Merge "shamu: remove discard in fstab" into nyc-mr1-dev am: 2328f598c0
am: 5b7b6992ba
Change-Id: I00a8ce8520d53829eb1c039d758d2df95b567df9
diff --git a/BoardConfig.mk b/BoardConfig.mk
index 4a8a184..9729bbc 100644
--- a/BoardConfig.mk
+++ b/BoardConfig.mk
@@ -125,4 +125,6 @@
# Disable dex-preopt of prebuilts to save space.
DONT_DEXPREOPT_PREBUILTS := true
+TARGET_FS_CONFIG_GEN += device/moto/shamu/config.fs
+
-include vendor/moto/shamu/BoardConfigVendor.mk
diff --git a/ShamuLayout/res/values-be-rBY/strings.xml b/ShamuLayout/res/values-be-rBY/strings.xml
deleted file mode 100644
index c90f50e..0000000
--- a/ShamuLayout/res/values-be-rBY/strings.xml
+++ /dev/null
@@ -1,23 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!-- Copyright (C) 2014 The Android Open Source Project
-
- Licensed under the Apache License, Version 2.0 (the "License");
- you may not use this file except in compliance with the License.
- You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
- -->
-
-<resources xmlns:android="http://schemas.android.com/apk/res/android"
- xmlns:xliff="urn:oasis:names:tc:xliff:document:1.2">
- <string name="app_label" msgid="4827444239162090155">"Галоўны экран Nexus 6"</string>
- <string name="google_folder_title" msgid="3050712152111669078">"Google"</string>
- <string name="create_folder_title" msgid="1626185277541881691">"Стварыць"</string>
- <string name="play_folder_title" msgid="8796147714003891112">"Play"</string>
-</resources>
diff --git a/ShamuLayout/res/values-bs-rBA/strings.xml b/ShamuLayout/res/values-bs-rBA/strings.xml
deleted file mode 100644
index b1de26a..0000000
--- a/ShamuLayout/res/values-bs-rBA/strings.xml
+++ /dev/null
@@ -1,23 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!-- Copyright (C) 2014 The Android Open Source Project
-
- Licensed under the Apache License, Version 2.0 (the "License");
- you may not use this file except in compliance with the License.
- You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
- -->
-
-<resources xmlns:android="http://schemas.android.com/apk/res/android"
- xmlns:xliff="urn:oasis:names:tc:xliff:document:1.2">
- <string name="app_label" msgid="4827444239162090155">"Nexus 6 početni ekran"</string>
- <string name="google_folder_title" msgid="3050712152111669078">"Google"</string>
- <string name="create_folder_title" msgid="1626185277541881691">"Kreiraj"</string>
- <string name="play_folder_title" msgid="8796147714003891112">"Reproduciraj"</string>
-</resources>
diff --git a/android_filesystem_config.h b/android_filesystem_config.h
deleted file mode 100644
index 6dfee70..0000000
--- a/android_filesystem_config.h
+++ /dev/null
@@ -1,39 +0,0 @@
-/*
- * Copyright (C) 2015 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-/* This file is used to define the properties of the filesystem
-** images generated by build tools (mkbootfs and mkyaffs2image) and
-** by the device side of adb.
-*/
-
-#include <private/android_filesystem_config.h>
-
-#define NO_ANDROID_FILESYSTEM_CONFIG_DEVICE_DIRS
-/* static const struct fs_path_config android_device_dirs[] = { }; */
-
-/* Rules for files.
-** These rules are applied based on "first match", so they
-** should start with the most specific path and work their
-** way up to the root. Prefixes ending in * denotes wildcard
-** and will allow partial matches.
-*/
-static const struct fs_path_config android_device_files[] = {
- { 00700, AID_RADIO, AID_SHELL, (1ULL << CAP_BLOCK_SUSPEND), "system/bin/qmuxd" },
- { 00700, AID_CAMERA, AID_SHELL, (1ULL << CAP_SYS_NICE), "system/bin/mm-qcamera-daemon" },
-#ifdef NO_ANDROID_FILESYSTEM_CONFIG_DEVICE_DIRS
- { 00000, AID_ROOT, AID_ROOT, 0, "system/etc/fs_config_dirs" },
-#endif
-};
diff --git a/config.fs b/config.fs
new file mode 100644
index 0000000..15679d2
--- /dev/null
+++ b/config.fs
@@ -0,0 +1,5 @@
+[system/bin/qmuxd]
+mode: 0700
+user: AID_RADIO
+group: AID_SHELL
+caps: BLOCK_SUSPEND
diff --git a/device.mk b/device.mk
index a05b9b8..c422f9e 100644
--- a/device.mk
+++ b/device.mk
@@ -124,6 +124,7 @@
PRODUCT_PACKAGES := \
libwpa_client \
hostapd \
+ wificond \
wpa_supplicant \
wpa_supplicant.conf
diff --git a/init.shamu.rc b/init.shamu.rc
index 6397977..cacc865 100644
--- a/init.shamu.rc
+++ b/init.shamu.rc
@@ -119,25 +119,25 @@
write /sys/bus/msm_subsys/devices/subsys3/recovery_policy "skip_restart"
on boot
- chown bluetooth net_bt_stack /sys/module/bluetooth_power/parameters/power
- chown bluetooth net_bt_stack /sys/class/rfkill/rfkill0/type
- chown bluetooth net_bt_stack /sys/class/rfkill/rfkill0/state
- chown bluetooth net_bt_stack /proc/bluetooth/sleep/proto
- chown bluetooth net_bt_stack /proc/bluetooth/sleep/lpm
- chown bluetooth net_bt_stack /proc/bluetooth/sleep/btwrite
- chown bluetooth net_bt_stack /sys/module/hci_uart/parameters/ath_lpm
- chown bluetooth net_bt_stack /sys/module/hci_uart/parameters/ath_btwrite
+ chown bluetooth bluetooth /sys/module/bluetooth_power/parameters/power
+ chown bluetooth bluetooth /sys/class/rfkill/rfkill0/type
+ chown bluetooth bluetooth /sys/class/rfkill/rfkill0/state
+ chown bluetooth bluetooth /proc/bluetooth/sleep/proto
+ chown bluetooth bluetooth /proc/bluetooth/sleep/lpm
+ chown bluetooth bluetooth /proc/bluetooth/sleep/btwrite
+ chown bluetooth bluetooth /sys/module/hci_uart/parameters/ath_lpm
+ chown bluetooth bluetooth /sys/module/hci_uart/parameters/ath_btwrite
chown system system /sys/module/sco/parameters/disable_esco
- chown bluetooth net_bt_stack /sys/module/hci_smd/parameters/hcismd_set
+ chown bluetooth bluetooth /sys/module/hci_smd/parameters/hcismd_set
chmod 0660 /sys/module/bluetooth_power/parameters/power
chmod 0660 /sys/module/hci_smd/parameters/hcismd_set
chmod 0660 /sys/class/rfkill/rfkill0/state
chmod 0660 /proc/bluetooth/sleep/proto
- chown bluetooth net_bt_stack /dev/ttyHS0
+ chown bluetooth bluetooth /dev/ttyHS0
chmod 0660 /sys/module/hci_uart/parameters/ath_lpm
chmod 0660 /sys/module/hci_uart/parameters/ath_btwrite
chmod 0660 /dev/ttyHS0
- chown bluetooth net_bt_stack /sys/devices/platform/msm_serial_hs.0/clock
+ chown bluetooth bluetooth /sys/devices/platform/msm_serial_hs.0/clock
chmod 0660 /sys/devices/platform/msm_serial_hs.0/clock
# update foreground cpuset now that processors are up
@@ -149,7 +149,7 @@
write /dev/cpuset/top-app/cpus 0-3
chmod 0660 /dev/ttyHS2
- chown bluetooth net_bt_stack /dev/ttyHS2
+ chown bluetooth bluetooth /dev/ttyHS2
#Create QMUX deamon socket area
mkdir /dev/socket/qmux_radio 0770 radio radio
@@ -186,7 +186,7 @@
#BT DUN port-bridge
chmod 0660 /dev/smd7
- chown bluetooth net_bt_stack /dev/smd7
+ chown bluetooth bluetooth /dev/smd7
#For bridgemgr daemon to inform the USB driver of the correct transport
chown radio radio /sys/class/android_usb/f_rmnet_smd_sdio/transport
@@ -255,8 +255,6 @@
# msm specific files that need to be created on /data
on post-fs-data
- mkdir /data/misc/bluetooth 0770 bluetooth bluetooth
-
# Create the directories used by the Wireless subsystem
mkdir /data/misc/wifi 0770 wifi wifi
mkdir /data/misc/wifi/sockets 0770 wifi wifi
@@ -413,7 +411,7 @@
on property:ro.data.large_tcp_window_size=true
write /proc/sys/net/ipv4/tcp_adv_win_scale 2
-service p2p_supplicant /system/bin/wpa_supplicant \
+service wpa_supplicant /system/bin/wpa_supplicant \
-iwlan0 -Dnl80211 -c/data/misc/wifi/wpa_supplicant.conf \
-I/system/etc/wifi/p2p_supplicant_overlay.conf \
-puse_p2p_group_interface=1p2p_device=1 \
@@ -428,19 +426,6 @@
disabled
oneshot
-service wpa_supplicant /system/bin/wpa_supplicant \
- -iwlan0 -Dnl80211 -c/data/misc/wifi/wpa_supplicant.conf \
- -I/system/etc/wifi/wpa_supplicant_overlay.conf \
- -e/data/misc/wifi/entropy.bin -g@android:wpa_wlan0
- # we will start as root and wpa_supplicant will switch to user wifi
- # after setting up the capabilities required for WEXT
- # user wifi
- # group wifi inet keystore
- class main
- socket wpa_wlan0 dgram 660 wifi wifi
- disabled
- oneshot
-
service adspd /system/bin/adspd /dev/ttyHS3
class main
socket adspdsock stream 0660 media media
diff --git a/sepolicy/adspd.te b/sepolicy/adspd.te
index 8e1e095..7288af4 100644
--- a/sepolicy/adspd.te
+++ b/sepolicy/adspd.te
@@ -1,4 +1,4 @@
-type adspd, domain, domain_deprecated, mlstrustedsubject;
+type adspd, domain, device_domain_deprecated, mlstrustedsubject;
type adspd_exec, file_type, exec_type;
init_daemon_domain(adspd)
diff --git a/sepolicy/atfwd.te b/sepolicy/atfwd.te
index 2cfef37..04b6b75 100644
--- a/sepolicy/atfwd.te
+++ b/sepolicy/atfwd.te
@@ -1,4 +1,4 @@
-type atfwd, domain, domain_deprecated;
+type atfwd, domain, device_domain_deprecated;
type atfwd_exec, exec_type, file_type;
# Started by init
diff --git a/sepolicy/attributes b/sepolicy/attributes
new file mode 100644
index 0000000..d140949
--- /dev/null
+++ b/sepolicy/attributes
@@ -0,0 +1,4 @@
+# domain_deprecated attribute is being removed from core policy. Leave it
+# in device-specific policy for device-specific domains. Unlike core policy,
+# device-specific policy will eventually be deprecated.
+attribute device_domain_deprecated;
diff --git a/sepolicy/audioserver.te b/sepolicy/audioserver.te
index 8de66a7..1337919 100644
--- a/sepolicy/audioserver.te
+++ b/sepolicy/audioserver.te
@@ -4,6 +4,7 @@
# Permit audioserver to create sockets with no specific SELinux class.
# TODO: Investigate the specific type of socket.
allow audioserver self:socket create_socket_perms;
+allowxperm audioserver self:socket ioctl msm_sock_ipc_ioctls;
allow audioserver mpdecision_socket:dir r_dir_perms;
unix_socket_send(audioserver, mpdecision, mpdecision)
diff --git a/sepolicy/bluetooth_loader.te b/sepolicy/bluetooth_loader.te
index 5f0acfc..68f8fea 100644
--- a/sepolicy/bluetooth_loader.te
+++ b/sepolicy/bluetooth_loader.te
@@ -1,4 +1,4 @@
-type bluetooth_loader, domain, domain_deprecated;
+type bluetooth_loader, domain, device_domain_deprecated;
type bluetooth_loader_exec, exec_type, file_type;
# Started by init
diff --git a/sepolicy/bridge.te b/sepolicy/bridge.te
index cfabe80..4253de2 100644
--- a/sepolicy/bridge.te
+++ b/sepolicy/bridge.te
@@ -1,5 +1,5 @@
# Bridge Manager (radio process)
-type bridge, domain, domain_deprecated;
+type bridge, domain, device_domain_deprecated;
type bridge_exec, exec_type, file_type;
# Started by init
@@ -13,4 +13,4 @@
# Alert the RmNet SMD & SDIO function driver of the correct transport.
# (/sys/class/android_usb/f_rmnet_smd_sdio/transport)
-allow bridge sysfs_rmnet:file { open read write getattr };
\ No newline at end of file
+allow bridge sysfs_rmnet:file { open read write getattr };
diff --git a/sepolicy/camera.te b/sepolicy/camera.te
index 89c1afe..04136eb 100644
--- a/sepolicy/camera.te
+++ b/sepolicy/camera.te
@@ -1,13 +1,13 @@
# Qualcomm MSM camera
-type camera, domain, domain_deprecated;
+type camera, domain, device_domain_deprecated;
type camera_exec, exec_type, file_type;
# Started by init
init_daemon_domain(camera)
# Interact with other media devices
-allow camera video_device:dir search;
-allow camera { gpu_device video_device }:chr_file rw_file_perms;
+allow camera camera_device:dir search;
+allow camera { camera_device gpu_device video_device }:chr_file rw_file_perms;
allow camera { audioserver cameraserver surfaceflinger mediaserver }:fd use;
# Connect to sensor socket (/dev/sensor/sensor_ctl_socket)
@@ -16,8 +16,6 @@
allow camera sensors_device:chr_file rw_file_perms;
-allow camera self:capability { sys_nice };
-
# Create front and back camera sockets (/data/cam_socket[23])
# TODO: create these sockets elsewhere, apps shouldn't be putting sockets
# directly under /data.
diff --git a/sepolicy/cnd.te b/sepolicy/cnd.te
index 15e87aa..eea1d12 100644
--- a/sepolicy/cnd.te
+++ b/sepolicy/cnd.te
@@ -1,5 +1,5 @@
#permissive cnd;
-type cnd, domain, domain_deprecated;
+type cnd, domain, device_domain_deprecated;
type cnd_exec, exec_type, file_type;
# cnd is started by init, type transit from init domain to cnd domain
diff --git a/sepolicy/device_domain_deprecated.te b/sepolicy/device_domain_deprecated.te
new file mode 100644
index 0000000..bbe0b71
--- /dev/null
+++ b/sepolicy/device_domain_deprecated.te
@@ -0,0 +1,36 @@
+allow device_domain_deprecated adbd:unix_stream_socket connectto;
+allow device_domain_deprecated adbd:fd use;
+allow device_domain_deprecated adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };
+allow device_domain_deprecated rootfs:dir r_dir_perms;
+allow device_domain_deprecated rootfs:file r_file_perms;
+allow device_domain_deprecated rootfs:lnk_file r_file_perms;
+allow device_domain_deprecated device:file read;
+allow device_domain_deprecated system_file:dir r_dir_perms;
+allow device_domain_deprecated system_file:file r_file_perms;
+allow device_domain_deprecated system_file:lnk_file r_file_perms;
+allow device_domain_deprecated system_data_file:file { getattr read };
+allow device_domain_deprecated system_data_file:lnk_file r_file_perms;
+allow device_domain_deprecated apk_data_file:dir { getattr search };
+allow device_domain_deprecated apk_data_file:file r_file_perms;
+allow device_domain_deprecated apk_data_file:lnk_file r_file_perms;
+allow device_domain_deprecated dalvikcache_data_file:dir { search getattr };
+allow device_domain_deprecated dalvikcache_data_file:file r_file_perms;
+allow device_domain_deprecated cache_file:dir r_dir_perms;
+allow device_domain_deprecated cache_file:file { getattr read };
+allow device_domain_deprecated cache_file:lnk_file r_file_perms;
+allow device_domain_deprecated ion_device:chr_file rw_file_perms;
+allow device_domain_deprecated proc:dir r_dir_perms;
+allow device_domain_deprecated proc:{ file lnk_file } r_file_perms;
+allow device_domain_deprecated sysfs:dir r_dir_perms;
+allow device_domain_deprecated sysfs:{ file lnk_file } r_file_perms;
+allow device_domain_deprecated inotify:dir r_dir_perms;
+allow device_domain_deprecated inotify:{ file lnk_file } r_file_perms;
+allow device_domain_deprecated cgroup:dir r_dir_perms;
+allow device_domain_deprecated cgroup:{ file lnk_file } r_file_perms;
+allow device_domain_deprecated proc_meminfo:file r_file_perms;
+allow device_domain_deprecated proc_net:dir r_dir_perms;
+allow device_domain_deprecated proc_net:{ file lnk_file } r_file_perms;
+allow device_domain_deprecated selinuxfs:dir r_dir_perms;
+allow device_domain_deprecated selinuxfs:file r_file_perms;
+allow device_domain_deprecated asec_public_file:file r_file_perms;
+allow device_domain_deprecated { asec_public_file asec_apk_file }:dir r_dir_perms;
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index 2f90559..baccdb1 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -69,8 +69,8 @@
/dev/ramdump_.* u:object_r:ramdump_device:s0
# MSM camera related
-/dev/media([0-9])+ u:object_r:video_device:s0
-/dev/jpeg[0-9]* u:object_r:video_device:s0
+/dev/media([0-9])+ u:object_r:camera_device:s0
+/dev/jpeg[0-9]* u:object_r:camera_device:s0
/dev/bcm2079x-i2c u:object_r:nfc_device:s0
@@ -172,6 +172,9 @@
/sys/devices/cycapsense_prog.1/cycapsense_fw u:object_r:sysfs_capsense_update:s0
/sys/devices/mmi_sar_ctrl.[0-9]*/sar_wifi u:object_r:sysfs_sar_wifi:s0
+# sysfs files used by wifi
+/sys/module/bcmdhd/parameters/firmware_path u:object_r:sysfs_wlan_fwpath:s0
+
# wifi mac address
/sys/devices/virtual/net/wlan0/address u:object_r:sysfs_mac_address:s0
diff --git a/sepolicy/gsiffd.te b/sepolicy/gsiffd.te
index aefffb8..2a2ca4e 100644
--- a/sepolicy/gsiffd.te
+++ b/sepolicy/gsiffd.te
@@ -1,4 +1,4 @@
-type gsiffd, domain, domain_deprecated;
+type gsiffd, domain, device_domain_deprecated;
type gsiffd_exec, exec_type, file_type;
# Started by init
@@ -14,6 +14,7 @@
# Create sockets
allow gsiffd self:socket create_socket_perms;
+allowxperm gsiffd self:socket ioctl msm_sock_ipc_ioctls;
# Talk to qmux
qmux_socket(gsiffd)
diff --git a/sepolicy/ims.te b/sepolicy/ims.te
index c0b418c..82cf3bb 100644
--- a/sepolicy/ims.te
+++ b/sepolicy/ims.te
@@ -1,4 +1,4 @@
-type ims, domain, domain_deprecated;
+type ims, domain, device_domain_deprecated;
type ims_exec, exec_type, file_type;
# Started by init
@@ -24,7 +24,7 @@
allow ims self:capability { setpcap setuid net_bind_service };
# Allow ims to create and use netlink sockets.
-allow ims self:netlink_socket create_socket_perms;
+allow ims self:netlink_socket create_socket_perms_no_ioctl;
# Allow access to smem log
allow ims shared_log_device:chr_file rw_file_perms;
@@ -37,6 +37,7 @@
# Allow ims to create and use socket to communicate between ims processes.
allow ims self:socket create_socket_perms;
+allowxperm ims self:socket ioctl msm_sock_ipc_ioctls;
# Runs /system/bin/sh for executing ndc commands via popen
allow ims shell_exec:file rx_file_perms;
diff --git a/sepolicy/ioctl_defines b/sepolicy/ioctl_defines
index df44af5..e1fbedc 100644
--- a/sepolicy/ioctl_defines
+++ b/sepolicy/ioctl_defines
@@ -34,3 +34,11 @@
define(`IOCTL_KGSL_PERFCOUNTER_READ', `0x0000093b')
define(`IOCTL_KGSL_GPUMEM_SYNC_CACHE_BULK', `0x0000093c')
define(`IOCTL_KGSL_SUBMIT_COMMANDS', `0x0000093d')
+
+# socket ioctls defined in the kernel in include/uapi/linux/msm_ipc.h
+define(`IPC_ROUTER_IOCTL_GET_VERSION', `0x0000c300')
+define(`IPC_ROUTER_IOCTL_GET_MTU', `0x0000c301')
+define(`IPC_ROUTER_IOCTL_LOOKUP_SERVER', `0x0000c302')
+define(`IPC_ROUTER_IOCTL_GET_CURR_PKT_SIZE', `0x0000c303')
+define(`IPC_ROUTER_IOCTL_BIND_CONTROL_PORT', `0x0000c304')
+define(`IPC_ROUTER_IOCTL_CONFIG_SEC_RULES', `0x0000c305')
diff --git a/sepolicy/ioctl_macros b/sepolicy/ioctl_macros
index b237965..49b7c0e 100644
--- a/sepolicy/ioctl_macros
+++ b/sepolicy/ioctl_macros
@@ -57,3 +57,12 @@
IOCTL_KGSL_PERFCOUNTER_PUT
IOCTL_KGSL_SUBMIT_COMMANDS
}')
+
+define(`msm_sock_ipc_ioctls', `{
+IPC_ROUTER_IOCTL_GET_VERSION
+IPC_ROUTER_IOCTL_GET_MTU
+IPC_ROUTER_IOCTL_LOOKUP_SERVER
+IPC_ROUTER_IOCTL_GET_CURR_PKT_SIZE
+IPC_ROUTER_IOCTL_BIND_CONTROL_PORT
+IPC_ROUTER_IOCTL_CONFIG_SEC_RULES
+}')
diff --git a/sepolicy/irsc_util.te b/sepolicy/irsc_util.te
index 52e8c37..aa3ef21 100644
--- a/sepolicy/irsc_util.te
+++ b/sepolicy/irsc_util.te
@@ -1,8 +1,9 @@
# IPC Router Security Configuration Tool
-type irsc_util, domain, domain_deprecated;
+type irsc_util, domain, device_domain_deprecated;
type irsc_util_exec, exec_type, file_type;
# Started by init
init_daemon_domain(irsc_util)
allow irsc_util self:socket create_socket_perms;
+allowxperm irsc_util self:socket ioctl msm_sock_ipc_ioctls;
diff --git a/sepolicy/mdm_helper.te b/sepolicy/mdm_helper.te
index d1d9c4e..b7975f2 100644
--- a/sepolicy/mdm_helper.te
+++ b/sepolicy/mdm_helper.te
@@ -1,5 +1,5 @@
# Modem helper service. Spawns kickstart.
-type mdm_helper, domain, domain_deprecated;
+type mdm_helper, domain, device_domain_deprecated;
type mdm_helper_exec, file_type, exec_type;
init_daemon_domain(mdm_helper)
diff --git a/sepolicy/mediaserver.te b/sepolicy/mediaserver.te
index 8e15e4b..2405e91 100644
--- a/sepolicy/mediaserver.te
+++ b/sepolicy/mediaserver.te
@@ -4,6 +4,7 @@
# Permit mediaserver to create sockets with no specific SELinux class.
# TODO: Investigate the specific type of socket.
allow mediaserver self:socket create_socket_perms;
+allowxperm mediaserver self:socket ioctl msm_sock_ipc_ioctls;
allow mediaserver mpdecision_socket:dir r_dir_perms;
unix_socket_send(mediaserver, mpdecision, mpdecision)
diff --git a/sepolicy/mmi_touch_sh.te b/sepolicy/mmi_touch_sh.te
index 8028576..7aa5d79 100644
--- a/sepolicy/mmi_touch_sh.te
+++ b/sepolicy/mmi_touch_sh.te
@@ -1,4 +1,4 @@
-type mmi_touch_sh, domain, domain_deprecated;
+type mmi_touch_sh, domain, device_domain_deprecated;
type mmi_touch_sh_exec, exec_type, file_type;
# Started by init
diff --git a/sepolicy/mpdecision.te b/sepolicy/mpdecision.te
index b93c126..4d86b29 100644
--- a/sepolicy/mpdecision.te
+++ b/sepolicy/mpdecision.te
@@ -1,5 +1,5 @@
# CPU governor (root process)
-type mpdecision, domain, domain_deprecated;
+type mpdecision, domain, device_domain_deprecated;
type mpdecision_exec, exec_type, file_type;
# Started by init
@@ -20,6 +20,7 @@
allow mpdecision self:capability { dac_override net_admin fsetid chown };
allow mpdecision self:netlink_kobject_uevent_socket { create read setopt bind };
allow mpdecision self:socket create_socket_perms;
+allowxperm mpdecision self:socket ioctl msm_sock_ipc_ioctls;
allow mpdecision power_control_device:chr_file w_file_perms;
allow mpdecision mpdecision_socket:dir rw_dir_perms;
allow mpdecision mpdecision_socket:sock_file { create_file_perms unlink };
diff --git a/sepolicy/netmgrd.te b/sepolicy/netmgrd.te
index 9fc57be..d70ab9b 100644
--- a/sepolicy/netmgrd.te
+++ b/sepolicy/netmgrd.te
@@ -1,9 +1,10 @@
# Network utilities (radio process)
-type netmgrd, domain, domain_deprecated;
+type netmgrd, domain, device_domain_deprecated;
type netmgrd_exec, exec_type, file_type;
# Uses network sockets.
net_domain(netmgrd)
+allowxperm netmgrd self:udp_socket ioctl priv_sock_ioctls;
# Talk to qmuxd (qmux_radio)
qmux_socket(netmgrd)
@@ -29,13 +30,14 @@
allow netmgrd system_file:file rx_file_perms;
#Allow operations on different types of sockets
-allow netmgrd self:netlink_socket create_socket_perms;
-allow netmgrd self:rawip_socket create_socket_perms;
+allow netmgrd self:netlink_socket create_socket_perms_no_ioctl;
+allow netmgrd self:rawip_socket create_socket_perms_no_ioctl;
allow netmgrd self:netlink_route_socket nlmsg_write;
-allow netmgrd self:netlink_xfrm_socket { create_socket_perms nlmsg_write nlmsg_read };
+allow netmgrd self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_write nlmsg_read };
# b/17065650
allow netmgrd self:socket create_socket_perms;
+allowxperm netmgrd self:socket ioctl msm_sock_ipc_ioctls;
#Allow communication with cnd
unix_socket_connect(netmgrd, cnd, cnd)
diff --git a/sepolicy/qmux.te b/sepolicy/qmux.te
index ec1c083..c662cf5 100644
--- a/sepolicy/qmux.te
+++ b/sepolicy/qmux.te
@@ -1,5 +1,5 @@
# Qualcomm Management Interface Multiplexer
-type qmux, domain, domain_deprecated;
+type qmux, domain, device_domain_deprecated;
type qmux_exec, exec_type, file_type;
# Started by init
@@ -22,4 +22,4 @@
allow qmux sysfs_usb:file w_file_perms;
# qmux currently runs as root: b/16988307
-allow qmux self:capability { dac_override };
\ No newline at end of file
+allow qmux self:capability { dac_override };
diff --git a/sepolicy/rild.te b/sepolicy/rild.te
index 216271e..33264d1 100644
--- a/sepolicy/rild.te
+++ b/sepolicy/rild.te
@@ -30,3 +30,7 @@
allow rild audioserver_service:service_manager find;
allow rild mediaserver_service:service_manager find;
+
+# whitelist qualcomm specific ioctls
+allow rild self:socket ioctl;
+allowxperm rild self:socket ioctl msm_sock_ipc_ioctls;
diff --git a/sepolicy/sensors.te b/sepolicy/sensors.te
index e554669..67698b4 100644
--- a/sepolicy/sensors.te
+++ b/sepolicy/sensors.te
@@ -1,5 +1,5 @@
# Integrated qualcomm sensor process
-type sensors, domain, domain_deprecated;
+type sensors, domain, device_domain_deprecated;
type sensors_exec, exec_type, file_type;
# Started by init
@@ -36,3 +36,4 @@
allow sensors persist_sensors_file:file create_file_perms;
allow sensors self:socket *;
+allowxperm sensors self:socket ioctl msm_sock_ipc_ioctls;
diff --git a/sepolicy/ss_ramdump.te b/sepolicy/ss_ramdump.te
index d3a54f7..87e17c9 100644
--- a/sepolicy/ss_ramdump.te
+++ b/sepolicy/ss_ramdump.te
@@ -1,4 +1,4 @@
-type ss_ramdump, domain, domain_deprecated;
+type ss_ramdump, domain, device_domain_deprecated;
type ss_ramdump_exec, exec_type, file_type;
# Started by init
diff --git a/sepolicy/system_server.te b/sepolicy/system_server.te
index 713f3e4..f0c7008 100644
--- a/sepolicy/system_server.te
+++ b/sepolicy/system_server.te
@@ -7,3 +7,7 @@
unix_socket_connect(system_server, sensors, sensors)
allow system_server sensors_socket:sock_file r_file_perms;
+
+# whitelist qualcomm specific ioctls
+allow system_server self:socket ioctl;
+allowxperm system_server self:socket ioctl msm_sock_ipc_ioctls;
diff --git a/sepolicy/tcmd.te b/sepolicy/tcmd.te
index 2651668..8c40405 100644
--- a/sepolicy/tcmd.te
+++ b/sepolicy/tcmd.te
@@ -1,5 +1,5 @@
-type tcmd, domain, domain_deprecated;
+type tcmd, domain, device_domain_deprecated;
type tcmd_exec, exec_type, file_type;
init_daemon_domain(tcmd)
diff --git a/sepolicy/thermald.te b/sepolicy/thermald.te
index 185f586..e9bcb52 100644
--- a/sepolicy/thermald.te
+++ b/sepolicy/thermald.te
@@ -1,5 +1,5 @@
# Temperature sensor daemon (root process)
-type thermald, domain, domain_deprecated;
+type thermald, domain, device_domain_deprecated;
type thermald_exec, exec_type, file_type;
# Started by init
@@ -21,6 +21,7 @@
allow thermald thermald_socket:sock_file create_file_perms;
allow thermald self:socket create_socket_perms;
+allowxperm thermald self:socket ioctl msm_sock_ipc_ioctls;
# Writes to /sys/module/msm_thermal/core_control/cpus_offlined
allow thermald sysfs_mpdecision:file rw_file_perms;
diff --git a/sepolicy/time.te b/sepolicy/time.te
index bd6e65e..8da6dba 100644
--- a/sepolicy/time.te
+++ b/sepolicy/time.te
@@ -1,4 +1,4 @@
-type time, domain, domain_deprecated;
+type time, domain, device_domain_deprecated;
type time_exec, exec_type, file_type;
# Started by init
@@ -14,4 +14,5 @@
allow time time_data_file:file create_file_perms;
allow time self:socket *;
+allowxperm time self:socket ioctl msm_sock_ipc_ioctls;
allow time self:capability { setuid setgid };
diff --git a/sepolicy/untrusted_app.te b/sepolicy/untrusted_app.te
deleted file mode 100644
index 284a442..0000000
--- a/sepolicy/untrusted_app.te
+++ /dev/null
@@ -1,11 +0,0 @@
-# Motorola AoV solution
-unix_socket_connect(untrusted_app, adspd, adspd)
-
-# b/17630431: The unix_socket_connect line above needs to be
-# deleted. Generate audit entries to see if these permissions
-# are actually being used.
-# auditallow untrusted_app adspd_socket:sock_file write;
-# auditallow untrusted_app adspd:unix_stream_socket connectto;
-
-allow untrusted_app adspd_data_file:dir r_dir_perms;
-allow untrusted_app adspd_data_file:file r_file_perms;
diff --git a/ueventd.shamu.rc b/ueventd.shamu.rc
index cfe7130..85ce4be 100644
--- a/ueventd.shamu.rc
+++ b/ueventd.shamu.rc
@@ -54,7 +54,7 @@
/dev/jpeg0 0660 system camera
/dev/jpeg1 0660 system camera
/dev/jpeg2 0660 system camera
-/dev/ttyHS99 0660 bluetooth net_bt_stack
+/dev/ttyHS99 0660 bluetooth bluetooth
/sys/devices/virtual/smdpkt/smdcntl* open_timeout 0664 radio radio
#SAR device
