Merge "sepolicy: allow cneservice for platform apps"
diff --git a/common/file.te b/common/file.te
index 66e7b58..e3f1b3a 100644
--- a/common/file.te
+++ b/common/file.te
@@ -170,3 +170,6 @@
 
 # subsystem_ramdump files
 type ssr_ramdump_data_file, file_type, data_file_type;
+
+# qtitetherservice files
+type qtitetherservice_app_data_file, file_type, data_file_type;
diff --git a/common/init_shell.te b/common/init_shell.te
index 70abe0b..28e4d3a 100644
--- a/common/init_shell.te
+++ b/common/init_shell.te
@@ -25,6 +25,9 @@
 #give permission to read/write fm dir for calibration file
 allow qti_init_shell fm_data_file: dir rw_dir_perms;
 
+#allow shell to access /dev/vm_bms
+allow qti_init_shell vm_bms_device:chr_file getattr;
+
 # create/open, read/write permission for fm calibration file.
 allow qti_init_shell fm_data_file: file create_file_perms;
 
@@ -77,6 +80,8 @@
     userdebug_or_eng(`ctl_console_prop coresight_prop')
     rmnet_mux_prop
     ctl_hbtp_prop
+    #Needed for starting vm_bms executable post-boot
+    vm_bms_prop
 }:property_service set;
 
 allow qti_init_shell efs_boot_dev:blk_file r_file_perms;
diff --git a/common/installd.te b/common/installd.te
index a337fb9..b59cff6 100644
--- a/common/installd.te
+++ b/common/installd.te
@@ -1,3 +1,3 @@
-allow installd { dpmd_app_data_file location_app_data_file qsee_svc_app_data_file mdtp_svc_app_data_file} :dir { create_dir_perms relabelfrom relabelto };
-allow installd { dpmd_app_data_file location_app_data_file qsee_svc_app_data_file mdtp_svc_app_data_file} :lnk_file { create_file_perms relabelfrom relabelto };
-allow installd { dpmd_app_data_file location_app_data_file qsee_svc_app_data_file mdtp_svc_app_data_file} :{ file sock_file fifo_file } { getattr unlink rename relabelfrom relabelto setattr };
+allow installd { dpmd_app_data_file location_app_data_file qsee_svc_app_data_file mdtp_svc_app_data_file qtitetherservice_app_data_file} :dir { create_dir_perms relabelfrom relabelto };
+allow installd { dpmd_app_data_file location_app_data_file qsee_svc_app_data_file mdtp_svc_app_data_file qtitetherservice_app_data_file} :lnk_file { create_file_perms relabelfrom relabelto };
+allow installd { dpmd_app_data_file location_app_data_file qsee_svc_app_data_file mdtp_svc_app_data_file qtitetherservice_app_data_file} :{ file sock_file fifo_file } { getattr unlink rename relabelfrom relabelto setattr };
diff --git a/common/location_app.te b/common/location_app.te
index a2ef569..7bc7a5a 100644
--- a/common/location_app.te
+++ b/common/location_app.te
@@ -6,6 +6,7 @@
 
 #Permissions for JDWP
 userdebug_or_eng(`
+  net_domain(location_app)
   allow location_app { adbd su }:unix_stream_socket connectto;
   allow location_app surfaceflinger_service:service_manager find;
 ')
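Review bot: `net_domain(location_app)` is added inside the `userdebug_or_eng` block headed `#Permissions for JDWP`, with no comment saying why the location app needs network sockets, and the commit title does not mention it. As placed, the grant exists only on debug builds. If it is a debugging aid, say so with a comment such as `# debug builds only: network access for <purpose>`; if it is needed for normal operation, it will be missing on user builds and belongs outside this block.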
diff --git a/common/netd.te b/common/netd.te
index 7074114..680d499 100644
--- a/common/netd.te
+++ b/common/netd.te
@@ -10,7 +10,7 @@
 allow netd wfdservice:tcp_socket rw_socket_perms;
 
 binder_use(netd);
-binder_call(netd, system_app);
+binder_call(netd, qtitetherservice_app);
 
 # allow to read /data/misc/ipa/tether_stats file
 allow netd ipacm_data_file:dir r_dir_perms;
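Review bot: The new `binder_call(netd, qtitetherservice_app);` has no comment, so a later audit cannot tell which netd-to-app interface justifies it. A one-line comment above it, such as `# binder calls into QtiTetherService (com.qualcomm.qti.tetherservice)`, would record that. The same edit withdraws netd's binder access to all of `system_app`, which is a useful narrowing but presumably relies on no other system_app component receiving calls from netd; checking for new `avc: denied` binder entries on a test build would confirm it.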
diff --git a/common/property.te b/common/property.te
index 2bd7191..e7a1205 100644
--- a/common/property.te
+++ b/common/property.te
@@ -10,6 +10,7 @@
 
 type freq_prop, property_type;
 type perfd_prop, property_type;
+type vm_bms_prop, property_type; #To start vm_bms
 type qti_prop, property_type;
 type ipacm_prop, property_type;
 type ipacm-diag_prop, property_type;
diff --git a/common/property_contexts b/common/property_contexts
index 1289583..3222ff1 100644
--- a/common/property_contexts
+++ b/common/property_contexts
@@ -14,6 +14,7 @@
 min_freq_4                 u:object_r:freq_prop:s0
 ctl.perfd                  u:object_r:perfd_prop:s0
 ctl.iop                    u:object_r:perfd_prop:s0
+ctl.vm_bms                 u:object_r:vm_bms_prop:s0
 qualcomm.bluetooth.        u:object_r:bluetooth_prop:s0
 ctl.ipacm                  u:object_r:ipacm_prop:s0
 ctl.ipacm-diag             u:object_r:ipacm-diag_prop:s0
diff --git a/common/qtitetherservice_app.te b/common/qtitetherservice_app.te
new file mode 100644
index 0000000..24f35e8
--- /dev/null
+++ b/common/qtitetherservice_app.te
@@ -0,0 +1,45 @@
+# Copyright (c) 2015, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+type qtitetherservice_app, domain;
+app_domain(qtitetherservice_app)
+
+allow qtitetherservice_app qtitetherservices_service:service_manager add;
+allow qtitetherservice_app { app_api_service system_api_service }:service_manager find;
+
+allow qtitetherservice_app self:socket create_socket_perms;
+
+allow qtitetherservice_app ipa_dev:chr_file rw_file_perms;
+
+unix_socket_connect(qtitetherservice_app, netd, netd);
+
+qmux_socket(qtitetherservice_app);
+
+allow qtitetherservice_app qtitetherservice_app_data_file:dir create_dir_perms;
+allow qtitetherservice_app qtitetherservice_app_data_file:{ file lnk_file } create_file_perms;
+
+allow qtitetherservice_app wcnss_service_exec:file rx_file_perms;
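Review bot: `allow qtitetherservice_app wcnss_service_exec:file rx_file_perms;` on the last line lets this app domain execute the wcnss_service binary inside its own domain, since `rx_file_perms` includes `execute_no_trans`, and nothing in the file says why a tethering service needs that. The rule is carried over from system_app.te, but the comments that accompanied the moved rules there (`#allow access to netd`, `#allow access to ipa`) were not, so no grant in the new domain has a stated rationale. Each rule should get a one-line comment, and the exec rule should be justified, dropped, or replaced by a domain transition if the binary really has to run. Also, `unix_socket_connect(qtitetherservice_app, netd, netd)` grants `connectto` on netd's stream socket in addition to the `netd_socket:sock_file write` removed from system_app.te, so check that this widening is intended.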
diff --git a/common/seapp_contexts b/common/seapp_contexts
index 27f8514..3bf7e05 100644
--- a/common/seapp_contexts
+++ b/common/seapp_contexts
@@ -12,3 +12,6 @@
 
 #Add new domain for MDTP services
 user=system seinfo=platform name=com.qualcomm.qti.securemsm.mdtp.MdtpService domain=mdtpservice_app type=mdtp_svc_app_data_file
+
+#Add new domain for QtiTetherService
+user=system seinfo=platform name=com.qualcomm.qti.tetherservice domain=qtitetherservice_app type=qtitetherservice_app_data_file
diff --git a/common/system_app.te b/common/system_app.te
index b40bd27..8673d1e 100644
--- a/common/system_app.te
+++ b/common/system_app.te
@@ -16,7 +16,6 @@
     # access to color service SDK
     color_service
     STAProxyService
-    qtitetherservices_service
 }:service_manager add;
 
 # access to perflock
@@ -96,15 +95,10 @@
 
 # allow gba auth service to add itself as system service
 allow system_app gba_auth_service:service_manager add;
-#allow access to netd
-allow system_app netd_socket:sock_file write;
-allow system_app wcnss_service_exec:file rx_file_perms;
 
 # allow access to system_app for wbc_service
 allow system_app wbc_service:service_manager add;
 allow system_app self:netlink_kobject_uevent_socket { read bind setopt create };
-#allow access to ipa
-allow system_app ipa_dev:chr_file rw_file_perms;
 
 # allow system_app to interact with mdtp daemon
 binder_call(system_app, mdtpdaemon)
diff --git a/common/system_server.te b/common/system_server.te
index 07a288f..86888b0 100644
--- a/common/system_server.te
+++ b/common/system_server.te
@@ -25,7 +25,6 @@
     # Allow system_server to add digital pen system service
     usf_service
     dpmservice
-    qtitetherservices_service
 }:service_manager add;
 
 allow system_server qtitetherservices_service:service_manager{add find};
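Review bot: The context line `allow system_server qtitetherservices_service:service_manager{add find};` directly below the edited set still grants `add`, so removing `qtitetherservices_service` from the set does not change what system_server may register. If the service is now meant to be owned by qtitetherservice_app, narrow that line to `allow system_server qtitetherservices_service:service_manager find;` so that only one domain can register the name. The enclosing `allow system_server { ... }` set starts outside the hunk.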
@@ -55,8 +54,8 @@
 allow system_server location:unix_stream_socket connectto;
 allow system_server location_data_file:{ file fifo_file } create_file_perms;
 allow system_server location_data_file:dir create_dir_perms;
-allow system_server { dpmd_app_data_file location_app_data_file mdtp_svc_app_data_file } :file rw_file_perms;
-allow system_server { dpmd_app_data_file location_app_data_file mdtp_svc_app_data_file } :dir r_dir_perms;
+allow system_server { dpmd_app_data_file location_app_data_file mdtp_svc_app_data_file qtitetherservice_app_data_file } :file rw_file_perms;
+allow system_server { dpmd_app_data_file location_app_data_file mdtp_svc_app_data_file qtitetherservice_app_data_file } :dir r_dir_perms;
 allow system_server location_socket:sock_file create_file_perms;
 allow system_server location_prop:property_service set;