diff --git a/init.mako.rc b/init.mako.rc
index 1e1569f..0bafabe 100644
--- a/init.mako.rc
+++ b/init.mako.rc
@@ -329,7 +329,7 @@ service qmuxd /system/bin/qmuxd
 service kickstart /system/bin/qcks -i /firmware/image/ -r /data/tombstones/mdm/
 class core
 user system
- group system
+ group system wakelock
 oneshot

 service netmgrd /system/bin/netmgrd
@@ -383,10 +383,10 @@ service thermald /system/bin/thermald
 class main
 group radio system

-service mpdecision /system/bin/mpdecision --no_sleep --avg_comp
+service mpdecision /system/bin/mpdecision --avg_comp
 class main
 user root
- group root system
+ group root readproc system

 service qcamerasvr /system/bin/mm-qcamera-daemon
 class late_start
diff --git a/sepolicy/audioserver.te b/sepolicy/audioserver.te
new file mode 100644
index 0000000..41da3ed
--- /dev/null
+++ b/sepolicy/audioserver.te
@@ -0,0 +1,4 @@
+allow audioserver self:socket { create ioctl read };
+allow audioserver qmuxd_socket:dir { add_name write search };
+allow audioserver qmuxd_socket:sock_file { create write setattr };
+allow audioserver qmux:unix_stream_socket connectto;
diff --git a/sepolicy/bluetooth_loader.te b/sepolicy/bluetooth_loader.te
index 8876a3a..6f32ebb 100644
--- a/sepolicy/bluetooth_loader.te
+++ b/sepolicy/bluetooth_loader.te
@@ -26,3 +26,5 @@ allow { bluetooth bluetooth_loader } bluetooth_prop:property_service set;
 # Allow getprop/setprop for init.mako.bt.sh
 allow bluetooth_loader system_file:file execute_no_trans;
 allow bluetooth_loader toolbox_exec:file rx_file_perms;
+
+unix_socket_connect(bluetooth_loader, property, init)
diff --git a/sepolicy/camera.te b/sepolicy/camera.te
index ef4d230..288ef2a 100644
--- a/sepolicy/camera.te
+++ b/sepolicy/camera.te
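Review bot: The mpdecision service line drops `--no_sleep` and adds the `readproc` group in one hunk without a comment on either, and the flag removal is a behavioural change to the CPU hotplug daemon that is easy to lose inside a policy-only commit. The `readproc` addition does line up with the mpdecision.te hunk in this commit, which reads `/proc/PID/status` of other domains while the domain's only capability is `sys_nice` — so presumably /proc is mounted `hidepid=2,gid=readproc` here and root alone cannot see other processes; worth confirming. Record that on the service block, e.g. `# readproc: /proc is hidepid=2; mpdecision reads /proc/PID/status of other services (see sepolicy/mpdecision.te)`, and say in the commit message or a comment why `--no_sleep` is gone.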
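Review bot: The new audioserver.te hands audioserver a path into the modem QMI mux — it may create sockets under qmuxd_socket, `connectto` qmux, and open a generic `self:socket` with unrestricted `ioctl` — with no comment naming the HAL feature that needs it. audioserver decodes and routes audio on behalf of untrusted apps, so a memory-safety bug there now reaches baseband IPC; that trade-off should at least be written down, e.g. `# audio HAL voice-call path talks to qmuxd over /dev/socket/qmux_*`. If this policy build supports `allowxperm`, allowlist the ioctl numbers the HAL actually issues on the generic socket rather than granting `ioctl` wholesale, and confirm `setattr` on the sock_file is really exercised — a daemon chmod'ing a socket it just created is unusual and may be a leftover from audit2allow.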
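Review bot: The bare `unix_socket_connect(bluetooth_loader, property, init)` grants the property-socket connect separately from the `bluetooth_prop:property_service set` rule shown in the hunk context, so the two halves of one capability live apart and can drift. If this policy's te_macros provides it, `set_prop(bluetooth_loader, bluetooth_prop)` expresses both in one line; the existing `allow { bluetooth bluetooth_loader } ...set;` line could then shrink to the bluetooth domain only, which is presumably already covered by core policy. A short comment tying the rule to `init.mako.bt.sh`, as the comment three lines above does, would also help.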
@@ -5,10 +5,12 @@ type camera_exec, exec_type, file_type;
 # Started by init
 init_daemon_domain(camera)

+allow camera system_file:file execmod;
+
 # Interact with other media devices
 allow camera video_device:dir search;
 allow camera { gpu_device video_device }:chr_file rw_file_perms;
-allow camera { surfaceflinger mediaserver }:fd use;
+allow camera { surfaceflinger mediaserver cameraserver }:fd use;

 # Create front and back camera sockets (/data/cam_socket[01])
 type_transition camera system_data_file:sock_file camera_socket "cam_socket0";
@@ -25,3 +27,9 @@ allow camera gpu_device:chr_file { read write open ioctl };
 # Connect to sensor socket (/data/app/sensor_ctl_socket)
 unix_socket_connect(camera, sensors, sensors)
 allow camera sensors_socket:sock_file read;
+
+allow camera apk_data_file:dir rw_dir_perms;
+allow camera storage_file:dir rw_dir_perms;
+allow camera storage_file:lnk_file rw_file_perms;
+allow camera mnt_user_file:dir rw_dir_perms;
+allow camera fuse:dir rw_dir_perms;
diff --git a/sepolicy/cameraserver.te b/sepolicy/cameraserver.te
new file mode 100644
index 0000000..c58ecc4
--- /dev/null
+++ b/sepolicy/cameraserver.te
@@ -0,0 +1,7 @@
+unix_socket_send(cameraserver, camera, camera);
+unix_socket_send(cameraserver, mpdecision, mpdecision);
+
+allow cameraserver sysfs:file r_file_perms;
+
+# for libmmjpeg
+allow cameraserver system_file:file execmod;
diff --git a/sepolicy/init.te b/sepolicy/init.te
index 33cbf02..643baf6 100644
--- a/sepolicy/init.te
+++ b/sepolicy/init.te
@@ -1,2 +1,3 @@
 allow init diag_device:chr_file unlink;
 allow init tmpfs:lnk_file create_file_perms;
+allow init sysfs_hardware:file rw_file_perms;
diff --git a/sepolicy/mediacodec.te b/sepolicy/mediacodec.te
new file mode 100644
index 0000000..3227d9d
--- /dev/null
+++ b/sepolicy/mediacodec.te
@@ -0,0 +1 @@
+allow mediacodec audio_device:chr_file { open read write ioctl };
diff --git a/sepolicy/mediaserver.te b/sepolicy/mediaserver.te
index da57b3c..4dd7d57 100644
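Review bot: `allow camera system_file:file execmod;` is added without the explanation that the mediaserver.te hunk in this same commit carries (`# For text relocations in /system/vendor/lib/libmmjpeg.so`), and it is granted on all of system_file rather than on the one library that needs it. execmod lets the domain execute a privately modified (copy-on-write) mapping of any system library, which is precisely the W^X guarantee the rest of the policy preserves; the tighter fix is a dedicated label for the library in file_contexts and `allow camera <mmjpeg_lib_type>:file execmod;` against that type only. At minimum, copy the mediaserver comment onto this line so the next maintainer knows the rule can be dropped once the library is rebuilt without text relocations.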
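Review bot: The five rules at the end of the second hunk give the vendor camera daemon `rw_dir_perms` — add_name, remove_name and write — on /data/app (apk_data_file), external storage, /mnt/user and FUSE directories, with no comment naming the path or operation that was denied; a camera HAL daemon has no business creating or removing entries in installed-app directories in particular. Grants this broad usually come from audit2allow on a path walk, where `search` (or at most `r_dir_perms`) on the intermediate directories was all that was needed, and `storage_file:lnk_file rw_file_perms` looks like the same walk crossing the /storage symlinks. Re-derive these from the actual avc denials, keep only the permission that was denied, and annotate each with its path, e.g. `# search /storage/emulated/0/DCIM when a capture is written`.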
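Review bot: The two `unix_socket_send(...)` lines in cameraserver.te end with `;`, while the same macro appears without one in mediaserver.te and mpdecision.te in this commit; the m4 macros expand to complete statements, so the trailing semicolons are at best inconsistent and should go. The `# for libmmjpeg` execmod rule is now the third copy of the same grant (camera, mediaserver, cameraserver); keep the three in step — a dedicated file label for the library would let all of them be tightened at once — and state here, as mediaserver.te does, that the rule exists for text relocations so it can be retired with the library.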
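Review bot: `allow mediacodec audio_device:chr_file { open read write ioctl };` hands the sandboxed codec process a writable, ioctl-capable handle on the audio device nodes, and the new file says nothing about which codec needs it. mediacodec is a separate domain so that a crafted media file exploiting a decoder cannot reach device nodes; a one-line rule like this quietly re-opens that boundary. If a hardware codec on this SoC genuinely needs the node, record which one and which ioctls (`# <codec> opens /dev/snd/... for tunnelled playback`) and use `allowxperm` to allowlist them if the policy build supports it; otherwise the access belongs in mediaserver or audioserver, not the codec domain.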
--- a/sepolicy/mediaserver.te
+++ b/sepolicy/mediaserver.te
@@ -8,4 +8,10 @@ unix_socket_send(mediaserver, mpdecision, mpdecision)
 # TODO: Investigate the specific type of socket.
 allow mediaserver self:socket create_socket_perms;

+# For text relocations in /system/vendor/lib/libmmjpeg.so
+allow mediaserver system_file:file execmod;
+
 allow mediaserver media_rw_data_file:file write;
+
+allow mediaserver camera_device:chr_file { read write open ioctl };
+allow mediaserver audio_device:chr_file { read write open ioctl };
diff --git a/sepolicy/mpdecision.te b/sepolicy/mpdecision.te
index a62bef3..db115d5 100644
--- a/sepolicy/mpdecision.te
+++ b/sepolicy/mpdecision.te
@@ -42,5 +42,6 @@ allow mpdecision sysfs:file write;
 # /proc/PID/status file.
 r_dir_file(mpdecision, system_server)
 r_dir_file(mpdecision, mediaserver)
+r_dir_file(mpdecision, cameraserver)

 allow mpdecision self:capability sys_nice;
diff --git a/sepolicy/rmt.te b/sepolicy/rmt.te
index f8fd9f3..0e30068 100644
--- a/sepolicy/rmt.te
+++ b/sepolicy/rmt.te
@@ -6,7 +6,7 @@ type rmt_exec, exec_type, file_type;
 init_daemon_domain(rmt)

 # Drop (user, group) to (nobody, nobody)
-allow rmt self:capability { setuid setgid };
+allow rmt self:capability { setuid setgid dac_override };

 # opens and reads /dev/block/mmcblk0
 allow rmt root_block_device:blk_file r_file_perms;
diff --git a/sepolicy/system_server.te b/sepolicy/system_server.te
index 9abf8a4..4a3d8e9 100644
--- a/sepolicy/system_server.te
+++ b/sepolicy/system_server.te
@@ -24,3 +24,6 @@ allow system_server radio_device:chr_file r_file_perms;
 allow system_server self:netlink_socket create_socket_perms;
 allow system_server sysfs_hardware:file rw_file_perms;
+
+allow system_server persist_file:dir r_dir_perms;
+allow system_server unlabeled:file unlink;
diff --git a/sepolicy/ueventd.te b/sepolicy/ueventd.te
index bb0062b..d2b9675 100644
--- a/sepolicy/ueventd.te
+++ b/sepolicy/ueventd.te
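Review bot: mediaserver is granted the camera device node (`camera_device:chr_file { read write open ioctl }`) in the same commit that introduces a separate cameraserver domain; on a release that has cameraserver, camera handling has presumably moved out of mediaserver, and this rule re-widens a process that should no longer touch /dev/video*. Neither this rule nor the audio_device one below it carries a comment, while the execmod rule two lines up does; hold them to the same standard (`# mediaserver still opens /dev/videoN for <reason>`), or drop them if the denials that prompted them were logged against the pre-split mediaserver.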
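Review bot: Adding `dac_override` to rmt's capability set lets the daemon bypass file-mode checks on everything its type-enforcement rules already permit, which undercuts the `# Drop (user, group) to (nobody, nobody)` intent written on the line above it. The usual trigger is a file or directory that the nobody user cannot open by mode — for rmt typically a block device or the modem shared-storage path — and the correct fix is a chown/chmod in init.rc or ueventd.rc so the capability is not needed at all. If it genuinely must stay, name the path and the reason the ownership cannot be changed (`# dac_override: <path> is root:root 0600 because ...`) so the grant can be revisited.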
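Review bot: `allow system_server unlabeled:file unlink;` papers over a labeling gap instead of closing it: a file is `unlabeled` only when file_contexts has no entry for its path or the label changed and the file was never restorecon'd, and granting operations on that type keeps the gap invisible. Take the path from the denial, add a file_contexts entry plus a restorecon (or restorecon_recursive) for it in init.rc, and then this rule can go. The `persist_file:dir r_dir_perms` rule, also given to vold in this commit, is reasonable but would benefit from a comment naming which entry under /persist is read.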
@@ -3,3 +3,4 @@ allow ueventd { radio_efs_file wifi_data_file }:file r_file_perms;
 allow ueventd { firmware_file wifi_data_file }:dir r_dir_perms;
 allow ueventd { firmware_file wifi_data_file }:file r_file_perms;
 allow ueventd sysfs_smdcntl_open_timeout:file setattr;
+allow ueventd sysfs_hardware:file rw_file_perms;
diff --git a/sepolicy/vold.te b/sepolicy/vold.te
new file mode 100644
index 0000000..835ad4b
--- /dev/null
+++ b/sepolicy/vold.te
@@ -0,0 +1 @@
+allow vold persist_file:dir r_dir_perms;
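Review bot: `allow ueventd sysfs_hardware:file rw_file_perms;` grants read and write on the whole sysfs_hardware label, whereas the line directly above grants ueventd only `setattr` on another sysfs type — which is what a `chown`/`chmod` entry in ueventd.rc needs. If the denial behind this rule was such an entry, `setattr` is the right permission and `rw_file_perms` is over-broad; if it was ueventd's coldboot writing the `uevent` trigger files under that subtree, `write` is justified but should be said, e.g. `# coldboot writes "add" to .../uevent under the sysfs_hardware subtree`. Either way, the avc line that prompted it would settle which.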