sepolicy: add rule for dpm

add rule for DPM data file for db file and removed duplicate rules Change-Id: Ieed4f0b1cf19df06c04528245a0c6b799518542a
2014-11-03 13:33:33 -08:00
parent 722b2d01aa
commit 7dbb59b937
8 changed files with 28 additions and 37 deletions
--- a/common/app.te
+++ b/common/app.te
@@ -1,6 +1,9 @@
 # allow application to access cnd domain and socket
 unix_socket_connect(appdomain, cnd, cnd)

+# allow application to access dpmd domain and socket
+unix_socket_connect(appdomain, dpmwrapper, dpmd)
+
 unix_socket_connect(appdomain, qlogd, qlogd)
 #Allow all apps to open and send ioctl to qdsp device
 allow appdomain qdsp_device:chr_file r_file_perms;
--- a/common/dpmd.te
+++ b/common/dpmd.te
@@ -1,44 +1,38 @@
 #dpmd as domain
 type dpmd, domain;
 type dpmd_exec, exec_type, file_type;
-
-#file_type_auto_trans(dpmd, socket_device, dpmd_socket);
+file_type_auto_trans(dpmd, socket_device, dpmwrapper_socket);
 init_daemon_domain(dpmd)
-type_transition dpmd system_data_file:{ file } dpmd_data_file;
-
+net_domain(dpmd)
 allow dpmd dpmd_exec:file execute_no_trans;

-#allow dpmd to access diag service
-userdebug_or_eng(`
-  allow dpmd diag_device:chr_file { read write ioctl open };
-')
-allow dpmd dpmd_data_file:file { read lock getattr open setattr execute };
+#allow dpmd to access dpm_data_file
+allow dpmd dpmd_data_file:file create_file_perms;
+allow dpmd dpmd_data_file:dir create_dir_perms;

 #allow dpmd to access qmux radio socket
 qmux_socket(dpmd);

 #self capability
-allow dpmd self:capability net_raw;
-allow dpmd self:capability { chown fsetid dac_override };
-allow dpmd self:netlink_route_socket { create read write bind create nlmsg_read };
-allow dpmd sysfs_wake_lock:file { open append };
-allow dpmd self:capability net_admin;
-allow dpmd self:rawip_socket { getopt create setopt };
+allow dpmd sysfs_wake_lock:file rw_file_perms;
 allow dpmd self:socket rw_socket_perms;
 allow dpmd self:netlink_socket rw_socket_perms;
+allow dpmd self:capability { setuid setgid dac_override net_raw chown fsetid net_admin sys_module };

-#socket
-allow dpmd self:udp_socket { ioctl create getopt };
-allow dpmd smem_log_device:chr_file { read write ioctl open };
-allow dpmd init:unix_stream_socket connectto;
-
-#llow dpmd to set system property
-allow dpmd property_socket:sock_file write;
+#socket, self
+allow dpmd smem_log_device:chr_file rw_file_perms;
+unix_socket_connect(dpmd, property, init)
 allow dpmd self:capability2 block_suspend;
 allow dpmd system_prop:property_service set;
+allow dpmd ctl_default_prop:property_service set;

+#misc.
 allow dpmd shell_exec:file { read execute open execute_no_trans };
 allow dpmd system_file:file execute_no_trans;

 #kernel
 allow dpmd kernel:system module_request;
+
+#appdomain
+allow dpmd appdomain:fd use;
+allow dpmd appdomain:tcp_socket { read write getopt };
--- a/common/file.te
+++ b/common/file.te
@@ -13,7 +13,8 @@ type cnd_data_file, file_type;

 # Define dpmd data file type
 type dpmd_socket, file_type;
-type dpmd_data_file, data_file_type;
+type dpmwrapper_socket, file_type;
+type dpmd_data_file, file_type, data_file_type;

 #Define the timeout for platform specific transports
 type sysfs_hsic_modem_wait, sysfs_type, fs_type;
--- a/common/file_contexts
+++ b/common/file_contexts
@@ -73,6 +73,7 @@
 /dev/socket/qlogd                               u:object_r:qlogd_socket:s0
 /dev/socket/ipacm_log_file                      u:object_r:ipacm_socket:s0
 /dev/socket/dpmd                                u:object_r:dpmd_socket:s0
+/dev/socket/dpmwrapper                          u:object_r:dpmwrapper_socket:s0
 /dev/socket/pps                                 u:object_r:pps_socket:s0
 /dev/socket/rild2                               u:object_r:rild_socket:s0
 /dev/socket/rild2-debug                         u:object_r:rild_debug_socket:s0
--- a/common/init.te
+++ b/common/init.te
@@ -1,8 +1,4 @@
 # Adding allow rule for search on /fuse
 allow init fuse:dir search;
-
-#allow dpmd to read, write on data file
-allow init dpmd_data_file:dir { read open setattr };
-
 allow init self:capability sys_module;
 allow init fuse:dir mounton;
--- a/common/radio.te
+++ b/common/radio.te
@@ -5,3 +5,6 @@ allow radio ims_socket:sock_file write;
 #Need permission to execute com.qualcomm.qti.telephony/app_dex/xx
 allow radio radio_data_file:file execute;
 allow radio shell_data_file:dir search;
+
+#Need permission to execute dpmd talk to radio layer
+unix_socket_connect(radio, dpmd, dpmd)
--- a/common/system_server.te
+++ b/common/system_server.te
@@ -18,15 +18,13 @@ unix_socket_send(system_server, mpctl, mpdecision)
 unix_socket_connect(system_server, mpctl, mpdecision)

 # allow  system/framework applications to update the dpmd configuration files
-#allow system_server dpmd:unix_stream_socket connectto;
 unix_socket_connect(system_server, dpmd, dpmd);
 allow system_server dpmd_socket:sock_file write;
-#allow system_server dpmd_data_file:dir { write read getattr open add_name };
-allow system_server dpmd_data_file:dir rw_dir_perms;
-#allow system_server dpmd_data_file:file { write getattr setattr read lock create open };
-allow system_server dpmd_data_file:file rw_file_perms;
+allow system_server dpmd_data_file:dir create_dir_perms;
 allow system_server dpmservice:service_manager add;
+allow system_server dpmd_data_file:file create_file_perms;
 allow system_server socket_device:sock_file write;
+
 unix_socket_send(system_server, mpctl, perfd)
 unix_socket_connect(system_server, mpctl, perfd)

--- a/common/untrusted_app.te
+++ b/common/untrusted_app.te
@@ -1,8 +1,3 @@
-allow dpmd untrusted_app:fd use;
-allow dpmd untrusted_app:tcp_socket { read write };
-allow untrusted_app dpmd:unix_stream_socket connectto;
-allow untrusted_app dpmd_socket:sock_file write;
-
 # access to perflock
 allow untrusted_app mpctl_socket:dir r_dir_perms;
 unix_socket_send(untrusted_app, mpctl, perfd)