From bad9906576b3cc04e9f4c807321457ab240ae430 Mon Sep 17 00:00:00 2001
From: nailyk-fr
Date: Sat, 11 Feb 2017 14:56:11 +0100
Subject: shinano-common: Solve camera denials
Change-Id: I62e1e9b87e48b0f5d436ef44bb816eedf5328347
shinano-common: Solve camera services denials
Change-Id: I36479598ada099da4949d999f7485b69ccd59c19
---
sepolicy/cameraserver.te | 23 +++++++++++
sepolicy/file_contexts | 6 +++
sepolicy/idd.te | 42 +++++++++++++++++++
sepolicy/service_contexts | 63 +++++++++++++++++++++++++++++
sepolicy/workarounds.te | 100 ++++++++++++++++++++++++++++++++++++++++++++++
5 files changed, 234 insertions(+)
create mode 100644 sepolicy/cameraserver.te
create mode 100644 sepolicy/service_contexts
(limited to 'sepolicy')
diff --git a/sepolicy/cameraserver.te b/sepolicy/cameraserver.te
new file mode 100644
index 0000000..7db63bf
--- /dev/null
+++ b/sepolicy/cameraserver.te
@@ -0,0 +1,23 @@
+allow cameraserver mm-qcamerad:unix_dgram_socket sendto;
+allow cameraserver mm-qcamerad:unix_stream_socket connectto;
+allow cameraserver camera_data_file:sock_file write;
+allow mm-qcamerad cameraserver:unix_dgram_socket sendto;
+allow mm-qcamerad cameraserver:unix_stream_socket connectto;
+allow mm-qcamerad camera_data_file:sock_file rw_file_perms;
+allow cameraserver gpu_device:chr_file rw_file_perms;
+allow cameraserver rootfs:lnk_file getattr;
+allow cameraserver sysfs_camera_torch:file rw_file_perms;
+allow cameraserver sysfs_camera_torch:dir search;
+allow cameraserver sysfs_camera_torch:lnk_file read;
+allow cameraserver ta_data_file:dir search;
+#allow cameraserver secd:unix_stream_socket connectto;
+#allow cameraserver secd_socket:sock_file write;
+
+allow cameraserver camera_data_file:unix_dgram_socket sendto;
+allow cameraserver camera_data_file:unix_stream_socket connectto;
+allow mm-qcamerad camera_data_file:unix_dgram_socket sendto;
+allow mm-qcamerad camera_data_file:unix_stream_socket connectto;
+
+allow mm-qcamerad ion_device:chr_file { ioctl open read };
+allow cameraserver ion_device:chr_file { ioctl open read };
+
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index 69b759b..07853c1 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -28,6 +28,12 @@
 /data/credmgr(/.*) u:object_r:secd_data_file:s0
 /system/bin/scd u:object_r:scd_exec:s0
+/data/scd u:object_r:scd_data:s0
+/data/scd(/.*) u:object_r:scd_data:s0
 /system/bin/scdnotifier u:object_r:scd_exec:s0
 /system/bin/wvkbd u:object_r:wv_exec:s0
+
+#cam_socket
+/data/misc/camera/cam_socket1 u:object_r:camera_socket:s0
+/data/misc/camera/cam_socket2 u:object_r:camera_socket:s0
diff --git a/sepolicy/idd.te b/sepolicy/idd.te
index a840e9b..7c8cf69 100644
--- a/sepolicy/idd.te
+++ b/sepolicy/idd.te
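Review bot: The four rules from `allow cameraserver camera_data_file:unix_dgram_socket sendto;` to `allow mm-qcamerad camera_data_file:unix_stream_socket connectto;` name a file type as the socket peer; a Unix socket object carries the label of the domain that created it, not the label of its path, so these rules should never match and can be dropped — the peer rules at the top of the file (`cameraserver` ↔ `mm-qcamerad`) are the ones that take effect. `allow cameraserver mm-qcamerad:unix_stream_socket connectto;` is also added a second time in workarounds.te by this same commit; keep one copy so the camera policy has a single home. The two commented-out `secd` rules should either be removed or carry a comment such as `# cameraserver must not reach the credential daemon; denial is expected` so the next audit2allow pass does not simply uncomment them.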
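Review bot: `/data/scd` and `/data/scd(/.*)` are relabelled to `scd_data`, but no rule in this commit grants the `scd` domain (or any other) access to that type, and the matching declaration in idd.te is `type scd_data, file_type;` without `data_file_type`; types that label paths under /data conventionally carry `data_file_type` so the generic /data rules apply to them, so check what the surrounding policy expects before relying on the relabel, otherwise scd may start failing where it worked under the old label. The two entries can be collapsed to `/data/scd(/.*)? u:object_r:scd_data:s0`. `camera_socket` is not declared in this diff (presumably it comes from the imported qcom policy); the two paths given that label are socket files, which matters for the `dir`/`file`-class rules workarounds.te writes against it.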
@@ -17,8 +17,50 @@ init_daemon_domain(credmgr);
 type scd, domain;
 type scd_exec, exec_type, file_type;
+type scd_data, file_type;
 init_daemon_domain(scd)
 type wv,domain;
 type wv_exec, exec_type, file_type;
 init_daemon_domain(wv)
+
+
+#============= system_server ==============
+allow system_server credmgr_exec:dir search;
+allow system_server credmgr_exec:file { getattr open read };
+allow system_server iddd_exec:dir search;
+allow system_server iddd_exec:file { getattr open read };
+
+#============= iddd_exec ==============
+allow iddd_exec default_prop:file { getattr open read };
+allow iddd_exec device:dir search;
+allow iddd_exec devpts:chr_file { open read write };
+allow iddd_exec iddd_file:dir search;
+allow iddd_exec iddd_file:file { lock open read write };
+allow iddd_exec init:fd use;
+allow iddd_exec init:process sigchld;
+allow iddd_exec kernel:system module_request;
+allow iddd_exec log_tag_prop:file { getattr open read };
+allow iddd_exec logd:unix_dgram_socket sendto;
+allow iddd_exec logd_prop:file { getattr open read };
+allow iddd_exec logdw_socket:sock_file write;
+allow iddd_exec null_device:chr_file { read write };
+allow iddd_exec proc:lnk_file read;
+allow iddd_exec properties_device:dir getattr;
+allow iddd_exec properties_serial:file { getattr open read };
+allow iddd_exec property_contexts:file { getattr open read };
+allow iddd_exec ptmx_device:chr_file { ioctl open read write };
+allow iddd_exec rootfs:lnk_file { getattr read };
+allow iddd_exec self:dir { read search };
+allow iddd_exec self:file { execute execute_no_trans getattr open read };
+allow iddd_exec self:lnk_file read;
+allow iddd_exec self:process { fork sigchld };
+allow iddd_exec self:unix_dgram_socket { connect create write };
+allow iddd_exec self:unix_stream_socket read;
+allow iddd_exec sysfs:dir search;
+allow iddd_exec sysfs_devices_system_cpu:dir search;
+allow iddd_exec sysfs_devices_system_cpu:file { getattr open read };
+allow iddd_exec system_file:dir getattr;
+#allow iddd_exec system_file:file { entrypoint execute getattr open read };
+allow iddd_exec urandom_device:chr_file { getattr ioctl open read };
+
diff --git a/sepolicy/service_contexts b/sepolicy/service_contexts
new file mode 100644
index 0000000..d4a1246
--- /dev/null
+++ b/sepolicy/service_contexts
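Review bot: Every rule in the `#============= iddd_exec ==============` block uses `iddd_exec` as the subject, yet the same hunk treats that type as a file (`allow system_server iddd_exec:file { getattr open read };`) and workarounds.te addresses the daemon's domain as `iddd` (`allow credmgr iddd:unix_dgram_socket sendto;`); an exec-type label is never the source context of a running process, so rules like `allow iddd_exec self:process { fork sigchld };` or `allow iddd_exec init:fd use;` cannot match and the denials they were meant to clear will persist. The likely root cause is that the daemon runs without a domain transition; the fix is to give it one (`init_daemon_domain(iddd)` next to its `type iddd, domain;` declaration, assuming those live above this hunk) and re-collect denials against the `iddd` domain. When carrying the result over, review the broad entries individually rather than pasting the block: `kernel:system module_request` lets the daemon trigger kernel module auto-loading and `self:file { execute execute_no_trans ... }` is wider than most daemons need, and the commented-out `system_file:file { entrypoint execute ... }` line should be deleted instead of left for the next pass. The declarations at the top of idd.te are outside this hunk.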
@@ -0,0 +1,63 @@
+#line 1 "system/sepolicy/service_contexts"
+#line 1 "out/target/product/leo/obj/ETC/sectxfile_nl_intermediates/sectxfile_nl"
+
+#line 1 "vendor/semc/system/sepolicy/Camera_Extension_API/1.1.0/service_contexts"
+media.cameraextension u:object_r:mediaserver_service:s0
+#line 1 "out/target/product/leo/obj/ETC/sectxfile_nl_intermediates/sectxfile_nl"
+
+#line 1 "vendor/semc/system/sepolicy/Crash_Handling/1_0_0/service_contexts"
+#crashmonitornative u:object_r:crashmonitor_service:s0
+#line 1 "out/target/product/leo/obj/ETC/sectxfile_nl_intermediates/sectxfile_nl"
+
+#line 1 "vendor/semc/system/sepolicy/Google_Analytics_Proxy/1.0.0/service_contexts"
+#platform_analytics u:object_r:platform_analytics_service:s0
+#line 1 "out/target/product/leo/obj/ETC/sectxfile_nl_intermediates/sectxfile_nl"
+
+#line 1 "vendor/semc/system/sepolicy/Image_Processor_API/1.1.0/service_contexts"
+media.cacao u:object_r:mediaserver_service:s0
+#line 1 "out/target/product/leo/obj/ETC/sectxfile_nl_intermediates/sectxfile_nl"
+
+#line 1 "vendor/semc/system/sepolicy/Power_Save/1.0.0/service_contexts"
+#xperiaappdepinfo u:object_r:xperiaappdepinfo_service:s0
+#xperia_power u:object_r:xperia_power_service:s0
+#stamina_qbd u:object_r:stamina_qbd_service:s0
+#line 1 "out/target/product/leo/obj/ETC/sectxfile_nl_intermediates/sectxfile_nl"
+
+#line 1 "vendor/semc/system/sepolicy/Touch/1.0.0/tfsw/service_contexts"
+#tfsw u:object_r:tfsw_service:s0
+#line 1 "out/target/product/leo/obj/ETC/sectxfile_nl_intermediates/sectxfile_nl"
+
+#line 1 "vendor/semc/system/sepolicy/WLAN_Miracast_sink/1.1.0/service_contexts"
+#WfdSinkService u:object_r:wfd_sink_exec_service:s0
+#line 1 "out/target/product/leo/obj/ETC/sectxfile_nl_intermediates/sectxfile_nl"
+
+#line 1 "device/somc/shinano/sepolicy/service_contexts"
+#overlay u:object_r:overlay_service:s0
+#line 1 "out/target/product/leo/obj/ETC/sectxfile_nl_intermediates/sectxfile_nl"
+
+#line 1 "device/qcom/sepolicy/common/service_contexts"
+#android.apps.IQfpService u:object_r:iqfp_service:s0
+#AtCmdFwd u:object_r:atfwd_service:s0
+#dpmservice u:object_r:dpmservice:s0
+#listen.service u:object_r:mediaserver_service:s0
+#cneservice u:object_r:cne_service:s0
+#gbahttpauth u:object_r:gba_auth_service:s0
+#vendor.qcom.PeripheralManager u:object_r:per_mgr_service:s0
+#com.qualcomm.qti.auth.fidocryptodaemon u:object_r:fidodaemon_service:s0
+#wbc_service u:object_r:wbc_service:s0
+#STAProxyService u:object_r:STAProxyService:s0
+#dun u:object_r:dun_service:s0
+#qti.ims.connectionmanagerservice u:object_r:imscm_service:s0
+#com.qti.snapdragon.sdk.display.IColorService u:object_r:color_service:s0
+#wfdservice u:object_r:wfdservice_service:s0
+#DigitalPen u:object_r:usf_service:s0
+#dts_eagle_service u:object_r:dtseagleservice_service:s0
+#wfd.native.mm.service u:object_r:wfdservice_service:s0
+#extphone u:object_r:radio_service:s0
+#com.qualcomm.location.izat.IzatService u:object_r:izat_service:s0
+#line 1 "out/target/product/leo/obj/ETC/sectxfile_nl_intermediates/sectxfile_nl"
+
+#line 1 "device/qcom/sepolicy/test/service_contexts"
+#com.qualcomm.qti.auth.securesampleauthdaemon u:object_r:fidotest_service:s0
+#line 1 "out/target/product/leo/obj/ETC/sectxfile_nl_intermediates/sectxfile_nl"
+
diff --git a/sepolicy/workarounds.te b/sepolicy/workarounds.te
index 1a776d3..52203d8 100644
--- a/sepolicy/workarounds.te
+++ b/sepolicy/workarounds.te
@@ -1,3 +1,8 @@
+allow cameraserver camera_socket:dir { search write add_name };
+allow cameraserver camera_socket:file { read write getattr open };
+allow mm-qcamerad camera_socket:dir { search write add_name };
+allow mm-qcamerad camera_socket:file { read write getattr open };
+
 #============= credmgr ==============
 allow credmgr iddd:unix_dgram_socket sendto;
 allow credmgr iddd_file:sock_file write;
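Review bot: The new service_contexts is a copy of a build intermediate rather than a source file: the repeated `#line 1 "out/target/product/leo/obj/ETC/sectxfile_nl_intermediates/sectxfile_nl"` markers and the per-component `#line` headers are emitted by the concatenation step, and all but two of the 63 lines are comments or blank. Only `media.cameraextension u:object_r:mediaserver_service:s0` and `media.cacao u:object_r:mediaserver_service:s0` are live, so the file should contain just those two with a one-line comment naming where they come from; that keeps what is enforced visible in review and avoids the build re-wrapping an already-wrapped file. Labelling the vendor camera-extension and image-processor services as `mediaserver_service` makes them discoverable by every domain that already holds `mediaserver_service:service_manager find`; if that is wider than the intended clients, a dedicated service type with its own `find` rule is the tighter choice. The commented-out qcom and semc entries appear to duplicate what the qcom policy tree already ships and should not be carried here.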
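Review bot: The `camera_socket` rules use the `dir` and `file` object classes, but the only objects this commit labels `camera_socket` are `/data/misc/camera/cam_socket1` and `cam_socket2` in file_contexts, which are Unix socket files (class `sock_file`); as far as this commit shows nothing of that type is a directory or a regular file, so `allow cameraserver camera_socket:dir { search write add_name };` and its three siblings should never match. The operations they are meant to cover (creating the socket inside `/data/misc/camera`, connecting to it) land on `camera_data_file:dir` and `camera_socket:sock_file`, so re-collect the denials after the relabel and write the rule against `sock_file`, e.g. `allow mm-qcamerad camera_socket:sock_file { create setattr unlink write };` for the creating side and `allow cameraserver camera_socket:sock_file write;` for the connecting side, keeping only the permissions the audit log actually shows. Note that cameraserver.te in this same commit already grants `camera_data_file:sock_file write`, which is the label the sockets inherit from the parent directory until the new file_contexts entries are applied; after a restorecon only one of the two rules should be needed.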
@@ -62,3 +67,98 @@ allow init socket_device:sock_file { create unlink setattr };
 #============= taimport ==============
 allow taimport ta_data_file:file unlink;
+
+#============= credmgr ==============
+allow credmgr ion_device:chr_file { ioctl open read };
+
+#============= init ==============
+allow init debugfs:file write;
+
+#============= qti_init_shell ==============
+allow qti_init_shell tad:unix_stream_socket connectto;
+allow qti_init_shell tad_socket:sock_file write;
+
+#============= scd ==============
+allow scd socket_device:dir { add_name write };
+allow scd socket_device:sock_file { create setattr };
+allow scd sysfs:file { getattr open read };
+
+#============= suntrold ==============
+allow suntrold ion_device:chr_file { ioctl open read };
+
+#============= tad ==============
+allow tad proc:file { open read };
+allow tad rootfs:file { entrypoint read };
+
+#============= taimport ==============
+allow taimport adbsecure_prop:property_service set;
+allow taimport init:unix_stream_socket connectto;
+allow taimport property_socket:sock_file write;
+
+#============= thermanager ==============
+allow thermanager sysfs:file { open read };
+
+#============= wv ==============
+allow wv ion_device:chr_file { ioctl open read };
+allow wv socket_device:sock_file write;
+allow wv suntrold:unix_stream_socket connectto;
+allow wv tad:unix_stream_socket connectto;
+allow wv tad_socket:sock_file write;
+allow wv tee_device:chr_file { ioctl open read write };
+
+
+
+
+
+#============= cameraserver ==============
+allow cameraserver ta_data_file:dir { getattr open read };
+allow cameraserver sudaemon:unix_dgram_socket sendto;
+allow cameraserver sudaemon:unix_stream_socket connectto;
+allow cameraserver mm-qcamerad:unix_stream_socket sendto;
+allow cameraserver mm-qcamerad:unix_stream_socket connectto;
+
+
+
+#============r credmgr ==============
+allow credmgr ion_device:chr_file { ioctl open read };
+
+#============= init ==============
+allow init debugfs:file write;
+
+#============= mm-qcamerad ==============
+allow mm-qcamerad system_file:file execmod;
+allow mm-qcamerad system_prop:property_service set;
+allow mm-qcamerad ta_data_file:dir { getattr open read };
+
+#============= qti_init_shell ==============
+allow qti_init_shell tad:unix_stream_socket connectto;
+allow qti_init_shell tad_socket:sock_file write;
+
+#============= scd ==============
+allow scd socket_device:dir { add_name write };
+allow scd socket_device:sock_file { create setattr };
+allow scd sysfs:file { getattr open read };
+
+#============= suntrold ==============
+allow suntrold ion_device:chr_file { ioctl open read };
+
+#============= tad ==============
+allow tad proc:file { open read };
+allow tad rootfs:file { entrypoint read };
+
+#============= taimport ==============
+allow taimport adbsecure_prop:property_service set;
+allow taimport init:unix_stream_socket connectto;
+allow taimport property_socket:sock_file write;
+
+#============= thermanager ==============
+allow thermanager sysfs:file { open read };
+
+#============= wv ==============
+allow wv ion_device:chr_file { ioctl open read };
+allow wv socket_device:sock_file write;
+allow wv suntrold:unix_stream_socket connectto;
+allow wv tad:unix_stream_socket connectto;
+allow wv tad_socket:sock_file write;
+allow wv tee_device:chr_file { ioctl open read write };
+
-- cgit v1.2.3
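Review bot: The second half of this hunk, from the mangled header `#============r credmgr ==============` onward, repeats the credmgr, init, qti_init_shell, scd, suntrold, tad, taimport, thermanager and wv blocks verbatim from the first half (only the `cameraserver` and `mm-qcamerad` blocks are new), so the duplicate should be removed and the `#============r` typo fixed. Of the rules that remain, three deserve a justification comment or a narrower form: `allow mm-qcamerad system_file:file execmod;` indicates a camera library with text relocations, which AOSP treats as a bug in the binary and has progressively constrained with `execmod` neverallows, so confirm it still builds against the base policy and prefer fixing the library; `allow mm-qcamerad system_prop:property_service set;` lets the camera daemon set any `system_prop`-labelled property, where a dedicated property type for whatever it actually writes would be far tighter; and `allow taimport adbsecure_prop:property_service set;` touches what, by its name, is the property controlling ADB's secure mode and should be called out explicitly rather than buried in a workarounds file. `allow cameraserver sudaemon:unix_stream_socket connectto;` is also hard to explain for a camera service — if `sudaemon` is the superuser daemon, the denial is more likely noise from a mislabelled socket than a real dependency, and it is safer to drop than to allow. The hunk is appended at the end of workarounds.te; the rules above old line 62 are outside it.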