197 lines
7 KiB
Text
197 lines
7 KiB
Text
# Copyright (c) 2015-2016 Dolby Laboratories, Inc. All rights reserved.
|
|
#
|
|
# Redistribution and use in source and binary forms, with or without
|
|
# modification, are permitted provided that the following conditions are
|
|
# met:
|
|
# * Redistributions of source code must retain the above copyright
|
|
# notice, this list of conditions and the following disclaimer.
|
|
# * Redistributions in binary form must reproduce the above
|
|
# copyright notice, this list of conditions and the following
|
|
# disclaimer in the documentation and/or other materials provided
|
|
# with the distribution.
|
|
#
|
|
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
|
|
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
|
|
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
|
|
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
|
|
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
|
|
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
|
|
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
|
|
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
|
|
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
|
|
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
|
|
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
|
|
# fm_radio app needes open read write on fm_radio_device
|
|
allow system_app fm_radio_device:chr_file r_file_perms;
|
|
r_dir_file(system_app, fm_data_file);
|
|
r_dir_file(system_app, bluetooth_data_file);
|
|
r_dir_file(system_app, bt_firmware_file);
|
|
|
|
set_prop(system_app, ctl_default_prop)
|
|
set_prop(system_app, fm_prop)
|
|
set_prop(system_app, usf_prop)
|
|
|
|
allow system_app {
|
|
atfwd_service
|
|
dun_service
|
|
# access to color service SDK
|
|
color_service
|
|
}:service_manager add;
|
|
|
|
# access to perflock
|
|
allow system_app mpctl_socket:dir r_dir_perms;
|
|
unix_socket_send(system_app, mpctl, mpdecision)
|
|
unix_socket_connect(system_app, mpctl, mpdecision)
|
|
unix_socket_send(system_app, mpctl, perfd)
|
|
unix_socket_connect(system_app, mpctl, perfd)
|
|
|
|
# access to mm-pp-daemon
|
|
unix_socket_connect(system_app, pps, mm-pp-daemon)
|
|
|
|
userdebug_or_eng(`
|
|
#allow system_app debugfs:file r_file_perms;
|
|
allow system_app su:unix_dgram_socket sendto;
|
|
allow system_app persist_file:dir r_dir_perms;
|
|
allow system_app sensors_persist_file:dir r_dir_perms;
|
|
allow system_app sensors_persist_file:file rw_file_perms;
|
|
# access to firmware file
|
|
r_dir_file(system_app, firmware_file);
|
|
|
|
# Access to tombstone segfaults
|
|
allow system_app tombstone_data_file:dir r_dir_perms;
|
|
allow system_app tombstone_data_file:file r_file_perms;
|
|
diag_use(system_app)
|
|
|
|
# allow to read ssr ramdump
|
|
allow system_app ssr_ramdump_data_file:dir r_dir_perms;
|
|
')
|
|
|
|
allow system_app cnd_data_file:dir w_dir_perms;
|
|
allow system_app cnd_data_file:file create_file_perms;
|
|
allow system_app bluetooth:unix_stream_socket ioctl;
|
|
|
|
# access to tee domain
|
|
allow system_app tee:unix_dgram_socket sendto;
|
|
|
|
# system app to access DTS data files
|
|
r_dir_file(system_app, dts_data_file)
|
|
|
|
# access to time_daemon
|
|
allow system_app time_daemon:unix_stream_socket connectto;
|
|
|
|
# usf (ultrasound) apps need following permissions
|
|
allow system_app usf:unix_stream_socket connectto;
|
|
allow system_app usf_data_file:sock_file write;
|
|
allow system_app usf_data_file:dir rw_dir_perms;
|
|
allow system_app usf_data_file:{ file lnk_file } create_file_perms;
|
|
|
|
#access to wifi_ftmd
|
|
set_prop(system_app, wififtmd_prop)
|
|
unix_socket_send(system_app, wififtmd, wifi_ftmd)
|
|
|
|
# allow system_app to interact with dtseagleservice
|
|
binder_call(system_app, dtseagleservice)
|
|
|
|
# allow system_app to interact with fido daemon
|
|
binder_call(system_app, fidodaemon)
|
|
|
|
# allow system_app to interact with secota daemon
|
|
binder_call(system_app, secotad)
|
|
|
|
# allow system_app to interact with imscm daemon
|
|
binder_call(system_app, imscm)
|
|
allow system_app imscm_service:service_manager find;
|
|
|
|
# access to seemp folder
|
|
allow system_app seemp_file:dir r_dir_perms;
|
|
allow system_app seemp_file:{ file fifo_file } rw_file_perms;
|
|
binder_call(system_app, seempd)
|
|
|
|
#allow access to qfp-daemon
|
|
allow system_app qfp-daemon_data_file:dir create_dir_perms;
|
|
allow system_app qfp-daemon_data_file:file create_file_perms;
|
|
binder_call(system_app, qfp-daemon)
|
|
|
|
# allow system_app to interact with fido daemon
|
|
binder_call(system_app, fidodaemon)
|
|
|
|
# allow system_app to interact with esepmdaemon
|
|
binder_call(system_app, esepmdaemon)
|
|
|
|
# allow system_app to interact with seemp health daemon
|
|
binder_call(system_app, seemp_health_daemon)
|
|
|
|
#allow access to RIDL
|
|
allow system_app RIDL_data_file:dir rw_dir_perms;
|
|
allow system_app RIDL_data_file:file create_file_perms;
|
|
allow system_app RIDL_data_file:lnk_file r_file_perms;
|
|
allow system_app RIDL_socket:dir r_dir_perms;
|
|
unix_socket_connect(system_app, RIDL, RIDL)
|
|
allow system_app RIDL_socket:sock_file r_file_perms;
|
|
|
|
# Allow access to qti_logkit
|
|
allow system_app qti_logkit_priv_data_file:dir create_dir_perms;
|
|
allow system_app qti_logkit_priv_data_file:file create_file_perms;
|
|
allow system_app qti_logkit_priv_socket:dir r_dir_perms;
|
|
unix_socket_connect(system_app, qti_logkit_priv, qti_logkit)
|
|
allow system_app qti_logkit_priv_socket:sock_file r_file_perms;
|
|
|
|
# iwconfig
|
|
allow system_app wcnss_service_exec:file rx_file_perms;
|
|
|
|
# bugreport
|
|
set_prop(system_app, ctl_dumpstate_prop)
|
|
unix_socket_connect(system_app, dumpstate, dumpstate)
|
|
|
|
# allow gba auth service to add itself as system service
|
|
allow system_app gba_auth_service:service_manager add;
|
|
|
|
# allow gba auth service to find itself
|
|
allow system_app gba_auth_service:service_manager find;
|
|
|
|
# allow access to system_app for wbc_service
|
|
allow system_app wbc_service:service_manager add;
|
|
allow system_app self:netlink_kobject_uevent_socket { read bind setopt create };
|
|
|
|
# allow system_app to interact with mdtp daemon
|
|
binder_call(system_app, mdtpdaemon)
|
|
|
|
# allow access to system_app for audio pp files
|
|
r_dir_file(system_app, audio_pp_data_file);
|
|
|
|
# allow access to system app for radio files
|
|
allow system_app radio_data_file:dir rw_dir_perms;
|
|
allow system_app radio_data_file:file create_file_perms;
|
|
|
|
# DOLBY_START
|
|
set_prop(system_app, dolby_prop)
|
|
# DOLBY_END
|
|
|
|
# allow system_app to access netd
|
|
unix_socket_connect(system_app, netd, netd)
|
|
|
|
allow system_app persist_file:dir rw_dir_perms;
|
|
allow system_app persist_misc_file:dir rw_dir_perms;
|
|
allow system_app persist_misc_file:file create_file_perms;
|
|
|
|
# required for FM App to connectto wcnss_filter sockets
|
|
# serial device ttyHS0 (transport layer for FM)
|
|
allow system_app serial_device:chr_file rw_file_perms;
|
|
set_prop(system_app, bluetooth_prop)
|
|
# access unix sockets for fm application
|
|
unix_socket_connect(system_app,bluetooth, bluetooth)
|
|
# access wcnss_filter from fm app
|
|
allow system_app wcnss_filter:unix_stream_socket connectto;
|
|
|
|
# ANR
|
|
allow system_app anr_data_file:dir r_dir_perms;
|
|
allow system_app anr_data_file:file r_file_perms;
|
|
# detect /data/anr directory is created
|
|
allow system_app system_data_file:dir read;
|
|
|
|
# allow access to ims helper
|
|
unix_socket_connect(system_app, ims, ims)
|
|
|
|
# access to qseeproxy domain
|
|
allow system_app qseeproxy:unix_dgram_socket sendto;
|