Merge "sepolicy : add bootkpi secontext and allow rule to access"
diff --git a/common/device.te b/common/device.te
index 97df8a7..4778a3b 100644
--- a/common/device.te
+++ b/common/device.te
@@ -8,6 +8,9 @@
#Define the mhi device
type mhi_device, dev_type;
+#Define the bhi device
+type bhi_device, dev_type;
+
#device type for smd device nodes, ie /dev/smd*
type smd_device, dev_type;
diff --git a/common/dpmservice_app.te b/common/dpmservice_app.te
index 6dc8748..47f23bc 100644
--- a/common/dpmservice_app.te
+++ b/common/dpmservice_app.te
@@ -42,3 +42,9 @@
#allow dpmservice to search mediaserver and radio service.
allow dpmservice_app mediaserver_service:service_manager find;
allow dpmservice_app radio_service:service_manager find;
+
+#don't audit /proc/<pid>/stat denials
+dontaudit dpmservice_app domain:dir r_dir_perms;
+
+#allow dpmservice to get running time for apps
+r_dir_file(dpmservice_app, appdomain)
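Review bot: `r_dir_file(dpmservice_app, appdomain)` grants read on every directory, file and symlink labelled with an appdomain type, which is wider than the stated purpose of reading app running time. Policy cannot narrow this to a single /proc file by path, so the comment should state that the whole /proc entry of each app becomes readable, e.g. `#allow dpmservice to read /proc/<pid>/ entries of all apps (needed for running time)`. The `dontaudit dpmservice_app domain:dir r_dir_perms;` above it covers the directories of every domain, not only apps, so later denials of that kind will not reach the audit log. Its comment should say what walks /proc and why silencing is preferred over a narrower rule.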
diff --git a/common/file_contexts b/common/file_contexts
index 0910189..218988a 100644
--- a/common/file_contexts
+++ b/common/file_contexts
@@ -7,6 +7,7 @@
/dev/hsicctl.* u:object_r:hsic_device:s0
/dev/kgsl-3d0 u:object_r:gpu_device:s0
/dev/mhi_pipe_.* u:object_r:mhi_device:s0
+/dev/bhi u:object_r:bhi_device:s0
/dev/msm_.* u:object_r:audio_device:s0
/dev/usf1 u:object_r:usf_device:s0
/dev/msm_dsps u:object_r:sensors_device:s0
diff --git a/common/location.te b/common/location.te
index 805130c..77f3188 100644
--- a/common/location.te
+++ b/common/location.te
@@ -49,3 +49,6 @@
#Allow access to netmgrd socket
netmgr_socket(location);
+
+#Allow access to properties
+set_prop(location, location_prop);
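Review bot: The comment `#Allow access to properties` names neither the properties nor the kind of access, although `set_prop` grants write (set) access on `location_prop`. Per common/property_contexts in this same commit, that type covers the `location.` and `qc.izat.` prefixes. A comment such as `#Allow location to set location. and qc.izat. properties` would make the scope of the grant visible at the rule.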
diff --git a/common/mdm_helper.te b/common/mdm_helper.te
index 61c9a22..d0c4b20 100755
--- a/common/mdm_helper.te
+++ b/common/mdm_helper.te
@@ -48,3 +48,7 @@
#Needed in order to collect ramdumps
allow mdm_helper tombstone_data_file:dir create_dir_perms;
allow mdm_helper tombstone_data_file:file create_file_perms;
+
+#Needed to allow boot over PCIe
+allow mdm_helper bhi_device:chr_file rw_file_perms;
+allow mdm_helper mhi_device:chr_file rw_file_perms;
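Review bot: The `mhi_device` rule gives mdm_helper read/write on every node carrying that type, and common/file_contexts labels all of `/dev/mhi_pipe_.*` as `mhi_device`, so the grant covers every MHI pipe rather than one boot channel. If boot over PCIe needs only specific pipes, a dedicated type for those nodes would keep the grant narrow. Otherwise the comment should state the real scope, e.g. `#Needed to allow boot over PCIe (rw on /dev/bhi and on all /dev/mhi_pipe_* nodes)`.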
diff --git a/common/mm-pp-daemon.te b/common/mm-pp-daemon.te
index 11bb6ad..a9e81e7 100644
--- a/common/mm-pp-daemon.te
+++ b/common/mm-pp-daemon.te
@@ -43,6 +43,9 @@
allow mm-pp-daemon { shell_exec zygote_exec }:file rx_file_perms;
allow mm-pp-daemon system_file:file x_file_perms;
allow mm-pp-daemon self:process ptrace;
+
+ # This allows pp-daemon to set debug property
+ allow mm-pp-daemon debug_prop:property_service set;
')
# Allow mm-pp-daemon to change the brightness of the target during display
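Review bot: The added `allow mm-pp-daemon debug_prop:property_service set;` grants only the set permission; no rule letting mm-pp-daemon connect to init's property socket is visible in this hunk, though it may exist elsewhere in the file. location.te in this commit uses the macro form, and `set_prop(mm-pp-daemon, debug_prop)` (which in AOSP's te_macros expands to the socket connect plus the set rule) would be consistent with it. The enclosing conditional block opens outside the hunk, so it cannot be confirmed from here that the rule is limited to debug builds. The `camera_prop` rule added in mm-qcamerad.te uses the same raw-allow form.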
diff --git a/common/mm-qcamerad.te b/common/mm-qcamerad.te
index f260e12..aa40066 100644
--- a/common/mm-qcamerad.te
+++ b/common/mm-qcamerad.te
@@ -14,6 +14,10 @@
allow mm-qcamerad port:tcp_socket name_bind;
allow mm-qcamerad self:tcp_socket { accept listen };
allow mm-qcamerad camera_data_file:file create_file_perms;
+
+ # mm-qcamerad needs to set persist.camera. property
+ allow mm-qcamerad camera_prop:property_service set;
+
')
#Communicate with user land process through domain socket
@@ -51,3 +55,4 @@
#Allow access to /dev/graphics/fb* for screen capture
allow mm-qcamerad graphics_device:chr_file rw_file_perms;
+unix_socket_connect(mm-qcamerad, property, init)
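Review bot: `unix_socket_connect(mm-qcamerad, property, init)` is added at top level with no comment, while the matching `allow mm-qcamerad camera_prop:property_service set;` in the previous hunk sits inside a conditional block that closes with `')`. That block opens outside the hunk and is presumably userdebug_or_eng. On builds where it is compiled out, the daemon keeps the property-socket connection but, as far as this diff shows, has no property it may set. If persist.camera. must be settable on all builds the set rule is in the wrong place; if not, the connect rule belongs inside the block. Either way the line should carry a comment such as `#Allow mm-qcamerad to reach the property service to set camera_prop`.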
diff --git a/common/property_contexts b/common/property_contexts
index 490154e..33d5d44 100644
--- a/common/property_contexts
+++ b/common/property_contexts
@@ -32,6 +32,7 @@
qualcomm.perf.cores_online u:object_r:mpdecision_prop:s0
netd.fstman. u:object_r:netd_prop:s0
location. u:object_r:location_prop:s0
+qc.izat. u:object_r:location_prop:s0
persist.rmnet.mux u:object_r:rmnet_mux_prop:s0
qemu.hw.mainkeys u:object_r:qemu_hw_mainkeys_prop:s0
dbg.coresight.cfg_file u:object_r:coresight_prop:s0
diff --git a/common/wfdservice.te b/common/wfdservice.te
index 35e4791..c4fd8ce 100644
--- a/common/wfdservice.te
+++ b/common/wfdservice.te
@@ -55,9 +55,12 @@
#Allow PROT_EXEC for 3rd party library loaded by wfdservice
allow wfdservice self:process execmem;
-#Allow access to read mmosal_logmask file in /data partition
userdebug_or_eng(`
+#Allow access to read mmosal_logmask file in /data partition
allow wfdservice system_data_file:file r_file_perms;
+#Allow access to dump encoder/decoder dumps in /data/misc/media
+ allow wfdservice media_data_file:dir w_dir_perms;
+ allow wfdservice media_data_file:file create_file_perms;
')
#Allow access to firmware files for HDCP session
diff --git a/msm8916/init_shell.te b/msm8916/init_shell.te
new file mode 100644
index 0000000..0d962af
--- /dev/null
+++ b/msm8916/init_shell.te
@@ -0,0 +1,32 @@
+# Copyright (c) 2015, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# media_codecs_eld_prop - to choose target specific media_codecs.xml
+# media_settings_xml_prop - to choose target specific media_profiles.xml
+allow qti_init_shell {
+ media_msm8939hw_prop
+}:property_service set;
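Review bot: The two comment lines describe `media_codecs_eld_prop` and `media_settings_xml_prop`, but the rule grants set on `media_msm8939hw_prop` only, so the comment documents types that are not in the rule. Replace them with a line for the type actually granted, e.g. `# media_msm8939hw_prop - media.msm8939hw, set by init.qcom.sh`. That wording should be confirmed by the author; msm8916/property.te ties the type to that script. The braces around a single type can also be dropped: `allow qti_init_shell media_msm8939hw_prop:property_service set;`.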
diff --git a/msm8916/property.te b/msm8916/property.te
new file mode 100644
index 0000000..78560cd
--- /dev/null
+++ b/msm8916/property.te
@@ -0,0 +1,30 @@
+# Copyright (c) 2015, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+#properites for init.qcom.sh script
+type media_msm8939hw_prop, property_type;
+
diff --git a/msm8916/property_contexts b/msm8916/property_contexts
new file mode 100644
index 0000000..bbdf9d6
--- /dev/null
+++ b/msm8916/property_contexts
@@ -0,0 +1,28 @@
+# Copyright (c) 2015, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+media.msm8939hw u:object_r:media_msm8939hw_prop:s0
diff --git a/msm8937/file_contexts b/msm8937/file_contexts
new file mode 100644
index 0000000..13ddaee
--- /dev/null
+++ b/msm8937/file_contexts
@@ -0,0 +1,45 @@
+# Copyright (c) 2015, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+###################################
+# Primary storage device nodes
+#
+/dev/block/mmcblk0 u:object_r:root_block_device:s0
+/dev/block/mmcblk0rpmb u:object_r:rpmb_device:s0
+
+#Using soc instead of soc.0 for 3.18 kernel
+/dev/block/platform/soc/7824900.sdhci/by-name/fsg u:object_r:modem_efs_partition_device:s0
+/dev/block/platform/soc/7824900.sdhci/by-name/fsc u:object_r:modem_efs_partition_device:s0
+/dev/block/platform/soc/7824900.sdhci/by-name/modemst1 u:object_r:modem_efs_partition_device:s0
+/dev/block/platform/soc/7824900.sdhci/by-name/modemst2 u:object_r:modem_efs_partition_device:s0
+/dev/block/platform/soc/7824900.sdhci/by-name/ssd u:object_r:ssd_device:s0
+/dev/block/platform/soc/7824900.sdhci/by-name/misc u:object_r:misc_partition:s0
+/dev/block/platform/soc/7824900.sdhci/by-name/system u:object_r:system_block_device:s0
+/dev/block/platform/soc/7824900.sdhci/by-name/userdata u:object_r:userdata_block_device:s0
+/dev/block/platform/soc/7824900.sdhci/by-name/dip u:object_r:dip_device:s0
+/dev/block/platform/soc/7824900.sdhci/by-name/mdtp u:object_r:mdtp_device:s0
+/dev/block/platform/soc.0/7824900.sdhci/by-name/config u:object_r:frp_block_device:s0
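Review bot: The last entry uses `/dev/block/platform/soc.0/...`, while the comment above the block says `soc` replaces `soc.0` for the 3.18 kernel and every other by-name entry uses `soc/`. On a kernel that exposes the `soc/` path, the `config` partition would not match this pattern and would not receive `frp_block_device`. Rules written for the factory-reset-protection partition would then not apply to it. If this is not intentional, the line should read `/dev/block/platform/soc/7824900.sdhci/by-name/config u:object_r:frp_block_device:s0`.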
diff --git a/msm8996/file_contexts b/msm8996/file_contexts
index b902f19..162fa3b 100644
--- a/msm8996/file_contexts
+++ b/msm8996/file_contexts
@@ -48,7 +48,10 @@
/dev/block/platform/soc/624000.ufshc/by-name/recovery u:object_r:recovery_block_device:s0
/dev/block/platform/soc/624000.ufshc/by-name/cache u:object_r:cache_block_device:s0
/dev/block/platform/soc/624000.ufshc/by-name/frp u:object_r:frp_block_device:s0
-
+/dev/block/platform/soc/624000.ufshc/by-name/mdm1m9kefs1 u:object_r:efs_boot_dev:s0
+/dev/block/platform/soc/624000.ufshc/by-name/mdm1m9kefs2 u:object_r:efs_boot_dev:s0
+/dev/block/platform/soc/624000.ufshc/by-name/mdm1m9kefs3 u:object_r:efs_boot_dev:s0
+/dev/block/platform/soc/624000.ufshc/by-name/mdm1m9kefsc u:object_r:efs_boot_dev:s0
# eMMC devices
/dev/block/platform/soc/7464900.sdhci/by-name/fsc u:object_r:modem_efs_partition_device:s0
@@ -67,6 +70,10 @@
/dev/block/platform/soc/7464900.sdhci/by-name/recovery u:object_r:recovery_block_device:s0
/dev/block/platform/soc/7464900.sdhci/by-name/cache u:object_r:cache_block_device:s0
/dev/block/platform/soc/7464900.sdhci/by-name/frp u:object_r:frp_block_device:s0
+/dev/block/platform/soc/7464900.sdhci/by-name/mdm1m9kefs1 u:object_r:efs_boot_dev:s0
+/dev/block/platform/soc/7464900.sdhci/by-name/mdm1m9kefs2 u:object_r:efs_boot_dev:s0
+/dev/block/platform/soc/7464900.sdhci/by-name/mdm1m9kefs3 u:object_r:efs_boot_dev:s0
+/dev/block/platform/soc/7464900.sdhci/by-name/mdm1m9kefsc u:object_r:efs_boot_dev:s0
###################################
# System files