19f05e24a448caec9c7e569d34ba6c82
2017-03-27 | shinano-common: vendor: Camera init | nailyk-fr
Change-Id: I0b85560bb56beee0d21751fe55587c2de4b8ff00
2017-03-27 | Delete unneeded file context for secd | Max Weffers
2017-03-27 | sepolicy: avoid macaddrsetup denials | Max Weffers
Change-Id: I0e726ca654ac6758569b6c754461872dcc9e60c0
2017-03-27 | Remove uneeded sepolicy lines | Max Weffers
2017-03-27 | Build and use macaddrsetup | Chirayu Desai
Change-Id: I6f81296829673f66bcb27f444945b9bddd54929c This fixes random MAC address at boot
2017-03-14 | sepolicy: changes for bluetooth denials | tunturn
Change-Id: I2ca85cd2c555b74f8de63c05e1e6dd2cc292dac9
2017-03-14 | sepolicy: update contexts | tunturn
Change-Id: Ie6504c205fa9fbe54803331f5f40c765ace1a1e8
2017-03-14 | Fix bluetooth SE denials | Nickolay Semendyaev
Change-Id: Ife9e06092421bffc0b77ef38b68df3196938f788
2017-03-09 | shinano-common: Add ril stuffs | nailyk-fr
Change-Id: Idc6306fc79c34969fbb84dab87c42d4305169037
2017-02-21 | shinano-common: sepolicies: Add camera related entries | nailyk-fr
Change-Id: Icfc6a998c6c5615351ed59111284858b9f27893c shinano-common: Rework credmgrd sepolicies Change-Id: Id922021b05ed0313b5cd7e506641632277a82105 shinano-common: Fix last camera denials Change-Id: Ibf96ebf0a136ffa40be85369896f57645c24157c
2017-02-21 | shinano-common: Solve camera denials | nailyk-fr
Change-Id: I62e1e9b87e48b0f5d436ef44bb816eedf5328347 shinano-common: Solve camera services denials Change-Id: I36479598ada099da4949d999f7485b69ccd59c19
2017-02-21 | shinano-common: Adjust idd perms | nailyk-fr
Change-Id: If920b5e5265aca89020bd000904d586cd879cc85
2017-02-21 | shinano-common: sepolicies: Rework for new vendors | nailyk-fr
Change-Id: Id559336a2e89951c1c17f7e9bce5b0c23ce162b9
2017-02-21 | shinano-common: sepolicies: Add idd policy context | nailyk-fr
Change-Id: I38050b1701c4bf3ee3929c17a1e8dad849b9e815
2017-01-30 | SELinux: Fix errors from mlog_qmi daemon | Julien Bolard
[ 975.964842] type=1400 audit(1446642899.043:386): avc: denied { net_bind_service } for pid=9887 comm=mlog_qmi_servic capability=10 scontext=u:r:mlog_qmi:s0 tcontext=u:r:mlog_qmi:s0 tclass=capability permissive=0 [ 980.851345] type=1400 audit(1446642903.923:387): avc: denied { net_raw } for pid=9916 comm=mlog_qmi_servic capability=13 scontext=u:r:mlog_qmi:s0 tcontext=u:r:mlog_qmi:s0 tclass=capability permissive=0 Signed-off-by: Humberto Borba <humberos@gmail.com> Signed-off-by: Julien Bolard <jbolard@genymobile.com> Change-Id: If7e31433325dd607877bd5110a8936024584ff28
2015-03-07 | sepolicy: modifications for CmHardwareService | David Viteri
Change-Id: I7e5db804524dca6cb3da52d3997525911dac66f7
2015-02-02 | Add SELinux policy for the TFA amp service | Chirayu Desai
Change-Id: I698f56bca42ffef6e83f46dbdf6e8b798267028a
2015-02-02 | sepolicy: Label the vibrator sysfs node | Chirayu Desai
Change-Id: Ib7d69d95adbef765429a7ba9f7112b6296bc6f1b
2015-01-31 | Remove CMHW CABC control | Chirayu Desai
Change-Id: I42971cd8dc77655c066aabfb198b7eac033cd484
2015-01-20 | init: Add mlog_qmi service | Shane Francis
All Z3 series need this service to keep modem alive Change-Id: Iba8ac16083d878a9a9864472d350ee4868f20c6a
2015-01-15 | Add SELinux policy for hardware tunables | david
Change-Id: Ie58527ef6ca5b9aed48e68d0ec74a6453b3b4643
2014-11-21 | Re-add family-specific SELinux policy | Chirayu Desai
This partially reverts commit 21ae2255e1cd2e17a4b9e7766aa1f86eec2f18a6 Change-Id: Ic4e063ef166466843f2f0708c6531cf68c7074ef
2014-11-14 | Move SELinux policy to msm8974-common | Chirayu Desai
Change-Id: I312eb2c2eec3787809a9aff767cca24c6695bdcf
2014-04-27 | Initial Shinano import | Giulio Cervera
based on rhine-common 7e2a33e