-rw-r--r--BoardConfig.mk2
-rw-r--r--init.mako.rc3
-rw-r--r--sepolicy/device.te2
-rw-r--r--sepolicy/domain.te1
-rw-r--r--sepolicy/file_contexts1
-rw-r--r--sepolicy/rmt.te3
-rw-r--r--sepolicy/system_server.te5
-rw-r--r--sepolicy/tee.te14
8 files changed, 28 insertions, 3 deletions
diff --git a/BoardConfig.mk b/BoardConfig.mk
index 7f86242..414f456 100644
--- a/BoardConfig.mk
+++ b/BoardConfig.mk
@@ -102,7 +102,6 @@ BOARD_SEPOLICY_UNION += \
camera.te \
conn_init.te \
device.te \
- domain.te \
file.te \
file_contexts \
kickstart.te \
@@ -115,6 +114,7 @@ BOARD_SEPOLICY_UNION += \
sensors.te \
surfaceflinger.te \
system_server.te \
+ tee.te \
te_macros \
thermald.te \
ueventd.te
diff --git a/init.mako.rc b/init.mako.rc
index acf04cd..1d02f3f 100644
--- a/init.mako.rc
+++ b/init.mako.rc
@@ -149,6 +149,9 @@ on post-fs-data
# to observe dnsmasq.leases file for dhcp information of soft ap.
chown dhcp system /data/misc/dhcp
+ # Apply correct labeling to DRM files
+ restorecon_recursive /data/misc/playready
+
write /dev/wcnss_wlan 1
write /sys/module/wcnss_ssr_8960/parameters/enable_riva_ssr 1
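Review bot: Nothing visible in this hunk creates /data/misc/playready before the added `restorecon_recursive`, so on a first boot where the directory does not yet exist the line would relabel nothing, and the label would then depend only on the type_transition in sepolicy/tee.te. The `on post-fs-data` block starts and continues outside the hunk, so a `mkdir` may already exist elsewhere; if it does not, it is worth adding one before this line. The comment could also name the target type and the reason, e.g. `# Relabel pre-existing playready files to drm_data_file (see sepolicy/file_contexts)`.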
diff --git a/sepolicy/device.te b/sepolicy/device.te
index fe55ec6..0b32dbb 100644
--- a/sepolicy/device.te
+++ b/sepolicy/device.te
@@ -1,5 +1,5 @@
# GPU (used by most UI apps)
-type gpu_device, dev_type;
+type gpu_device, dev_type, mlstrustedobject;
type diag_device, dev_type;
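Review bot: The `mlstrustedobject` attribute added to `gpu_device` exempts the GPU node from MLS constraints, and the only comment above it ("GPU (used by most UI apps)") does not record why the exemption is needed. Once levels or categories are used to separate apps, this attribute means that separation no longer applies to the GPU node, so the decision should be visibly deliberate. If the reason is that apps at differing MLS levels must all open the device, I would say so in place, e.g. `# mlstrustedobject: opened by apps at any MLS level; access is still gated by TE allow rules`.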
diff --git a/sepolicy/domain.te b/sepolicy/domain.te
deleted file mode 100644
index 45925a7..0000000
--- a/sepolicy/domain.te
+++ /dev/null
@@ -1 +0,0 @@
-allow domain init_tmpfs:file read;
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index 91baf5b..b46db51 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -85,6 +85,7 @@
/data/qcks(/.*)? u:object_r:kickstart_data_file:s0
/data/misc/sensors(/.*)? u:object_r:sensors_data_file:s0
/data/system/sensors(/.*)? u:object_r:sensors_data_file:s0
+/data/misc/playready(/.*)? u:object_r:drm_data_file:s0
/data/fdAlbum u:object_r:camera_calibration_file:s0
/system/bin/hci_qcomm_init u:object_r:hci_attach_exec:s0
diff --git a/sepolicy/rmt.te b/sepolicy/rmt.te
index 9a8e81f..86b920e 100644
--- a/sepolicy/rmt.te
+++ b/sepolicy/rmt.te
@@ -6,3 +6,6 @@ type rmt_exec, exec_type, file_type;
init_daemon_domain(rmt)
unconfined_domain(rmt)
+
+# Otherwise will overflow logs
+dontaudit rmt kmem_device:chr_file rw_file_perms;
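Review bot: The added `dontaudit rmt kmem_device:chr_file rw_file_perms;` suppresses the audit record for every read/write-class denial from rmt on the kernel-memory device, so a later unexpected access attempt from this `unconfined_domain` daemon would leave no AVC trace. The comment says only that logs would overflow; it does not say why rmt touches kmem_device or confirm that the access is meant to stay denied. I would narrow the rule to the permissions that actually appear in the logged denials and document it, e.g. `# <why rmt touches kmem_device>; access stays denied, only the audit record is dropped`.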
diff --git a/sepolicy/system_server.te b/sepolicy/system_server.te
index b9689e0..cf4a746 100644
--- a/sepolicy/system_server.te
+++ b/sepolicy/system_server.te
@@ -17,3 +17,8 @@ unix_socket_connect(system_server, mpdecision, mpdecision)
unix_socket_send(system_server, mpdecision, mpdecision)
allow system_server mpdecision:unix_stream_socket sendto;
allow system_server mpdecision_socket:dir search;
+
+# Access /dev/mdm
+allow system_server radio_device:chr_file r_file_perms;
+
+allow system_server self:netlink_socket create_socket_perms;
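Review bot: The `allow system_server self:netlink_socket create_socket_perms;` line has no comment, unlike the radio_device rule above it, so nothing records which system_server component needs a generic netlink socket. A one-line comment naming the consumer would help later audits, e.g. `# <component> opens a netlink socket for <purpose>`. Separately, the `# Access /dev/mdm` comment is narrower than its rule: `radio_device:chr_file r_file_perms` grants read on every node labelled radio_device, so if other nodes carry that type the comment should say that too.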
diff --git a/sepolicy/tee.te b/sepolicy/tee.te
new file mode 100644
index 0000000..a6bdbb8
--- /dev/null
+++ b/sepolicy/tee.te
@@ -0,0 +1,14 @@
+# Qualcomm Secure Execution Environment Communicator policy
+
+# /data/misc/playready labeling
+type_transition tee system_data_file:dir drm_data_file;
+
+# Access /data/misc/playready
+allow tee system_data_file:dir ra_dir_perms;
+allow tee drm_data_file:dir create_dir_perms;
+allow tee drm_data_file:file create_file_perms;
+
+# Access /persist/{widevine,playready}
+allow tee persist_file:dir search;
+allow tee persist_drm_file:dir r_dir_perms;
+allow tee persist_drm_file:file r_file_perms;
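Review bot: The `type_transition tee system_data_file:dir drm_data_file;` rule and `allow tee system_data_file:dir ra_dir_perms;` are scoped by type, not by path, so they apply to every directory labelled system_data_file rather than only to /data/misc as the comments suggest. Any directory tee creates under such a parent is labelled drm_data_file. If the policy version in use supports named transitions, `type_transition tee system_data_file:dir drm_data_file "playready";` would confine the transition to the one directory. Alternatively, creating the directory from init and relying on the file_contexts entry would let the add-name grant on `system_data_file:dir` be dropped; whether init already creates it is not visible in this diff.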