authorDavide Garberi <dade.garberi@gmail.com>2018-09-24 15:16:54 +0200
committerDavide Garberi <dade.garberi@gmail.com>2018-09-25 15:22:21 +0200
commit0adb92fe3d6a96b622d7ca417ced50e33b9f727f (patch)
tree9463ef694d2eb11e0a83ec86ef589b1f6dbd2799
parente2e5733b0b21ee1af9572bb9edd55fa64be56350 (diff)
msm8996-common: sepolicy: Address some denials
Change-Id: Id7520ca339db83eeeb8b3e608a44809141e30df3 Signed-off-by: Davide Garberi <dade.garberi@gmail.com>
-rw-r--r--sepolicy/atfwd.te2
-rw-r--r--sepolicy/cnd.te2
-rw-r--r--sepolicy/hal_dpmQmiMgr.te1
-rw-r--r--sepolicy/hal_fingerprint_default.te4
-rw-r--r--sepolicy/hal_gnss_qti.te2
-rw-r--r--sepolicy/hal_imsrtp.te2
-rw-r--r--sepolicy/hal_perf_default.te1
-rw-r--r--sepolicy/hal_rcsservice.te2
-rw-r--r--sepolicy/hal_sensors_default.te1
-rw-r--r--sepolicy/ims.te2
-rw-r--r--sepolicy/init.te7
-rw-r--r--sepolicy/location.te3
-rw-r--r--sepolicy/mm-qcamerad.te5
-rw-r--r--sepolicy/netmgrd.te2
-rw-r--r--sepolicy/peripheral_manager.te1
-rw-r--r--sepolicy/qti.te1
-rw-r--r--sepolicy/qti_init_shell.te6
-rw-r--r--sepolicy/sensors.te1
-rw-r--r--sepolicy/tee.te6
-rw-r--r--sepolicy/thermal-engine.te1
-rw-r--r--sepolicy/time_daemon.te2
-rw-r--r--sepolicy/vendor_init.te5
22 files changed, 41 insertions, 18 deletions
diff --git a/sepolicy/atfwd.te b/sepolicy/atfwd.te
index d0eed5e..a48a7db 100644
--- a/sepolicy/atfwd.te
+++ b/sepolicy/atfwd.te
@@ -1,2 +1,2 @@
allow atfwd sysfs_msm_subsys:dir search;
-allow atfwd sysfs_msm_subsys:file { open read };
+allow atfwd sysfs_msm_subsys:file { getattr open read setattr };
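Review bot: Adding `setattr` to `sysfs_msm_subsys:file` lets atfwd change the owner and mode of those sysfs nodes, which a daemon that previously needed only `open read` is unlikely to do itself; the same widening is repeated in the cnd, hal_dpmQmiMgr, hal_gnss_qti, hal_imsrtp, hal_rcsservice, hal_sensors_default, ims, location, netmgrd, peripheral_manager, qti, sensors, thermal-engine and time_daemon hunks. If the audit log only shows read-side denials, the narrower line is `allow atfwd sysfs_msm_subsys:file { getattr open read };` (or `r_file_perms`). A `setattr` denial on a sysfs node usually comes from a chown/chmod in an init .rc and belongs in init's policy, not in every consumer domain; a one-line comment above the rule naming the denial it addresses would let the next reader tell the two cases apart.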
diff --git a/sepolicy/cnd.te b/sepolicy/cnd.te
index 09f270c..5b6938b 100644
--- a/sepolicy/cnd.te
+++ b/sepolicy/cnd.te
@@ -1,5 +1,5 @@
allow cnd sysfs_msm_subsys:dir search;
-allow cnd sysfs_msm_subsys:file { open read };
+allow cnd sysfs_msm_subsys:file { getattr open read setattr };
allow cnd sysfs_soc:dir search;
allow cnd system_data_file:dir read;
allow cnd system_data_file:file { getattr ioctl open read };
diff --git a/sepolicy/hal_dpmQmiMgr.te b/sepolicy/hal_dpmQmiMgr.te
index ec5358c..7dec426 100644
--- a/sepolicy/hal_dpmQmiMgr.te
+++ b/sepolicy/hal_dpmQmiMgr.te
@@ -1 +1,2 @@
allow hal_dpmQmiMgr sysfs_msm_subsys:dir search;
+allow hal_dpmQmiMgr sysfs_msm_subsys:file { getattr open read setattr };
diff --git a/sepolicy/hal_fingerprint_default.te b/sepolicy/hal_fingerprint_default.te
index fee691f..3c7d5e6 100644
--- a/sepolicy/hal_fingerprint_default.te
+++ b/sepolicy/hal_fingerprint_default.te
@@ -11,3 +11,7 @@ allow hal_fingerprint_default firmware_file:file r_file_perms;
allow hal_fingerprint_default fpc_data_file:dir create_dir_perms;
allow hal_fingerprint_default fpc_data_file:sock_file { create setattr unlink };
+allow hal_fingerprint_default fingerprintd_data_file:dir rw_dir_perms;
+allow hal_fingerprint_default fingerprintd_data_file:file create_file_perms;
+allow hal_fingerprint_default vfat:dir { read search };
+allow hal_fingerprint_default vfat:file { getattr open read setattr };
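Review bot: The two new `vfat` rules let the fingerprint HAL walk and read any FAT-mounted volume and `setattr` files on it, which is broader than a HAL normally needs; if the denial is for a single calibration or persist path, a dedicated type in file_contexts would keep the grant narrow, and `setattr` should be dropped unless the log shows the HAL actually changing attributes. The `fingerprintd_data_file` rules give a vendor HAL write access to a core data type, which presumably requires `typeattribute hal_fingerprint_default data_between_core_and_vendor_violators;` to pass the core/vendor data neverallow; it is not in this hunk, so confirm it exists earlier in the file (the hunk starts at line 11).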
diff --git a/sepolicy/hal_gnss_qti.te b/sepolicy/hal_gnss_qti.te
index 37a4083..49ab1ff 100644
--- a/sepolicy/hal_gnss_qti.te
+++ b/sepolicy/hal_gnss_qti.te
@@ -1,3 +1,3 @@
allow hal_gnss_qti sysfs_msm_subsys:dir search;
allow hal_gnss_qti sysfs_soc:dir search;
-allow hal_gnss_qti sysfs_msm_subsys:file { open read };
+allow hal_gnss_qti sysfs_msm_subsys:file { getattr open read setattr };
diff --git a/sepolicy/hal_imsrtp.te b/sepolicy/hal_imsrtp.te
index 1787976..f583686 100644
--- a/sepolicy/hal_imsrtp.te
+++ b/sepolicy/hal_imsrtp.te
@@ -1,2 +1,2 @@
allow hal_imsrtp sysfs_msm_subsys:dir search;
-allow hal_imsrtp sysfs_msm_subsys:file { open read };
+allow hal_imsrtp sysfs_msm_subsys:file { getattr open read setattr };
diff --git a/sepolicy/hal_perf_default.te b/sepolicy/hal_perf_default.te
index 47b30f4..e185a2c 100644
--- a/sepolicy/hal_perf_default.te
+++ b/sepolicy/hal_perf_default.te
@@ -1,4 +1,5 @@
set_prop(hal_perf_default, freq_prop)
+typeattribute hal_perf_default data_between_core_and_vendor_violators;
allow hal_perf_default hal_graphics_composer_default:process signull;
allow hal_perf_default proc_kernel_sched:file rw_file_perms;
allow hal_perf_default sysfs_msm_subsys:dir search;
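Review bot: `typeattribute hal_perf_default data_between_core_and_vendor_violators;` is added without any rule in this hunk that touches a core data type, so the reason for the attribute is not recoverable from the file; presumably a rule further down needs it. A comment on the line naming that rule, e.g. `# needed for <core data type placeholder> access below`, would make it clear when the attribute can be removed again.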
diff --git a/sepolicy/hal_rcsservice.te b/sepolicy/hal_rcsservice.te
index 9719d47..333b19d 100644
--- a/sepolicy/hal_rcsservice.te
+++ b/sepolicy/hal_rcsservice.te
@@ -1,2 +1,2 @@
allow hal_rcsservice sysfs_msm_subsys:dir search;
-allow hal_rcsservice sysfs_msm_subsys:file { open read };
+allow hal_rcsservice sysfs_msm_subsys:file { getattr open read setattr };
diff --git a/sepolicy/hal_sensors_default.te b/sepolicy/hal_sensors_default.te
index 9e01c6d..491a38c 100644
--- a/sepolicy/hal_sensors_default.te
+++ b/sepolicy/hal_sensors_default.te
@@ -1 +1,2 @@
allow hal_sensors_default sysfs_msm_subsys:dir search;
+allow hal_sensors_default sysfs_msm_subsys:file { getattr open read setattr };
diff --git a/sepolicy/ims.te b/sepolicy/ims.te
index c1848e6..a46b104 100644
--- a/sepolicy/ims.te
+++ b/sepolicy/ims.te
@@ -1,4 +1,4 @@
allow ims sysfs_msm_subsys:dir search;
-allow ims sysfs_msm_subsys:file { open read };
+allow ims sysfs_msm_subsys:file { getattr open read setattr };
allow ims sysfs_soc:dir search;
allow ims ctl_default_prop:property_service set;
diff --git a/sepolicy/init.te b/sepolicy/init.te
index 55f9fac..5d8c97e 100644
--- a/sepolicy/init.te
+++ b/sepolicy/init.te
@@ -1,12 +1,13 @@
+typeattribute init data_between_core_and_vendor_violators;
allow init adsprpcd_file:filesystem { mount relabelfrom relabelto };
allow init debugfs_ipc:dir relabelfrom;
allow init debugfs_ipc:file relabelfrom;
allow init proc_kernel_sched:file write;
-allow init sysfs_scsi_devices_0000:dir write;
+allow init proc:file { getattr open read setattr };
allow init { ion_device tee_device }:chr_file ioctl;
allow init hidl_base_hwservice:hwservice_manager add;
-allow init sysfs_fingerprint:file { open read write };
+allow init sysfs_fingerprint:file { open read setattr write };
+allow init sysfs:file setattr;
allow init tee_device:chr_file write;
allow init hidl_base_hwservice:hwservice_manager add;
-allow init sysfs_fingerprint:file { open read write };
allow init system_server:binder call;
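Review bot: `allow init sysfs:file setattr;` on L141 and the `proc:file` rule on L136 target the generic `sysfs` and `proc` labels rather than a node-specific type, so every otherwise-unlabelled sysfs file becomes chown/chmod-able by init and every unlabelled proc file readable; a dedicated type in file_contexts/genfs_contexts for the node that actually triggered the denial would keep the grant narrow, and the generic `proc` label is one AOSP has been replacing with specific types, so this may also collide with a neverallow depending on the base policy in use. Separately, the new side still carries `allow init hidl_base_hwservice:hwservice_manager add;` twice (L138 and L143) even though the duplicated fingerprint rule was cleaned up; drop the second copy. `typeattribute init data_between_core_and_vendor_violators;` on the core init domain deserves a comment naming which vendor data rule requires it.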
diff --git a/sepolicy/location.te b/sepolicy/location.te
index ab3ba1f..e6dacad 100644
--- a/sepolicy/location.te
+++ b/sepolicy/location.te
@@ -1,4 +1,5 @@
allow location sysfs_msm_subsys:dir search;
allow location sysfs_soc:dir search;
allow location wcnss_prop:file r_file_perms;
-allow location sysfs_msm_subsys:file { open read };
+allow location sysfs_msm_subsys:file { getattr open read setattr };
+allow location location_data_file:sock_file unlink;
diff --git a/sepolicy/mm-qcamerad.te b/sepolicy/mm-qcamerad.te
index 512b271..4ae3bd5 100644
--- a/sepolicy/mm-qcamerad.te
+++ b/sepolicy/mm-qcamerad.te
@@ -1,3 +1,8 @@
+typeattribute mm-qcamerad data_between_core_and_vendor_violators;
+
+allow mm-qcamerad camera_data_file:dir create_dir_perms;
+allow mm-qcamerad camera_data_file:file create_file_perms;
+
allow mm-qcamerad sysfs_camera:dir search;
allow mm-qcamerad sysfs_camera:file r_file_perms;
allow mm-qcamerad sysfs_video:dir search;
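Review bot: `create_dir_perms` and `create_file_perms` on `camera_data_file` give the camera daemon create/rename/unlink over the whole type, and the new `data_between_core_and_vendor_violators` attribute is what allows a vendor domain to reach that core data type at all; both should carry a comment recording which path and which denial drove them, e.g. `# camera_data_file: <path placeholder>, written by mm-qcamerad for <purpose placeholder>`. If the daemon only reads existing files there, `r_dir_perms` and `r_file_perms` would be the narrower grant.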
diff --git a/sepolicy/netmgrd.te b/sepolicy/netmgrd.te
index f7f0051..06bbe17 100644
--- a/sepolicy/netmgrd.te
+++ b/sepolicy/netmgrd.te
@@ -1,5 +1,5 @@
allow netmgrd sysfs_msm_subsys:dir search;
-allow netmgrd sysfs_msm_subsys:file { open read };
+allow netmgrd sysfs_msm_subsys:file { getattr open read setattr };
allow netmgrd sysfs_net:dir search;
allow netmgrd sysfs_net:file rw_file_perms;
allow netmgrd sysfs_soc:dir search;
diff --git a/sepolicy/peripheral_manager.te b/sepolicy/peripheral_manager.te
index b32c70d..709affa 100644
--- a/sepolicy/peripheral_manager.te
+++ b/sepolicy/peripheral_manager.te
@@ -1 +1,2 @@
allow vendor_per_mgr sysfs_msm_subsys:dir search;
+allow vendor_per_mgr sysfs_msm_subsys:file { getattr open read setattr };
diff --git a/sepolicy/qti.te b/sepolicy/qti.te
index dac3966..df3942a 100644
--- a/sepolicy/qti.te
+++ b/sepolicy/qti.te
@@ -1,2 +1,3 @@
allow qti sysfs_msm_subsys:dir search;
+allow qti sysfs_msm_subsys:file { getattr open read setattr };
allow qti sysfs_soc:dir search;
diff --git a/sepolicy/qti_init_shell.te b/sepolicy/qti_init_shell.te
index a32d8ee..a5ec8a4 100644
--- a/sepolicy/qti_init_shell.te
+++ b/sepolicy/qti_init_shell.te
@@ -1,4 +1,4 @@
allow qti_init_shell sysfs:file write;
-allow qti_init_shell vendor_radio_data_file:file { open read write };
-allow qti_init_shell vendor_radio_data_file:dir getattr;
-allow qti_init_shell vfat:file getattr;
+allow qti_init_shell vendor_radio_data_file:dir { getattr open read search setattr };
+allow qti_init_shell vfat:file { getattr open read setattr };
+allow qti_init_shell vfat:dir { open read search };
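Review bot: Both `vendor_radio_data_file:dir { getattr open read search setattr }` and `vfat:file { getattr open read setattr }` add `setattr`, which a shell script only needs when it runs chown/chmod; if the script does that, a comment naming the .rc step would justify it, otherwise drop `setattr` from both lines. The old file-level rule `allow qti_init_shell vendor_radio_data_file:file { open read write };` is removed while directory access is widened, so if the script still opens files under that directory the next boot will log a fresh denial; worth confirming against the script before merging.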
diff --git a/sepolicy/sensors.te b/sepolicy/sensors.te
index eaeed4d..740e938 100644
--- a/sepolicy/sensors.te
+++ b/sepolicy/sensors.te
@@ -1 +1,2 @@
allow sensors sysfs_msm_subsys:dir search;
+allow sensors sysfs_msm_subsys:file { getattr open read setattr };
diff --git a/sepolicy/tee.te b/sepolicy/tee.te
index 2b4d499..7664bc4 100644
--- a/sepolicy/tee.te
+++ b/sepolicy/tee.te
@@ -1,5 +1,3 @@
-typeattribute tee data_between_core_and_vendor_violators;
-
-allow tee fingerprintd_data_file:file { open read };
-
+allow tee fingerprintd_data_file:file create_file_perms;
+allow tee fingerprintd_data_file:dir rw_dir_perms;
allow tee system_data_file:dir r_dir_perms;
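Review bot: The new side widens `tee` from `{ open read }` to `create_file_perms` plus `rw_dir_perms` on `fingerprintd_data_file` while dropping `typeattribute tee data_between_core_and_vendor_violators;`; `fingerprintd_data_file` is a core data type, so a vendor domain reaching it without that attribute is expected to trip the core/vendor data neverallow at build time unless the attribute is declared elsewhere in the policy, which should be confirmed. Independently, giving the TEE daemon create/unlink/rename over the fingerprint template store is a large grant; if it only reads and writes existing template files, `rw_file_perms` with `r_dir_perms` (adding `write add_name` on the dir only if it creates files) would be the narrower rule.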
diff --git a/sepolicy/thermal-engine.te b/sepolicy/thermal-engine.te
index 59626eb..ffd8a30 100644
--- a/sepolicy/thermal-engine.te
+++ b/sepolicy/thermal-engine.te
@@ -1,5 +1,6 @@
typeattribute thermal-engine data_between_core_and_vendor_violators;
allow thermal-engine sysfs_msm_subsys:dir search;
+allow thermal-engine sysfs_msm_subsys:file { getattr open read setattr };
allow thermal-engine sysfs_usb_supply:dir search;
allow thermal-engine sysfs_usb_supply:file r_file_perms;
diff --git a/sepolicy/time_daemon.te b/sepolicy/time_daemon.te
index d586681..3896a0a 100644
--- a/sepolicy/time_daemon.te
+++ b/sepolicy/time_daemon.te
@@ -1,3 +1,5 @@
allow time_daemon sysfs_msm_subsys:dir search;
+allow time_daemon sysfs_msm_subsys:file { getattr open read setattr };
allow time_daemon sysfs_soc:dir search;
allow time_daemon time_data_file:file { open read write };
+allow time_daemon time_data_file:dir search;
diff --git a/sepolicy/vendor_init.te b/sepolicy/vendor_init.te
index f4404cf..caecc32 100644
--- a/sepolicy/vendor_init.te
+++ b/sepolicy/vendor_init.te
@@ -6,6 +6,11 @@ allow vendor_init {
cnd_data_file
# dpmd_data_file
fpc_data_file
+ media_rw_data_file
+ nfc_data_file
+ rootfs
+ time_data_file
thermal_data_file
tombstone_data_file
}:dir create_dir_perms;
+allow vendor_init media_rw_data_file:dir getattr;
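Review bot: `allow vendor_init media_rw_data_file:dir getattr;` on L262 is redundant: `media_rw_data_file` is already added to the `create_dir_perms` set directly above, and `create_dir_perms` includes `getattr`, so the line can be dropped. Adding `rootfs` to that same set lets vendor_init create and remove directories on the root filesystem, which is normally read-only and an unusual target for vendor init scripts; if the denial came from a mount-point mkdir, a comment naming the path, or a dedicated type for it, would be better than the generic `rootfs` label. The enclosing `allow vendor_init { ... }:dir create_dir_perms;` statement starts outside the hunk.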