sepolicy: add contexts for the audio devices
Added contexts for the various audio device nodes so that they can be used from other domains. We have also added a context for audiod. Change-Id: Ibaa2beb2fc5ff4cc16481d8764b1d8c0bcfce16c
		@@ -4,6 +4,7 @@ BOARD_SEPOLICY_DIRS := \
       device/qcom/sepolicy/test
BOARD_SEPOLICY_UNION := \
       genfs_contexts \
       file_contexts \
       device.te \
       vold.te \
@@ -28,4 +29,8 @@ BOARD_SEPOLICY_UNION := \
       netd.te \
       rild.te \
       diag.te \
       diag_test.te
       diag_test.te \
       audiod.te \
       sensors.te \
       sensors_test.te \
       system_app.te
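--- a/audiod.te
+++ b/audiod.te
@@ -0,0 +1,8 @@
+# audio deamon
+type audiod, domain;
+type audiod_exec, exec_type, file_type;
+init_daemon_domain(audiod)
+allow audiod proc_audiod:file r_file_perms;
+allow audiod audio_device:chr_file rw_file_perms;
+binder_use(audiod)
+binder_call(audiod, mediaserver)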
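Review bot: The header comment on the first line misspells the daemon and says nothing about what audiod does or why a brand-new domain needs read/write on every audio_device node plus a binder path to mediaserver; as the only documentation of the domain it should carry that. Suggest replacing `# audio deamon` with `# audiod: audio daemon. Reads the sound card state exported under /proc (proc_audiod), opens the msm_* audio nodes (audio_device) and calls into mediaserver over binder.`, adjusting the wording to what the daemon actually does. Note that rw_file_perms on audio_device reaches every node file_contexts gives that label, including msm_acdb and msm_rtac, so if audiod only needs a subset, a narrower type would keep the grant tight. The domain is not marked permissive, which is the right default for a new daemon.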
								file.te
							@@ -24,3 +24,12 @@ type sysrq_trigger_proc, fs_type, mlstrustedobject;
type persist_file, file_type;
type diag_data_file, file_type;
#file type for restricting proc read by audiod
type proc_audiod, fs_type;
# Sensor file types
type sensors_system_file, file_type;
type sensors_socket, file_type;
type sensors_data_file, file_type, data_file_type;
type sensors_persist_file, file_type;
@@ -50,8 +50,49 @@
/persist(/.*)?                    u:object_r:persist_file:s0
/dev/subsys_esoc0  u:object_r:subsys_esoc0_device:s0
#Context for cnd
/dev/socket/cnd     u:object_r:cnd_socket:s0
/system/bin/cnd     u:object_r:cnd_exec:s0
/dev/socket/nims    u:object_r:cnd_socket:s0
/data/connectivity(/.*)? u:object_r:cnd_data_file:s0
#context for audio devices
/dev/msm_aac                    u:object_r:audio_device:s0
/dev/msm_acdb                   u:object_r:audio_device:s0
/dev/msm_aac_in                 u:object_r:audio_device:s0
/dev/msm_amrnb                  u:object_r:audio_device:s0
/dev/msm_amrnb_in               u:object_r:audio_device:s0
/dev/msm_amrwb                  u:object_r:audio_device:s0
/dev/msm_amrwb_in               u:object_r:audio_device:s0
/dev/msm_amrwbplus              u:object_r:audio_device:s0
/dev/msm_evrc                   u:object_r:audio_device:s0
/dev/msm_evrc_in                u:object_r:audio_device:s0
/dev/msm_mp3                    u:object_r:audio_device:s0
/dev/msm_multi_aac              u:object_r:audio_device:s0
/dev/msm_qcelp                  u:object_r:audio_device:s0
/dev/msm_qcelp_in               u:object_r:audio_device:s0
/dev/msm_rtac                   u:object_r:audio_device:s0
/dev/msm_wma                    u:object_r:audio_device:s0
/dev/msm_wmapro                 u:object_r:audio_device:s0
/system/bin/audiod              u:object_r:audiod_exec:s0
# Context for sensor objects
# Sensor devices
/dev/sensors                           u:object_r:sensors_device:s0
/dev/msm_dsps                          u:object_r:sensors_device:s0
# Sensor socket
/dev/socket/sensor_ctl_socket          u:object_r:sensors_socket:s0
# Sensor system files
/system/bin/sensors.qcom               u:object_r:sensors_exec:s0
/system/bin/sns.*                      u:object_r:sensors_test_exec:s0
/system/etc/sensors(/.*)?              u:object_r:sensors_system_file:s0
/system/etc/sensor_def_qcomdev.conf    u:object_r:sensors_system_file:s0
# Sensor data files
/data/misc/sensors(/.*)?               u:object_r:sensors_data_file:s0
# Sensor persist files
/persist/sensors(/.*)?                 u:object_r:sensors_persist_file:s0
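Review bot: The pattern `/system/bin/sns.*` labels every current and future binary whose name starts with `sns` as sensors_test_exec, and on userdebug/eng builds that label carries an automatic transition from shell, su and adbd into the sensors_test domain (test/sensors_test.te), so anything later installed under that prefix silently inherits those rules; list the actual test binaries one entry each instead of an open-ended glob. Separately, /dev/msm_acdb and /dev/msm_rtac get the same audio_device label as the codec nodes, so every domain that already holds audio_device:chr_file access reaches them too; their names suggest calibration and tuning interfaces rather than plain decoders (confirm), in which case a dedicated type that only audiod is granted would avoid widening the other audio clients. A one-line comment above the msm_* block naming the driver family these nodes belong to would also help.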
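--- a/genfs_contexts
+++ b/genfs_contexts
@@ -0,0 +1 @@
+genfscon proc /asound/card0/state u:object_r:proc_audiod:s0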
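--- a/sensors.te
+++ b/sensors.te
@@ -0,0 +1,37 @@
+# Policy for sensor daemon
+type sensors, domain;
+type sensors_exec, exec_type, file_type;
+
+init_daemon_domain(sensors)
+
+type_transition sensors apk_data_file:sock_file sensors_socket;
+type_transition sensors persist_file:{ dir file } sensors_persist_file;
+type_transition sensors socket_device:{ dir sock_file } sensors_socket;
+type_transition sensors system_data_file:{ dir file } sensors_data_file;
+
+userdebug_or_eng(`
+domain_auto_trans(shell, sensors_exec, sensors)
+domain_auto_trans(su, sensors_exec, sensors)
+domain_auto_trans(adbd, sensors_exec, sensors)
+')
+
+#============= sensors ==============
+allow sensors apk_data_file:dir { write add_name remove_name };
+allow sensors cgroup:dir { create add_name };
+allow sensors diag_device:chr_file { read write ioctl open };
+allow sensors persist_file:dir { search getattr };
+allow sensors self:capability { setuid chown setgid dac_override };
+allow sensors self:capability2 block_suspend;
+allow sensors self:socket { read bind create write ioctl };
+allow sensors sensors_data_file:dir { write getattr setattr read create open add_name };
+allow sensors sensors_data_file:file { write getattr setattr read create open append };
+allow sensors sensors_device:chr_file { read ioctl open };
+allow sensors sensors_persist_file:dir search;
+allow sensors sensors_persist_file:file { read open };
+allow sensors sensors_socket:sock_file { write create getattr setattr unlink };
+allow sensors sensors_system_file:dir { read search open };
+allow sensors sensors_system_file:file { read getattr open };
+allow sensors smd_device:chr_file { read open append };
+allow sensors smem_log_device:chr_file { read write ioctl open };
+allow sensors socket_device:dir { write add_name };
+allow sensors sysfs_wake_lock:file { open append };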
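Review bot: `allow sensors self:capability { setuid chown setgid dac_override };` hands the sensor daemon dac_override, which bypasses ownership and mode checks on every file its type-enforcement rules already reach; the usual fix is to have init create /data/misc/sensors and /persist/sensors with the daemon's uid and gid and drop dac_override (keep setuid/setgid only if the daemon drops privileges itself, and say so in a comment). The daemon is also allowed write, add_name and remove_name on apk_data_file directories with a matching type_transition for sock_file, which lets it create and delete entries in installed-APK storage (apk_data_file labels /data/app in AOSP, confirm for this tree); since the control socket already lives in /dev/socket (socket_device rules, sensor_ctl_socket), that rule and transition look unnecessary and should go unless there is a concrete reason. The diag_device, smd_device and smem_log_device grants are unexplained; a one-line comment per rule stating what each device is used for would let the next reviewer judge whether read/write/ioctl on diag is really needed by a sensor daemon.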
@@ -1,6 +1,10 @@
#============= system_server ==============
# allow system_server to communicate with cnd process over cnd_socket
unix_socket_connect(system_server, cnd, cnd)
# allow  system/framework applications to update the cnd configuration files
allow system_server cnd_data_file:dir { read open write getattr add_name };
allow system_server cnd_data_file:file { create write getattr setattr read lock open };
# allow system_server to communicate with sensors daemon over sensors_socket
allow system_server sensors:unix_stream_socket connectto;
allow system_server sensors_socket:sock_file write;
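Review bot: The two new sensors rules open-code what the unix_socket_connect macro used for cnd a few lines above expands to; for consistency replace `allow system_server sensors:unix_stream_socket connectto;` and `allow system_server sensors_socket:sock_file write;` with `unix_socket_connect(system_server, sensors, sensors)`. The macro expands to exactly those two rules, so the change is cosmetic but keeps the file to one style. The hunk starts at line 1 of the file, so nothing above it is cut off.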
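--- a/test/sensors_test.te
+++ b/test/sensors_test.te
@@ -0,0 +1,17 @@
+# Policy for sensor test binaries
+type sensors_test_exec, exec_type, file_type;
+
+userdebug_or_eng(`
+  type sensors_test, domain;
+
+  domain_auto_trans(shell, sensors_test_exec, sensors_test)
+  domain_auto_trans(su, sensors_test_exec, sensors_test)
+  domain_auto_trans(adbd, sensors_test_exec, sensors_test)
+
+  allow sensors_test devpts:chr_file { open read write ioctl getattr };
+  allow sensors_test sensors:unix_stream_socket connectto;
+  allow sensors_test sensors_device:chr_file { getattr read };
+  allow sensors_test sensors_socket:sock_file { read write };
+  allow sensors_test smd_device:chr_file { read write open };
+  allow sensors_test socket_device:dir read;
+')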
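Review bot: `sensors_test_exec` is declared outside the userdebug_or_eng block while the sensors_test domain and all of its rules are inside it, so on user builds the label exists (file_contexts assigns it) but nothing ever runs in that domain; this split is presumably deliberate so that file_contexts resolves on every build, and it deserves a comment, e.g. `# exec type is declared unconditionally so file_contexts resolves on user builds; the domain itself only exists on userdebug/eng`. The test domain is also given read, write and open on smd_device, which appears to be the shared-memory channel to the modem subsystem (confirm); if the test binaries only need to exercise the sensor daemon through its socket and sensors_device, that rule can be dropped. Using `unix_socket_connect(sensors_test, sensors, sensors)` for the connectto/sock_file pair would match the macro style used elsewhere in this policy.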
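--- a/test/system_app.te
+++ b/test/system_app.te
@@ -0,0 +1,8 @@
+#============= system_app ==============
+userdebug_or_eng(`
+  # Rules for QSensors Test Application
+  allow system_app sensors:unix_stream_socket connectto;
+  allow system_app sensors_device:chr_file getattr;
+  allow system_app sensors_socket:sock_file write;
+  allow system_app socket_device:dir read;
+')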
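Review bot: The connectto plus sock_file write pair is the open-coded form of `unix_socket_connect(system_app, sensors, sensors)`; using the macro, as the cnd rule in system_server.te does, keeps the policy to one style. The comment `# Rules for QSensors Test Application` should also name the package or binary involved and state that these rules are debug-only, so it is clear why a production domain such as system_app is being widened at all. The file lives under test/ but alters system_app, which is a core domain; a note saying it is only unioned for debug builds would help anyone auditing what system_app can reach.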