author | Fedor917 <cryscript@gmail.com> | 2016-11-10 16:08:06 +0700 |
---|---|---|
committer | Fedor917 <cryscript@gmail.com> | 2016-11-10 16:08:06 +0700 |
commit | 1ebfb18a229b395c76b29e7266e2798090948ddd (patch) | |
tree | 4c7d3e22470915a48cfa714ea3335b1781efc1dd | |
parent | e20953eccb7d8b9125a37699b2cef2c8374fa3f0 (diff) |
Test some changes in sepolicy
-rw-r--r-- | sepolicy/file.te | 4 | ||||
-rw-r--r-- | sepolicy/file_contexts | 12 | ||||
-rw-r--r-- | sepolicy/fingerprintd.te | 18 | ||||
-rw-r--r-- | sepolicy/genfs_contexts | 1 | ||||
-rw-r--r-- | sepolicy/ipacm-diag.te | 6 | ||||
-rw-r--r-- | sepolicy/location.te | 1 | ||||
-rw-r--r-- | sepolicy/mac_permissions.xml | 7 | ||||
-rw-r--r-- | sepolicy/mediaserver.te | 1 | ||||
-rw-r--r-- | sepolicy/mm-qcamerad.te | 1 | ||||
-rw-r--r-- | sepolicy/netd.te | 5 | ||||
-rw-r--r-- | sepolicy/per_mgr.te | 2 | ||||
-rw-r--r-- | sepolicy/peripheral_manager.te | 1 | ||||
-rw-r--r-- | sepolicy/property_contexts | 1 | ||||
-rw-r--r-- | sepolicy/qmuxd.te | 2 | ||||
-rw-r--r-- | sepolicy/qti.te | 2 | ||||
-rw-r--r-- | sepolicy/rild.te | 4 | ||||
-rw-r--r-- | sepolicy/rmt_storage.te | 1 | ||||
-rw-r--r-- | sepolicy/seapp_contexts | 1 | ||||
-rw-r--r-- | sepolicy/sensors.te | 2 | ||||
-rw-r--r-- | sepolicy/service_contexts | 1 | ||||
-rw-r--r-- | sepolicy/system_app.te | 4 | ||||
-rw-r--r-- | sepolicy/system_server.te | 5 | ||||
-rw-r--r-- | sepolicy/thermal-engine.te | 2 | ||||
-rw-r--r-- | sepolicy/untrusted_app.te | 1 | ||||
-rw-r--r-- | sepolicy/vold.te | 2 | ||||
-rw-r--r-- | sepolicy/wcnss_service.te | 1 | ||||
-rw-r--r-- | sepolicy/zygote.te | 2 |
27 files changed, 54 insertions, 36 deletions
diff --git a/sepolicy/file.te b/sepolicy/file.te
index 139812a..4569d6b 100644
--- a/sepolicy/file.te
+++ b/sepolicy/file.te
@@ -1,5 +1,9 @@
type fpc_data_file, file_type;
type fpc_images_file, file_type;
type sysfs_fpc_irq, sysfs_type, fs_type;
+type sysfs_fpc_proximity, sysfs_type, fs_type;
type proc_touchpanel, fs_type;
type nv_data_file, file_type;
+type proc_stat, fs_type;
+type debugfs_msm_core, debugfs_type, fs_type;
+type debugfs_rmts, debugfs_type, fs_type;
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index 686f99b..75737a2 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -15,5 +15,17 @@
/data/fpc(/.*)? u:object_r:fpc_data_file:s0
/data/fpc_images(/.*)? u:object_r:fpc_images_file:s0
/sys/devices/soc/soc:fpc_fpc1020/irq u:object_r:sysfs_fpc_irq:s0
+/sys/devices/soc/soc:fpc_fpc1020/proximity_state u:object_r:sysfs_fpc_proximity:s0
+
+/sys/devices/soc/.*ssusb/power_supply/usb(/.*)? u:object_r:sysfs_usb_supply:s0
+
+/sys/devices/soc/qpnp-smbcharger-[0-9a-f]+/power_supply/battery/capacity u:object_r:sysfs_batteryinfo:s0
+/sys/devices/soc/qpnp-smbcharger-[0-9a-f]+/power_supply/battery/current_now u:object_r:sysfs_batteryinfo:s0
+/sys/devices/soc/qpnp-smbcharger-[0-9a-f]+/power_supply/battery/voltage_now u:object_r:sysfs_batteryinfo:s0
+/sys/devices/soc/qpnp-smbcharger-[0-9a-f]+/power_supply/battery/temp u:object_r:sysfs_batteryinfo:s0
+
+/sys/kernel/debug/msm_core(/.*)? u:object_r:debugfs_msm_core:s0
+
+/sys/kernel/debug/rmt_storage/rmts u:object_r:debugfs_rmts:s0
/system/bin/ifaadaemon u:object_r:ifaadaemon_exec:s0
diff --git a/sepolicy/fingerprintd.te b/sepolicy/fingerprintd.te
index 29e56af..a9d13a6 100644
--- a/sepolicy/fingerprintd.te
+++ b/sepolicy/fingerprintd.te
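Review bot: The new label `/sys/kernel/debug/msm_core(/.*)? u:object_r:debugfs_msm_core:s0` (and its `type debugfs_msm_core` in file.te) has no consumer anywhere in this commit — no domain is granted access to debugfs_msm_core — so it is either dead or its allow rule is missing from the patch; by contrast the sibling `debugfs_rmts` label does get a rule in rmt_storage.te. The entries for `sysfs_usb_supply` and `sysfs_batteryinfo` rely on those types being declared by the base policy, which is normal for AOSP core types but worth confirming on this tree since file.te here does not declare them. A trailing comment on the msm_core line naming the expected user (`# used by <daemon> — TODO confirm`) would make the intent explicit for the next maintainer.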
@@ -1,12 +1,12 @@
-allow fingerprintd firmware_file:file { read getattr open };
-allow fingerprintd firmware_file:dir search;
-allow fingerprintd fpc_data_file:dir { write remove_name add_name search read open };
-allow fingerprintd fpc_data_file:sock_file { create unlink setattr };
-allow fingerprintd fpc_images_file:dir { read write open add_name search };
-allow fingerprintd fpc_images_file:file { write create open getattr };
-allow fingerprintd sysfs_fpc_irq:file { read write open };
-allow fingerprintd tee_device:chr_file { read write ioctl open };
+r_dir_file(fingerprintd, firmware_file)
+r_dir_file(fingerprintd, proc_touchpanel)
+allow fingerprintd fpc_data_file:dir rw_dir_perms;
+allow fingerprintd fpc_data_file:sock_file { create unlink };
+allow fingerprintd fpc_images_file:dir rw_dir_perms;
+allow fingerprintd fpc_images_file:file create_file_perms;
+allow fingerprintd sysfs_fpc_irq:file rw_file_perms;
+allow fingerprintd tee_device:chr_file rw_file_perms;
allow fingerprintd sysfs:file write;
allow fingerprintd proc_touchpanel:dir search;
allow fingerprintd proc_touchpanel:file { read open };
-allow fingerprintd vfat:file { read getattr open };
+allow fingerprintd vfat:file r_file_perms;
diff --git a/sepolicy/genfs_contexts b/sepolicy/genfs_contexts
index cfc50b6..a4d53e1 100644
--- a/sepolicy/genfs_contexts
+++ b/sepolicy/genfs_contexts
@@ -1,3 +1,4 @@
genfscon proc /touchpanel u:object_r:proc_touchpanel:s0
genfscon proc /s1302 u:object_r:proc_touchpanel:s0
genfscon proc /tri-state-key u:object_r:proc_touchpanel:s0
+genfscon proc /stat u:object_r:proc_stat:s0
diff --git a/sepolicy/ipacm-diag.te b/sepolicy/ipacm-diag.te
index 70bc113..db7fc42 100644
--- a/sepolicy/ipacm-diag.te
+++ b/sepolicy/ipacm-diag.te
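Review bot: `allow fingerprintd sysfs:file write;` survives the rewrite even though this commit introduces dedicated sysfs labels for the sensor (sysfs_fpc_irq, sysfs_fpc_proximity); a write grant on the generic sysfs type lets the daemon write any unlabeled sysfs node, which is the kind of rule audit2allow emits before the real node has been labeled. If the remaining denial points at one node, label it in file_contexts and replace the rule with something like `allow fingerprintd sysfs_fpc_proximity:file w_file_perms;`, otherwise drop it. The added `r_dir_file(fingerprintd, proc_touchpanel)` presumably expands (per AOSP's global_macros) to r_dir_perms/r_file_perms, which already cover search, read and open, so the retained `allow fingerprintd proc_touchpanel:dir search;` and `allow fingerprintd proc_touchpanel:file { read open };` lines become redundant and should go. The rewritten sock_file rule also silently drops `setattr` relative to the old line; confirm that was intentional rather than a transcription slip.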
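Review bot: Relabeling `/proc/stat` from the generic proc type to the new proc_stat type withdraws it from every domain that previously reached it through the generic label, yet only system_server receives `proc_stat:file r_file_perms` in this commit. Any other reader on the device (apps, dumpstate, shell tooling) will start hitting denials, so either grant the remaining consumers or confirm nothing else reads it. Also check that the base policy on this tree does not already declare a `proc_stat` type, since the duplicate `type proc_stat, fs_type;` in file.te would then fail the policy build. A one-line comment above the genfscon stating the intent would help, e.g. `# /proc/stat is isolated to proc_stat; currently only system_server may read it`.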
@@ -1,4 +1,2 @@
-allow ipacm-diag init:unix_stream_socket connectto;
-allow ipacm-diag property_socket:sock_file write;
-allow ipacm-diag system_prop:property_service set;
-allow ipacm-diag diag_prop:property_service set;
+set_prop(ipacm-diag, diag_prop)
+set_prop(ipacm-diag, system_prop)
diff --git a/sepolicy/location.te b/sepolicy/location.te
index 756bb26..edbedb7 100644
--- a/sepolicy/location.te
+++ b/sepolicy/location.te
@@ -1 +1,2 @@
allow location permission_service:service_manager find;
+allow location self:capability net_raw;
diff --git a/sepolicy/mac_permissions.xml b/sepolicy/mac_permissions.xml
index a025144..f77d495 100644
--- a/sepolicy/mac_permissions.xml
+++ b/sepolicy/mac_permissions.xml
@@ -8,11 +8,4 @@
</package>
</signer>
- <!-- Taobao -->
- <signer signature="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">
- <package name="com.taobao.taobao" >
- <seinfo value="taobao" />
- </package>
- </signer>
-
</policy>
diff --git a/sepolicy/mediaserver.te b/sepolicy/mediaserver.te
new file mode 100644
index 0000000..ae5aaa9
--- /dev/null
+++ b/sepolicy/mediaserver.te
@@ -0,0 +1 @@
+allow mediaserver audio_device:chr_file { ioctl open read write };
diff --git a/sepolicy/mm-qcamerad.te b/sepolicy/mm-qcamerad.te
index e8cdb14..4c7c39d 100644
--- a/sepolicy/mm-qcamerad.te
+++ b/sepolicy/mm-qcamerad.te
@@ -1,2 +1,3 @@
allow mm-qcamerad camera_prop:property_service set;
allow mm-qcamerad permission_service:service_manager find;
+allow mm-qcamerad mpctl_socket:sock_file write;
diff --git a/sepolicy/netd.te b/sepolicy/netd.te
index 5d204e5..f513b69 100644
--- a/sepolicy/netd.te
+++ b/sepolicy/netd.te
@@ -1,3 +1,2 @@
-allow netd firmware_file:file { read open };
-allow netd firmware_file:dir search;
-allow netd vfat:file { read open };
+r_dir_file(netd, firmware_file)
+allow netd vfat:file r_file_perms;
diff --git a/sepolicy/per_mgr.te b/sepolicy/per_mgr.te
index d5f2aa5..c964ad3 100644
--- a/sepolicy/per_mgr.te
+++ b/sepolicy/per_mgr.te
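Review bot: `allow location self:capability net_raw;` hands the location daemon raw-socket creation — packet capture and arbitrary-header injection on any interface — with no comment recording which operation needed it. Capability grants copied straight from a denial log are often broader than the real need; net_raw denials are commonly triggered by an ioctl or a socket type that a narrower rule would cover, so please record the triggering call and, if a raw socket really is required, document it above the rule: `# net_raw: <reason> — TODO confirm`. The same capability is granted to per_mgr elsewhere in this commit; if both stem from one untraced denial, re-check them together.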
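Review bot: `allow mm-qcamerad mpctl_socket:sock_file write;` only permits opening the socket node on the filesystem; on its own it does not let the camera daemon exchange data with the socket's owner, which additionally needs `unix_dgram_socket sendto` or `unix_stream_socket connectto` toward the domain that created the socket (likely the performance daemon on this SoC, to be confirmed). If the denial log has shown only the sock_file write so far, the next denial will surface as soon as this rule lands, so add the pairing rule now, e.g. `allow mm-qcamerad <owner_domain>:unix_dgram_socket sendto;`, or use the base policy's `unix_socket_send(mm-qcamerad, mpctl, <owner_domain>)` macro if it is available on this tree.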
@@ -1 +1 @@
-allow per_mgr vfat:file { read open };
+allow per_mgr vfat:file r_file_perms;
diff --git a/sepolicy/peripheral_manager.te b/sepolicy/peripheral_manager.te
new file mode 100644
index 0000000..6d75682
--- /dev/null
+++ b/sepolicy/peripheral_manager.te
@@ -0,0 +1 @@
+allow per_mgr self:capability net_raw;
diff --git a/sepolicy/property_contexts b/sepolicy/property_contexts
index 4dbb541..2b0957e 100644
--- a/sepolicy/property_contexts
+++ b/sepolicy/property_contexts
@@ -3,3 +3,4 @@ audio. u:object_r:audio_prop:s0
sys.fake_bs_flag0 u:object_r:system_radio_prop:s0
sys.fake_bs_flag1 u:object_r:system_radio_prop:s0
sys.oem.sno u:object_r:system_radio_prop:s0
+persist.sys.diag.max.size u:object_r:diag_prop:s0
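Review bot: The new file peripheral_manager.te contains a rule for the per_mgr domain, but this directory already has per_mgr.te (patched in the hunk just above), so rules for a single domain are now split across two differently named files. Move `allow per_mgr self:capability net_raw;` into per_mgr.te and drop this file so the domain's policy lives in one place. As with the location.te hunk, net_raw is a strong capability; add a comment naming the operation that required it, e.g. `# net_raw: needed for <socket op> — TODO confirm`, rather than leaving a bare grant.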
\ No newline at end of file
diff --git a/sepolicy/qmuxd.te b/sepolicy/qmuxd.te
index e3fe26b..14aa9a1 100644
--- a/sepolicy/qmuxd.te
+++ b/sepolicy/qmuxd.te
@@ -1,3 +1,3 @@
-allow qmuxd diag_prop:property_service set;
+set_prop(qmuxd, diag_prop)
allow qmuxd init:unix_stream_socket connectto;
allow qmuxd property_socket:sock_file write;
diff --git a/sepolicy/qti.te b/sepolicy/qti.te
index 2121a58..861eb5d 100644
--- a/sepolicy/qti.te
+++ b/sepolicy/qti.te
@@ -1,3 +1,3 @@
-allow qti diag_prop:property_service set;
+set_prop(qti, diag_prop)
allow qti init:unix_stream_socket connectto;
allow qti property_socket:sock_file write;
diff --git a/sepolicy/rild.te b/sepolicy/rild.te
index c176c48..424aab7 100644
--- a/sepolicy/rild.te
+++ b/sepolicy/rild.te
@@ -1,3 +1,3 @@
-allow rild nv_data_file:dir { getattr search write add_name };
-allow rild nv_data_file:file { write open create };
+allow rild nv_data_file:dir rw_dir_perms;
+allow rild nv_data_file:file create_file_perms;
allow rild diag_prop:property_service set;
diff --git a/sepolicy/rmt_storage.te b/sepolicy/rmt_storage.te
new file mode 100644
index 0000000..f082cae
--- /dev/null
+++ b/sepolicy/rmt_storage.te
@@ -0,0 +1 @@
+allow rmt_storage debugfs_rmts:file rw_file_perms;
diff --git a/sepolicy/seapp_contexts b/sepolicy/seapp_contexts
new file mode 100644
index 0000000..63f4cb1
--- /dev/null
+++ b/sepolicy/seapp_contexts
@@ -0,0 +1 @@
+user=_app seinfo=alipay name=com.eg.android.AlipayGphone* domain=alipay_app type=app_data_file
diff --git a/sepolicy/sensors.te b/sepolicy/sensors.te
index fc45cdd..14a5ad1 100644
--- a/sepolicy/sensors.te
+++ b/sepolicy/sensors.te
@@ -1,3 +1,3 @@
allow sensors property_socket:sock_file write;
allow sensors init:unix_stream_socket connectto;
-allow sensors diag_prop:property_service set;
+set_prop(sensors, diag_prop)
diff --git a/sepolicy/service_contexts b/sepolicy/service_contexts
new file mode 100644
index 0000000..5b71d70
--- /dev/null
+++ b/sepolicy/service_contexts
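Review bot: The added `persist.sys.diag.max.size u:object_r:diag_prop:s0` entry is written without a terminating newline (`\ No newline at end of file`), so the next append to property_contexts yields a noisy diff and any line-oriented tooling that expects terminated lines may mishandle the last entry; add the newline. Because `persist.sys.` is normally a system_prop prefix in the base policy, this entry also relies on the property backend preferring the longer prefix match — I believe libselinux's property backend sorts specs longest-prefix-first, but confirm on this tree, since if it did not, the daemons given `set_prop(..., diag_prop)` in this commit would still be denied when setting the property.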
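Review bot: After `set_prop(qmuxd, diag_prop)`, the retained `allow qmuxd init:unix_stream_socket connectto;` and `allow qmuxd property_socket:sock_file write;` lines are redundant, because the set_prop macro in AOSP's te_macros already expands to the init socket connect and the property_socket write. The ipacm-diag hunk in this same commit removes those two lines when switching to set_prop, but qmuxd, qti, sensors and thermal-engine keep them, so the change is inconsistent with itself. Delete the two lines in those four files so each domain's property access is expressed once, via the macro.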
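Review bot: `allow rild nv_data_file:file create_file_perms;` widens the old `{ write open create }` to the full create_file_perms set, which in AOSP's global_macros also carries `unlink`, `rename` and `setattr`, so rild gains the ability to delete or rename NV data files that the old rule did not allow. If the daemon only creates and writes these files, `allow rild nv_data_file:file { create open write getattr };` is the conservative form; keep the widening only if a denial for unlink or rename was actually observed. Separately, unlike every other domain in this commit, the retained `allow rild diag_prop:property_service set;` is not converted to `set_prop(rild, diag_prop)`; either the socket grants it depends on already exist elsewhere, or it should be converted for consistency.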
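Review bot: The new seapp_contexts entry maps the Alipay package to `domain=alipay_app`, but no alipay_app.te or `type alipay_app, domain;` declaration is part of this commit, and checkseapp rejects a domain the compiled policy does not define, so the build will fail unless the domain is declared elsewhere in the tree. The entry also depends on `seinfo=alipay` matching a signer in mac_permissions.xml; this commit removes the Taobao signer from that file, so confirm an alipay signer is still present, otherwise the app silently falls back to untrusted_app and the special domain is never used. A comment line documenting the intent would help, e.g. `# alipay_app: dedicated domain for the Alipay client (TODO: state why it needs one)`.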
@@ -0,0 +1 @@
+ifaadaemon u:object_r:ifaadaemon_service:s0
diff --git a/sepolicy/system_app.te b/sepolicy/system_app.te
index d4f37b1..f9df2ec 100644
--- a/sepolicy/system_app.te
+++ b/sepolicy/system_app.te
@@ -1,2 +1,4 @@
allow system_app proc_touchpanel:dir search;
-allow system_app proc_touchpanel:file { write read getattr open read };
+allow system_app proc_touchpanel:file rw_file_perms;
+
+allow system_app sysfs_fpc_proximity:file rw_file_perms;
diff --git a/sepolicy/system_server.te b/sepolicy/system_server.te
index 503b1df..7bd7016 100644
--- a/sepolicy/system_server.te
+++ b/sepolicy/system_server.te
@@ -1,5 +1,6 @@
allow system_server persist_file:dir { read write };
allow system_server proc_touchpanel:dir search;
-allow system_server proc_touchpanel:file { write open getattr read };
-allow system_server sensors_persist_file:file { read getattr open };
+allow system_server proc_touchpanel:file rw_file_perms;
+allow system_server sensors_persist_file:file r_file_perms;
allow system_server sensors_persist_file:dir search;
+allow system_server proc_stat:file r_file_perms;
diff --git a/sepolicy/thermal-engine.te b/sepolicy/thermal-engine.te
index d57ef05..525394e 100644
--- a/sepolicy/thermal-engine.te
+++ b/sepolicy/thermal-engine.te
@@ -1,3 +1,3 @@
-allow thermal-engine diag_prop:property_service set;
+set_prop(thermal-engine, diag_prop)
allow thermal-engine init:unix_stream_socket connectto;
allow thermal-engine property_socket:sock_file write;
diff --git a/sepolicy/untrusted_app.te b/sepolicy/untrusted_app.te
deleted file mode 100644
index 70de2b0..0000000
--- a/sepolicy/untrusted_app.te
+++ /dev/null
@@ -1 +0,0 @@
-allow untrusted_app ifaadaemon_service:service_manager { find };
diff --git a/sepolicy/vold.te b/sepolicy/vold.te
index 9dfc1e9..be2bf87 100644
--- a/sepolicy/vold.te
+++ b/sepolicy/vold.te
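Review bot: `ifaadaemon u:object_r:ifaadaemon_service:s0` registers the service label, but the only `service_manager find` grant for ifaadaemon_service visible in this tree — `allow untrusted_app ifaadaemon_service:service_manager { find };` — is deleted by the same commit, so after this change no domain shown here can look the service up. If the intended client is the new alipay_app domain from the seapp_contexts hunk, it needs `allow alipay_app ifaadaemon_service:service_manager find;`; if ordinary apps were meant to keep reaching it, the untrusted_app removal is a regression. Also confirm `ifaadaemon_service` is declared with the `service_manager_type` attribute, since service_contexts entries referencing a type without it fail at policy check time.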
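Review bot: `allow system_app sysfs_fpc_proximity:file rw_file_perms;` gives write access to the fingerprint sensor's proximity_state node to every app running in the system_app domain, not only the one that toggles it. If a single system-UID app drives this node, a dedicated domain would keep the rest of system_app from writing hardware state; if system_app really is the right scope, a comment naming the app (`# written by <package> to pause the sensor — TODO confirm`) would justify the breadth and stop the rule from being trimmed later as unexplained.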
@@ -1,2 +1,2 @@
-allow vold proc_touchpanel:dir { read open };
+allow vold proc_touchpanel:dir r_dir_perms;
allow vold system_block_device:blk_file getattr;
diff --git a/sepolicy/wcnss_service.te b/sepolicy/wcnss_service.te
new file mode 100644
index 0000000..46c74a3
--- /dev/null
+++ b/sepolicy/wcnss_service.te
@@ -0,0 +1 @@
+allow wcnss_service self:capability { setgid setuid };
diff --git a/sepolicy/zygote.te b/sepolicy/zygote.te
index d9874bc..32f3157 100644
--- a/sepolicy/zygote.te
+++ b/sepolicy/zygote.te
@@ -1,2 +1,2 @@
-allow zygote input_device:dir { r_file_perms search };
+allow zygote input_device:dir r_dir_perms;
allow zygote input_device:chr_file rw_file_perms; |
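Review bot: `allow wcnss_service self:capability { setgid setuid };` lets the daemon switch to any UID or GID, including back to root, for the whole life of the process; if the grant exists only so the service can drop privileges at startup, the AOSP pattern is to let init do that through `user`/`group` lines in the service's init.rc entry, which needs no capability at all. Please check whether the denial came from a privilege drop or from a genuine runtime UID switch, and keep the rule only in the latter case with a comment stating why, e.g. `# setuid/setgid: <reason> — TODO confirm`. A bare capability grant in a brand-new one-line file gives the next reader nothing to judge it against.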