Merge "file_contexts: Adding context to block devices"
diff --git a/apq8084/file_contexts b/apq8084/file_contexts
index 19361f7..ac2402e 100644
--- a/apq8084/file_contexts
+++ b/apq8084/file_contexts
@@ -32,7 +32,7 @@
 /dev/block/platform/msm_sdcc\.1/by-name/ssd                             u:object_r:ssd_device:s0
 /dev/block/platform/msm_sdcc\.1/by-name/misc                            u:object_r:misc_partition:s0
 /dev/block/platform/msm_sdcc\.1/by-name/userdata                        u:object_r:userdata_block_device:s0
-/dev/block/mmcblk0                                                      u:object_r:mmc_block_device:s0
+/dev/block/mmcblk0                                                      u:object_r:root_block_device:s0
 /dev/block/mmcblk0rpmb                                                  u:object_r:rpmb_device:s0
 /dev/block/platform/msm_sdcc\.1/by-name/mdm1m9kefs1                     u:object_r:efs_boot_dev:s0
 /dev/block/platform/msm_sdcc\.1/by-name/mdm1m9kefs2                     u:object_r:efs_boot_dev:s0
diff --git a/common/bluetooth.te b/common/bluetooth.te
index 8e234ed..f2b9f06 100644
--- a/common/bluetooth.te
+++ b/common/bluetooth.te
@@ -46,6 +46,10 @@
 binder_use(bluetooth);
 binder_call(bluetooth, system_app);
 binder_call(bluetooth, servicemanager);
+allow bluetooth dun_service:service_manager find;
 
 #sapd requires interaction with qmux sockets
 qmux_socket(bluetooth);
+
+# for finding wbc_service
+allow bluetooth wbc_service:service_manager find;
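Review bot: The added `allow bluetooth dun_service:service_manager find;` has no comment, while the `wbc_service` rule at the end of this hunk does, and it sits directly under the `binder_call` lines where it reads as part of that group. I would add `# for finding dun_service` above it, or place both `find` rules together, so the reason for each service_manager lookup stays visible. Neither `dun_service` nor `wbc_service` is declared in this diff, so both are presumably defined elsewhere in the tree.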
diff --git a/common/device.te b/common/device.te
index 8f80031..de87f73 100644
--- a/common/device.te
+++ b/common/device.te
@@ -79,8 +79,6 @@
 
 type wcnss_device, dev_type;
 
-type mmc_block_device, dev_type;
-
 # Define QDSS devices
 type qdss_device, dev_type;
 
diff --git a/common/energyawareness.te b/common/energyawareness.te
index 8aa3cb4..43bd0ee 100755
--- a/common/energyawareness.te
+++ b/common/energyawareness.te
@@ -10,3 +10,5 @@
 allow energyawareness self:netlink_kobject_uevent_socket create_socket_perms;
 
 allow energyawareness self:capability net_admin;
+
+allow energyawareness sysfs:file w_file_perms;
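Review bot: `allow energyawareness sysfs:file w_file_perms;` grants write on every node that still carries the generic `sysfs` label, which is much wider than one daemon's tunables. This domain already holds `net_admin` (context line above), so the rule noticeably enlarges what a compromise of it could reach, subject to DAC. The narrower form is to give the nodes it writes their own type in file_contexts and allow only that, e.g. `allow energyawareness sysfs_energyawareness:file w_file_perms;` (type name is a placeholder). A one-line comment naming the sysfs path would also help, since the hunk gives no reason for the rule.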
diff --git a/common/file.te b/common/file.te
index d9e7869..0ce64e6 100644
--- a/common/file.te
+++ b/common/file.te
@@ -161,3 +161,9 @@
 
 # used for /dsp files
 type adsprpcd_file, file_type, mlstrustedobject;
+
+# audio pp notifier files
+type audio_pp_data_file, file_type, data_file_type;
+
+# subsystem_ramdump files
+type ssr_ramdump_data_file, file_type, data_file_type;
diff --git a/common/file_contexts b/common/file_contexts
index bdc35db..8dedc7e 100644
--- a/common/file_contexts
+++ b/common/file_contexts
@@ -147,7 +147,7 @@
 /system/bin/sensors.qcom                        u:object_r:sensors_exec:s0
 /system/bin/sns.*                               u:object_r:sensors_test_exec:s0
 /system/bin/test_diag                           u:object_r:diag_exec:s0
-/system/bin/thermal-engine                      u:object_r:thermal-engine_exec:s0
+/system/vendor/bin/thermal-engine               u:object_r:thermal-engine_exec:s0
 /system/bin/vm_bms                              u:object_r:vm_bms_exec:s0
 /system/bin/mm-qcamera-daemon                   u:object_r:mm-qcamerad_exec:s0
 /system/bin/qfp-daemon                          u:object_r:qfp-daemon_exec:s0
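Review bot: Replacing the `/system/bin/thermal-engine` entry outright means a build that still installs the binary at the old path gets the default system file label and, presumably, no transition into the thermal-engine domain. If both layouts exist across the targets this policy serves, one pattern covers them: `/system/(vendor/)?bin/thermal-engine  u:object_r:thermal-engine_exec:s0`. If every target has moved to `/system/vendor/bin`, the line is fine as written, but the commit title only mentions block devices and does not say so.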
@@ -295,6 +295,8 @@
 /data/misc/radio(/.*)?                                              u:object_r:radio_data_file:s0
 /data/misc/port_bridge(/.*)?                                        u:object_r:port_bridge_data_file:s0
 /data/misc/fm(/.*)?                                                 u:object_r:fm_data_file:s0
+/data/misc/audio_pp(/.*)?                                           u:object_r:audio_pp_data_file:s0
+/data/ramdump(/.*)?                                                 u:object_r:ssr_ramdump_data_file:s0
 
 ###################################
 # persist files
diff --git a/common/hostapd.te b/common/hostapd.te
index f20d78d..09a24c2 100644
--- a/common/hostapd.te
+++ b/common/hostapd.te
@@ -31,4 +31,14 @@
   unix_socket_send(hostapd, wpa, su)
 ')
 
+binder_call(hostapd, cnd)
+unix_socket_connect(hostapd, cnd, cnd)
+unix_socket_send(hostapd, cnd, cnd)
+allow hostapd cnd:{
+          fifo_file
+          netlink_route_socket
+          netlink_tcpdiag_socket
+          unix_stream_socket} { read write };
+allow hostapd cnd:fifo_file r_file_perms;
+allow hostapd smem_log_device:chr_file rw_file_perms;
 allow hostapd fstman:unix_dgram_socket sendto;
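Review bot: The new cnd rules and `allow hostapd smem_log_device:chr_file rw_file_perms;` are added after the closing `')` of the preceding block (which opens outside this hunk), so they apply unconditionally and give a network-facing daemon read/write on what appears to be a log device in every build. If the `{ read write }` rule on cnd's fifo_file and sockets only silences denials from inherited descriptors, `dontaudit hostapd cnd:{ ... } { read write };` would be the tighter choice; if hostapd really uses them, a comment should say for what. The following `allow hostapd cnd:fifo_file r_file_perms;` overlaps the `fifo_file` entry in the set above and could be merged into one rule. None of the added lines carries a comment.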
diff --git a/common/init_shell.te b/common/init_shell.te
index 8ea5278..c74d6ce 100644
--- a/common/init_shell.te
+++ b/common/init_shell.te
@@ -20,16 +20,17 @@
 allow qti_init_shell { system_file rootfs shell_exec }:file execute_no_trans;
 
 # For accessing fmradio device node
-# For accessing qdss_device device node
-allow qti_init_shell { fm_radio_device qdss_device }:chr_file r_file_perms;
+allow qti_init_shell fm_radio_device:chr_file r_file_perms;
+
 #give permission to read/write fm dir for calibration file
 allow qti_init_shell fm_data_file: dir rw_dir_perms;
+
 # create/open, read/write permission for fm calibration file.
 allow qti_init_shell fm_data_file: file create_file_perms;
 
 # for insmod of iris ko, this is needed.
-#dac_read/override is needed for scripts to do chown/mkdir which is
-#needed by most of the services
+# dac_read/override is needed for scripts to do chown/mkdir which is
+# needed by most of the services
 # fowner and fsetid are needed for chmod display nodes.
 allow qti_init_shell self:capability {
     sys_module
@@ -48,6 +49,7 @@
 # bluetooth_prop - for setting bt related properties from postboot script
 # uicc_prop - for access to UICC property
 # ctl_qmuxd_prop/ctl_netmgrd_prop - Needed in order to set properties on qmuxd and netmgrd processes
+# rmnet_mux_prop - Needed to set persist.rmnet.mux property
 allow qti_init_shell {
     system_prop
     freq_prop
@@ -71,13 +73,14 @@
     usf_prop
     qemu_hw_mainkeys_prop
     # Needed for starting console in userdebug mode
-    userdebug_or_eng(`ctl_console_prop')
+    userdebug_or_eng(`ctl_console_prop coresight_prop')
+    rmnet_mux_prop
 }:property_service set;
 
 allow qti_init_shell efs_boot_dev:blk_file r_file_perms;
 
 # For hci_comm_init
-allow qti_init_shell serial_device:chr_file rw_file_perms;
+allow qti_init_shell { serial_device userdebug_or_eng(`qdss_device') }:chr_file rw_file_perms;
 
 # Allow property changes
 unix_socket_connect(qti_init_shell, property, init)
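Review bot: The comment `# For hci_comm_init` no longer describes the rule under it, which now also covers `qdss_device`, and the old `# For accessing qdss_device device node` comment was removed in the first hunk of this file. The access also changed shape: it was `r_file_perms` in all builds and is now `rw_file_perms` in userdebug/eng only, which is tighter for user builds but adds write in debug builds; if read is still enough, a separate `r_file_perms` rule for `qdss_device` inside its own `userdebug_or_eng` block keeps that. Similarly, `# Needed for starting console in userdebug mode` now precedes `coresight_prop` as well, so a line such as `# coresight_prop - for setting dbg.coresight.cfg_file (userdebug/eng only)` in the comment list above the set would match the existing per-property comments. The property set itself starts outside this hunk.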
@@ -105,6 +108,7 @@
 r_dir_file(qti_init_shell, usf_data_file)
 allow qti_init_shell usf_data_file:file w_file_perms;
 r_dir_file(qti_init_shell, persist_usf_file)
+allow qti_init_shell persist_usf_file:dir w_dir_perms;
 allow qti_init_shell usf_data_file:dir create_dir_perms;
 allow qti_init_shell usf_data_file:{ file lnk_file } create_file_perms;
 
@@ -132,3 +136,6 @@
 
 # To change owner of /sys/devices/virtual/hsicctl/hsicctl0/modem_wait to radio
 allow qti_init_shell sysfs_hsic_modem_wait:file { r_file_perms setattr };
+
+# core-ctl
+allow qti_init_shell cgroup:dir add_name;
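Review bot: `add_name` on `cgroup:dir` does not by itself let the script create anything; creating an entry also needs `create` on the new object's class and `write`/`search` on the parent directory, so unless those come from rules outside this hunk the denial this was meant to fix will likely just move to the next permission. The `# core-ctl` comment does not say what is being created or where. I would expand it to name the cgroup path and the script step that needs it, and add only the specific permissions observed in the denial log rather than a broad macro.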
diff --git a/common/iop.te b/common/iop.te
index f4c12eb..c35fc47 100644
--- a/common/iop.te
+++ b/common/iop.te
@@ -33,7 +33,6 @@
 allow dumpstate app_data_file:file r_file_perms ;
 r_dir_file( dumpstate, appdomain );
 r_dir_file( dumpstate, apk_data_file );
-r_dir_file( dumpstate, system_server );
 
 #Create a socket for receiving info from IOP
 type_transition dumpstate iop_data_file:sock_file iop_socket "iop";
diff --git a/common/kernel.te b/common/kernel.te
index 095a853..7ebab1e 100755
--- a/common/kernel.te
+++ b/common/kernel.te
@@ -4,3 +4,6 @@
   allow kernel self:capability { dac_read_search dac_override };
   allow kernel self:socket create_socket_perms;
 ')
+
+# Access firmware_file
+r_dir_file(kernel, firmware_file)
diff --git a/common/mediaserver.te b/common/mediaserver.te
index 4e9572f..21c8f3d 100644
--- a/common/mediaserver.te
+++ b/common/mediaserver.te
@@ -51,6 +51,10 @@
 allow mediaserver audio_data_file:sock_file { create setattr unlink };
 allow mediaserver audio_data_file:dir remove_name;
 
+# Allow mediaserver to create audio pp files
+allow mediaserver audio_pp_data_file:dir rw_dir_perms;
+allow mediaserver audio_pp_data_file:file create_file_perms;
+
 #Allow mediaserver to set camera  properties
 allow mediaserver camera_prop:property_service set;
 
diff --git a/common/mm-qcamerad.te b/common/mm-qcamerad.te
index c32a76f..ef9f8f1 100644
--- a/common/mm-qcamerad.te
+++ b/common/mm-qcamerad.te
@@ -44,3 +44,6 @@
 
 #allow mm-qcamerad to access /dsp
 r_dir_file(mm-qcamerad, adsprpcd_file);
+
+r_dir_file(mm-qcamerad, firmware_file)
+allow mm-qcamerad graphics_device:dir r_file_perms;
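Review bot: `allow mm-qcamerad graphics_device:dir r_file_perms;` applies a file permission set to the `dir` class; `r_file_perms` carries no `search`, so the daemon can open the directory but cannot look up entries in it. qseecomd.te in this same commit shows `allow tee graphics_device:dir r_dir_perms;` for the same type, and the line here should read `allow mm-qcamerad graphics_device:dir r_dir_perms;`. Both added lines also lack a comment, unlike the `/dsp` rule directly above them.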
diff --git a/common/mmi.te b/common/mmi.te
index cdf006d..6badeab 100644
--- a/common/mmi.te
+++ b/common/mmi.te
@@ -97,3 +97,4 @@
 
 #Allow mmi to use IPC
 binder_use(mmi)
+binder_call(mmi,surfaceflinger)
diff --git a/common/ppp.te b/common/ppp.te
new file mode 100644
index 0000000..d5bb363
--- /dev/null
+++ b/common/ppp.te
@@ -0,0 +1,29 @@
+#Copyright (c) 2015, The Linux Foundation. All rights reserved.
+#
+#Redistribution and use in source and binary forms, with or without
+#modification, are permitted provided that the following conditions are
+#met:
+#* Redistributions of source code must retain the above copyright
+#  notice, this list of conditions and the following disclaimer.
+#* Redistributions in binary form must reproduce the above
+#  copyright notice, this list of conditions and the following
+#  disclaimer in the documentation and/or other materials provided
+#  with the distribution.
+#* Neither the name of The Linux Foundation nor the names of its
+#  contributors may be used to endorse or promote products derived
+#  from this software without specific prior written permission.
+#
+#THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+#WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+#MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+#ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+#BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+#CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+#SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+#BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+#WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+#OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+#IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# allow VPN connection via L2TP
+allow ppp mtp:unix_stream_socket rw_socket_perms;
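Review bot: `rw_socket_perms` on `mtp:unix_stream_socket` includes `bind`, `connect` and `setopt`, which is more than ppp needs if it only reads and writes a socket handed over by mtp. The hunk does not show how the descriptor is obtained, so this is a question rather than a finding: if it is inherited, `allow ppp mtp:unix_stream_socket { read write getattr };` would be the narrower starting point, widened only on observed denials. The comment could also state the socket's role instead of only the feature, e.g. `# L2TP VPN: ppp uses the unix stream socket owned by mtp`.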
diff --git a/common/property.te b/common/property.te
index 7476989..d674729 100644
--- a/common/property.te
+++ b/common/property.te
@@ -30,4 +30,7 @@
 type location_prop, property_type;
 
 #properites for init.qcom.sh script
+type rmnet_mux_prop, property_type;
 type qemu_hw_mainkeys_prop, property_type;
+
+type coresight_prop, property_type;
diff --git a/common/property_contexts b/common/property_contexts
index f23e47d..c3106c4 100644
--- a/common/property_contexts
+++ b/common/property_contexts
@@ -13,6 +13,7 @@
 min_freq_0                 u:object_r:freq_prop:s0
 min_freq_4                 u:object_r:freq_prop:s0
 ctl.perfd                  u:object_r:perfd_prop:s0
+ctl.iop                    u:object_r:perfd_prop:s0
 qualcomm.bluetooth.        u:object_r:bluetooth_prop:s0
 ctl.ipacm                  u:object_r:ipacm_prop:s0
 ctl.ipacm-diag             u:object_r:ipacm-diag_prop:s0
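Review bot: Labelling `ctl.iop` with `perfd_prop` means every domain that is allowed `set` on `perfd_prop` can now also start and stop the iop service. If both services are meant to be controlled by exactly the same callers that is acceptable, but a dedicated type keeps the two control properties separable: `ctl.iop  u:object_r:iop_prop:s0` together with `type iop_prop, property_type;` in property.te (the type name is a placeholder; no such type appears in this diff). Either way a short comment on the reuse would save the next reader from assuming it is a copy-paste slip.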
@@ -28,4 +29,6 @@
 qualcomm.perf.cores_online u:object_r:mpdecision_prop:s0
 netd.fstman.               u:object_r:netd_prop:s0
 location.                  u:object_r:location_prop:s0
+persist.rmnet.mux          u:object_r:rmnet_mux_prop:s0
 qemu.hw.mainkeys           u:object_r:qemu_hw_mainkeys_prop:s0
+dbg.coresight.cfg_file     u:object_r:coresight_prop:s0
diff --git a/common/qseecomd.te b/common/qseecomd.te
index 5f58005..6b8fd44 100644
--- a/common/qseecomd.te
+++ b/common/qseecomd.te
@@ -47,6 +47,8 @@
 allow tee graphics_device:dir r_dir_perms;
 allow tee graphics_device:chr_file r_file_perms;
 
+allow tee surfaceflinger_service : service_manager  find;
+
 binder_call(tee, surfaceflinger)
 binder_use(tee)
 
diff --git a/common/rmt_storage.te b/common/rmt_storage.te
index b0b7fb4..7647fec 100644
--- a/common/rmt_storage.te
+++ b/common/rmt_storage.te
@@ -5,7 +5,7 @@
 
 allow rmt_storage {
     modem_efs_partition_device
-    mmc_block_device
+    root_block_device
     ssd_device
 }:blk_file rw_file_perms;
 allow rmt_storage block_device:dir r_dir_perms;
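Review bot: `root_block_device` in this set gives rmt_storage `rw_file_perms` on `/dev/block/mmcblk0`, i.e. the whole raw eMMC rather than a single partition; the per-SoC file_contexts hunks in this commit apply that label. The old `mmc_block_device` entry granted the same access, so this is not new, but the second hunk removes a separate `r_file_perms` rule on the old type, which suggests read may be all the daemon needs. If so, take `root_block_device` out of the rw set and add `allow rmt_storage root_block_device:blk_file r_file_perms;`, leaving writes confined to `modem_efs_partition_device` and `ssd_device`. `root_block_device` is not declared in this diff and presumably comes from the base policy, so it is also worth checking that the rule does not collide with a neverallow there.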
@@ -31,4 +31,3 @@
 
 allow rmt_storage self:socket create_socket_perms;
 allow rmt_storage uio_device:chr_file rw_file_perms;
-allow rmt_storage mmc_block_device:blk_file r_file_perms;
\ No newline at end of file
diff --git a/common/subsystem_ramdump.te b/common/subsystem_ramdump.te
index 6113b0a..3678eb9 100755
--- a/common/subsystem_ramdump.te
+++ b/common/subsystem_ramdump.te
@@ -5,4 +5,7 @@
 userdebug_or_eng(`
   allow subsystem_ramdump ramdump_device:chr_file r_file_perms;
   allow subsystem_ramdump sysfs:file w_file_perms;
+  allow subsystem_ramdump device:dir r_dir_perms;
+  allow subsystem_ramdump ssr_ramdump_data_file:file create_file_perms;
+  allow subsystem_ramdump ssr_ramdump_data_file:dir rw_dir_perms;
 ')
diff --git a/common/surfaceflinger.te b/common/surfaceflinger.te
index bbbbef0..556f5eb 100644
--- a/common/surfaceflinger.te
+++ b/common/surfaceflinger.te
@@ -29,3 +29,5 @@
 
 # Allows access to dpps daemon in calibration mode
 unix_socket_connect(surfaceflinger, pps, mm-pp-daemon)
+
+r_dir_file(surfaceflinger, firmware_file)
diff --git a/common/system_app.te b/common/system_app.te
index ae8ec8e..86ca2be 100644
--- a/common/system_app.te
+++ b/common/system_app.te
@@ -97,3 +97,6 @@
 allow system_app self:netlink_kobject_uevent_socket { read bind setopt create };
 #allow access to ipa
 allow system_app ipa_dev:chr_file rw_file_perms;
+
+# allow access to system_app for audio pp files
+r_dir_file(system_app, audio_pp_data_file);
diff --git a/common/system_server.te b/common/system_server.te
index b2832fd..6627409 100644
--- a/common/system_server.te
+++ b/common/system_server.te
@@ -54,7 +54,7 @@
 type_transition system_server location_data_file:sock_file location_socket "alarm_svc";
 allow system_server location:unix_stream_socket connectto;
 allow system_server location_data_file:{ file fifo_file } create_file_perms;
-allow system_server location_data_file:dir rw_dir_perms;
+allow system_server location_data_file:dir create_dir_perms;
 allow system_server { dpmd_app_data_file location_app_data_file } :file rw_file_perms;
 allow system_server { dpmd_app_data_file location_app_data_file } :dir r_dir_perms;
 allow system_server location_socket:sock_file create_file_perms;
diff --git a/msm8226/file_contexts b/msm8226/file_contexts
index af71c04..ae2c3a7 100644
--- a/msm8226/file_contexts
+++ b/msm8226/file_contexts
@@ -34,5 +34,5 @@
 /dev/block/platform/msm_sdcc\.1/by-name/ssd                   u:object_r:ssd_device:s0
 /dev/block/platform/msm_sdcc\.1/by-name/misc                  u:object_r:misc_partition:s0
 /dev/block/platform/msm_sdcc\.1/by-name/userdata              u:object_r:userdata_block_device:s0
-/dev/block/mmcblk0                                            u:object_r:mmc_block_device:s0
+/dev/block/mmcblk0                                            u:object_r:root_block_device:s0
 /dev/block/mmcblk0rpmb                                        u:object_r:rpmb_device:s0
diff --git a/msm8909/file_contexts b/msm8909/file_contexts
index c367ac8..071b83d 100644
--- a/msm8909/file_contexts
+++ b/msm8909/file_contexts
@@ -34,5 +34,5 @@
 /dev/block/platform/soc.0/7824900.sdhci/by-name/ssd                   u:object_r:ssd_device:s0
 /dev/block/platform/soc.0/7824900.sdhci/by-name/misc                  u:object_r:misc_partition:s0
 /dev/block/platform/soc.0/7824900.sdhci/by-name/userdata              u:object_r:userdata_block_device:s0
-/dev/block/mmcblk0                                                    u:object_r:mmc_block_device:s0
+/dev/block/mmcblk0                                                    u:object_r:root_block_device:s0
 /dev/block/mmcblk0rpmb                                                u:object_r:rpmb_device:s0
diff --git a/msm8916/file_contexts b/msm8916/file_contexts
index a15a0eb..54b6ca7 100644
--- a/msm8916/file_contexts
+++ b/msm8916/file_contexts
@@ -35,5 +35,5 @@
 /dev/block/platform/soc.0/7824900.sdhci/by-name/ssd                   u:object_r:ssd_device:s0
 /dev/block/platform/soc.0/7824900.sdhci/by-name/misc                  u:object_r:misc_partition:s0
 /dev/block/platform/soc.0/7824900.sdhci/by-name/userdata              u:object_r:userdata_block_device:s0
-/dev/block/mmcblk0                                                     u:object_r:mmc_block_device:s0
-/dev/block/mmcblk0rpmb                                                 u:object_r:rpmb_device:s0
+/dev/block/mmcblk0                                                    u:object_r:root_block_device:s0
+/dev/block/mmcblk0rpmb                                                u:object_r:rpmb_device:s0
diff --git a/msm8952/file_contexts b/msm8952/file_contexts
index 45abb70..85ae278 100644
--- a/msm8952/file_contexts
+++ b/msm8952/file_contexts
@@ -37,5 +37,5 @@
 /dev/block/platform/soc.0/7824900.sdhci/by-name/userdata              u:object_r:userdata_block_device:s0
 /dev/block/platform/soc.0/7824900.sdhci/by-name/dip                   u:object_r:dip_device:s0
 /dev/block/platform/soc.0/7824900.sdhci/by-name/mdtp                  u:object_r:mdtp_device:s0
-/dev/block/mmcblk0                                                    u:object_r:mmc_block_device:s0
+/dev/block/mmcblk0                                                    u:object_r:root_block_device:s0
 /dev/block/mmcblk0rpmb                                                u:object_r:rpmb_device:s0
diff --git a/msm8974/file_contexts b/msm8974/file_contexts
index bb71b7a..7fbc703 100644
--- a/msm8974/file_contexts
+++ b/msm8974/file_contexts
@@ -34,5 +34,5 @@
 /dev/block/platform/msm_sdcc\.1/by-name/ssd                   u:object_r:ssd_device:s0
 /dev/block/platform/msm_sdcc\.1/by-name/misc                  u:object_r:misc_partition:s0
 /dev/block/platform/msm_sdcc\.1/by-name/userdata              u:object_r:userdata_block_device:s0
-/dev/block/mmcblk0                                            u:object_r:mmc_block_device:s0
+/dev/block/mmcblk0                                            u:object_r:root_block_device:s0
 /dev/block/mmcblk0rpmb                                        u:object_r:rpmb_device:s0
diff --git a/msm8992/file_contexts b/msm8992/file_contexts
index 31431fb..4f77e79 100644
--- a/msm8992/file_contexts
+++ b/msm8992/file_contexts
@@ -39,4 +39,4 @@
 /dev/block/platform/soc.0/f9824900.sdhci/by-name/cache                              u:object_r:cache_block_device:s0
 /dev/block/platform/soc.0/f9824900.sdhci/by-name/frp                                u:object_r:frp_block_device:s0
 /dev/block/mmcblk0rpmb                                                              u:object_r:rpmb_device:s0
-/dev/block/mmcblk0                                                                  u:object_r:mmc_block_device:s0
+/dev/block/mmcblk0                                                                  u:object_r:root_block_device:s0
diff --git a/msm8994/file_contexts b/msm8994/file_contexts
index 9679c17..99a7620 100644
--- a/msm8994/file_contexts
+++ b/msm8994/file_contexts
@@ -29,7 +29,7 @@
 
 # common
 /dev/block/mmcblk0rpmb                                                              u:object_r:rpmb_device:s0
-/dev/block/mmcblk0                                                                  u:object_r:mmc_block_device:s0
+/dev/block/mmcblk0                                                                  u:object_r:root_block_device:s0
 
 # UFS devices
 /dev/block/platform/soc.0/fc594000.ufshc/by-name/fsc                                u:object_r:modem_efs_partition_device:s0
diff --git a/msm8996/file_contexts b/msm8996/file_contexts
index 17a16a7..dc41368 100644
--- a/msm8996/file_contexts
+++ b/msm8996/file_contexts
@@ -29,7 +29,7 @@
 
 # common
 /dev/block/mmcblk0rpmb                                                          u:object_r:rpmb_device:s0
-/dev/block/mmcblk0                                                              u:object_r:mmc_block_device:s0
+/dev/block/mmcblk0                                                              u:object_r:root_block_device:s0
 
 # UFS devices
 /dev/block/platform/soc/624000.ufshc/by-name/fsc                                u:object_r:modem_efs_partition_device:s0