Seandroid: Add policies to enable all QDCM functionalities

Address all SELinux denial messages related to QDCM tool
functionality and the color service SDK application.

Add policies to allow:
1- /persist/ read & write for display config
2- /data/misc/display/ read & write
3- Allow access to colorservice for display sdk from android app.
4- Enable pp-daemon functionalities for the non user-debug and
eng builds, since OEMs actively use QDCM tool, and they require
full functionality.

Change-Id: I43545eaf8e63f0e43f40197cd01cddc8c6a5351a
diff --git a/common/mm-pp-daemon.te b/common/mm-pp-daemon.te
index 5a62334..6c9ad16 100755
--- a/common/mm-pp-daemon.te
+++ b/common/mm-pp-daemon.te
@@ -8,14 +8,17 @@
 allow mm-pp-daemon graphics_device:chr_file rw_file_perms;
 allow mm-pp-daemon graphics_device:dir search;
 
-# Allow reading calibration data from persist
-allow mm-pp-daemon persist_file:file r_file_perms;
-allow mm-pp-daemon persist_file:dir search;
+# Allow reading/writing to persist
+# The color config file is dynamically created
+allow mm-pp-daemon persist_file:dir rw_dir_perms;
+allow mm-pp-daemon persist_file:file create_file_perms;
 
-# Allow pp daemon to save settings to /data
-allow mm-pp-daemon display_config:file rw_file_perms;
+# Allow reading/writing data config files
+allow mm-pp-daemon display_config:dir create_dir_perms;
+allow mm-pp-daemon display_config:file create_file_perms;
+
 allow mm-pp-daemon system_prop:property_service set;
-#Calibration can only be done on userdebug or eng builds
+
 userdebug_or_eng(`
     # Display calibration service opens /dev/diag in order to communicate with the
     # target device
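Review bot: The new `persist_file:dir rw_dir_perms` and `persist_file:file create_file_perms` rules are not scoped to the color config file but to every file and directory carrying the generic `persist_file` label, and they now apply on user builds as well, so mm-pp-daemon can create, overwrite and unlink any other data stored under /persist with that label. The comment above the rule says the color config is created dynamically, which is exactly the case for a dedicated type: declare something like `type persist_display_file, file_type;`, label the directory the config lives in with it in file_contexts, and replace the two rules with `allow mm-pp-daemon persist_display_file:dir rw_dir_perms;` / `allow mm-pp-daemon persist_display_file:file create_file_perms;`. The exact /persist path is not visible in this diff and would need to be taken from the daemon's code. The same reasoning applies to `display_config:dir create_dir_perms` only if `display_config` is shared with other domains, which this hunk does not show.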
@@ -32,12 +35,13 @@
     allow mm-pp-daemon shell_exec:file rx_file_perms;
     allow mm-pp-daemon system_file:file execute_no_trans;
     allow mm-pp-daemon zygote_exec:file rx_file_perms;
-
-    # Allow writing to persist
-    allow mm-pp-daemon persist_file:file rw_file_perms;
-
-    # Allow mm-pp-daemon to change the brightness of the target during display
-    # calibration
-    allow mm-pp-daemon sysfs:file rw_file_perms;
-    unix_socket_connect(mm-pp-daemon, property, init)
+    allow mm-pp-daemon self:process ptrace;
 ')
+
+# Allow mm-pp-daemon to change the brightness of the target during display
+# calibration
+allow mm-pp-daemon sysfs:file rw_file_perms;
+
+# Allow socket calls in pp-daemon
+unix_socket_connect(mm-pp-daemon, property, init)
+unix_socket_connect(mm-pp-daemon, pps, init)
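Review bot: Moving `allow mm-pp-daemon sysfs:file rw_file_perms;` out of the `userdebug_or_eng` block gives the daemon write access on production builds to every sysfs node that still has the generic `sysfs` label, not just the backlight brightness node the comment describes. Since the node is a fixed path, it should get its own label in file_contexts (for example a `sysfs_backlight` or similar type declared in file.te) and the rule narrowed to `allow mm-pp-daemon sysfs_backlight:file rw_file_perms;`, keeping the generic `sysfs` write inside the debug-only block if it is still needed there. The new `self:process ptrace` rule is correctly left under `userdebug_or_eng`; the `pps` socket connect is new on all builds and the comment `# Allow socket calls in pp-daemon` should say what the pps socket is used for so a later reviewer can judge whether it belongs on user builds.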
diff --git a/common/service.te b/common/service.te
index ec90dda..e662570 100644
--- a/common/service.te
+++ b/common/service.te
@@ -6,3 +6,4 @@
 type dun_service,               service_manager_type;
 type digitalpen_service,        service_manager_type;
 type imscm_service,             service_manager_type;
+type color_service,             service_manager_type;
diff --git a/common/service_contexts b/common/service_contexts
index b29e165..eccd3fd 100644
--- a/common/service_contexts
+++ b/common/service_contexts
@@ -7,3 +7,4 @@
 dun                                            u:object_r:dun_service:s0
 DigitalPen                                     u:object_r:digitalpen_service:s0
 qti.ims.connectionmanagerservice               u:object_r:imscm_service:s0
+com.qti.snapdragon.sdk.display.IColorService   u:object_r:color_service:s0
diff --git a/common/surfaceflinger.te b/common/surfaceflinger.te
index 9c984ac..854ff8c 100644
--- a/common/surfaceflinger.te
+++ b/common/surfaceflinger.te
@@ -2,10 +2,7 @@
 allow surfaceflinger shell_data_file:dir search;
 
 # Allows pp-daemon to refresh the screen in calibration mode
-userdebug_or_eng(`
-  allow surfaceflinger mm-pp-daemon:dir search;
-  allow surfaceflinger mm-pp-daemon:file r_file_perms;
-')
+r_dir_file(surfaceflinger, mm-pp-daemon)
 
 binder_call(surfaceflinger, location)
 binder_call(surfaceflinger, tee)
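Review bot: The comment `# Allows pp-daemon to refresh the screen in calibration mode` is now stale, because the `userdebug_or_eng` gate was removed and `r_dir_file(surfaceflinger, mm-pp-daemon)` applies on all builds; with a process domain as the object type, this grants read access to the daemon's /proc/<pid> entries. The comment should state which entry surfaceflinger actually reads and that the rule is unconditional, e.g. `# surfaceflinger reads mm-pp-daemon's /proc/<pid> entries (all builds; calibration is no longer userdebug-only)`, with the specific file named once it is known from the denial log.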
diff --git a/common/system_app.te b/common/system_app.te
index 3cb2008..02fb603 100644
--- a/common/system_app.te
+++ b/common/system_app.te
@@ -29,3 +29,6 @@
 
 # access to time_daemon
 allow system_app time_daemon:unix_stream_socket connectto;
+
+# access to color service SDK
+allow system_app color_service:service_manager add;
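Review bot: Granting `color_service:service_manager add` to the whole `system_app` domain lets any app running in that domain register, and therefore replace, `com.qti.snapdragon.sdk.display.IColorService`, which from the commit message fronts writes to /persist and /data/misc/display. If the service is hosted by one known package, giving it its own domain via seapp_contexts and granting `add` only there would keep the registration right with the intended owner. The description also says third-party apps will use the SDK, but this diff adds no `find` rule for any app domain; if one is added later for `untrusted_app`, the comment here should record that the service is reachable from untrusted callers so the daemon's input validation is reviewed with that in mind. Both observations are inferred from the commit message rather than visible code.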