Stephen Smalley  committed 00fb9ba

Apply our SE for Android changes and policy.

  • Participants
  • Parent commits 469f2bb
  • Branches seandroid-4.3_r3

Comments (0)

Files changed (38)


-       app.te \
-       bluetooth.te \
-       compatibility.te \
+       bluetooth_loader.te \
+       bridge.te \
+       camera.te \
+       conn_init.te \
        device.te \
+       dhcp.te \
        domain.te \
        drmserver.te \
        file.te \
        file_contexts \
        hci_init.te \
+       init.te \
        init_shell.te \
        keystore.te \
-       mediaserver.te \
        kickstart.te \
+       mediaserver.te \
+       mpdecision.te \
+       netmgrd.te \
        nfc.te \
+       qmux.te \
        rild.te \
+       rmt.te \
+       sensors.te \
        surfaceflinger.te \
-       system.te \
+       system_server.te \
+       tee.te \
+       te_macros \
+       thermald.te \
        ueventd.te \
-       wpa.te
+       wpa_supplicant.te
 /dev/block/platform/msm_sdcc.1/by-name/cache        /cache          ext4    noatime,nosuid,nodev,barrier=1,data=ordered                     wait,check
 /dev/block/platform/msm_sdcc.1/by-name/userdata     /data           ext4    noatime,nosuid,nodev,barrier=1,data=ordered,noauto_da_alloc     wait,check,encryptable=/dev/block/platform/msm_sdcc.1/by-name/metadata
 /dev/block/platform/msm_sdcc.1/by-name/persist      /persist        ext4    nosuid,nodev,barrier=1,data=ordered,nodelalloc                  wait
-/dev/block/platform/msm_sdcc.1/by-name/modem        /firmware       vfat    ro,uid=1000,gid=1000,dmask=227,fmask=337                        wait
+/dev/block/platform/msm_sdcc.1/by-name/modem        /firmware       vfat    ro,uid=1000,gid=1000,dmask=227,fmask=337,context=u:object_r:radio_efs_file:s0   wait
 /dev/block/platform/msm_sdcc.1/by-name/boot         /boot           emmc    defaults                                                        defaults
 /dev/block/platform/msm_sdcc.1/by-name/recovery     /recovery       emmc    defaults                                                        defaults
 /dev/block/platform/msm_sdcc.1/by-name/misc         /misc           emmc    defaults                                                        defaults

File init.mako.rc

 on fs
     mount_all ./fstab.mako
+    restorecon_recursive /persist
     setprop ro.crypto.fuse_sdcard true
     write /sys/kernel/boot_adsp/boot 1
 # to observe dnsmasq.leases file for dhcp information of soft ap.
     chown dhcp system /data/misc/dhcp
+    mkdir /data/misc/playready
+    restorecon /data/misc/playready
+    mkdir /data/misc/tzapps
+    restorecon /data/misc/tzapps
     write /dev/wcnss_wlan 1
     write /sys/module/wcnss_ssr_8960/parameters/enable_riva_ssr 1
     mkdir /data/system/sensors
     chmod 665 /data/system/sensors
     write /data/system/sensors/settings 1
+    restorecon /data/system/sensors/settings
     chmod 660 /data/system/sensors/settings
     # AKM setting data
     class late_start
     user bluetooth
     group qcom_oncrpc bluetooth net_bt_admin system
+    seclabel u:r:bluetooth_loader:s0
     #   user wifi
     #   group wifi inet keystore
     class main
-    socket wpa_wlan0 dgram 660 wifi wifi
+    socket wpa_wlan0 dgram 660 wifi wifi u:object_r:wpa_socket:s0
 #   user wifi
 #   group wifi inet keystore
     class main
-    socket wpa_wlan0 dgram 660 wifi wifi
+    socket wpa_wlan0 dgram 660 wifi wifi u:object_r:wpa_socket:s0

File sepolicy/app.te

-# Grant GPU access to all processes started by Zygote.
-# They need that to render the standard UI.
-allow appdomain gpu_device:chr_file rw_file_perms;

File sepolicy/bluetooth.te

-allow bluetooth smd_device:chr_file rw_file_perms;

File sepolicy/bluetooth_loader.te

+# Bluetooth executables and script (bdAddrLoader,
+type bluetooth_loader, domain;
+type bluetooth_loader_exec, exec_type, file_type;
+# Start bdAddrLoader from init
+# Run
+allow bluetooth_loader shell_exec:file { entrypoint read };
+allow bluetooth_loader bluetooth_loader_exec:file { getattr open execute_no_trans };
+# needs /system/bin/log access
+allow bluetooth_loader devpts:chr_file rw_file_perms;
+# Run hci_qcomm_init from
+domain_auto_trans(bluetooth_loader, hci_attach_exec, hci_attach)
+# hci_qcomm_init started with logwrapper
+allow hci_attach devpts:chr_file rw_file_perms;
+allow hci_attach bluetooth_loader:fd use;
+# Read mac address from persist partition
+allow bluetooth_loader persist_file:dir search;
+r_dir_file(bluetooth_loader, persist_bluetooth_file)
+# Talk to init over the property socket
+unix_socket_connect(bluetooth_loader, property, init)
+# Set persist.service.bdroid.* and bluetooth.* property values
+allow { bluetooth bluetooth_loader } bluetooth_prop:property_service set;
+# Shared memory node access
+allow hci_attach bluetooth_device:chr_file rw_file_perms;
+# Allow getprop/setprop for
+allow bluetooth_loader system_file:file execute_no_trans;

File sepolicy/bridge.te

+# Bridge Manager (radio process)
+type bridge, domain;
+type bridge_exec, exec_type, file_type;
+# Started by init
+allow bridge self:netlink_kobject_uevent_socket { create bind read };
+# Allow logging diagnostic items
+allow bridge diag_device:chr_file rw_file_perms;
+# Talk to qmuxd
+# XXX Label sysfs files with a specific type?
+allow bridge sysfs:file { open write read getattr };

File sepolicy/camera.te

+# Qualcomm MSM camera
+type camera, domain;
+type camera_exec, exec_type, file_type;
+# Started by init
+allow camera self:process execmem;
+allow camera camera_device:dir search;
+allow camera { video_device camera_device }:chr_file rw_file_perms;
+allow camera { surfaceflinger mediaserver }:fd use;
+# Create /data/cam_socket0 as camera_socket
+type_transition camera system_data_file:sock_file camera_socket "cam_socket0";
+allow camera camera_socket:sock_file { create unlink };
+allow camera system_data_file:dir remove_name;
+# All others under /data get camera_calibration_file
+file_type_auto_trans(camera, system_data_file, camera_calibration_file);
+allow camera camera_calibration_file:dir { write add_name };
+allow camera camera_calibration_file:file create_file_perms;
+# Connect to /data/app/sensor_ctl_socket
+unix_socket_connect(camera, sensors, sensors)
+allow camera sensors_socket:sock_file read;

File sepolicy/compatibility.te

-# This file contains autogenerated policy based on
-# denials seen in the wild.
-# As a general rule, you should not add policy to
-# this file. You SHOULD treat this policy very
-# skeptically- while it does preserve compatibility,
-# it is also extremely overbroad.
-# Over time this list should trend to size 0. Your
-# assistance in bringing it to 0 is highly appreciated.
-#============= adbd ==============
-allow adbd app_data_file:dir { write add_name };
-allow adbd app_data_file:file { write create open setattr };
-allow adbd kernel:process setsched;
-allow adbd proc:file write;
-allow adbd self:capability setpcap;
-#============= debuggerd ==============
-allow debuggerd system:unix_stream_socket connectto;
-allow debuggerd system_data_file:sock_file write;
-#============= dhcp ==============
-allow dhcp system_data_file:file open;
-allow dhcp unlabeled:file create;
-#============= drmserver ==============
-allow drmserver init:unix_stream_socket { read write };
-#============= init ==============
-allow init node:rawip_socket node_bind;
-#============= init_shell ==============
-allow init_shell init:fifo_file write;
-allow init_shell init:netlink_route_socket { read write };
-allow init_shell init:netlink_socket { read write };
-allow init_shell init:unix_stream_socket { read write };
-allow init_shell self:netlink_route_socket { write getattr setopt bind create nlmsg_read };
-#============= installd ==============
-allow installd download_file:dir { read search open getattr };
-#============= keystore ==============
-allow keystore init:unix_stream_socket { read write };
-#============= media_app ==============
-allow media_app system_data_file:file append;
-#============= mediaserver ==============
-allow mediaserver device:chr_file { read write ioctl open };
-allow mediaserver init:unix_dgram_socket sendto;
-allow mediaserver init:unix_stream_socket { read write };
-allow mediaserver system_data_file:file { write open };
-allow mediaserver system_data_file:sock_file write;
-#============= nfc ==============
-allow nfc device:chr_file { read write open };
-allow nfc init:unix_stream_socket { read write };
-#allow nfc system_data_file:dir { write remove_name add_name };
-#allow nfc system_data_file:file { write create unlink append };
-allow nfc unlabeled:file { read write open };
-#============= ping ==============
-allow ping adbd:process sigchld;
-#============= platform_app ==============
-allow platform_app device:chr_file { read write ioctl };
-allow platform_app init:binder { transfer call };
-allow platform_app init:unix_stream_socket { read write };
-#allow platform_app system_data_file:file append;
-allow platform_app unlabeled:file { read getattr open };
-#============= radio ==============
-allow radio init:binder call;
-allow radio init:unix_stream_socket { read write };
-allow radio system_data_file:file append;
-#============= release_app ==============
-allow release_app system_data_file:file append;
-allow release_app unlabeled:lnk_file read;
-#============= sdcardd ==============
-allow sdcardd unlabeled:dir { read open };
-#============= shared_app ==============
-allow shared_app device:chr_file { read write };
-allow shared_app init:binder call;
-allow shared_app init:unix_stream_socket { read write };
-allow shared_app init_tmpfs:file read;
-#allow shared_app system_data_file:file append;
-allow shared_app unlabeled:file { write lock getattr open read };
-#============= shell ==============
-allow shell apk_private_data_file:dir getattr;
-allow shell asec_image_file:dir getattr;
-allow shell backup_data_file:dir getattr;
-allow shell device:sock_file write;
-allow shell drm_data_file:dir getattr;
-allow shell nfc_data_file:dir getattr;
-allow shell rootfs:file getattr;
-allow shell sdcard_internal:dir { create rmdir };
-#allow shell self:capability { fowner fsetid dac_override };
-#allow shell self:capability2 syslog;
-#allow shell system_data_file:dir { write remove_name add_name };
-#allow shell system_data_file:file { write create setattr };
-allow shell unlabeled:dir getattr;
-allow shell vold:unix_stream_socket connectto;
-allow shell vold_socket:sock_file write;
-#============= surfaceflinger ==============
-allow surfaceflinger adbd:binder call;
-allow surfaceflinger device:chr_file { read write ioctl open };
-allow surfaceflinger init:dir search;
-allow surfaceflinger init:file { read open };
-allow surfaceflinger init:unix_stream_socket { read write };
-allow surfaceflinger platform_app:binder call;
-allow surfaceflinger shell_data_file:dir search;
-allow surfaceflinger sysfs:file write;
-allow surfaceflinger system_app:dir search;
-allow surfaceflinger system_app:file { read open };
-#============= system ==============
-allow system device:chr_file ioctl;
-allow system init:binder { transfer call };
-allow system init:unix_stream_socket { read write setopt };
-allow system proc:file write;
-allow system security_file:lnk_file read;
-allow system unlabeled:dir { read remove_name write open add_name };
-allow system unlabeled:file { rename getattr read create open ioctl append };
-#============= system_app ==============
-allow system_app init:unix_stream_socket { read write setopt };
-allow system_app unlabeled:file { read getattr open };
-#============= untrusted_app ==============
-allow untrusted_app device:chr_file { read write };
-allow untrusted_app init:binder { transfer call };
-allow untrusted_app init:dir { getattr search };
-allow untrusted_app init:file { read getattr open };
-allow untrusted_app init:unix_stream_socket { read write connectto };
-allow untrusted_app kernel:dir { getattr search };
-allow untrusted_app kernel:file { read getattr open };
-allow untrusted_app servicemanager:dir { getattr search };
-allow untrusted_app servicemanager:file { read getattr open };
-allow untrusted_app shell_data_file:dir search;
-allow untrusted_app shell_data_file:file { read getattr open };
-#allow untrusted_app system_data_file:file append;
-allow untrusted_app ueventd:dir { search getattr };
-allow untrusted_app ueventd:file { read getattr open };
-allow untrusted_app unlabeled:dir setattr;
-allow untrusted_app zygote:dir search;
-#============= vold ==============
-allow vold unlabeled:dir { read getattr open };
-#============= wpa ==============
-allow wpa init:unix_dgram_socket { read write sendto };
-allow wpa wifi_data_file:sock_file write;
-#============= zygote ==============
-allow zygote security_file:lnk_file read;

File sepolicy/conn_init.te

+# wifi connection service
+type conn_init, domain;
+type conn_init_exec, exec_type, file_type;
+# Started by logwrapper in init
+domain_auto_trans(init, conn_init_exec, conn_init)
+allow conn_init devpts:chr_file { read write };
+# allow /persist/wifi access
+allow conn_init persist_file:dir search;
+r_dir_file(conn_init, persist_wifi_file)
+# allow /data/misc/wifi access for firmware files
+allow conn_init wifi_data_file:dir w_dir_perms;
+allow conn_init wifi_data_file:file create_file_perms;

File sepolicy/device.te

-# GPU (used by most UI apps)
-type gpu_device, dev_type;
-# Qualcomm Secure Execution Environment Communicator (QSEECOM) device
-type qseecom_device, dev_type;
 type diag_device, dev_type;
-type bcm2079x_device, dev_type;
-# Qualcomm MSM Audio ACDB device
-type msm_acdb_device, dev_type;
-# Kickstart device used by QC qcks
+type kgsl_device, dev_type, mlstrustedobject;
 type kickstart_device, dev_type;
-# SMD device, used by hci_qcomm_init
+type mpdecision_device, dev_type;
+type shared_log_device, dev_type;
+type power_control_device, dev_type;
+type efs_block_device, dev_type;
+type bluetooth_device, dev_type;
 type smd_device, dev_type;

File sepolicy/dhcp.te

+allow dhcp self:rawip_socket { create write setopt };

File sepolicy/domain.te

-allow domain init_tmpfs:file read;
+allow domain kgsl_device:chr_file rw_file_perms;
+# libgsl is chatty about accessing /data/local/tmp
+dontaudit { surfaceflinger appdomain } shell_data_file:dir search;

File sepolicy/drmserver.te

-# Grant DRM Service access to Qualcomm Secure Execution Environment Communicator (QSEECOM) device
-allow drmserver qseecom_device:chr_file rw_file_perms;
-allow drmserver sdcard_external:file open;
+# Drm wants to read /firmware/image/tzapps.mdt
+r_dir_file(drmserver, radio_efs_file)

File sepolicy/file.te

-# Qualcomm MSM Interface (QMI) socket types
-type qmux_audio_socket, file_type;
-type qmux_bluetooth_socket, file_type;
-type qmux_gps_socket, file_type;
-type qmux_radio_socket, file_type;
+# Qualcomm MSM Interface (QMI) socket
+type qmuxd_socket, file_type;
+type sensors_socket, file_type;
+type camera_socket, file_type;
+type kickstart_data_file, file_type, data_file_type;
+type sensors_data_file, file_type, data_file_type;
+type mpdecision_socket, file_type;
 type audio_firmware_file, file_type;
+# Default type for anything under /firmware
+type radio_efs_file, fs_type;
+# Persist firmware types
+type persist_file, file_type;
+type persist_bluetooth_file, file_type;
+type persist_drm_file, file_type;
+type persist_sensors_file, file_type;
+type persist_wifi_file, file_type;

File sepolicy/file_contexts

-# GPU device
-/dev/kgsl-3d0       u:object_r:gpu_device:s0
-/dev/msm_rotator    u:object_r:gpu_device:s0
+# GPU device (world r/w)
+/dev/kgsl-3d0                  u:object_r:kgsl_device:s0
+/dev/kgsl                      u:object_r:kgsl_device:s0
+# Image Rotator Driver
+/dev/msm_rotator    u:object_r:video_device:s0
 # Qualcomm Secure Execution Environment Communicator (QSEECOM) device
-/dev/qseecom        u:object_r:qseecom_device:s0
+/dev/qseecom        u:object_r:tee_device:s0
 # Qualcomm MSM Interface (QMI) devices
-/dev/socket/qmux_audio/*           u:object_r:qmux_audio_socket:s0
-/dev/socket/qmux_bluetooth/*       u:object_r:qmux_bluetooth_socket:s0
-/dev/socket/qmux_gps/*             u:object_r:qmux_gps_socket:s0
-/dev/socket/qmux_radio/*           u:object_r:qmux_radio_socket:s0
+/dev/socket/qmux_audio(/.*)?           u:object_r:qmuxd_socket:s0
+/dev/socket/qmux_bluetooth(/.*)?       u:object_r:qmuxd_socket:s0
+/dev/socket/qmux_gps(/.*)?             u:object_r:qmuxd_socket:s0
+/dev/socket/qmux_radio(/.*)?           u:object_r:qmuxd_socket:s0
-/dev/bcm2079x-i2c                  u:object_r:bcm2079x_device:s0
+/dev/bcm2079x-i2c                  u:object_r:nfc_device:s0
 /dev/diag                          u:object_r:diag_device:s0
-/dev/media([0-9])+                 u:object_r:camera_device:s0
-/dev/smd([0-9])+                   u:object_r:smd_device:s0
-/dev/mdm                           u:object_r:radio_device:s0
-# Qualcomm MSM Audio ACDB device
-/dev/msm_acdb       u:object_r:msm_acdb_device:s0
+/dev/cpu_dma_latency           u:object_r:power_control_device:s0
+/dev/smem_log                  u:object_r:shared_log_device:s0
+# Block labeling
+/dev/block/mmcblk0p[89]        u:object_r:efs_block_device:s0
+# CPU governor controls
+/dev/socket/mpdecision(/.*)?           u:object_r:mpdecision_socket:s0
+## Radio related
+# modem driver
+/dev/mdm                               u:object_r:radio_device:s0
+# high speed inter-chip controls
+/dev/hsicctl[0-3]                      u:object_r:radio_device:s0
+# mux controller
+/dev/rmnet_mux_ctrl                    u:object_r:radio_device:s0
+# qmi protocol driver
+/dev/qmi[0-2]                          u:object_r:radio_device:s0
+# shared memory drivers
+/dev/smdcntl[0-7]                      u:object_r:radio_device:s0
+/dev/smd7                              u:object_r:radio_device:s0
+# Bluetooth shared memory interfaces
+/dev/smd2                              u:object_r:hci_attach_dev:s0
+/dev/smd3                              u:object_r:hci_attach_dev:s0
+# Default label for shared memory drivers
+/dev/smd([0-9])+                       u:object_r:smd_device:s0
+# Serial console
+/dev/ttyHS0                            u:object_r:hci_attach_dev:s0
+/dev/ttyMSM0                           u:object_r:hci_attach_dev:s0
+# Radio interface
+/dev/ttyUSB0                   u:object_r:radio_device:s0
+# Jpeg Engine support
+/dev/gemini.*                          u:object_r:camera_device:s0
+# MSM camera related
+/dev/v4l-subdev.*                      u:object_r:camera_device:s0
+/dev/video([0-9])+                     u:object_r:camera_device:s0
+/dev/msm_camera(/.*)?                  u:object_r:camera_device:s0
+/dev/media([0-9])+                     u:object_r:camera_device:s0
+# Qualcomm MSM Audio devices
+/dev/msm_acdb                      u:object_r:audio_device:s0
+/dev/msm_mp3                       u:object_r:audio_device:s0
+/dev/msm_rtac                      u:object_r:audio_device:s0
+/dev/msm_vidc.*                    u:object_r:audio_device:s0
+/dev/msm_amrnb.*                   u:object_r:audio_device:s0
+/dev/msm_amrwb.*                   u:object_r:audio_device:s0
+/dev/msm_aac.*                     u:object_r:audio_device:s0
-# Qualcomm audio firmware files
-/data/misc/audio/*                 u:object_r:audio_firmware_file:s0
+# MSM Dedicated Sensors Processor Subsystem
+/dev/msm_dsps                          u:object_r:sensors_device:s0
+# Sensors shared Memory Packet Interface
+/dev/smd_sns_dsps                      u:object_r:sensors_device:s0
 /dev/ks_hsic_bridge                u:object_r:kickstart_device:s0
 /dev/efs_hsic_bridge               u:object_r:kickstart_device:s0
-/system/bin/qcks                   u:object_r:kickstart_exec:s0
-/system/bin/efsks                  u:object_r:kickstart_exec:s0
-/system/bin/ks                     u:object_r:kickstart_exec:s0
+# System binaries
+/system/bin/efsks                u:object_r:kickstart_exec:s0
+/system/bin/ks                   u:object_r:kickstart_exec:s0
+/system/bin/qcks                 u:object_r:kickstart_exec:s0
+/system/etc/ u:object_r:kickstart_exec:s0
+/system/bin/hci_qcomm_init       u:object_r:hci_attach_exec:s0
+/system/bin/bdAddrLoader           u:object_r:bluetooth_loader_exec:s0
+/system/etc/        u:object_r:bluetooth_loader_exec:s0
+/system/bin/rmt_storage            u:object_r:rmt_exec:s0
+/system/bin/bridgemgrd             u:object_r:bridge_exec:s0
+/system/bin/qmuxd                  u:object_r:qmux_exec:s0
+/system/bin/netmgrd                u:object_r:netmgrd_exec:s0
+/system/bin/thermald               u:object_r:thermald_exec:s0
+/system/bin/mpdecision             u:object_r:mpdecision_exec:s0
+/system/bin/sensors.qcom           u:object_r:sensors_exec:s0
+/system/bin/mm-qcamera-daemon      u:object_r:camera_exec:s0
+/system/bin/qseecomd               u:object_r:tee_exec:s0
+/system/bin/conn_init              u:object_r:conn_init_exec:s0
-/data/nfc(/.*)?                    u:object_r:nfc_data_file:s0
+# Data labeling
+/data/audio(/.*)?              u:object_r:audio_firmware_file:s0
+/data/misc/audio(/.*)?         u:object_r:audio_firmware_file:s0
+/data/nfc(/.*)?                u:object_r:nfc_data_file:s0
+/data/qcks(/.*)?               u:object_r:kickstart_data_file:s0
+/data/misc/sensors(/.*)?       u:object_r:sensors_data_file:s0
+/data/misc/playready(/.*)?     u:object_r:drm_data_file:s0
+/data/misc/tzapps(/.*)?        u:object_r:tee_data_file:s0
+/data/system/sensors(/.*)?     u:object_r:sensors_data_file:s0
-/system/bin/hci_qcomm_init         u:object_r:hci_exec:s0
-/system/bin/bdAddrLoader           u:object_r:hci_exec:s0
+# Persist firmware filesystem
+/persist(/.*)?                   u:object_r:persist_file:s0
+/persist/bluetooth(/.*)?         u:object_r:persist_bluetooth_file:s0
+/persist/sensors(/.*)?           u:object_r:persist_sensors_file:s0
+/persist/playready(/.*)?         u:object_r:persist_drm_file:s0
+/persist/widevine(/.*)?          u:object_r:persist_drm_file:s0
+/persist/wifi(/.*)?              u:object_r:persist_wifi_file:s0

File sepolicy/hci_init.te

-type hci_init, domain;
-permissive hci_init;
-type hci_exec, file_type, exec_type;
-type hci_data_file, file_type;
-domain_auto_trans(shell, hci_exec, hci_init)

File sepolicy/init.te

+allow init wpa_socket:unix_dgram_socket { bind create };

File sepolicy/init_shell.te

-allow init_shell diag_device:chr_file { read write };
-allow init_shell hci_exec:file rx_file_perms;
-allow init_shell bluetooth_prop:property_service set;
-allow init_shell smd_device:chr_file rw_file_perms;
-allow init_shell unlabeled:file r_file_perms;
-allow init_shell init:fifo_file r_file_perms;

File sepolicy/keystore.te

-# Grant keystore daemon access to Qualcomm Secure Execution Environment Communicator (QSEECOM) device
-allow keystore qseecom_device:chr_file rw_file_perms;

File sepolicy/kickstart.te

+# kickstart processes and scripts
 type kickstart, domain;
-permissive kickstart;
-type kickstart_exec, file_type, exec_type;
-domain_auto_trans(init, kickstart_exec, kickstart)
+type kickstart_exec, exec_type, file_type;
+# talks to init over the property socket
+unix_socket_connect(kickstart, property, init)
+# Start /system/bin/qcks from init
+# Spawn /system/bin/efsks and /system/bin/ks
+allow kickstart kickstart_exec:file { open execute_no_trans getattr };
+# Run dd on m9kefs[123] block devices; write to /data/qcks/
+# Run cat on firmware and m9kefs[123] data; write to /data/qcks/
+allow kickstart efs_block_device:blk_file rw_file_perms;
+allow kickstart kickstart_data_file:file create_file_perms;
+allow kickstart kickstart_data_file:dir rw_dir_perms;
+allow kickstart radio_efs_file:file r_file_perms;
+allow kickstart radio_efs_file:dir search;
+# Let qcks access /dev/mdm node (modem driver)
+allow kickstart radio_device:chr_file r_file_perms;
+# Allow /dev/ttyUSB0 access
+allow kickstart radio_device:chr_file { write };
+# Allow to run toolbox commands
+allow kickstart shell_exec:file rx_file_perms;
+# Toolbox commands for firmware dd
+allow kickstart system_file:file execute_no_trans;
+# Access to /dev/block/platform/msm_sdcc.1/by-name/m9kefs2
+allow kickstart block_device:dir { getattr write search };
+# Set system property key
+allow kickstart radio_prop:property_service set;
+allow kickstart shell_exec:file entrypoint;
+# ls on /data/qcks/
+allow kickstart self:capability dac_override;
+# wake_lock and wake_unlock access. separate domain?
+allow kickstart sysfs:file append;
+# Access USB host ks bridge drivers
+allow kickstart kickstart_device:chr_file rw_file_perms;

File sepolicy/mediaserver.te

-# Grant access to Qualcomm MSM Audio ACDB device to mediaserver
-allow mediaserver msm_acdb_device:chr_file rw_file_perms;
+allow mediaserver audio_firmware_file:dir ra_dir_perms;
+allow mediaserver audio_firmware_file:file create_file_perms;
+allow mediaserver camera_calibration_file:sock_file w_file_perms;
 # Grant access to Qualcomm MSM Interface (QMI) audio sockets to mediaserver
-allow mediaserver qmux_audio_socket:sock_file create_file_perms;
-allow mediaserver qmux_audio_socket:dir rw_dir_perms;
+unix_socket_send(mediaserver, camera, camera)
-# Permit mediaserver to create sockets
 allow mediaserver self:socket create;
-# Grant access to audio firmware files to mediaserver
-allow mediaserver audio_firmware_file:dir ra_dir_perms;
-allow mediaserver audio_firmware_file:file create_file_perms;
+# Allow logging diagnostic items
+allow mediaserver diag_device:chr_file rw_file_perms;

File sepolicy/mpdecision.te

+# CPU governor (root process)
+type mpdecision, domain;
+type mpdecision_exec, exec_type, file_type;
+# Started by init
+# dac_override to unlink /dev/socket/mpdecision/touchboost
+allow mpdecision self:capability { dac_override fsetid net_admin };
+allow mpdecision self:netlink_kobject_uevent_socket { create read setopt bind read };
+# Create under /dev/socket/mpdecision
+allow mpdecision mpdecision_socket:dir w_dir_perms;
+allow mpdecision mpdecision_socket:sock_file { create setattr write };
+# XXX Should we label with own type?
+allow mpdecision sysfs:file { read open write getattr };

File sepolicy/netmgrd.te

+# Network utilities (radio process)
+type netmgrd, domain;
+type netmgrd_exec, exec_type, file_type;
+# Started by init
+allow netmgrd self:udp_socket { create ioctl };
+# fsetid, dac_override unlink on /dev/socket/qmux_radio/qmux_client_socket
+allow netmgrd self:capability { sys_module fsetid setuid setgid net_admin net_raw dac_override };
+allow netmgrd self:packet_socket { write bind read create };
+allow netmgrd self:netlink_socket { write read create bind setopt };
+allow netmgrd self:netlink_route_socket { create bind read write nlmsg_read nlmsg_write setopt getattr };
+# Talk to qmuxd
+# Allow logging diagnostic items
+allow netmgrd diag_device:chr_file rw_file_perms;
+# /data/data_test/ access with shell
+allow netmgrd shell_exec:file { execute read open execute_no_trans };
+allow netmgrd system_file:file { execute_no_trans };
+# Talk to init over the property socket
+unix_socket_connect(netmgrd, property, init)
+# Set net.rmnet_usb0. values
+allow netmgrd radio_prop:property_service set;

File sepolicy/nfc.te

-allow nfc bcm2079x_device:chr_file rw_file_perms;

File sepolicy/qmux.te

+# Qualcomm Management Interface Multiplexer
+type qmux, domain;
+type qmux_exec, exec_type, file_type;
+# Started by init
+# Create sockets under each /dev/socket/qmux_* directory.
+allow qmux qmuxd_socket:dir w_dir_perms;
+allow qmux qmuxd_socket:sock_file { create setattr getattr unlink };
+# /dev/hsicctl* node access
+allow qmux radio_device:chr_file rw_file_perms;
+# Allow logging diagnostic items
+allow qmux diag_device:chr_file rw_file_perms;
+# wake lock access
+allow qmux sysfs_wake_lock:file { open append };

File sepolicy/rild.te

-allow rild diag_device:chr_file rw_file_perms;
+allow rild self:netlink_socket { create bind read write };
+allow rild self:netlink_route_socket { write };
 # Grant access to Qualcomm MSM Interface (QMI) radio sockets to RILD
-allow rild qmux_radio_socket:sock_file create_file_perms;
-allow rild qmux_radio_socket:dir rw_dir_perms;
+# Allow logging diagnostic items
+allow rild diag_device:chr_file rw_file_perms;
+# XXX label with own type?
+allow rild sysfs:file { read open write getattr };

File sepolicy/rmt.te

+# remote storage process
+type rmt, domain;
+type rmt_exec, exec_type, file_type;
+# Started by init
+# opens and reads the primary block device
+allow rmt block_device:blk_file { open read };
+allow rmt block_device:dir search;
+# XXX should we allow sys_rawio on /dev/mem?
+allow rmt self:capability { sys_rawio };
+# dac_override on open /sys/power/wake_lock
+allow rmt self:capability { setuid setgid dac_override };
+allow rmt self:socket { create ioctl bind setopt read };
+allow rmt cgroup:dir { create add_name };
+# XXX do we need write access?
+allow rmt kmem_device:chr_file rw_file_perms;
+# Allow shared memory logging access
+allow rmt shared_log_device:chr_file rw_file_perms;
+# XXX Should we label with own type?
+allow rmt sysfs:file { open append read getattr write };
+allow rmt sysfs:dir rw_dir_perms;

File sepolicy/sensors.te

+# Integrated qualcomm sensor process
+type sensors, domain;
+type sensors_exec, exec_type, file_type;
+# Started by init
+# dac_override open /dev/msm_dsps
+allow sensors self:capability { setuid setgid chown dac_override };
+# Allow logging diagnostic items
+allow sensors diag_device:chr_file rw_file_perms;
+# Create /data/app/sensor_ctl_socket
+file_type_auto_trans(sensors, apk_data_file, sensors_socket);
+allow sensors sensors_data_file:dir create_dir_perms;
+allow sensors sensors_data_file:file create_file_perms;
+dontaudit sensors apk_data_file:dir remove_name;
+# Access to sensor nodes
+allow sensors sensors_device:chr_file rw_file_perms;
+# XXX should power_control_device be labeled differently?
+allow sensors power_control_device:chr_file { write open append };
+# Access to /persist/sensors
+allow sensors persist_file:dir { search getattr };
+allow sensors persist_sensors_file:dir r_dir_perms;
+allow sensors persist_sensors_file:file rw_file_perms;
+# XXX label with own type?
+allow sensors sysfs:file { open append read write getattr };

File sepolicy/surfaceflinger.te

-# Grant GPU access to SurfaceFlinger
-allow surfaceflinger gpu_device:chr_file rw_file_perms;
 allow surfaceflinger sysfs:file rw_file_perms;
-# Read from /data/local/tmp
-allow surfaceflinger shell_data_file:dir search;
-allow surfaceflinger shell_data_file:file { open getattr read };
-allow surfaceflinger shell_data_file:lnk_file read;

File sepolicy/system.te

-# Grant GPU access to system apps (e.g., PowerManagerService)
-allow system gpu_device:chr_file rw_file_perms;
-allow system diag_device:chr_file rw_file_perms;
-# Grant access to Qualcomm MSM Interface (QMI) radio sockets to system apps
-# (e.g., LocationManager)
-allow system qmux_radio_socket:sock_file create_file_perms;
-allow system qmux_radio_socket:dir rw_dir_perms;

File sepolicy/system_server.te

+allow system_server diag_device:chr_file rw_file_perms;
+allow system_server init:unix_dgram_socket sendto;
+allow system_server wpa_socket:unix_dgram_socket sendto;
+# Grant access to Qualcomm MSM Interface (QMI) radio sockets to system services
+# (e.g., LocationManager)
+# PowerManagerService
+unix_socket_connect(system_server, sensors, sensors)
+allow system_server sensors_socket:sock_file read;
+allow system_server sensors:unix_stream_socket sendto;
+# mpdecision access
+unix_socket_connect(system_server, mpdecision, mpdecision)
+unix_socket_send(system_server, mpdecision, mpdecision)
+allow system_server mpdecision:unix_stream_socket sendto;
+allow system_server mpdecision_socket:dir search;
+allow system_server sysfs:file { read open write };

File sepolicy/te_macros

+# qmux_socket(clientdomain)
+# Allow client domain to connecto and send
+# via a local socket to the qmux domain.
+# Also allow the client domain to remove
+# its own socket.
+define(`qmux_socket', `
+type $1_qmuxd_socket, file_type;
+file_type_auto_trans($1, qmuxd_socket, $1_qmuxd_socket)
+unix_socket_connect($1, qmuxd, qmux)
+allow qmux $1_qmuxd_socket:sock_file { getattr unlink };

File sepolicy/tee.te

+# Qualcomm Secure Execution Environment Communicator policy
+allow tee self:process execmem;
+# Access /data/misc/playready
+allow tee system_data_file:dir { open read };
+allow tee drm_data_file:dir rw_dir_perms;
+allow tee drm_data_file:file rw_file_perms;
+# Access /persist/{widevine,playready}
+allow tee persist_file:dir search;
+allow tee persist_drm_file:dir r_dir_perms;
+allow tee persist_drm_file:file r_file_perms;

File sepolicy/thermald.te

+# Temperature sensor daemon (root process)
+type thermald, domain;
+type thermald_exec, exec_type, file_type;
+# Started by init
+# XXX should we allow kexec_load with /dev/socket/qmux_radio/qmux_client_socket
+# dac_override open, unlink with /dev/socket/qmux_radio/qmux_client_socket
+allow thermald self:capability { net_admin fsetid dac_override };
+allow thermald self:socket { ioctl create write read };
+allow thermald self:netlink_kobject_uevent_socket { read create setopt bind };
+# Talk to qmuxd
+# Access to shared memory logger and logging diagnostic items
+allow thermald { shared_log_device diag_device }:chr_file rw_file_perms;
+# XXX Should we label with own type?
+allow thermald sysfs:file { open read write getattr };

File sepolicy/ueventd.te

-allow ueventd sdcard_external:dir search;
-allow ueventd sdcard_external:file r_file_perms;
-allow ueventd wifi_data_file:dir search;
-allow ueventd wifi_data_file:file r_file_perms;
+# Drivers read firmware files (/firmware/image, /vendor/firmware/wlan/prima)
+allow ueventd { radio_efs_file wifi_data_file }:file r_file_perms;
+allow ueventd { radio_efs_file wifi_data_file }:dir search;

File sepolicy/wpa.te

-allow wpa devpts:chr_file rw_file_perms;

File sepolicy/wpa_supplicant.te

+allow wpa init:unix_dgram_socket { read write };
+# logwrapper used with wpa_supplicant
+allow wpa devpts:chr_file { read write };
+allow wpa wpa_socket:unix_dgram_socket { read write };
+allow wpa_socket system_server:unix_dgram_socket sendto;