author | Amit Pundir <amit.pundir@linaro.org> | 2019-04-18 16:46:10 +0530 |
---|---|---|
committer | Amit Pundir <amit.pundir@linaro.org> | 2019-09-24 23:50:25 +0530 |
commit | 4e37582f32480bd153c93fed20b6aabe98bfbb90 (patch) | |
tree | b86f9698ea06f9d11ead04057b845427798ad0cd /sepolicy | |
parent | b7005515dd7ac2faebc6000b36075c116fdeacfa (diff) | |
download | dragonboard-4e37582f32480bd153c93fed20b6aabe98bfbb90.tar.gz |
db845c: Add support for AOSP on dragonboard db845c
Boots dragonboard db845c to console.
HDMI display broken due to missing firmware files.
Change-Id: I820aeb7b7ab2536a362f9ae37cc44906be0a6190
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
Diffstat (limited to 'sepolicy')
-rw-r--r-- | sepolicy/app.te | 4 | ||||
-rw-r--r-- | sepolicy/bootanim.te | 1 | ||||
-rw-r--r-- | sepolicy/crash_dump.te | 7 | ||||
-rw-r--r-- | sepolicy/dnsmasq.te | 3 | ||||
-rw-r--r-- | sepolicy/file.te | 2 | ||||
-rw-r--r-- | sepolicy/file_contexts | 17 | ||||
-rw-r--r-- | sepolicy/genfs_contexts | 3 | ||||
-rw-r--r-- | sepolicy/hal_drm_default.te | 2 | ||||
-rw-r--r-- | sepolicy/hal_graphics_allocator_default.te | 1 | ||||
-rw-r--r-- | sepolicy/hal_graphics_composer.te | 1 | ||||
-rw-r--r-- | sepolicy/hal_graphics_composer_default.te | 3 | ||||
-rw-r--r-- | sepolicy/hal_memtrack.te | 4 | ||||
-rw-r--r-- | sepolicy/hal_wifi_supplicant_default.te | 6 | ||||
-rw-r--r-- | sepolicy/kernel.te | 5 | ||||
-rw-r--r-- | sepolicy/netd.te | 3 | ||||
-rw-r--r-- | sepolicy/platform_app.te | 1 | ||||
-rw-r--r-- | sepolicy/priv_app.te | 1 | ||||
-rw-r--r-- | sepolicy/surfaceflinger.te | 1 | ||||
-rw-r--r-- | sepolicy/system_app.te | 1 | ||||
-rw-r--r-- | sepolicy/system_server.te | 1 | ||||
-rw-r--r-- | sepolicy/te_macros | 8 |
21 files changed, 75 insertions, 0 deletions
diff --git a/sepolicy/app.te b/sepolicy/app.te
new file mode 100644
index 0000000..890e6e6
--- /dev/null
+++ b/sepolicy/app.te
@@ -0,0 +1,4 @@
+# Few system/untrusted_app_xx apps eg. deskclock,
+# gallery3d et al. need read-only access to /dev/dri
+# as well, otherwise they don't open and crash.
+gpu_access(appdomain -isolated_app)
diff --git a/sepolicy/bootanim.te b/sepolicy/bootanim.te
new file mode 100644
index 0000000..e8e7494
--- /dev/null
+++ b/sepolicy/bootanim.te
@@ -0,0 +1 @@
+gpu_access(bootanim)
diff --git a/sepolicy/crash_dump.te b/sepolicy/crash_dump.te
new file mode 100644
index 0000000..b575e22
--- /dev/null
+++ b/sepolicy/crash_dump.te
@@ -0,0 +1,7 @@
+# audit2allow
+allow crash_dump bluetooth_data_file:file { getattr map open read };
+allow crash_dump bluetooth_prop:file { getattr map open };
+allow crash_dump device_config_runtime_native_boot_prop:file { getattr map open };
+allow crash_dump device_config_runtime_native_prop:file { getattr map open };
+allow crash_dump hwservicemanager_prop:file { getattr map open };
+allow crash_dump runtime_event_log_tags_file:file getattr;
diff --git a/sepolicy/dnsmasq.te b/sepolicy/dnsmasq.te
new file mode 100644
index 0000000..1154d8a
--- /dev/null
+++ b/sepolicy/dnsmasq.te
@@ -0,0 +1,3 @@
+# audit2allow
+allow dnsmasq netd:fifo_file getattr;
+allow dnsmasq netd:unix_stream_socket getattr;
diff --git a/sepolicy/file.te b/sepolicy/file.te
new file mode 100644
index 0000000..4d9988f
--- /dev/null
+++ b/sepolicy/file.te
@@ -0,0 +1,2 @@
+type sysfs_gpu, fs_type, sysfs_type;
+type dri_device, dev_type;
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
new file mode 100644
index 0000000..ab364f8
--- /dev/null
+++ b/sepolicy/file_contexts
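Review bot: `gpu_access(appdomain -isolated_app)` extends the grant to every app domain, including the untrusted ones, while the comment above it names only a few system apps with a read-only need. The macro body (te_macros, same commit) permits searching /dev/dri and reading the sysfs_gpu files under /sys/devices/platform/soc/ae00000.mdss, so this rule makes the GPU's sysfs attributes readable by third-party apps; since system_app, priv_app and platform_app each receive their own `gpu_access` call in this commit, the appdomain-wide rule is only justified if an untrusted_app domain was actually observed crashing. Either narrow it to the domain that was observed or record that denial in the comment, e.g. `# untrusted_app needs dri_device:dir search to open its render node (observed denial: <placeholder>)`.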
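Review bot: `# audit2allow` records where the six allow rules came from but not why crash_dump needs them, and the same bare header is the only explanation in dnsmasq.te, hal_drm_default.te, kernel.te and netd.te. Rules lifted from denial logs should each name the process or operation that triggered them, so a later reviewer can tell a real need from a transient denial; the first rule, `allow crash_dump bluetooth_data_file:file { getattr map open read };`, is the one most worth explaining, since `open` lets the crash dumper open Bluetooth data files by path rather than only map descriptors inherited from the crashing process. If these came from a crashing Bluetooth process whose open files crash_dump maps, a comment saying so — or a `dontaudit` where the dump still succeeds without the access — would be preferable to a silent grant.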
@@ -0,0 +1,17 @@
+/dev/block/by-name/metadata u:object_r:metadata_block_device:s0
+/dev/dri u:object_r:dri_device:s0
+/dev/dri/card0 u:object_r:graphics_device:s0
+/dev/dri/renderD128 u:object_r:gpu_device:s0
+/dev/ttyMSM0 u:object_r:console_device:s0
+
+/sys/devices/platform/soc/ae00000.mdss u:object_r:sysfs_gpu:s0
+/sys/devices/platform/soc/c440000.spmi/spmi-0/0-00/c440000.spmi:pmic@0:rtc@6000/rtc u:object_r:sysfs_rtc:s0
+
+/vendor/bin/hw/android\.hardware\.gatekeeper@1\.0-service\.software u:object_r:hal_gatekeeper_default_exec:s0
+
+/vendor/lib(64)?/dri/.* u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/hw/gralloc\.gbm\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libdrm\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libdrm_freedreno\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libgbm\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libglapi\.so u:object_r:same_process_hal_file:s0
diff --git a/sepolicy/genfs_contexts b/sepolicy/genfs_contexts
new file mode 100644
index 0000000..52338f0
--- /dev/null
+++ b/sepolicy/genfs_contexts
@@ -0,0 +1,3 @@
+genfscon sysfs /devices/platform/soc/ae00000.mdss u:object_r:sysfs_gpu:s0
+
+genfscon sysfs /devices/platform/soc/c440000.spmi/spmi-0/0-00/c440000.spmi:pmic@0:rtc@6000 u:object_r:sysfs_rtc:s0
diff --git a/sepolicy/hal_drm_default.te b/sepolicy/hal_drm_default.te
new file mode 100644
index 0000000..e783575
--- /dev/null
+++ b/sepolicy/hal_drm_default.te
@@ -0,0 +1,2 @@
+# audit2allow
+allow hal_drm_default vndbinder_device:chr_file rw_file_perms;
diff --git a/sepolicy/hal_graphics_allocator_default.te b/sepolicy/hal_graphics_allocator_default.te
new file mode 100644
index 0000000..00f38cc
--- /dev/null
+++ b/sepolicy/hal_graphics_allocator_default.te
@@ -0,0 +1 @@
+gpu_access(hal_graphics_allocator_default)
diff --git a/sepolicy/hal_graphics_composer.te b/sepolicy/hal_graphics_composer.te
new file mode 100644
index 0000000..40dbe25
--- /dev/null
+++ b/sepolicy/hal_graphics_composer.te
@@ -0,0 +1 @@
+gpu_access(hal_graphics_composer_server)
diff --git a/sepolicy/hal_graphics_composer_default.te b/sepolicy/hal_graphics_composer_default.te
new file mode 100644
index 0000000..9c310f6
--- /dev/null
+++ b/sepolicy/hal_graphics_composer_default.te
@@ -0,0 +1,3 @@
+vndbinder_use(hal_graphics_composer_default)
+
+allow hal_graphics_composer_default self:netlink_kobject_uevent_socket { bind create read };
diff --git a/sepolicy/hal_memtrack.te b/sepolicy/hal_memtrack.te
new file mode 100644
index 0000000..51bd527
--- /dev/null
+++ b/sepolicy/hal_memtrack.te
@@ -0,0 +1,4 @@
+# Memtrack reads proc/<pid>/cmdline to check if process is surfaceflinger.
+# Grant access if that's the case; don't log denials for other processes.
+allow hal_memtrack surfaceflinger:file read;
+dontaudit hal_memtrack { domain -surfaceflinger}:file read;
diff --git a/sepolicy/hal_wifi_supplicant_default.te b/sepolicy/hal_wifi_supplicant_default.te
new file mode 100644
index 0000000..c657db5
--- /dev/null
+++ b/sepolicy/hal_wifi_supplicant_default.te
@@ -0,0 +1,6 @@
+# TODO(b/36657258): Remove data_between_core_and_vendor_violators once
+# hal_wifi_supplicant no longer directly accesses wifi_data_file.
+typeattribute hal_wifi_supplicant_default data_between_core_and_vendor_violators;
+
+allow hal_wifi_supplicant_default wifi_data_file:dir create_dir_perms;
+allow hal_wifi_supplicant_default wifi_data_file:file create_file_perms;
diff --git a/sepolicy/kernel.te b/sepolicy/kernel.te
new file mode 100644
index 0000000..46bfee5
--- /dev/null
+++ b/sepolicy/kernel.te
@@ -0,0 +1,5 @@
+# audit2allow
+allow kernel device:chr_file { create setattr };
+allow kernel device:dir { add_name create write };
+allow kernel self:capability mknod;
+allow kernel vendor_file:file { open read };
diff --git a/sepolicy/netd.te b/sepolicy/netd.te
new file mode 100644
index 0000000..2e954bb
--- /dev/null
+++ b/sepolicy/netd.te
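Review bot: `allow kernel vendor_file:file { open read };` in kernel.te gives the kernel domain read access to everything labelled vendor_file rather than to a firmware directory; the commit message mentions missing firmware files, so if this rule exists for the firmware loader, labelling the firmware path with the dedicated `vendor_firmware_file` type in file_contexts and granting the kernel that type instead would keep the rest of /vendor out of reach. The two `device` rules plus `allow kernel self:capability mknod;` let the kernel domain create device nodes under /dev and change their attributes, which on Android is typically ueventd's role; a comment naming what is creating them (presumably devtmpfs — confirm) would make the grant reviewable. Replacing `# audit2allow` with those two explanations would be enough.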
@@ -0,0 +1,3 @@
+# audit2allow
+allow netd kernel:system module_request;
+allow netd self:capability sys_module;
diff --git a/sepolicy/platform_app.te b/sepolicy/platform_app.te
new file mode 100644
index 0000000..775e964
--- /dev/null
+++ b/sepolicy/platform_app.te
@@ -0,0 +1 @@
+gpu_access(platform_app)
diff --git a/sepolicy/priv_app.te b/sepolicy/priv_app.te
new file mode 100644
index 0000000..05c9e47
--- /dev/null
+++ b/sepolicy/priv_app.te
@@ -0,0 +1 @@
+gpu_access(priv_app)
diff --git a/sepolicy/surfaceflinger.te b/sepolicy/surfaceflinger.te
new file mode 100644
index 0000000..17b66a8
--- /dev/null
+++ b/sepolicy/surfaceflinger.te
@@ -0,0 +1 @@
+gpu_access(surfaceflinger)
diff --git a/sepolicy/system_app.te b/sepolicy/system_app.te
new file mode 100644
index 0000000..4a85066
--- /dev/null
+++ b/sepolicy/system_app.te
@@ -0,0 +1 @@
+gpu_access(system_app)
diff --git a/sepolicy/system_server.te b/sepolicy/system_server.te
new file mode 100644
index 0000000..80957cc
--- /dev/null
+++ b/sepolicy/system_server.te
@@ -0,0 +1 @@
+gpu_access(system_server)
diff --git a/sepolicy/te_macros b/sepolicy/te_macros
new file mode 100644
index 0000000..322827a
--- /dev/null
+++ b/sepolicy/te_macros
@@ -0,0 +1,8 @@
+#####################################
+# gpu_access(client_domain)
+# Allow client_domain to communicate with the GPU
+define(`gpu_access', `
+allow $1 dri_device:dir { open read search };
+allow $1 sysfs_gpu:dir search;
+allow $1 sysfs_gpu:file { getattr open read };
+') |
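Review bot: `allow netd self:capability sys_module;` together with `allow netd kernel:system module_request;` in netd.te lets the network daemon load and auto-load kernel modules, a far larger privilege than the netfilter setup it presumably needs, and a module-loading capability in a daemon that handles network configuration widens the impact of any bug in it. Loading the required modules once from init, or building them into the kernel, removes the need for CAP_SYS_MODULE in netd entirely; if the autoload requests must stay, a comment listing which modules are requested would let the rules be narrowed later. The enclosing file is only these three lines, so the `# audit2allow` header is the sole justification on record.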
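Review bot: The header comment `# Allow client_domain to communicate with the GPU` in te_macros promises more than the macro grants: the body only permits searching and reading the /dev/dri directory (`dri_device:dir`) and reading the GPU's sysfs attributes (`sysfs_gpu`), while the character devices themselves are labelled graphics_device and gpu_device in file_contexts and are not touched here. Suggest `# Allow client_domain to enumerate /dev/dri and read the GPU's sysfs attributes; access to the card/render nodes (graphics_device, gpu_device) is not granted by this macro.` so callers do not assume one `gpu_access` call is sufficient on its own.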