authorDavide Garberi <dade.garberi@gmail.com>2018-09-14 22:22:05 +0200
committerDavide Garberi <dade.garberi@gmail.com>2018-09-16 15:22:11 +0200
commit849a67f0b49aba827b642a8a1aca611d5a289f29 (patch)
tree3ad368dc3d1e0bb87a2879ac26543bc923061219
parent4e7cfbca0e0367f6d9ffb84401da1213d6224413 (diff)
msm8996: sepolicy: Address some denials
Change-Id: I8f4d9588573e48069d365b77b081f981b4948fbb Signed-off-by: Davide Garberi <dade.garberi@gmail.com>
-rw-r--r--sepolicy/atfwd.te1
-rw-r--r--sepolicy/cnd.te4
-rw-r--r--sepolicy/hal_audio_default.te4
-rw-r--r--sepolicy/hal_gnss_qti.te1
-rw-r--r--sepolicy/hal_imsrtp.te1
-rw-r--r--sepolicy/hal_perf_default.te1
-rw-r--r--sepolicy/hal_rcsservice.te1
-rw-r--r--sepolicy/healthd.te1
-rw-r--r--sepolicy/ims.te1
-rw-r--r--sepolicy/init.te7
-rw-r--r--sepolicy/location.te1
-rw-r--r--sepolicy/netmgrd.te3
-rw-r--r--sepolicy/qti_init_shell.te3
-rw-r--r--sepolicy/system_server.te2
-rw-r--r--sepolicy/tee.te1
-rw-r--r--sepolicy/time_daemon.te1
-rw-r--r--sepolicy/vendor_init.te1
-rw-r--r--sepolicy/webview_zygote.te1
18 files changed, 35 insertions, 0 deletions
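--- a/sepolicy/atfwd.te
+++ b/sepolicy/atfwd.te
@@ -1 +1,2 @@
 allow atfwd sysfs_msm_subsys:dir search;
+allow atfwd sysfs_msm_subsys:file { open read };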
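Review bot: `sysfs_msm_subsys:file { open read }` is granted without `getattr`, and a stat() usually precedes the open, so the next audit pass will probably surface a `getattr` denial on the same node; `allow atfwd sysfs_msm_subsys:file { getattr open read };` (or `r_file_perms`, which additionally grants ioctl and lock) settles it in one pass. The identical rule is added for cnd, hal_gnss_qti, hal_imsrtp, hal_rcsservice, ims, location and netmgrd in the later sections, so the same remark applies there. Eight domains reading the same sysfs subtree also suggests a single grant on a shared attribute would be easier to audit than eight copies.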
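--- a/sepolicy/cnd.te
+++ b/sepolicy/cnd.te
@@ -1,2 +1,6 @@
 allow cnd sysfs_msm_subsys:dir search;
+allow cnd sysfs_msm_subsys:file { open read };
 allow cnd sysfs_soc:dir search;
+allow cnd default_android_hwservice:hwservice_manager add;
+allow cnd system_data_file:dir read;
+allow cnd system_data_file:file { getattr ioctl open read };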
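Review bot: `allow cnd default_android_hwservice:hwservice_manager add;` lets cnd register under the fallback hwservice label, which means the service name it registers has no entry in the vendor hwservice_contexts; the fallback type cannot be told apart from any other unlabelled service, and, if I recall correctly, platform neverallow rules reject adds to it. The better fix is a labelled entry (`<service name> u:object_r:<name>_hwservice:s0` with the type declared under the `hwservice_manager_type` attribute) and `add_hwservice(cnd, <name>_hwservice)`. The two `system_data_file` rules likewise open the generic /data label to a vendor daemon; the audit message names the file, and labelling that path in file_contexts with its own type keeps the grant scoped to what cnd actually reads.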
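--- a/sepolicy/hal_audio_default.te
+++ b/sepolicy/hal_audio_default.te
@@ -1 +1,5 @@
 allow hal_audio_default sysfs_soc:dir search;
+allow hal_audio_default vendor_data_file:file { append getattr open read };
+allow hal_audio_default thermal_socket:sock_file write;
+allow hal_audio_default thermal-engine:unix_stream_socket connectto;
+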
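Review bot: The `thermal_socket:sock_file write` and `thermal-engine:unix_stream_socket connectto` pair is exactly what the `unix_socket_connect()` macro expands to, so `unix_socket_connect(hal_audio_default, thermal, thermal-engine)` states the intent in one line and keeps the two halves from drifting apart in later edits. The last added line is an empty trailing line at end of file and looks unintentional. `vendor_data_file:file { append getattr open read }` without `create` or `write` suggests the HAL appends to a pre-existing file under /data/vendor; if that file is not guaranteed to exist on first boot a `create` denial will follow, so it is worth confirming which file this is and recording it in a comment above the rule.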
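--- a/sepolicy/hal_gnss_qti.te
+++ b/sepolicy/hal_gnss_qti.te
@@ -1,2 +1,3 @@
 allow hal_gnss_qti sysfs_msm_subsys:dir search;
 allow hal_gnss_qti sysfs_soc:dir search;
+allow hal_gnss_qti sysfs_msm_subsys:file { open read };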
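--- a/sepolicy/hal_imsrtp.te
+++ b/sepolicy/hal_imsrtp.te
@@ -1 +1,2 @@
 allow hal_imsrtp sysfs_msm_subsys:dir search;
+allow hal_imsrtp sysfs_msm_subsys:file { open read };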
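--- a/sepolicy/hal_perf_default.te
+++ b/sepolicy/hal_perf_default.te
@@ -3,3 +3,4 @@ allow hal_perf_default hal_graphics_composer_default:process signull;
 allow hal_perf_default proc_kernel_sched:file rw_file_perms;
 allow hal_perf_default sysfs_msm_subsys:dir search;
 allow hal_perf_default sysfs_soc:dir search;
+allow hal_perf_default hal_perf_default:capability dac_override;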
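Review bot: `dac_override` lets hal_perf_default bypass discretionary permission checks on every file it can otherwise reach, which is far broader than the single denied access it was presumably added for; a dac_override denial almost always means a node under /sys or /proc has an owner or group that does not include the HAL's uid, and the narrower fix is a `chown`/`chmod` for that path in the init .rc (or adding the HAL's group) rather than the capability. If the capability really is required, write it as `allow hal_perf_default self:capability dac_override;` and add a comment naming the path that needs it so the grant can be revisited.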
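--- a/sepolicy/hal_rcsservice.te
+++ b/sepolicy/hal_rcsservice.te
@@ -1 +1,2 @@
 allow hal_rcsservice sysfs_msm_subsys:dir search;
+allow hal_rcsservice sysfs_msm_subsys:file { open read };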
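--- /dev/null
+++ b/sepolicy/healthd.te
@@ -0,0 +1 @@
+allow healthd sysfs:file { getattr open read };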
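Review bot: Granting healthd read access to the generic `sysfs` type covers every unlabelled sysfs node rather than the power-supply attribute it was presumably denied on; healthd is a platform domain, and the platform policy conventions expect vendor sysfs nodes it depends on to carry a specific label via `genfscon` (such as `sysfs_batteryinfo`) so the grant stays scoped to that subtree. Please add the path from the audit message as `genfscon sysfs <path> u:object_r:<type>:s0` and drop the generic rule; a comment in this file naming the node would also help whoever sees the denial next.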
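--- a/sepolicy/ims.te
+++ b/sepolicy/ims.te
@@ -1,3 +1,4 @@
 allow ims sysfs_msm_subsys:dir search;
+allow ims sysfs_msm_subsys:file { open read };
 allow ims sysfs_soc:dir search;
 allow ims ctl_default_prop:property_service set;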
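--- a/sepolicy/init.te
+++ b/sepolicy/init.te
@@ -3,3 +3,10 @@ allow init debugfs_ipc:dir relabelfrom;
 allow init debugfs_ipc:file relabelfrom;
 allow init proc_kernel_sched:file write;
 allow init sysfs_scsi_devices_0000:dir write;
+allow init { ion_device tee_device }:chr_file ioctl;
+allow init { hal_fingerprint_hwservice hidl_base_hwservice }:hwservice_manager add;
+allow init { sysfs sysfs_fingerprint }:file { open read write };
+allow init tee_device:chr_file write;
+allow init hidl_base_hwservice:hwservice_manager add;
+allow init sysfs_fingerprint:file { open read write };
+allow init system_server:binder call;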
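Review bot: The standalone `hidl_base_hwservice:hwservice_manager add` and `sysfs_fingerprint:file { open read write }` rules are fully covered by the brace-set rules earlier in the same hunk and should be dropped, and `tee_device:chr_file write` could fold into the `{ ion_device tee_device }:chr_file ioctl` line as `{ ioctl write }`. More substantively, denials in the `init` domain for ion/tee ioctls, fingerprint hwservice registration and a binder call to system_server are the usual signature of a vendor service that is running as init because its executable has no domain transition (no `seclabel` in its .rc entry and no file_contexts label with a `domain_auto_trans`), not of init itself needing these rights; the `init:binder { call transfer }` grant in the system_server hunk below is the same symptom seen from the other side. As far as I recall, platform neverallow rules reject init using binder and registering HAL hwservices, so this is likely to fail the policy build or CTS; the fix is to label the binary, give the service its own domain, and move these rules there. `{ sysfs sysfs_fingerprint }:file write` also opens every unlabelled sysfs node for write, whereas the fingerprint node should be reachable through `sysfs_fingerprint` alone.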
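--- a/sepolicy/location.te
+++ b/sepolicy/location.te
@@ -1,3 +1,4 @@
 allow location sysfs_msm_subsys:dir search;
 allow location sysfs_soc:dir search;
 allow location wcnss_prop:file r_file_perms;
+allow location sysfs_msm_subsys:file { open read };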
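--- a/sepolicy/netmgrd.te
+++ b/sepolicy/netmgrd.te
@@ -1,4 +1,7 @@
 allow netmgrd sysfs_msm_subsys:dir search;
+allow netmgrd sysfs_msm_subsys:file { open read };
 allow netmgrd sysfs_net:dir search;
 allow netmgrd sysfs_net:file rw_file_perms;
 allow netmgrd sysfs_soc:dir search;
+allow netmgrd property_socket:sock_file write;
+allow netmgrd init:unix_stream_socket connectto;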
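Review bot: `property_socket:sock_file write` plus `init:unix_stream_socket connectto` is only the transport half of a property set; without a matching `allow netmgrd <prop_type>:property_service set;` the setprop will still be denied once it reaches init's property service, so the denial has only been moved. The idiomatic form is `set_prop(netmgrd, <prop_type>)`, which expands to both the socket connect and the `property_service set` on one specific property type, keeping the grant tied to the property netmgrd actually writes (the audit message for the `set` denial names that type). Hand-writing the socket pair is also what makes it easy to omit the `property_service` half, as here.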
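--- a/sepolicy/qti_init_shell.te
+++ b/sepolicy/qti_init_shell.te
@@ -1 +1,4 @@
 allow qti_init_shell sysfs:file write;
+allow qti_init_shell vendor_radio_data_file:file { open read write };
+allow qti_init_shell vendor_radio_data_file:dir getattr;
+allow qti_init_shell vfat:file getattr;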
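Review bot: `allow qti_init_shell vfat:file getattr;` gives a shell script run from init visibility into whatever FAT filesystem is mounted, and nothing in the rule records which path it is for; the audit message names it, and a one-line comment above the rule (`# <path> probed by <script>`) would let a reviewer judge whether the access is expected. `vendor_radio_data_file:file { open read write }` omits `getattr`, which will probably be the next denial; `rw_file_perms` is the usual spelling for a read-write grant.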
diff --git a/sepolicy/system_server.te b/sepolicy/system_server.te
index 74e97e7..d1bab44 100644
--- a/sepolicy/system_server.te
+++ b/sepolicy/system_server.te
@@ -6,6 +6,8 @@ allow system_server install_data_file:file getattr;
allow system_server zygote:process getpgid;
+allow system_server init:binder { call transfer };
+
# /vendor/usr/keylayout
r_dir_file(system_server, idc_file)
# /vendor/usr/idc
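--- /dev/null
+++ b/sepolicy/tee.te
@@ -0,0 +1 @@
+allow tee fingerprintd_data_file:file { open read };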
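--- a/sepolicy/time_daemon.te
+++ b/sepolicy/time_daemon.te
@@ -1,2 +1,3 @@
 allow time_daemon sysfs_msm_subsys:dir search;
 allow time_daemon sysfs_soc:dir search;
+allow time_daemon time_data_file:file { open read write };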
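--- /dev/null
+++ b/sepolicy/vendor_init.te
@@ -0,0 +1 @@
+allow vendor_init proc_kernel_sched:file write;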
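--- /dev/null
+++ b/sepolicy/webview_zygote.te
@@ -0,0 +1 @@
+allow webview_zygote zygote:unix_dgram_socket write;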