Merge "Add SELinux support for factory reset protection"
diff --git a/common/device.te b/common/device.te
index 97df8a7..4778a3b 100644
--- a/common/device.te
+++ b/common/device.te
@@ -8,6 +8,9 @@
#Define the mhi device
type mhi_device, dev_type;
+#Define the bhi device
+type bhi_device, dev_type;
+
#device type for smd device nodes, ie /dev/smd*
type smd_device, dev_type;
diff --git a/common/dpmservice_app.te b/common/dpmservice_app.te
index 6dc8748..47f23bc 100644
--- a/common/dpmservice_app.te
+++ b/common/dpmservice_app.te
@@ -42,3 +42,9 @@
#allow dpmservice to search mediaserver and radio service.
allow dpmservice_app mediaserver_service:service_manager find;
allow dpmservice_app radio_service:service_manager find;
+
+#don't audit /proc/<pid>/stat denials
+dontaudit dpmservice_app domain:dir r_dir_perms;
+
+#allow dpmservice to get running time for apps
+r_dir_file(dpmservice_app, appdomain)
diff --git a/common/file.te b/common/file.te
index e3f1b3a..4dfe3ff 100644
--- a/common/file.te
+++ b/common/file.te
@@ -173,3 +173,6 @@
# qtitetherservice files
type qtitetherservice_app_data_file, file_type, data_file_type;
+
+# Boot KPI Marker files
+type sys_bootkpi, sysfs_type, file_type;
diff --git a/common/file_contexts b/common/file_contexts
index 0910189..218988a 100644
--- a/common/file_contexts
+++ b/common/file_contexts
@@ -7,6 +7,7 @@
/dev/hsicctl.* u:object_r:hsic_device:s0
/dev/kgsl-3d0 u:object_r:gpu_device:s0
/dev/mhi_pipe_.* u:object_r:mhi_device:s0
+/dev/bhi u:object_r:bhi_device:s0
/dev/msm_.* u:object_r:audio_device:s0
/dev/usf1 u:object_r:usf_device:s0
/dev/msm_dsps u:object_r:sensors_device:s0
diff --git a/common/genfs_contexts b/common/genfs_contexts
index f92adbd..c3d58b5 100755
--- a/common/genfs_contexts
+++ b/common/genfs_contexts
@@ -1,2 +1,3 @@
genfscon proc /asound/card0/state u:object_r:proc_audiod:s0
genfscon proc /proc/sys/vm/dirty_ratio u:object_r:proc_dirty_ratio:s0
+genfscon sys /sys/bootkpi/marker_entry u:object_r:sys_bootkpi:s0
diff --git a/common/location.te b/common/location.te
index 805130c..aa0c8e6 100644
--- a/common/location.te
+++ b/common/location.te
@@ -13,7 +13,7 @@
binder_use(location)
binder_call(location, system_server)
-allow location location_data_file:dir rw_dir_perms;
+allow location location_data_file:dir create_dir_perms;
allow location location_data_file:{ file fifo_file } create_file_perms;
allow location location_data_file:sock_file write;
allow location location_exec:file x_file_perms;
@@ -49,3 +49,6 @@
#Allow access to netmgrd socket
netmgr_socket(location);
+
+#Allow access to properties
+set_prop(location, location_prop);
diff --git a/common/mdm_helper.te b/common/mdm_helper.te
index 61c9a22..d0c4b20 100755
--- a/common/mdm_helper.te
+++ b/common/mdm_helper.te
@@ -48,3 +48,7 @@
#Needed in order to collect ramdumps
allow mdm_helper tombstone_data_file:dir create_dir_perms;
allow mdm_helper tombstone_data_file:file create_file_perms;
+
+#Needed to allow boot over PCIe
+allow mdm_helper bhi_device:chr_file rw_file_perms;
+allow mdm_helper mhi_device:chr_file rw_file_perms;
diff --git a/common/mediaserver.te b/common/mediaserver.te
index 06980d7..2e41268 100644
--- a/common/mediaserver.te
+++ b/common/mediaserver.te
@@ -70,3 +70,4 @@
#Allow mediaserver to access service manager STAProxyService
#Allow mediaserver to access service manager wfdservice
allow mediaserver { STAProxyService wfdservice_service }:service_manager find;
+allow mediaserver surfaceflinger:unix_stream_socket rw_socket_perms;
diff --git a/common/mm-pp-daemon.te b/common/mm-pp-daemon.te
index 11bb6ad..a9e81e7 100644
--- a/common/mm-pp-daemon.te
+++ b/common/mm-pp-daemon.te
@@ -43,6 +43,9 @@
allow mm-pp-daemon { shell_exec zygote_exec }:file rx_file_perms;
allow mm-pp-daemon system_file:file x_file_perms;
allow mm-pp-daemon self:process ptrace;
+
+ # This allows pp-daemon to set debug property
+ allow mm-pp-daemon debug_prop:property_service set;
')
# Allow mm-pp-daemon to change the brightness of the target during display
diff --git a/common/mm-qcamerad.te b/common/mm-qcamerad.te
index f260e12..aa40066 100644
--- a/common/mm-qcamerad.te
+++ b/common/mm-qcamerad.te
@@ -14,6 +14,10 @@
allow mm-qcamerad port:tcp_socket name_bind;
allow mm-qcamerad self:tcp_socket { accept listen };
allow mm-qcamerad camera_data_file:file create_file_perms;
+
+ # mm-qcamerad needs to set persist.camera. property
+ allow mm-qcamerad camera_prop:property_service set;
+
')
#Communicate with user land process through domain socket
@@ -51,3 +55,4 @@
#Allow access to /dev/graphics/fb* for screen capture
allow mm-qcamerad graphics_device:chr_file rw_file_perms;
+unix_socket_connect(mm-qcamerad, property, init)
diff --git a/common/property_contexts b/common/property_contexts
index 490154e..33d5d44 100644
--- a/common/property_contexts
+++ b/common/property_contexts
@@ -32,6 +32,7 @@
qualcomm.perf.cores_online u:object_r:mpdecision_prop:s0
netd.fstman. u:object_r:netd_prop:s0
location. u:object_r:location_prop:s0
+qc.izat. u:object_r:location_prop:s0
persist.rmnet.mux u:object_r:rmnet_mux_prop:s0
qemu.hw.mainkeys u:object_r:qemu_hw_mainkeys_prop:s0
dbg.coresight.cfg_file u:object_r:coresight_prop:s0
diff --git a/common/wfdservice.te b/common/wfdservice.te
index 35e4791..c4fd8ce 100644
--- a/common/wfdservice.te
+++ b/common/wfdservice.te
@@ -55,9 +55,12 @@
#Allow PROT_EXEC for 3rd party library loaded by wfdservice
allow wfdservice self:process execmem;
-#Allow access to read mmosal_logmask file in /data partition
userdebug_or_eng(`
+#Allow access to read mmosal_logmask file in /data partition
allow wfdservice system_data_file:file r_file_perms;
+#Allow access to dump encoder/decoder dumps in /data/misc/media
+ allow wfdservice media_data_file:dir w_dir_perms;
+ allow wfdservice media_data_file:file create_file_perms;
')
#Allow access to firmware files for HDCP session
diff --git a/msm8916/init_shell.te b/msm8916/init_shell.te
new file mode 100644
index 0000000..0d962af
--- /dev/null
+++ b/msm8916/init_shell.te
@@ -0,0 +1,32 @@
+# Copyright (c) 2015, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# media_codecs_eld_prop - to choose target specific media_codecs.xml
+# media_settings_xml_prop - to choose target specific media_profiles.xml
+allow qti_init_shell {
+ media_msm8939hw_prop
+}:property_service set;
diff --git a/msm8916/property.te b/msm8916/property.te
new file mode 100644
index 0000000..78560cd
--- /dev/null
+++ b/msm8916/property.te
@@ -0,0 +1,30 @@
+# Copyright (c) 2015, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+#properites for init.qcom.sh script
+type media_msm8939hw_prop, property_type;
+
diff --git a/msm8916/property_contexts b/msm8916/property_contexts
new file mode 100644
index 0000000..bbdf9d6
--- /dev/null
+++ b/msm8916/property_contexts
@@ -0,0 +1,28 @@
+# Copyright (c) 2015, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+media.msm8939hw u:object_r:media_msm8939hw_prop:s0
diff --git a/msm8937/file_contexts b/msm8937/file_contexts
new file mode 100644
index 0000000..13ddaee
--- /dev/null
+++ b/msm8937/file_contexts
@@ -0,0 +1,45 @@
+# Copyright (c) 2015, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+###################################
+# Primary storage device nodes
+#
+/dev/block/mmcblk0 u:object_r:root_block_device:s0
+/dev/block/mmcblk0rpmb u:object_r:rpmb_device:s0
+
+#Using soc instead of soc.0 for 3.18 kernel
+/dev/block/platform/soc/7824900.sdhci/by-name/fsg u:object_r:modem_efs_partition_device:s0
+/dev/block/platform/soc/7824900.sdhci/by-name/fsc u:object_r:modem_efs_partition_device:s0
+/dev/block/platform/soc/7824900.sdhci/by-name/modemst1 u:object_r:modem_efs_partition_device:s0
+/dev/block/platform/soc/7824900.sdhci/by-name/modemst2 u:object_r:modem_efs_partition_device:s0
+/dev/block/platform/soc/7824900.sdhci/by-name/ssd u:object_r:ssd_device:s0
+/dev/block/platform/soc/7824900.sdhci/by-name/misc u:object_r:misc_partition:s0
+/dev/block/platform/soc/7824900.sdhci/by-name/system u:object_r:system_block_device:s0
+/dev/block/platform/soc/7824900.sdhci/by-name/userdata u:object_r:userdata_block_device:s0
+/dev/block/platform/soc/7824900.sdhci/by-name/dip u:object_r:dip_device:s0
+/dev/block/platform/soc/7824900.sdhci/by-name/mdtp u:object_r:mdtp_device:s0
+/dev/block/platform/soc.0/7824900.sdhci/by-name/config u:object_r:frp_block_device:s0
diff --git a/msm8960/bootkpi.te b/msm8960/bootkpi.te
new file mode 100644
index 0000000..e932e69
--- /dev/null
+++ b/msm8960/bootkpi.te
@@ -0,0 +1,36 @@
+# Copyright (c) 2015, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+#Access to the marker_entry for logging KPI's
+userdebug_or_eng(`
+ allow zygote sys_bootkpi:file rw_file_perms;
+ allow mediaserver sys_bootkpi:file rw_file_perms;
+ allow system_server sys_bootkpi:file rw_file_perms;
+ allow surfaceflinger sys_bootkpi:file rw_file_perms;
+ allow untrusted_app sys_bootkpi:file rw_file_perms;
+ allow location sys_bootkpi:file rw_file_perms;
+')
diff --git a/msm8960/file_contexts b/msm8960/file_contexts
index 877f6bb..add8b81 100755
--- a/msm8960/file_contexts
+++ b/msm8960/file_contexts
@@ -29,3 +29,4 @@
# Data files
#
/data/qcks(/.*)? u:object_r:efs_data_file:s0
+/sys/bootkpi/marker_entry u:object_r:sys_bootkpi:s0
diff --git a/msm8996/file_contexts b/msm8996/file_contexts
index b902f19..162fa3b 100644
--- a/msm8996/file_contexts
+++ b/msm8996/file_contexts
@@ -48,7 +48,10 @@
/dev/block/platform/soc/624000.ufshc/by-name/recovery u:object_r:recovery_block_device:s0
/dev/block/platform/soc/624000.ufshc/by-name/cache u:object_r:cache_block_device:s0
/dev/block/platform/soc/624000.ufshc/by-name/frp u:object_r:frp_block_device:s0
-
+/dev/block/platform/soc/624000.ufshc/by-name/mdm1m9kefs1 u:object_r:efs_boot_dev:s0
+/dev/block/platform/soc/624000.ufshc/by-name/mdm1m9kefs2 u:object_r:efs_boot_dev:s0
+/dev/block/platform/soc/624000.ufshc/by-name/mdm1m9kefs3 u:object_r:efs_boot_dev:s0
+/dev/block/platform/soc/624000.ufshc/by-name/mdm1m9kefsc u:object_r:efs_boot_dev:s0
# eMMC devices
/dev/block/platform/soc/7464900.sdhci/by-name/fsc u:object_r:modem_efs_partition_device:s0
@@ -67,6 +70,10 @@
/dev/block/platform/soc/7464900.sdhci/by-name/recovery u:object_r:recovery_block_device:s0
/dev/block/platform/soc/7464900.sdhci/by-name/cache u:object_r:cache_block_device:s0
/dev/block/platform/soc/7464900.sdhci/by-name/frp u:object_r:frp_block_device:s0
+/dev/block/platform/soc/7464900.sdhci/by-name/mdm1m9kefs1 u:object_r:efs_boot_dev:s0
+/dev/block/platform/soc/7464900.sdhci/by-name/mdm1m9kefs2 u:object_r:efs_boot_dev:s0
+/dev/block/platform/soc/7464900.sdhci/by-name/mdm1m9kefs3 u:object_r:efs_boot_dev:s0
+/dev/block/platform/soc/7464900.sdhci/by-name/mdm1m9kefsc u:object_r:efs_boot_dev:s0
###################################
# System files