From abd977a79ec0a1f90cf236339e080775491b9919 Mon Sep 17 00:00:00 2001
From: rpcraig <rpcraig@tycho.ncsc.mil>
Date: Fri, 10 Aug 2012 06:25:52 -0400
Subject: [PATCH] Additions for grouper/JB

---
 app.te | 3 +++
 debuggerd.te | 1 +
 drmserver.te | 4 ++++
 keystore.te | 1 +
 mediaserver.te | 1 +
 wpa_supplicant.te | 4 ++++
 6 files changed, 14 insertions(+)

diff --git a/app.te b/app.te
index f844221a1..028bf4544 100644
--- a/app.te
+++ b/app.te
@@ -24,6 +24,9 @@ allow platform_app shell_data_file:file { open getattr read };
 allow platform_app shell_data_file:lnk_file read;
 # Populate /data/app/vmdl*.tmp file created by system server.
 allow platform_app apk_tmp_file:file rw_file_perms;
+# Read/[open] to /proc/net/xt_qtaguid/ctrl and /dev/xt_qtaguid
+allow platform_app qtaguid_proc:file { open };
+allow platform_app qtaguid_device:chr_file r_file_perms;
 
 # Apps signed with the media key.
 type media_app, domain;
diff --git a/debuggerd.te b/debuggerd.te
index 8ff37474c..653d00396 100644
--- a/debuggerd.te
+++ b/debuggerd.te
@@ -5,6 +5,7 @@ type debuggerd_exec, exec_type, file_type;
 init_daemon_domain(debuggerd)
 typeattribute debuggerd mlstrustedsubject;
 allow debuggerd self:capability { dac_override sys_ptrace chown kill fowner };
+allow debuggerd self:capability2 { syslog };
 allow debuggerd domain:dir r_dir_perms;
 allow debuggerd domain:file r_file_perms;
 allow debuggerd domain:process ptrace;
diff --git a/drmserver.te b/drmserver.te
index 624ae1327..f30033a2f 100644
--- a/drmserver.te
+++ b/drmserver.te
@@ -11,6 +11,10 @@ binder_call(drmserver, system)
 binder_call(drmserver, appdomain)
 binder_service(drmserver)
 
+# Perform Binder IPC to mediaserver
+binder_call(drmserver, mediaserver)
+
 allow drmserver sdcard:dir search;
 allow drmserver drm_data_file:dir create_dir_perms;
 allow drmserver drm_data_file:file create_file_perms;
+allow drmserver self:{ tcp_socket udp_socket } *;
diff --git a/keystore.te b/keystore.te
index 43c913a85..6c4d61026 100644
--- a/keystore.te
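Review bot: The new `allow platform_app qtaguid_proc:file { open };` grants only `open` on /proc/net/xt_qtaguid/ctrl, while the comment directly above it says `Read/[open]`; an open(2) for reading is checked against both `open` and `read`, so unless `read` is already granted to platform_app in a rule outside this hunk the file still cannot be read, and if it is granted elsewhere the comment misstates what this rule adds. Either make the access explicit in one place, e.g. `allow platform_app qtaguid_proc:file r_file_perms;` with the comment adjusted to `# Read /proc/net/xt_qtaguid/ctrl and /dev/xt_qtaguid`, or reword the comment to say only `open` is added here and where `read` comes from. Keeping the permission set and its comment in agreement is what later audits of xt_qtaguid access will rely on.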
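Review bot: `allow debuggerd self:capability2 { syslog };` is added without a comment explaining why debuggerd needs CAP_SYSLOG, which is a broad grant (kernel log read and clear) that a reviewer will want justified, and the surrounding policy files do annotate intent on rules like this. Presumably it is for pulling the kernel log into a tombstone — confirm against the denial that motivated it — and record that, e.g. `# CAP_SYSLOG: read the kernel log (klogctl) when writing a tombstone`. Since the capability cannot be narrowed to the read side in policy, the comment is the only place that intended scope gets documented.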
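Review bot: `allow drmserver self:{ tcp_socket udp_socket } *;` grants every permission on both socket classes (bind, listen, accept, setopt and anything added to these classes in future) with no comment saying what drmserver does with the network; a wildcard is the one form of rule that cannot be audited against observed need and silently grows with the class definitions. Derive the set from the denials that prompted it and spell it out — e.g. `allow drmserver self:{ tcp_socket udp_socket } create_socket_perms;` or a narrower stream/datagram macro — and add a comment naming the DRM plugin or use case that requires it. Socket creation alone does not grant node/port/netif access, so if real connectivity is expected it is presumably provided by a rule outside this patch; confirm rather than widening this line further.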
+++ b/keystore.te
@@ -5,3 +5,4 @@ type keystore_exec, exec_type, file_type;
 init_daemon_domain(keystore)
 allow keystore keystore_data_file:dir create_dir_perms;
 allow keystore keystore_data_file:notdevfile_class_set create_file_perms;
+allow keystore keystore_exec:file { getattr };
diff --git a/mediaserver.te b/mediaserver.te
index 1b97eed72..c8adf3ac1 100644
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -9,6 +9,7 @@ allow mediaserver kernel:system module_request;
 binder_use(mediaserver)
 binder_call(mediaserver, binderservicedomain)
 binder_call(mediaserver, appdomain)
+binder_transfer(mediaserver, surfaceflinger)
 binder_service(mediaserver)
 allow mediaserver app_data_file:dir search;
 allow mediaserver app_data_file:file r_file_perms;
diff --git a/wpa_supplicant.te b/wpa_supplicant.te
index 8860ef9dd..be1bf2563 100644
--- a/wpa_supplicant.te
+++ b/wpa_supplicant.te
@@ -14,3 +14,7 @@ allow wpa wifi_data_file:dir create_dir_perms;
 allow wpa wifi_data_file:file create_file_perms;
 unix_socket_send(wpa, system_wpa, system)
 allow wpa random_device:chr_file r_file_perms;
+
+# Create a socket for receiving info from wpa
+type_transition wpa wifi_data_file:sock_file wpa_socket;
+allow wpa wpa_socket:sock_file create_file_perms;
--
GitLab
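Review bot: `allow keystore keystore_exec:file { getattr };` has no comment recording which operation triggered it (presumably a stat of its own executable — confirm from the audit denial). The rule is appropriately minimal; a one-line note such as `# getattr on its own executable` keeps it from being widened later by someone guessing at its purpose.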
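Review bot: The added `binder_transfer(mediaserver, surfaceflinger)` sits among the `binder_call` lines without a comment saying what binder references mediaserver hands to surfaceflinger; the neighbouring macros are self-explanatory, but a transfer grant is the kind of permission a later reviewer will want motivated. A short comment above it, e.g. `# Pass binder references (presumably surfaces/buffers) to surfaceflinger — confirm`, would document that. Grouping it after `binder_service(mediaserver)` rather than between the call rules would also keep the call/service block intact.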
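Review bot: The `type_transition wpa wifi_data_file:sock_file wpa_socket;` line depends on a `wpa_socket` type (with a file_type attribute) that this patch does not declare; if it is not already declared in file.te the policy will fail to build, and if it is, the peer that uses the socket also needs access to the `wpa_socket` sock_file and to wpa's socket itself, none of which appear here — possibly granted in another file, confirm. The comment `# Create a socket for receiving info from wpa` is written from the client's point of view; from wpa's domain these rules label the socket wpa creates under wifi_data_file, so wording like `# Label the socket wpa creates under wifi_data_file as wpa_socket` would match what the two rules actually do.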