author | Cosme Domínguez Díaz <cosme.ddiaz@gmail.com> | 2018-03-31 01:48:50 +0200 |
committer | Cosme Domínguez Díaz <cosme.ddiaz@gmail.com> | 2018-03-31 01:48:50 +0200 |
commit | aa94796eeb4dd0c9e73c4e8f2f2a057ef727fda5 (patch) | |
tree | dec0af2723748cf0a2b3cc1a9146df7d6d589141 | |
parent | 807dacaab8e2e4f4b53ad4dea172476a9602cf7f (diff) |
msm8996-common: sepolicy: Fix more SELinux denials.
* We could probably optimize them more, but for now it's enough.
-rw-r--r-- | sepolicy/bluetooth.te | 3 | ||||
-rw-r--r-- | sepolicy/cnd.te | 1 | ||||
-rw-r--r-- | sepolicy/idmap.te | 1 | ||||
-rw-r--r-- | sepolicy/init.te | 1 | ||||
-rw-r--r-- | sepolicy/system_server.te | 2 | ||||
-rw-r--r-- | sepolicy/tombstoned.te | 2 | ||||
-rw-r--r-- | sepolicy/zygote.te | 1 | ||||
-rw-r--r-- | untrusted_app.te | 2 |
8 files changed, 13 insertions, 0 deletions
diff --git a/sepolicy/bluetooth.te b/sepolicy/bluetooth.te
new file mode 100644
index 0000000..d5742fd
--- /dev/null
+++ b/sepolicy/bluetooth.te
@@ -0,0 +1,3 @@
+# Bluetooth app depend on /vendor/lib64/libaptX_encoder.so
+
+allow bluetooth vendor_file:file { r_file_perms execute };
diff --git a/sepolicy/cnd.te b/sepolicy/cnd.te
index b66fa5f..d0d8d59 100644
--- a/sepolicy/cnd.te
+++ b/sepolicy/cnd.te
@@ -1 +1,2 @@
 allow cnd cnd:capability { setuid dac_override chown dac_override dac_read_search setgid fsetid net_raw };
+allow cnd system_data_file:dir read;
diff --git a/sepolicy/idmap.te b/sepolicy/idmap.te
new file mode 100644
index 0000000..b268823
--- /dev/null
+++ b/sepolicy/idmap.te
@@ -0,0 +1 @@
+allow idmap install_data_file:file rw_file_perms;
diff --git a/sepolicy/init.te b/sepolicy/init.te
index 90c9593..7294485 100644
--- a/sepolicy/init.te
+++ b/sepolicy/init.te
@@ -1,2 +1,3 @@
 allow init adsprpcd_file:filesystem { mount relabelfrom relabelto };
 allow init debugfs:file write;
+allow init system_data_file:file rename;
diff --git a/sepolicy/system_server.te b/sepolicy/system_server.te
index 975336c..431e096 100644
--- a/sepolicy/system_server.te
+++ b/sepolicy/system_server.te
@@ -2,6 +2,8 @@
 allow system_server alarm_boot_prop:file { read open getattr };
 allow system_server persist_file:dir write;
 allow system_server sysfs_fpc_utouch_disable:file rw_file_perms;
+allow system_server install_data_file:file getattr;
+
 # /vendor/usr/keylayout
 r_dir_file(system_server, idc_file)
 # /vendor/usr/idc
diff --git a/sepolicy/tombstoned.te b/sepolicy/tombstoned.te
new file mode 100644
index 0000000..08f529d
--- /dev/null
+++ b/sepolicy/tombstoned.te
@@ -0,0 +1,2 @@
+allow tombstoned system_data_file:dir r_dir_perms;
+allow tombstoned system_data_file:file getattr;
diff --git a/sepolicy/zygote.te b/sepolicy/zygote.te
index e830681..c0e3d3e 100644
--- a/sepolicy/zygote.te
+++ b/sepolicy/zygote.te
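Review bot: `allow bluetooth vendor_file:file { r_file_perms execute };` in the bluetooth.te hunk grants read and execute over every file carrying the vendor_file label, not only the /vendor/lib64/libaptX_encoder.so named in the comment above it. The narrower fix is to give that library its own type in file_contexts (upstream policy uses `same_process_hal_file` for vendor libraries loaded into core domains) and allow only that type; whether this broad rule trips the platform neverallow checks cannot be confirmed from the hunk alone, but an execute grant on the whole vendor_file type is the pattern those checks are designed to catch. The comment also reads `# Bluetooth app depend on /vendor/lib64/libaptX_encoder.so`; `# Bluetooth app depends on /vendor/lib64/libaptX_encoder.so` is the intended wording.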
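Review bot: `allow cnd system_data_file:dir read;` in the cnd.te hunk opens directory listing of everything under the generic system_data_file label rather than the single path cnd was denied on; the same pattern appears in the init hunk (`allow init system_data_file:file rename;`), the tombstoned hunk (`system_data_file:dir r_dir_perms` and `system_data_file:file getattr`) and the zygote hunk on the following line (`allow zygote system_data_file:dir write;`). Each of the denials behind these rules names a concrete path, so labelling that path with a device-specific type in file_contexts and allowing only that type keeps the grant to the directory actually needed. The zygote rule deserves a second look in particular: write on a directory is normally accompanied by add_name or remove_name, and a bare dir write denial from zygote more often points at a mislabelled path than at a missing rule. At minimum, the denied path should be recorded in a comment above each rule so the follow-up narrowing the commit message promises has something to work from.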
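Review bot: `allow idmap install_data_file:file rw_file_perms;` in the idmap.te hunk grants write as well as read; if the denial that prompted it listed only read/open/getattr, `r_file_perms` is the sufficient macro and write should not be handed to a domain that parses untrusted APK resources. Whether write was actually denied cannot be told from the hunk, so the triggering avc line belongs in a comment above the rule, e.g. `# avc: denied { <permissions from logcat> } scontext=idmap tcontext=install_data_file` with the placeholder filled from the device log.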
@@ -1 +1,2 @@
 allow zygote cgroup:file create;
+allow zygote system_data_file:dir write;
diff --git a/untrusted_app.te b/untrusted_app.te
new file mode 100644
index 0000000..8aeb709
--- /dev/null
+++ b/untrusted_app.te
@@ -0,0 +1,2 @@
+dontaudit untrusted_app_all sysfs_zram:dir search;
+dontaudit untrusted_app_all sysfs_zram:file r_file_perms; |
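Review bot: The new file in the last hunk is created at `untrusted_app.te` in the repository root, while every other policy file in this commit lives under `sepolicy/` (the diffstat shows the same path). Unless the device's BOARD_SEPOLICY_DIRS also lists the repository root, these two dontaudit rules are never compiled into the policy and the sysfs_zram denials keep appearing; the file should be moved to `sepolicy/untrusted_app.te`. dontaudit is the appropriate verb here, since it silences the log noise without granting untrusted apps any access to sysfs_zram.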