author | Cosme Domínguez Díaz <cosme.ddiaz@gmail.com> | 2018-04-29 02:45:22 +0200 |
---|---|---|
committer | Cosme Domínguez Díaz <cosme.ddiaz@gmail.com> | 2018-05-02 23:46:36 +0200 |
commit | b5b41d341dd744c40d3908550daaafcee6fe7b4b (patch) | |
tree | 3c13b9ed2d88a4b15eefb61339152a42eda3104a | |
parent | 008f0bb54500d59599f1b61522dc8ac75bfd2e5c (diff) |
msm8996-common: sepolicy: Cleanup
57 files changed, 194 insertions, 206 deletions
@@ -193,14 +193,6 @@ PRODUCT_PACKAGES += \
 android.hardware.drm@1.0-impl \
 android.hardware.drm@1.0-service
-PRODUCT_PACKAGES += \
- mkshrc_vendor \
- sh_vendor \
- toybox_vendor
-
-PRODUCT_PACKAGES += \
- netutils-wrapper-1.0
-
 # For config.fs
 PRODUCT_PACKAGES += \
 fs_config_files
diff --git a/sepolicy/bluetooth.te b/sepolicy/bluetooth.te
index d5742fd..78d0e78 100644
--- a/sepolicy/bluetooth.te
+++ b/sepolicy/bluetooth.te
@@ -1,3 +1,3 @@
 # Bluetooth app depend on /vendor/lib64/libaptX_encoder.so
-allow bluetooth vendor_file:file { r_file_perms execute };
+allow bluetooth vendor_file:file rx_file_perms;
diff --git a/sepolicy/charger.te b/sepolicy/charger.te
index 794e8e9..4881c2d 100644
--- a/sepolicy/charger.te
+++ b/sepolicy/charger.te
@@ -1,2 +1,2 @@
-allow charger device:dir { open read };
+allow charger device:dir r_dir_perms;
 allow charger self:capability { dac_override dac_read_search };
diff --git a/sepolicy/cnd.te b/sepolicy/cnd.te
index d0d8d59..83e7fe8 100644
--- a/sepolicy/cnd.te
+++ b/sepolicy/cnd.te
@@ -1,2 +1,2 @@
-allow cnd cnd:capability { setuid dac_override chown dac_override dac_read_search setgid fsetid net_raw };
-allow cnd system_data_file:dir read;
+allow cnd sysfs_msm_subsys:dir search;
+allow cnd sysfs_soc:dir search;
diff --git a/sepolicy/dpmd.te b/sepolicy/dpmd.te
deleted file mode 100644
index f758949..0000000
--- a/sepolicy/dpmd.te
+++ /dev/null
@@ -1 +0,0 @@
-allow dpmd dpmd:capability { dac_override dac_read_search chown fsetid };
diff --git a/sepolicy/energyawareness.te b/sepolicy/energyawareness.te
deleted file mode 100644
index 8d8250e..0000000
--- a/sepolicy/energyawareness.te
+++ /dev/null
@@ -1 +0,0 @@
-allow energyawareness sysfs:{ dir file } { read open getattr };
diff --git a/sepolicy/file.te b/sepolicy/file.te
index 5efa9a5..ea8f856 100644
--- a/sepolicy/file.te
+++ b/sepolicy/file.te
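Review bot: `allow bluetooth vendor_file:file rx_file_perms;` grants more than the `{ r_file_perms execute }` it replaces: rx_file_perms expands to `{ r_file_perms execute execute_no_trans }`, and execute_no_trans lets the domain exec() a vendor binary without a domain transition, whereas loading libaptX_encoder.so (the need stated in the comment above the rule) only requires `execute` for the PROT_EXEC mapping. The same substitution appears in priv_app.te further down in this commit. Several other macro substitutions here widen a grant in the same quiet way: mediaextractor's sdcardfs rule goes from `{ getattr read }` to r_file_perms (adding open, ioctl, lock and map to a domain that, as far as I understand the platform design, is meant to work on descriptors it is handed), and mediaprovider's two cache directory rules go from getattr to r_dir_perms (adding listing and search). Where the macro adds a permission no denial asked for, keep the literal set, e.g. `allow bluetooth vendor_file:file { r_file_perms execute };`.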
@@ -1,22 +1,44 @@
-type debugfs_rmt, debugfs_type, fs_type;
 type fpc_data_file, data_file_type, file_type;
-type nv_data_file, file_type, data_file_type;
-type sysfs_fpc_irq, sysfs_type, fs_type;
-type sysfs_fpc_proximity, sysfs_type, fs_type;
-type sysfs_fpc_utouch_disable, fs_type, sysfs_type;
 type thermal_data_file, data_file_type, file_type;
-type netmgr_data_file, file_type, data_file_type;
 # /sys
+type sysfs_camera, sysfs_type, fs_type;
+type sysfs_enable_ps_sensor, sysfs_type, fs_type;
+type sysfs_fingerprint, sysfs_type, fs_type;
+type sysfs_mdss_mdp_caps, sysfs_type, fs_type;
 type sysfs_msm_subsys, sysfs_type, fs_type;
 type sysfs_msm_subsys_restart, sysfs_type, fs_type;
+type sysfs_msm_core, sysfs_type, fs_type;
 type sysfs_net, sysfs_type, fs_type, mlstrustedobject;
+type sysfs_perf, sysfs_type, fs_type;
 type sysfs_pcie, sysfs_type, fs_type, mlstrustedobject;
+type sysfs_power_management, sysfs_type, fs_type;
+type sysfs_rmtfs, sysfs_type, fs_type;
+type sysfs_soc, sysfs_type, fs_type, mlstrustedobject;
+type sysfs_timestamp_switch, sysfs_type, fs_type;
+type sysfs_video, sysfs_type, fs_type;
 type sysfs_wifi, sysfs_type, fs_type, mlstrustedobject;
+type sysfs_scsi_devices_0000, sysfs_type, fs_type;
 # debugfs
+type debugfs_msm_core, debugfs_type, fs_type;
+type debugfs_rmt, debugfs_type, fs_type;
+type debugfs_wlan, debugfs_type, fs_type;
 type debugfs_kgsl, debugfs_type, fs_type;
+type debugfs_ipc, debugfs_type, fs_type;
+type debugfs_bufinfo, debugfs_type, fs_type;
+type debugfs_mdp, debugfs_type, fs_type;
 type debugfs_ion, debugfs_type, fs_type;
+type debugfs_qsee_log, debugfs_type, fs_type;
+type debugfs_usb, debugfs_type, fs_type;
+type debugfs_runtime_pm, debugfs_type, fs_type;
+type debugfs_cnss, debugfs_type, fs_type;
+type debugfs_ufs, debugfs_type, fs_type;
+
+# /proc
+type proc_kernel_sched, fs_type;
+type proc_wifi_dbg, fs_type;
+type proc_irq, fs_type;
 # /vendor
 type idc_file, file_type, vendor_file_type;
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index 0e2df3d..9e25999 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -1,42 +1,22 @@
-# charger
-/sys/devices/soc/.*ssusb/power_supply/usb(/.*)? u:object_r:sysfs_usb_supply:s0
-/sys/devices/soc/qpnp-smbcharger-[0-9a-f]+/power_supply/battery(/.*)? u:object_r:sysfs_batteryinfo:s0
+# Partitions
+/dev/block/platform/soc/624000\.ufshc/by-name/persist u:object_r:persist_block_device:s0
+/dev/block/platform/soc/7464900\.sdhci/by-name/persist u:object_r:persist_block_device:s0
-# Data files
-/data/decrypt.txt u:object_r:thermal_data_file:s0
-/data/misc/netmgr/log.txt u:object_r:netmgrd_data_file:s0
-
-# fingerprint
-/dev/fpc1020 u:object_r:fpc1020_device:s0
-/data/fpc(/.*)? u:object_r:fpc_data_file:s0
-/sys/devices/soc/soc:fpc_fpc1020/irq u:object_r:sysfs_fpc_irq:s0
-/sys/devices/soc/soc:fpc_fpc1020/proximity_state u:object_r:sysfs_fpc_proximity:s0
-/sys/devices/soc/soc:fpc1020/utouch_disable u:object_r:sysfs_fpc_utouch_disable:s0
-
-# FRP partition
-/dev/block/bootdevice/by-name/config u:object_r:frp_block_device:s0
-
-# lights
-/sys/devices/soc/75b7000\.i2c/i2c-9/9-[0-9a-f]+/leds(/.*)? u:object_r:sysfs_leds:s0
-/sys/devices/soc/leds-qpnp-[0-9]+/leds(/.*)? u:object_r:sysfs_leds:s0
-/vendor/bin/hw/android\.hardware\.light@2\.0-service.zuk_8996 u:object_r:hal_light_default_exec:s0
+# Devices
+/dev/fpc1020 u:object_r:fpc1020_device:s0
+/dev/tfa9890 u:object_r:audio_device:s0
-# Neural Networks HAL
-/(vendor|system/vendor)/bin/hw/android\.hardware\.neuralnetworks@1\.0-service-hvx u:object_r:hal_neuralnetworks_hvx_exec:s0
-
-# persist
-/dev/block/platform/soc/(624000\.ufshc|7464900\.sdhci)/by-name/persist u:object_r:persist_block_device:s0
-/persist/rfs(/.*)? u:object_r:rfs_file:s0
-/persist/sensors/gyro_sensitity_cal u:object_r:sensors_persist_file:s0
-
-# readmac
-/vendor/bin/readmac u:object_r:readmac_exec:s0
+# Data files
+/data/fpc(/.*)? u:object_r:fpc_data_file:s0
+/data/decrypt\.txt u:object_r:thermal_data_file:s0
+/data/misc/stargate(/.*)? u:object_r:qfp-daemon_data_file:s0
-# ril
-/vendor/radio/qcril_database/qcril.db u:object_r:nv_data_file:s0
+# Binaries
+/vendor/bin/readmac u:object_r:readmac_exec:s0
-# audio amplifier
-/dev/tfa9890 u:object_r:audio_device:s0
+# HALs
+/vendor/bin/hw/android\.hardware\.light@2\.0-service.zuk_8996 u:object_r:hal_light_default_exec:s0
+/vendor/bin/hw/android\.hardware\.neuralnetworks@1\.0-service-hvx u:object_r:hal_neuralnetworks_hvx_exec:s0
 # Misc files on /vendor
 /vendor/usr/idc(/.*)? u:object_r:idc_file:s0
diff --git a/sepolicy/firmware.te b/sepolicy/firmware.te
deleted file mode 100644
index 9ac714e..0000000
--- a/sepolicy/firmware.te
+++ /dev/null
@@ -1 +0,0 @@
-allow { bt_firmware_file firmware_file } rootfs:filesystem associate;
diff --git a/sepolicy/fsck.te b/sepolicy/fsck.te
deleted file mode 100644
index 9c64f10..0000000
--- a/sepolicy/fsck.te
+++ /dev/null
@@ -1,2 +0,0 @@
-allow fsck persist_block_device:blk_file rw_file_perms;
-
diff --git a/sepolicy/genfs_contexts b/sepolicy/genfs_contexts
index a59d3ed..99cf5c2 100644
--- a/sepolicy/genfs_contexts
+++ b/sepolicy/genfs_contexts
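Review bot: The `/dev/block/bootdevice/by-name/config u:object_r:frp_block_device:s0` entry is dropped with no replacement in this hunk, so unless a common policy this device inherits still labels that partition, it falls back to the generic label for `/dev/block` (typically block_device) and the platform domains that are granted frp_block_device access lose it. The removed `/persist/rfs(/.*)?` and `/persist/sensors/gyro_sensitity_cal` entries likewise leave those paths with whatever /persist's default label is, which changes which domains may touch them. Two smaller points: `/data/misc/stargate(/.*)?` is labelled qfp-daemon_data_file, a type not declared in this commit's file.te hunk, so it must be defined elsewhere; and the unescaped dot in `android\.hardware\.light@2\.0-service.zuk_8996` is kept while `/data/decrypt\.txt` was fixed, so `service\.zuk_8996` would make the two consistent.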
@@ -1,8 +1,73 @@
+genfscon proc /sys/kernel/sched_boost u:object_r:proc_kernel_sched:s0
+genfscon proc /sys/kernel/sched_downmigrate u:object_r:proc_kernel_sched:s0
+genfscon proc /sys/kernel/sched_freq_dec_notify u:object_r:proc_kernel_sched:s0
+genfscon proc /sys/kernel/sched_freq_inc_notify u:object_r:proc_kernel_sched:s0
+genfscon proc /sys/kernel/sched_init_task_load u:object_r:proc_kernel_sched:s0
+genfscon proc /sys/kernel/sched_migration_cost_ns u:object_r:proc_kernel_sched:s0
+genfscon proc /sys/kernel/sched_migration_fixup u:object_r:proc_kernel_sched:s0
+genfscon proc /sys/kernel/sched_small_task u:object_r:proc_kernel_sched:s0
+genfscon proc /sys/kernel/sched_spill_nr_run u:object_r:proc_kernel_sched:s0
+genfscon proc /sys/kernel/sched_upmigrate u:object_r:proc_kernel_sched:s0
+genfscon proc /irq u:object_r:proc_irq:s0
+genfscon proc /debug/fwdump u:object_r:proc_wifi_dbg:s0
+genfscon proc /debugdriver/driverdump u:object_r:proc_wifi_dbg:s0
+
 # sysfs
+genfscon sysfs /devices/bt_qca6174/extldo u:object_r:sysfs_bluetooth_writable:s0
+genfscon sysfs /devices/bt_qca6174/rfkill/rfkill0/state u:object_r:sysfs_bluetooth_writable:s0
+genfscon sysfs /devices/soc/leds-qpnp-24/leds u:object_r:sysfs_leds:s0
+genfscon sysfs /devices/soc/900000.qcom,mdss_mdp/900000.qcom,mdss_mdp:qcom,mdss_fb_primary/leds u:object_r:sysfs_leds:s0
+genfscon sysfs /devices/soc/900000.qcom,mdss_mdp/caps u:object_r:sysfs_mdss_mdp_caps:s0
+genfscon sysfs /module/msm_core u:object_r:sysfs_msm_core:s0
+genfscon sysfs /devices/soc/70000.qcom,msm-core u:object_r:sysfs_msm_core:s0
+genfscon sysfs /module/msm_thermal u:object_r:sysfs_thermal:s0
+genfscon sysfs /class/thermal u:object_r:sysfs_thermal:s0
+genfscon sysfs /module/msm_performance u:object_r:sysfs_perf:s0
+genfscon sysfs /devices/virtual/net u:object_r:sysfs_net:s0
+genfscon sysfs /module/subsystem_restart u:object_r:sysfs_msm_subsys_restart:s0
+genfscon sysfs /bus/msm_subsys u:object_r:sysfs_msm_subsys:s0
+genfscon sysfs /devices/soc/ce0000.qcom,venus u:object_r:sysfs_msm_subsys:s0
+genfscon sysfs /devices/soc/b00000.qcom,kgsl-3d0 u:object_r:sysfs_msm_subsys:s0
+genfscon sysfs /devices/soc/soc:qcom,cpubw u:object_r:sysfs_msm_subsys:s0
+genfscon sysfs /devices/soc/soc:qcom,kgsl-hyp u:object_r:sysfs_msm_subsys:s0
+genfscon sysfs /devices/soc/soc:qcom,cnss u:object_r:sysfs_msm_subsys:s0
+genfscon sysfs /devices/soc/9300000.qcom,lpass u:object_r:sysfs_msm_subsys:s0
+genfscon sysfs /devices/soc/1c00000.qcom,ssc u:object_r:sysfs_msm_subsys:s0
+genfscon sysfs /devices/soc/2080000.qcom,mss u:object_r:sysfs_msm_subsys:s0
+genfscon sysfs /kernel/boot_adsp/boot u:object_r:sysfs_msm_subsys:s0
+genfscon sysfs /kernel/boot_slpi/boot u:object_r:sysfs_msm_subsys:s0
 genfscon sysfs /devices/soc/600000.qcom,pcie u:object_r:sysfs_pcie:s0
+genfscon sysfs /devices/soc/8c0000.qcom,msm-cam u:object_r:sysfs_camera:s0
+genfscon sysfs /devices/soc/aa4000.qcom,fd u:object_r:sysfs_video:s0
+genfscon sysfs /devices/soc/soc:fpc1020 u:object_r:sysfs_fingerprint:s0
+genfscon sysfs /devices/soc/soc:fpc1020/proximity_state u:object_r:sysfs_fingerprint:s0
+genfscon sysfs /devices/soc/soc:fpc1020/irq u:object_r:sysfs_fingerprint:s0
+genfscon sysfs /devices/soc/soc:fpc1020/utouch_disable u:object_r:sysfs_fingerprint:s0
+genfscon sysfs /devices/soc0 u:object_r:sysfs_soc:s0
 genfscon sysfs /devices/soc/600000.qcom,pcie/pci0000:00/0000:00:00.0/0000:01:00.0/net/wlan0 u:object_r:sysfs_wifi:s0
-genfscon sysfs /devices/soc/2080000.qcom,mss u:object_r:sysfs_msm_subsys:s0
-genfscon sysfs /devices/soc/soc:qcom,kgsl-hyp u:object_r:sysfs_msm_subsys:s0
+genfscon sysfs /devices/soc/0.qcom,rmtfs_sharedmem u:object_r:sysfs_rmtfs:s0
+genfscon sysfs /devices/soc/84000000.qcom,rmtfs_rtel_sharedmem u:object_r:sysfs_rmtfs:s0
+genfscon sysfs /module/lpm_levels/parameters u:object_r:sysfs_power_management:s0
+genfscon sysfs /devices/soc/qpnp-fg-17/power_supply/bms/capacity u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/soc/qpnp-smbcharger-16/power_supply/battery/capacity u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/virtual/timed_output/vibrator/voltage_level u:object_r:sysfs_vibrator:s0
+genfscon sysfs /module/diagchar/parameters/timestamp_switch u:object_r:sysfs_timestamp_switch:s0
+genfscon sysfs /devices/soc/qpnp-smbcharger-16/power_supply/battery/system_temp_level u:object_r:sysfs_msm_subsys:s0
+genfscon sysfs /devices/soc/624000.ufshc/host0/target0:0:0/0:0:0:0 u:object_r:sysfs_scsi_devices_0000:s0
+genfscon sysfs /devices/soc/624000.ufshc/health u:object_r:sysfs_scsi_devices_0000:s0
+genfscon sysfs /module/diagchar u:object_r:sysfs_diag:s0
 # debugfs
-genfscon debugfs /rmt_storage u:object_r:debugfs_rmt:s0
+genfscon debugfs /wlan_wcnss u:object_r:debugfs_wlan:s0
+genfscon debugfs /msm_core u:object_r:debugfs_msm_core:s0
+genfscon debugfs /rmt_storage u:object_r:debugfs_rmt:s0
+genfscon debugfs /ipc_logging u:object_r:debugfs_ipc:s0
+genfscon debugfs /dma_buf/bufinfo u:object_r:debugfs_bufinfo:s0
+genfscon debugfs /mdp/xlog/dump u:object_r:debugfs_mdp:s0
+genfscon debugfs /tzdbg/qsee_log u:object_r:debugfs_qsee_log:s0
+genfscon debugfs /ion u:object_r:debugfs_ion:s0
+genfscon debugfs /tcpm/9-0022 u:object_r:debugfs_usb:s0
+genfscon debugfs /ipc_logging/fusb302/log u:object_r:debugfs_usb:s0
+genfscon debugfs /cnss_runtime_pm u:object_r:debugfs_runtime_pm:s0
+genfscon debugfs /cnss-prealloc/status u:object_r:debugfs_cnss:s0
+genfscon debugfs /ufshcd0 u:object_r:debugfs_ufs:s0
diff --git a/sepolicy/hal_audio_default.te b/sepolicy/hal_audio_default.te
new file mode 100644
index 0000000..c999ec5
--- /dev/null
+++ b/sepolicy/hal_audio_default.te
@@ -0,0 +1 @@
+allow hal_audio_default sysfs_soc:dir search;
diff --git a/sepolicy/hal_dpmQmiMgr.te b/sepolicy/hal_dpmQmiMgr.te
new file mode 100644
index 0000000..ec5358c
--- /dev/null
+++ b/sepolicy/hal_dpmQmiMgr.te
@@ -0,0 +1 @@
+allow hal_dpmQmiMgr sysfs_msm_subsys:dir search;
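Review bot: The fingerprint entries use the path `/devices/soc/soc:fpc1020` for every node, but the file_contexts lines this commit removes placed `irq` and `proximity_state` under `soc:fpc_fpc1020` and only `utouch_disable` under `soc:fpc1020`; if the old paths were the correct ones, those two nodes keep the plain sysfs label and the new sysfs_fingerprint grants in hal_fingerprint_default.te, system_app.te and system_server.te will not cover them, so this is worth confirming against the device tree. Since genfscon matches by longest path prefix, the three child entries under `/devices/soc/soc:fpc1020` are also redundant with the parent entry and can be dropped once the path is settled. Separately, `.../power_supply/battery/system_temp_level` is labelled sysfs_msm_subsys, which puts a charger thermal-throttle knob under the same type as the subsystem-restart nodes that many domains in this commit gain access to; a dedicated type, or sysfs_thermal as used for `/module/msm_thermal` above, would keep grants on that node separable.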
diff --git a/sepolicy/hal_fingerprint_default.te b/sepolicy/hal_fingerprint_default.te
index abbc29d..d5a91a1 100644
--- a/sepolicy/hal_fingerprint_default.te
+++ b/sepolicy/hal_fingerprint_default.te
@@ -1,8 +1,8 @@
 r_dir_file(hal_fingerprint_default, firmware_file)
 allow hal_fingerprint_default tee_device:chr_file ioctl;
-allow hal_fingerprint_default sysfs:file write;
 allow hal_fingerprint_default fpc_data_file:dir rw_dir_perms;
-allow hal_fingerprint_default sysfs_fpc_irq:file rw_file_perms;
+allow hal_fingerprint_default sysfs_fingerprint:dir r_dir_perms;
+allow hal_fingerprint_default sysfs_fingerprint:file rw_file_perms;
 allow hal_fingerprint_default tee_device:chr_file rw_file_perms;
 allow hal_fingerprint_default firmware_file:file r_file_perms;
 allow hal_fingerprint_default system_data_file:dir rw_dir_perms;
diff --git a/sepolicy/hal_gnss_qti.te b/sepolicy/hal_gnss_qti.te
new file mode 100644
index 0000000..2d58a8d
--- /dev/null
+++ b/sepolicy/hal_gnss_qti.te
@@ -0,0 +1,2 @@
+allow hal_gnss_qti sysfs_msm_subsys:dir search;
+allow hal_gnss_qti sysfs_soc:dir search;
diff --git a/sepolicy/hal_imsrtp.te b/sepolicy/hal_imsrtp.te
new file mode 100644
index 0000000..dde5fe0
--- /dev/null
+++ b/sepolicy/hal_imsrtp.te
@@ -0,0 +1 @@
+allow hal_imsrtp sysfs_msm_subsys:dir search;
diff --git a/sepolicy/hal_iop_default.te b/sepolicy/hal_iop_default.te
new file mode 100644
index 0000000..b8aea8d
--- /dev/null
+++ b/sepolicy/hal_iop_default.te
@@ -0,0 +1 @@
+allow hal_iop_default sysfs_soc:dir search;
diff --git a/sepolicy/hal_light_default.te b/sepolicy/hal_light_default.te
index fdc5c46..8c63d4c 100644
--- a/sepolicy/hal_light_default.te
+++ b/sepolicy/hal_light_default.te
@@ -1 +1 @@
-allow hal_light_default sysfs:file { open read write };
+allow hal_light_default sysfs:file rw_file_perms;
diff --git a/sepolicy/hal_neuralnetworks_hvx.te b/sepolicy/hal_neuralnetworks_hvx.te
index fdbd3f3..d05693b 100644
--- a/sepolicy/hal_neuralnetworks_hvx.te
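Review bot: `allow hal_light_default sysfs:file rw_file_perms;` keeps write access on the generic sysfs type even though this commit labels the LED nodes in genfs_contexts (`/devices/soc/leds-qpnp-24/leds` and the mdss_fb_primary `leds` path) as sysfs_leds; `allow hal_light_default sysfs_leds:dir search;` together with `allow hal_light_default sysfs_leds:file rw_file_perms;` would scope the HAL's write to those nodes, assuming they are the ones it drives. The old rule was `{ open read write }`, so the new macro also adds getattr, ioctl, lock, map and append on every sysfs file. hal_power_default.te in the next hunk has the same shape (`sysfs:file rw_file_perms`) and plausibly targets `/module/lpm_levels/parameters`, labelled sysfs_power_management here; the diff does not show whether that is the only node it writes, so confirm before narrowing that one.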
+++ b/sepolicy/hal_neuralnetworks_hvx.te
@@ -4,6 +4,6 @@ hal_server_domain(hal_neuralnetworks_hvx, hal_neuralnetworks)
 type hal_neuralnetworks_hvx_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_neuralnetworks_hvx)
-allow hal_neuralnetworks_hvx ion_device:chr_file { read open ioctl };
-allow hal_neuralnetworks_hvx qdsp_device:chr_file { read open ioctl };
+allow hal_neuralnetworks_hvx ion_device:chr_file r_file_perms;
+allow hal_neuralnetworks_hvx qdsp_device:chr_file r_file_perms;
diff --git a/sepolicy/hal_perf_default.te b/sepolicy/hal_perf_default.te
index 86004ca..47b30f4 100644
--- a/sepolicy/hal_perf_default.te
+++ b/sepolicy/hal_perf_default.te
@@ -1,2 +1,5 @@
 set_prop(hal_perf_default, freq_prop)
 allow hal_perf_default hal_graphics_composer_default:process signull;
+allow hal_perf_default proc_kernel_sched:file rw_file_perms;
+allow hal_perf_default sysfs_msm_subsys:dir search;
+allow hal_perf_default sysfs_soc:dir search;
diff --git a/sepolicy/hal_power_default.te b/sepolicy/hal_power_default.te
index 316a62c..a6a4cec 100644
--- a/sepolicy/hal_power_default.te
+++ b/sepolicy/hal_power_default.te
@@ -1 +1 @@
-allow hal_power_default sysfs:file { write open };
+allow hal_power_default sysfs:file rw_file_perms;
diff --git a/sepolicy/hal_rcsservice.te b/sepolicy/hal_rcsservice.te
new file mode 100644
index 0000000..2992bec
--- /dev/null
+++ b/sepolicy/hal_rcsservice.te
@@ -0,0 +1 @@
+allow hal_rcsservice sysfs_msm_subsys:dir search;
diff --git a/sepolicy/hal_sensors_default.te b/sepolicy/hal_sensors_default.te
new file mode 100644
index 0000000..9e01c6d
--- /dev/null
+++ b/sepolicy/hal_sensors_default.te
@@ -0,0 +1 @@
+allow hal_sensors_default sysfs_msm_subsys:dir search;
diff --git a/sepolicy/hal_wifi_default.te b/sepolicy/hal_wifi_default.te
new file mode 100644
index 0000000..cb82c4a
--- /dev/null
+++ b/sepolicy/hal_wifi_default.te
@@ -0,0 +1 @@
+allow hal_wifi_default debugfs_wlan:dir search;
diff --git a/sepolicy/hwservicemanager.te b/sepolicy/hwservicemanager.te
index 14671bb..7eaf0e4 100644
--- a/sepolicy/hwservicemanager.te
+++ b/sepolicy/hwservicemanager.te
@@ -1,3 +1,3 @@
 allow hwservicemanager init:dir search;
-allow hwservicemanager init:file { open read };
+allow hwservicemanager init:file r_file_perms;
 allow hwservicemanager init:process getattr;
diff --git a/sepolicy/idmap.te b/sepolicy/idmap.te
deleted file mode 100644
index b268823..0000000
--- a/sepolicy/idmap.te
+++ /dev/null
@@ -1 +0,0 @@
-allow idmap install_data_file:file rw_file_perms;
diff --git a/sepolicy/ims.te b/sepolicy/ims.te
index 00ed504..b547e65 100644
--- a/sepolicy/ims.te
+++ b/sepolicy/ims.te
@@ -1,2 +1,3 @@
-allow ims ims:capability net_raw;
+allow ims sysfs_msm_subsys:dir search;
+allow ims sysfs_soc:dir search;
 allow ims ctl_default_prop:property_service set;
diff --git a/sepolicy/init.te b/sepolicy/init.te
index 7294485..bf04885 100644
--- a/sepolicy/init.te
+++ b/sepolicy/init.te
@@ -1,3 +1,5 @@
 allow init adsprpcd_file:filesystem { mount relabelfrom relabelto };
-allow init debugfs:file write;
-allow init system_data_file:file rename;
+allow init debugfs_ipc:dir relabelfrom;
+allow init debugfs_ipc:file relabelfrom;
+allow init proc_kernel_sched:file write;
+allow init sysfs_scsi_devices_0000:dir write;
diff --git a/sepolicy/kernel.te b/sepolicy/kernel.te
new file mode 100644
index 0000000..059156d
--- /dev/null
+++ b/sepolicy/kernel.te
@@ -0,0 +1 @@
+allow kernel debugfs_ipc:dir search;
diff --git a/sepolicy/location.te b/sepolicy/location.te
index 4a38218..1bcd2fe 100644
--- a/sepolicy/location.te
+++ b/sepolicy/location.te
@@ -1,2 +1,3 @@
-allow location system_data_file:dir { write remove_name add_name };
-allow location wcnss_prop:file { read getattr open };
+allow location sysfs_msm_subsys:dir search;
+allow location sysfs_soc:dir search;
+allow location wcnss_prop:file r_file_perms;
diff --git a/sepolicy/mediacodec.te b/sepolicy/mediacodec.te
new file mode 100644
index 0000000..91ce667
--- /dev/null
+++ b/sepolicy/mediacodec.te
@@ -0,0 +1 @@
+allow mediacodec sysfs_soc:dir search;
diff --git a/sepolicy/mediaextractor.te b/sepolicy/mediaextractor.te
index 3c82227..3e22092 100644
--- a/sepolicy/mediaextractor.te
+++ b/sepolicy/mediaextractor.te
@@ -1,2 +1 @@
-allow mediaextractor sdcardfs:file { getattr read } ;
-allow mediaextractor fuse:file read;
+allow mediaextractor sdcardfs:file r_file_perms;
diff --git a/sepolicy/mediaprovider.te b/sepolicy/mediaprovider.te
index 6ab8637..bea5690 100644
--- a/sepolicy/mediaprovider.te
+++ b/sepolicy/mediaprovider.te
@@ -1,2 +1,2 @@
-allow mediaprovider cache_private_backup_file:dir getattr;
-allow mediaprovider cache_recovery_file:dir getattr;
+allow mediaprovider cache_private_backup_file:dir r_dir_perms;
+allow mediaprovider cache_recovery_file:dir r_dir_perms;
diff --git a/sepolicy/mm-qcamerad.te b/sepolicy/mm-qcamerad.te
index 12a50e4..512b271 100644
--- a/sepolicy/mm-qcamerad.te
+++ b/sepolicy/mm-qcamerad.te
@@ -1,2 +1,4 @@
-allow mm-qcamerad sysfs:file { read open };
-allow mm-qcamerad sysfs_graphics:file read;
+allow mm-qcamerad sysfs_camera:dir search;
+allow mm-qcamerad sysfs_camera:file r_file_perms;
+allow mm-qcamerad sysfs_video:dir search;
+allow mm-qcamerad sysfs_video:file r_file_perms;
diff --git a/sepolicy/net.te b/sepolicy/net.te
new file mode 100644
index 0000000..7196642
--- /dev/null
+++ b/sepolicy/net.te
@@ -0,0 +1 @@
+allow netd sysfs_net:file rw_file_perms;
diff --git a/sepolicy/netd.te b/sepolicy/netd.te
deleted file mode 100644
index 46e8ed6..0000000
--- a/sepolicy/netd.te
+++ /dev/null
@@ -1 +0,0 @@
-r_dir_file(netd, firmware_file)
diff --git a/sepolicy/netmgrd.te b/sepolicy/netmgrd.te
index c7ed94d..933aa83 100644
--- a/sepolicy/netmgrd.te
+++ b/sepolicy/netmgrd.te
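Review bot: The new file is named net.te but its only rule is for the netd domain (`allow netd sysfs_net:file rw_file_perms;`), while netd.te is deleted in the same commit; every other file in this diff is named after the source domain it holds, so this rule belongs in netd.te. Keeping the file name and domain aligned also avoids a later netd.te being added alongside and splitting one domain's rules across two files.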
@@ -1,55 +1,4 @@
-net_domain(netmgrd)
-
-# Grant access to Qualcomm MSM Interface (QMI) radio sockets
-qmux_socket(netmgrd)
-
-wakelock_use(netmgrd)
-
-# create socket in /dev/socket/netmgrd/
-allow netmgrd netmgrd_socket:dir rw_dir_perms;
-allow netmgrd netmgrd_socket:sock_file create_file_perms;
-
-# communicate with netd
-unix_socket_connect(netmgrd, netd, netd)
-
-allow netmgrd proc_net:file rw_file_perms;
-
-allow netmgrd self:capability { net_admin net_raw setgid setpcap setuid };
-
-# read /data/misc/net
-allow netmgrd net_data_file:dir r_dir_perms;
-allow netmgrd net_data_file:file r_file_perms;
-# read and write /data/misc/netmgr
-userdebug_or_eng(`
- allow netmgrd netmgr_data_file:dir rw_dir_perms;
- allow netmgrd netmgr_data_file:file create_file_perms;
-')
-
-# execute shell, ip, and toolbox
-allow netmgrd vendor_shell_exec:file rx_file_perms;
-allow netmgrd vendor_toolbox_exec:file rx_file_perms;
-
-# netmgrd sockets
-allow netmgrd self:netlink_route_socket { create_socket_perms_no_ioctl nlmsg_read nlmsg_write };
-allow netmgrd self:netlink_socket create_socket_perms_no_ioctl;
-allow netmgrd self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_read nlmsg_write };
-allow netmgrd self:rawip_socket create_socket_perms_no_ioctl;
-allow netmgrd self:socket create_socket_perms;
-# in addition to ioctl commands granted to domain allow netmgrd to use:
-allowxperm netmgrd self:udp_socket ioctl priv_sock_ioctls;
-allowxperm netmgrd self:socket ioctl msm_sock_ipc_ioctls;
-
-set_prop(netmgrd, net_radio_prop)
-
-# read files in /sys
-r_dir_file(netmgrd, sysfs_type)
-allow netmgrd sysfs_net:file write;
-
-userdebug_or_eng(`
- allow netmgrd diag_device:chr_file rw_file_perms;
-')
-
-# For netmgrd to be able to execute netutils wrappers
-domain_trans(netmgrd, netutils_wrapper_exec, netutils_wrapper)
-allow netmgrd netutils_wrapper_exec:file { open read getattr execute };
-allow netmgrd netutils_wrapper:process sigkill;
+allow netmgrd sysfs_msm_subsys:dir search;
+allow netmgrd sysfs_net:dir search;
+allow netmgrd sysfs_net:file rw_file_perms;
+allow netmgrd sysfs_soc:dir search;
diff --git a/sepolicy/netutils_wrapper.te b/sepolicy/netutils_wrapper.te
deleted file mode 100644
index 963d47b..0000000
--- a/sepolicy/netutils_wrapper.te
+++ /dev/null
@@ -1,17 +0,0 @@
-# For netutils to be able to write their stdout stderr to the pipes opened by netmgrd
-allow netutils_wrapper netmgrd:fd use;
-allow netutils_wrapper netmgrd:fifo_file { getattr read write append };
-
-# netmgrd opens files without o_CLOEXEC and fork_execs the netutils wrappers
-# this results in all file (fd) permissions being audited for access by netutils_wrapper
-# domain. Stop those audit messages flooding the kernel log.
-dontaudit netutils_wrapper netmgrd:udp_socket { getattr read write append };
-dontaudit netutils_wrapper diag_device:chr_file { getattr read write append ioctl };
-dontaudit netutils_wrapper netmgr_data_file:file { getattr read write append };
-dontaudit netutils_wrapper netmgrd:netlink_route_socket { getattr read write append };
-dontaudit netutils_wrapper netmgrd:netlink_socket { getattr read write append };
-dontaudit netutils_wrapper netmgrd:netlink_xfrm_socket { getattr read write append };
-dontaudit netutils_wrapper netmgrd:unix_stream_socket { getattr read write append };
-dontaudit netutils_wrapper sysfs_msm_subsys:file read;
-dontaudit netutils_wrapper netmgrd:tcp_socket { getattr read write append };
-dontaudit netutils_wrapper netmgrd:socket { read write };
diff --git a/sepolicy/per_mgr.te b/sepolicy/per_mgr.te
new file mode 100644
index 0000000..9b150e2
--- /dev/null
+++ b/sepolicy/per_mgr.te
@@ -0,0 +1 @@
+allow per_mgr sysfs_msm_subsys:dir search;
diff --git a/sepolicy/priv_app.te b/sepolicy/priv_app.te
index e3f1665..bebf31b 100644
--- a/sepolicy/priv_app.te
+++ b/sepolicy/priv_app.te
@@ -1,7 +1,7 @@
-allow priv_app device:dir { open read };
-allow priv_app { camera_prop proc_interrupts }:file { open read };
-allow priv_app camera_prop:file getattr;
-allow priv_app proc_modules:file { getattr open read };
 allow priv_app adsprpcd_file:filesystem getattr;
+allow priv_app device:dir open;
+allow priv_app proc_interrupts:file open;
+allow priv_app proc_modules:file r_file_perms;
 allow priv_app proc_stat:file r_file_perms;
-allow priv_app vendor_file:file { r_file_perms execute };
+allow priv_app vendor_file:file rx_file_perms;
+allow priv_app qemu_hw_mainkeys_prop:file r_file_perms;
diff --git a/sepolicy/qti.te b/sepolicy/qti.te
new file mode 100644
index 0000000..dac3966
--- /dev/null
+++ b/sepolicy/qti.te
@@ -0,0 +1,2 @@
+allow qti sysfs_msm_subsys:dir search;
+allow qti sysfs_soc:dir search;
diff --git a/sepolicy/qti_init_shell.te b/sepolicy/qti_init_shell.te
deleted file mode 100644
index ccc278f..0000000
--- a/sepolicy/qti_init_shell.te
+++ /dev/null
@@ -1,5 +0,0 @@
-allow qti_init_shell sysfs:file rw_file_perms;
-
-allow qti_init_shell kmsg_device:chr_file { open write };
-
-allow qti_init_shell sensors_persist_file:dir { add_name create write };
diff --git a/sepolicy/radio.te b/sepolicy/radio.te
deleted file mode 100644
index 442a4b9..0000000
--- a/sepolicy/radio.te
+++ /dev/null
@@ -1,2 +0,0 @@
-allow radio vendor_file:file { execute getattr open read };
-allow radio system_app_data_file:dir getattr;
diff --git a/sepolicy/rild.te b/sepolicy/rild.te
index db21356..06625de 100644
--- a/sepolicy/rild.te
+++ b/sepolicy/rild.te
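Review bot: `allow priv_app device:dir open;` and `allow priv_app proc_interrupts:file open;` grant open without read, which the kernel also checks for a read-only open; these lines only take effect if the platform policy already grants priv_app read on those targets, and otherwise they are dead rules. If the intent is to keep what the replaced `{ open read }` rules allowed, restore the pair as `allow priv_app device:dir { open read };` and `allow priv_app proc_interrupts:file { open read };`; if the intent is to stop priv_app reading /proc/interrupts, drop the line rather than leave a partial grant. The added `allow priv_app qemu_hw_mainkeys_prop:file r_file_perms;` names no app that needs it, and a one-line comment per grant would help here since this file otherwise has none.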
@@ -1,13 +1 @@
-allow rild nv_data_file:dir rw_dir_perms;
-allow rild nv_data_file:file { create_file_perms getattr ioctl lock open read };
-
-allow rild { vendor_configs_file vendor_file }:file ioctl;
-
-allow rild qcom_ims_prop:property_service set;
-
-
-allow rild radio_data_file:file { create getattr ioctl lock open read unlink write };
-allow rild radio_data_file:dir { add_name getattr open read remove_name search write };
-
-allow rild toolbox_exec:file { getattr execute execute_no_trans open read };
-allow rild vendor_toolbox_exec:file execute_no_trans;
+allow rild vendor_file:file ioctl;
diff --git a/sepolicy/rmt_storage.te b/sepolicy/rmt_storage.te
index 3f531cb..11bd786 100644
--- a/sepolicy/rmt_storage.te
+++ b/sepolicy/rmt_storage.te
@@ -1,5 +1,3 @@
-# debugfs access
-userdebug_or_eng(`
- allow rmt_storage debugfs_rmt:dir search;
- allow rmt_storage debugfs_rmt:file rw_file_perms;
-')
+allow rmt_storage debugfs_rmt:dir search;
+allow rmt_storage debugfs_rmt:file rw_file_perms;
+allow rmt_storage sysfs_rmtfs:dir search;
diff --git a/sepolicy/sensors.te b/sepolicy/sensors.te
new file mode 100644
index 0000000..eaeed4d
--- /dev/null
+++ b/sepolicy/sensors.te
@@ -0,0 +1 @@
+allow sensors sysfs_msm_subsys:dir search;
diff --git a/sepolicy/servicemanager.te b/sepolicy/servicemanager.te
deleted file mode 100644
index 984bb16..0000000
--- a/sepolicy/servicemanager.te
+++ /dev/null
@@ -1,4 +0,0 @@
-allow servicemanager { init per_mgr rild qseeproxy }:dir search;
-allow servicemanager { per_mgr qseeproxy }:process getattr;
-allow servicemanager { per_mgr rild qseeproxy }:file { read open };
-allow servicemanager rild:process getattr;
diff --git a/sepolicy/system_app.te b/sepolicy/system_app.te
index d5e1fba..56cb70d 100644
--- a/sepolicy/system_app.te
+++ b/sepolicy/system_app.te
@@ -1,2 +1,2 @@
-allow system_app sysfs_fpc_proximity:file rw_file_perms;
+allow system_app sysfs_fingerprint:file rw_file_perms;
 allow system_app shell_prop:property_service set;
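Review bot: Dropping the `userdebug_or_eng(...)` wrapper in rmt_storage.te extends `allow rmt_storage debugfs_rmt:file rw_file_perms;` to user builds, and the removed `# debugfs access` block existed precisely to keep that debugfs read/write out of production policy. If the daemon only needs it for diagnostics, keep the guard; if it is genuinely required on user builds, record that in a comment above the rule and confirm the platform's debugfs neverallows on this Android version accept an unguarded grant. The new `allow rmt_storage sysfs_rmtfs:dir search;` is unaffected and can stay outside the guard either way.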
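Review bot: `allow system_app sysfs_fingerprint:file rw_file_perms;` widens system_app from a single node (the removed sysfs_fpc_proximity label covered only proximity_state) to every file under the fpc1020 sysfs directory, including irq and utouch_disable, because genfs_contexts now labels the whole directory sysfs_fingerprint. system_server.te in the next hunk goes the same way, from utouch_disable alone to the whole directory. If the two platform domains need different nodes, keep distinct labels for proximity_state and utouch_disable (the child genfscon entries already exist and only need their own types); otherwise add a comment on each rule recording which node the domain actually writes.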
diff --git a/sepolicy/system_server.te b/sepolicy/system_server.te
index 431e096..631fa7b 100644
--- a/sepolicy/system_server.te
+++ b/sepolicy/system_server.te
@@ -1,6 +1,6 @@
-allow system_server alarm_boot_prop:file { read open getattr };
+allow system_server alarm_boot_prop:file r_file_perms;
 allow system_server persist_file:dir write;
-allow system_server sysfs_fpc_utouch_disable:file rw_file_perms;
+allow system_server sysfs_fingerprint:file rw_file_perms;
 allow system_server install_data_file:file getattr;
diff --git a/sepolicy/thermal-engine.te b/sepolicy/thermal-engine.te
index 02f8521..a0d2651 100644
--- a/sepolicy/thermal-engine.te
+++ b/sepolicy/thermal-engine.te
@@ -1,10 +1,11 @@
-type_transition thermal-engine system_data_file:file thermal_data_file "decrypt.txt";
-allow thermal-engine sysfs_kgsl:file r_file_perms;
-allow thermal-engine system_data_file:dir w_dir_perms;
-allow thermal-engine thermal_data_file:file create_file_perms;
+allow thermal-engine sysfs_msm_subsys:dir search;
+
 allow thermal-engine sysfs_usb_supply:dir search;
 allow thermal-engine sysfs_usb_supply:file r_file_perms;
-allow thermal-engine diag_device:chr_file { read write };
-allow thermal-engine diag_device:chr_file open;
-allow thermal-engine diag_device:chr_file ioctl;
-allow thermal-engine sysfs_uio:dir read;
+
+allow thermal-engine sysfs_soc:dir search;
+
+allow thermal-engine sysfs_msm_core:dir search;
+allow thermal-engine sysfs_msm_core:file r_file_perms;
+
+allow thermal-engine sysfs_rmtfs:dir search;
diff --git a/sepolicy/time_daemon.te b/sepolicy/time_daemon.te
new file mode 100644
index 0000000..f7324a4
--- /dev/null
+++ b/sepolicy/time_daemon.te
@@ -0,0 +1,2 @@
+allow time_daemon sysfs_msm_subsys:dir search;
+allow time_daemon sysfs_soc:dir search;
diff --git a/sepolicy/tombstoned.te b/sepolicy/tombstoned.te
deleted file mode 100644
index 08f529d..0000000
--- a/sepolicy/tombstoned.te
+++ /dev/null
@@ -1,2 +0,0 @@
-allow tombstoned system_data_file:dir r_dir_perms;
-allow tombstoned system_data_file:file getattr;
diff --git a/sepolicy/ueventd.te b/sepolicy/ueventd.te
index 18766b6..39b21e5 100644
--- a/sepolicy/ueventd.te
+++ b/sepolicy/ueventd.te
@@ -1,2 +1,2 @@
 allow ueventd vfat:dir search;
-allow ueventd vfat:file { read open };
+allow ueventd vfat:file r_file_perms;
diff --git a/sepolicy/vold.te b/sepolicy/vold.te
index ef3c943..4fda929 100644
--- a/sepolicy/vold.te
+++ b/sepolicy/vold.te
@@ -1,2 +1,3 @@
-allow vold persist_file:dir { ioctl open read };
-allow vold system_data_file:file { open };
+allow vold persist_file:dir r_file_perms;
+allow vold proc_irq:dir r_dir_perms;
+allow vold sysfs_scsi_devices_0000:file rw_file_perms;
diff --git a/sepolicy/wcnss_service.te b/sepolicy/wcnss_service.te
new file mode 100644
index 0000000..fd9c6e8
--- /dev/null
+++ b/sepolicy/wcnss_service.te
@@ -0,0 +1,6 @@
+allow wcnss_service sysfs_msm_subsys:dir search;
+allow wcnss_service sysfs_pcie:dir search;
+allow wcnss_service sysfs_pcie:file rw_file_perms;
+allow wcnss_service sysfs_wifi:dir search;
+allow wcnss_service sysfs_wifi:file rw_file_perms;
+allow wcnss_service sysfs_soc:dir search;
diff --git a/sepolicy/webview_zygote.te b/sepolicy/webview_zygote.te
deleted file mode 100644
index bb1116c..0000000
--- a/sepolicy/webview_zygote.te
+++ /dev/null
@@ -1 +0,0 @@
-allow webview_zygote mnt_expand_file:dir getattr;
diff --git a/sepolicy/zygote.te b/sepolicy/zygote.te
deleted file mode 100644
index c0e3d3e..0000000
--- a/sepolicy/zygote.te
+++ /dev/null
@@ -1,2 +0,0 @@
-allow zygote cgroup:file create;
-allow zygote system_data_file:dir write; |
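Review bot: `allow vold persist_file:dir r_file_perms;` applies the file macro to a dir target; the directory macro r_dir_perms, which this same commit uses for dirs in charger.te and mediaprovider.te, is the one the class calls for, and unlike r_file_perms it includes search and does not depend on every file permission being valid on dir. The old rule was `{ ioctl open read }`, so `allow vold persist_file:dir r_dir_perms;` is the consistent replacement. The two other new rules, `allow vold proc_irq:dir r_dir_perms;` and `allow vold sysfs_scsi_devices_0000:file rw_file_perms;`, give vold read of /proc/irq and write access to the UFS host's SCSI device attributes with nothing saying why; a one-line comment naming the operation behind each would let the next reader judge whether the write is still needed.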