qctecmdr
b35317dabc
Merge "sepolicy: allow netmgrd to access ipc logging"
2020-04-21 01:14:30 -07:00
qctecmdr
1076527176
Merge "sepolicy:dontaudit gmscore_app"
2020-04-18 04:49:12 -07:00
qctecmdr
8d092761a8
Merge "sepolicy: Add rules for SystemHelper HAL"
2020-04-18 04:49:12 -07:00
Subash Abhinov Kasiviswanathan
8ea9ea39ef
sepolicy: allow netmgrd to access ipc logging
Allows search of ipc logging directory so kernel can open
ipc logging files indirectly triggered from netmgrd.
Change-Id: I263a4b251badd9e796a8cfc73b9de17915e7ddc6
2020-04-17 15:14:34 -07:00
Mohamed Moussa
e6404386d8
sepolicy:dontaudit gmscore_app
This will silence AVC denials without allowing a permission by using dontaudit rules.
Change-Id: I222c696846a6a21452bd2ef7d3d283f9c6a85f51
2020-04-15 12:27:18 -07:00
Linux Build Service Account
c067d4eacf
Merge "sepolicy: Rename vendor soc_id and soc_name properties" into sepolicy.lnx.6.0
2020-04-15 06:03:10 -07:00
Roopesh Nataraja
b8db03db5c
sepolicy: Rename vendor soc_id and soc_name properties
Change-Id: I0f7ae97ba9480c46b7a00598312089b9b7c39f05
2020-04-13 11:10:10 -07:00
Nirmal Kumar
48f931a28f
hal_bootctl : Update sepolicy for hal_bootctl
-allow hal_bootctl_server to perform rawio
-In 'user' builds rawio is not allowed for hal_bootctl_server domain.
Change-Id: I78bedd7aba25a58aba68748b80a1ebf810990860
2020-04-13 11:05:17 -07:00
Rohit Soneta
fa67406408
sepolicy: Add rules for SystemHelper HAL
Change-Id: I98ce0f491e1c80ef6d61aff68c192914fbf25073
2020-04-13 13:35:48 +05:30
qctecmdr
c5cd53ddf0
Merge "Sepolicy: Allow bluetooth to access libsoc_helper"
2020-04-11 01:43:10 -07:00
qctecmdr
f31f365603
Merge "sepolicy: Add rules for QCV init rc and sh scripts"
2020-04-11 01:43:10 -07:00
Jack Pham
9f9a4af25e
sepolicy: Allow init (recovery) to access USB sysfs
Add genfs contexts for USB sysfs entries that control the
operational mode and assign them as vendor_sysfs_usb_device type.
Allow init context to access these paths for recovery mode.
Change-Id: Ic1f0c5e9237848ac47cebca6e2cbbe9bd25270ad
2020-04-10 17:09:19 -07:00
Roopesh Nataraja
9074980d8a
sepolicy: Add rules for QCV init rc and sh scripts
- Add rules to allow execution of init.qti.qcv.sh
- Allow init.qti.qcv.sh to set_prop vendor_soc_name_prop
- Allow init.qti.qcv.rc to read vendor_soc_name_prop
Change-Id: I4f548bf0ab424dceba1d5b72c1ec8a596a037431
2020-04-10 13:57:57 -07:00
Satish kumar sugasi
1f9ac5aeb5
Sepolicy: Allow bluetooth to access libsoc_helper
Change-Id: Ife1537ad7954a42f6892e442abf1004e57ddf914
2020-04-09 23:15:11 -07:00
qctecmdr
f511f71e18
Merge "File context for vendor_boot in Lahaina - Use existing boot_block_device label for vendor_boot_[a/b] vendor_custom_ab_block_device cpucp_[a/b] & shrm_[a/b] "
2020-04-09 14:40:36 -07:00
qctecmdr
d12209724a
Merge "hal_bootctl : Add sepolicies for hal_bootctl - Access /dev and vendor_bsg device - Allow sys_rawio for capability check in scsi"
2020-04-09 10:48:13 -07:00
Linux Build Service Account
02cbd45b80
Merge "sepolicy: Add custom domain and rules for LibsocHelperTest" into sepolicy.lnx.6.0
2020-04-09 08:25:23 -07:00
Linux Build Service Account
e2bda41177
Merge "sepolicy: Create subsys nodes for Lahaina" into sepolicy.lnx.6.0
2020-04-08 18:39:05 -07:00
Roopesh Nataraja
ced3bd1562
sepolicy: Add custom domain and rules for LibsocHelperTest
Change-Id: Ic02b251cc5ae13e63e5e9df66193d0b7bbf32516
2020-04-07 11:48:52 -07:00
Chris Lew
f1eee6b5e6
sepolicy: diag-router: Add mhi device permissions
diag-router needs mhi character dev read/write permissions to bridge
the diag connection to external socs.
Change-Id: I22028e1c9b164aba24374413e16440e8deae8c4b
2020-04-06 17:45:07 -07:00
David Ng
e91e433838
sepolicy: Create subsys nodes for Lahaina
Add subsystem handling mapping for various hw variants of the target.
Change-Id: I1bc38fd92eef09e6f81a6914d3c876e711075d2c
2020-04-06 17:33:48 -07:00
Nirmal Kumar
b2fb5ba86a
hal_bootctl : Add sepolicies for hal_bootctl
- Access /dev and vendor_bsg device
- Allow sys_rawio for capability check in scsi
Change-Id: I051a5e8fa498aa9791d8fb872ec49504ca311db2
2020-04-06 12:34:53 -07:00
vijaagra
901802b27d
sepolicy: Add rule to give perms to read gpuclk
avc: denied { read } for comm=52756E6E65723A20676C5F34
name="gpuclk" dev="sysfs" ino=78660
scontext=u:r:untrusted_app_25:s0:c512,c768
tcontext=u:object_r:sysfs_kgsl
Change-Id: I985cc9164c3cd52537ce5abcdcb42d763790aaa7
2020-04-06 04:54:51 -07:00
Linux Build Service Account
ac290aa388
Merge "sepolicy: Update rpmb device path and type" into sepolicy.lnx.6.0
2020-04-06 00:54:14 -07:00
Linux Build Service Account
a7215f3e9c
Merge "Allow fastbootd to access power_supply, usb nodes." into sepolicy.lnx.6.0
2020-04-06 00:53:15 -07:00
P.Adarsh Reddy
822e1e5465
Allow fastbootd to access power_supply, usb nodes.
This change allows fastbootd (for healthd) to access
the power_supply and usb nodes.
Change-Id: Ib5c637b28dd65c6958778b02c3026c90b39fe713
2020-04-03 06:15:04 -07:00
Ayishwarya Narasimhan
feb53b6ee6
sepolicy changes for imsfactory hal
Change-Id: I72644a4de6e4670dd91a4eb6cb54ea8c29740990
2020-04-03 01:20:41 -07:00
Nirmal Kumar
090ce33412
File context for vendor_boot in Lahaina
- Use existing boot_block_device label for vendor_boot_[a/b]
vendor_custom_ab_block_device cpucp_[a/b] & shrm_[a/b]
Change-Id: If3b72642c3b78cd5ca96d3e4e6d8e3252d19f920
2020-04-01 10:42:30 -07:00
qctecmdr
6e502ef51a
Merge "sepolicy: Add permissions for persist.console.silent.config"
2020-04-01 01:46:08 -07:00
qctecmdr
b03a618e5a
Merge "sepolicy: Permissions for v1.3 DRM and clearkey HALs"
2020-03-31 07:02:32 -07:00
qctecmdr
95b74e3405
Merge "sepolicy:Restrict access to vendor_restricted_prop"
2020-03-31 07:02:32 -07:00
qctecmdr
6a91762f95
Merge "Add sepolicies to update engine domain."
2020-03-31 07:02:28 -07:00
Murthy Nidadavolu
70c453a603
sepolicy: Permissions for v1.3 DRM and clearkey HALs
FR60432: OEMCrypto Version 16 support
Allow v1.3 DRM and clearkey HALs in SEPolicy.
Keep v1.2 HALs as well for backward compatibility.
Change-Id: I5aeb50f80507143c8adcf597a78202590447149e
2020-03-30 10:29:34 +05:30
qctecmdr
89de2e16ae
Merge "sepolicy: Allow libsoc_helper vendor clients to read soc_id"
2020-03-27 20:04:42 -07:00
qctecmdr
15d3fce672
Merge "sepolicy: allow netmgrd to access qmipriod properties"
2020-03-27 20:04:42 -07:00
Roopesh Nataraja
d28a917a4a
sepolicy: Allow libsoc_helper vendor clients to read soc_id
Change-Id: I530fa6d368471158ffc04c75d1f3bdb71f6cc0d3
2020-03-27 17:26:28 -07:00
Sean Tranchetti
c3e415cb69
sepolicy: allow netmgrd to access qmipriod properties
Allows netmgr to control starting/stopping the qmipriod daemon via
setting the relevant android properties.
Change-Id: I35d9af93ff565bddc4813eef8ad36db896d4a400
2020-03-27 14:30:00 -06:00
Sean Tranchetti
c373d9978c
sepolicy: create initial sepolicy for qmipriod
Creates the initial sepolicy to allow for the qmipriod binary to be
launched on init, as well as access the needed resources.
Change-Id: Ib3c9d1b62148a370ff8bc80598dd550291b2c776
2020-03-27 14:29:14 -06:00
P.Adarsh Reddy
f0cca4ea72
Add sepolicies to update engine domain.
While applying an OTA update package, update engine
loops through partition entries/mountpoints.
Add a few policies and suppress the dac ones.
Change-Id: Ic4ff7e8df86a01a3b7380e0bd458909f9099953e
2020-03-27 02:49:17 -07:00
Monika Singh
a70ca8717e
sepolicy: Update rpmb device path and type
On 4.19 kernel, due to upstream commit <97548575be>
(mmc: block: Convert RPMB to a character device),
there is a change in RPMB path from "/dev/block/mmcblk0rpmb"
to "/dev/mmcblk0rpmb". Also block device design for RPMB is
now changed to char device. This change updates RPMB path
and provides required permissions for qseecom to be able to
access new device design for RPMB eMMC device.
Change-Id: I7545b9b30b9b8f1c0fd8aacd38048516c2f86970
2020-03-27 11:46:14 +05:30
qctecmdr
a88906f9e2
Merge "sepolicy: vendor modprobe changes"
2020-03-26 19:41:05 -07:00
Sayali Lokhande
4d86cb2738
sepolicy : Allow kernel to search debugfs_mmc dir
Debugfs fails to initialize because of the denial below.
Add selinux policy to fix it.
avc: denied { search } for comm="kworker/0:1" name="mmc0"
dev="debugfs" ino=6562 scontext=u:r:kernel:s0
tcontext=u:object_r:debugfs_mmc:s0 tclass=dir permissive=0
CRs-Fixed: 2636489
Change-Id: I831a363d448b3efe11960c3937b04dbca80d37f3
2020-03-25 23:02:57 -07:00
Srinivasarao P
7b50fbd4ec
sepolicy: Add permissions for persist.console.silent.config
Provide permissions to read property persist.console.silent.config
to fix avc denial issues.
Change-Id: I85c13f99239f433daf9bc64fbb52cb61c5666b9c
Signed-off-by: Srinivasarao P <spathi@codeaurora.org>
2020-03-25 22:34:28 -07:00
qctecmdr
f2ce4398c2
Merge "Update telephony SELinux policies to avoid name collision."
2020-03-25 13:55:36 -07:00
Garik Badalyan
bb15e90b05
Update telephony SELinux policies to avoid name collision.
-Update telephony SELinux policies to avoid name collision
in future.
-Remove old unused telephony SELinux labels.
Change-Id: I60224d6a34d95c853b7ad32a17ecbce4b7b9b204
CRs-Fixed: 2644933
2020-03-23 13:27:33 -07:00
Sreelakshmi Gownipalli
51359b97ab
diag: Add support for connecting to diag via unix sockets
Add support to connect to diag unix socket from diag vendor clients.
Change-Id: I65f8738e0473fe1bdbbf369a8f60e86e6c2f8284
2020-03-23 07:40:45 -07:00
Linux Build Service Account
4118b742f5
Merge "sepolicy: Define new policy rule to read gpu model" into sepolicy.lnx.6.0
2020-03-23 06:13:12 -07:00
Linux Build Service Account
5d80ff03be
Merge "Update device sepolicy rules for NN HAL 1.3" into sepolicy.lnx.6.0
2020-03-20 03:06:08 -07:00
kranthi
dbe56c1472
sepolicy: Define new policy rule to read gpu model
Add a new file context label for the gpu_model sysfs entry. Allow read
access to that entry.
Addressing the following denials:
type=1400 audit(0.0:62): avc: denied { read } for
name="gpu_model" dev="sysfs" ino=78734 scontext=u:r:mediaserver:s0
tcontext=u:object_r:vendor_sysfs_kgsl:s0 tclass=file permissive=0
type=1400 audit(0.0:88): avc: denied { read } for name="gpu_model"
dev="sysfs" ino=78734 scontext=u:r:platform_app:s0:c512,c768
tcontext=u:object_r:vendor_sysfs_kgsl:s0 tclass=file permissive=0 app=com.android.systemui
type=1400 audit(0.0:100): avc: denied { read }
for name="gpu_model" dev="sysfs" ino=78734 scontext=u:r:priv_app:s0:c512,c768
tcontext=u:object_r:vendor_sysfs_kgsl:s0 tclass=file permissive=0
app=com.android.launcher3
Change-Id: I9e1b9ffbb88ea62b4cc530564d811d7cfc640bbc
2020-03-19 14:16:40 +05:30
qctecmdr
c2740d3582
Merge "sepolicy for imscmservice hal"
2020-03-18 22:44:28 -07:00