From 2c7ad967d1c9be71a50a9c27e336e180c035e648 Mon Sep 17 00:00:00 2001 
From: Davide Garberi Date: Thu, 2 May 2019 16:52:20 +0200 Subject: msm8996-common: sepolicy: Cleanup * Add back the fstab contexts to prevent some vfat denials * Remove a lot of not needed addresses * Create a domain for double tap to wake to not let the powerhal access all the sysfs files Change-Id: I44dfc5e9903eb562748215541f2d71f9a3d111d7 --- rootdir/etc/fstab.qcom | 6 +++--- sepolicy/adbd.te | 1 - sepolicy/adsprpcd.te | 2 +- sepolicy/charger.te | 1 - sepolicy/cnd.te | 1 - sepolicy/file.te | 1 + sepolicy/file_contexts | 11 +++++------ sepolicy/genfs_contexts | 1 + sepolicy/hal_audio_default.te | 1 - sepolicy/hal_bluetooth_default.te | 3 --- sepolicy/hal_bluetooth_qti.te | 2 -- sepolicy/hal_drm_default.te | 4 ---- sepolicy/hal_fingerprint_default.te | 2 -- sepolicy/hal_health_default.te | 1 - sepolicy/hal_light_default.te | 1 - sepolicy/hal_perf_default.te | 1 - sepolicy/hal_power_default.te | 2 +- sepolicy/hal_vibrator_default.te | 1 - sepolicy/hwservicemanager.te | 1 - sepolicy/ims.te | 1 - sepolicy/init.te | 4 +--- sepolicy/installd.te | 1 - sepolicy/kernel.te | 2 -- sepolicy/location.te | 1 - sepolicy/mediaextractor.te | 1 - sepolicy/mediaprovider.te | 1 - sepolicy/mm-qcamerad.te | 1 - sepolicy/netd.te | 1 - sepolicy/netutils_wrapper.te | 1 + sepolicy/peripheral_manager.te | 2 -- sepolicy/priv_app.te | 12 ------------ sepolicy/qti_init_shell.te | 3 --- sepolicy/rmt_storage.te | 2 -- sepolicy/system_app.te | 3 --- sepolicy/system_server.te | 2 -- sepolicy/ueventd.te | 2 -- sepolicy/untrusted_app.te | 2 -- sepolicy/vendor_init.te | 5 ----- sepolicy/wcnss_service.te | 6 ++---- sepolicy/webview_zygote.te | 1 - 40 files changed, 16 insertions(+), 81 deletions(-) delete mode 100644 sepolicy/adbd.te delete mode 100644 sepolicy/cnd.te delete mode 100644 sepolicy/hal_bluetooth_qti.te delete mode 100644 sepolicy/hal_drm_default.te delete mode 100644 sepolicy/hal_health_default.te delete mode 100644 sepolicy/hal_light_default.te delete mode 100644 
sepolicy/hal_vibrator_default.te delete mode 100644 sepolicy/ims.te delete mode 100644 sepolicy/installd.te delete mode 100644 sepolicy/kernel.te delete mode 100644 sepolicy/location.te delete mode 100644 sepolicy/mediaextractor.te delete mode 100644 sepolicy/mediaprovider.te create mode 100644 sepolicy/netutils_wrapper.te delete mode 100644 sepolicy/peripheral_manager.te delete mode 100644 sepolicy/priv_app.te delete mode 100644 sepolicy/rmt_storage.te delete mode 100644 sepolicy/ueventd.te delete mode 100644 sepolicy/untrusted_app.te delete mode 100644 sepolicy/webview_zygote.te diff --git a/rootdir/etc/fstab.qcom b/rootdir/etc/fstab.qcom index b1985f6..4c4ccdb 100644 --- a/rootdir/etc/fstab.qcom +++ b/rootdir/etc/fstab.qcom 
@@ -16,9 +16,9 @@
 /dev/block/bootdevice/by-name/cache /cache ext4 nosuid,nodev,noatime,barrier=1 wait,check
 /dev/block/bootdevice/by-name/cache /cache f2fs nosuid,nodev,noatime,inline_xattr,flush_merge,data_flush wait,check
 /dev/block/bootdevice/by-name/persist /mnt/vendor/persist ext4 nosuid,nodev,noatime,barrier=1 wait
-/dev/block/bootdevice/by-name/dsp /vendor/dsp ext4 ro,nosuid,nodev,barrier=1 wait
-/dev/block/bootdevice/by-name/modem /vendor/firmware_mnt vfat ro,shortname=lower,uid=0,gid=1000,dmask=227,fmask=337 wait
-/dev/block/bootdevice/by-name/bluetooth /vendor/bt_firmware vfat ro,shortname=lower,uid=1002,gid=3002,dmask=222,fmask=333 wait
+/dev/block/bootdevice/by-name/dsp /vendor/dsp ext4 ro,nosuid,nodev,barrier=1,context=u:object_r:adsprpcd_file:s0 wait
+/dev/block/bootdevice/by-name/modem /vendor/firmware_mnt vfat ro,shortname=lower,uid=0,gid=1000,dmask=227,fmask=337,context=u:object_r:firmware_file:s0 wait
+/dev/block/bootdevice/by-name/bluetooth /vendor/bt_firmware vfat ro,shortname=lower,uid=1002,gid=3002,dmask=222,fmask=333,context=u:object_r:bt_firmware_file:s0 wait
 /dev/block/bootdevice/by-name/misc /misc emmc defaults defaults
 /dev/block/zram0 none swap defaults zramsize=536870912,max_comp_streams=4
 /mnt/vendor/persist /persist none bind wait
diff --git a/sepolicy/adbd.te b/sepolicy/adbd.te
deleted file mode 100644
index 01a14f2..0000000
--- a/sepolicy/adbd.te
+++ /dev/null
@@ -1 +0,0 @@
-allow adbd ctl_mdnsd_prop:property_service set;
diff --git a/sepolicy/adsprpcd.te b/sepolicy/adsprpcd.te
index cbb5d4d..8707457 100644
--- a/sepolicy/adsprpcd.te
+++ b/sepolicy/adsprpcd.te
@@ -1 +1 @@
-allow adsprpcd_file self:filesystem { associate getattr };
+allow adsprpcd_file self:filesystem associate;
diff --git a/sepolicy/charger.te b/sepolicy/charger.te
index 944a1c0..f9509e4 100644
--- a/sepolicy/charger.te
+++ b/sepolicy/charger.te
@@ -1,2 +1 @@
-allow charger rtc_device:chr_file r_file_perms;
 allow charger sysfs_battery_supply:file read;
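Review bot: The three `context=` options added in the fstab.qcom hunk only work if init may mount and relabel a filesystem of each target type, and this commit adds that rule for `adsprpcd_file` alone (`allow init adsprpcd_file:filesystem { mount relabelfrom relabelto };` in init.te). Nothing in the diff covers `firmware_file` or `bt_firmware_file`; presumably the shared platform or qcom policy does, but that should be confirmed on a device, because the same commit deletes the per-domain `vfat` rules that previously covered these partitions. A short comment above the three entries would also help, for example `# context= labels every file on the mount with one type; sepolicy relies on these types`.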
diff --git a/sepolicy/cnd.te b/sepolicy/cnd.te deleted file mode 100644 index 9589b02..0000000 --- a/sepolicy/cnd.te +++ /dev/null @@ -1 +0,0 @@ -allow cnd system_data_file:file { getattr ioctl read }; diff --git a/sepolicy/file.te b/sepolicy/file.te index b33eadf..486a6d0 100644 --- a/sepolicy/file.te +++ b/sepolicy/file.te @@ -10,6 +10,7 @@ type sysfs_fingerprint, sysfs_type, fs_type; type sysfs_pcie, sysfs_type, fs_type, mlstrustedobject; type sysfs_wifi, sysfs_type, fs_type, mlstrustedobject; type sysfs_scsi_devices_0000, sysfs_type, fs_type; +type sysfs_doubletap, sysfs_type, fs_type; # /vendor type idc_file, file_type, vendor_file_type; diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts index ce36adc..429d4c4 100644 --- a/sepolicy/file_contexts +++ b/sepolicy/file_contexts @@ -1,6 +1,6 @@ # Binaries -/vendor/bin/init.wlan.sh u:object_r:qti_init_shell_exec:s0 -/vendor/bin/wcg_mac_tool u:object_r:wcg_mac_exec:s0 +/(vendor|system/vendor)/bin/init.wlan.sh u:object_r:qti_init_shell_exec:s0 +/(vendor|system/vendor)/bin/wcg_mac_tool u:object_r:wcg_mac_exec:s0 # Data files /data/fpc(/.*)? u:object_r:fpc_data_file:s0 
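Review bot: In the first file_contexts hunk the two rewritten binary entries leave the dots in `init.wlan.sh` unescaped, so each `.` matches any character, while the HAL entries further down the file escape theirs. For consistency and an exact match the path would read `/(vendor|system/vendor)/bin/init\.wlan\.sh`. The looser pattern is unlikely to matter in practice, but file_contexts entries are regular expressions and an exec label should match only the intended file.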
@@ -12,13 +12,12 @@ /dev/tfa9890 u:object_r:audio_device:s0 # HALs -/vendor/bin/hw/android\.hardware\.light@2\.0-service\.zuk_8996 u:object_r:hal_light_default_exec:s0 -/vendor/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.0-service\.zuk u:object_r:hal_fingerprint_default_exec:s0 +/(vendor|system/vendor)/bin/hw/android\.hardware\.light@2\.0-service\.zuk_8996 u:object_r:hal_light_default_exec:s0 /(vendor|system/vendor)/bin/hw/vendor\.lineage\.touch@1\.0-service\.zuk_8996 u:object_r:hal_lineage_touch_default_exec:s0 # Misc files on /vendor -/vendor/usr/idc(/.*)? u:object_r:idc_file:s0 -/vendor/usr/keylayout(/.*)? u:object_r:keylayout_file:s0 +/(vendor|system/vendor)/usr/idc(/.*)? u:object_r:idc_file:s0 +/(vendor|system/vendor)/usr/keylayout(/.*)? u:object_r:keylayout_file:s0 # Sys files /sys/devices/soc/soc:fpc1020(/.*)? u:object_r:sysfs_fingerprint:s0 diff --git a/sepolicy/genfs_contexts b/sepolicy/genfs_contexts index 989b76b..65f4c90 100644 --- a/sepolicy/genfs_contexts +++ b/sepolicy/genfs_contexts @@ -10,3 +10,4 @@ genfscon sysfs /devices/soc/400f000.qcom,spmi/spmi-0/spmi0-02/400f000.qcom,spmi: genfscon sysfs /devices/soc/400f000.qcom,spmi/spmi-0/spmi0-02/400f000.qcom,spmi:qcom,pmi8994@2:qcom,qpnp-smbcharger/power_supply u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/soc/400f000.qcom,spmi/spmi-0/spmi0-02/400f000.qcom,spmi:qcom,pmi8994@2:bcl@4200/power_supply u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/soc/400f000.qcom,spmi/spmi-0/spmi0-03/400f000.qcom,spmi:qcom,pmi8994@3:qcom,haptics@c000/leds u:object_r:sysfs_leds:s0 +genfscon sysfs /devices/virtual/touch/tp_dev/gesture_on u:object_r:sysfs_doubletap:s0 diff --git a/sepolicy/hal_audio_default.te b/sepolicy/hal_audio_default.te index 8a9e7d8..f841aaa 100644 --- a/sepolicy/hal_audio_default.te +++ b/sepolicy/hal_audio_default.te 
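Review bot: The second file_contexts hunk drops the `hal_fingerprint_default_exec` label for `android\.hardware\.biometrics\.fingerprint@2\.0-service\.zuk` without a replacement, and the commit message does not mention it. hal_fingerprint_default.te is kept by this commit, so the domain is apparently still in use; if the binary still ships and no other file_contexts labels it, it falls back to the generic vendor file label and the service would not enter its own domain. Either keep the entry in the new form, `/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.0-service\.zuk u:object_r:hal_fingerprint_default_exec:s0`, or state in the description where the label now comes from.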
@@ -4,4 +4,3 @@ allow hal_audio_default vendor_data_file:file create_file_perms; allow hal_audio_default vendor_data_file:dir rw_dir_perms; allow hal_audio_default thermal_socket:sock_file write; allow hal_audio_default thermal-engine:unix_stream_socket connectto; -allow hal_audio_default sysfs:dir { open read }; diff --git a/sepolicy/hal_bluetooth_default.te b/sepolicy/hal_bluetooth_default.te index 2ee676b..35da311 100644 --- a/sepolicy/hal_bluetooth_default.te +++ b/sepolicy/hal_bluetooth_default.te @@ -1,6 +1,3 @@ typeattribute hal_bluetooth_default data_between_core_and_vendor_violators; allow hal_bluetooth_default bluetooth_data_file:dir rw_dir_perms; - allow hal_bluetooth_default bluetooth_data_file:file create_file_perms; - -allow hal_bluetooth_default wcnss_filter:unix_stream_socket connectto; diff --git a/sepolicy/hal_bluetooth_qti.te b/sepolicy/hal_bluetooth_qti.te deleted file mode 100644 index 6143159..0000000 --- a/sepolicy/hal_bluetooth_qti.te +++ /dev/null @@ -1,2 +0,0 @@ -allow hal_bluetooth_qti vfat:dir create_dir_perms; -allow hal_bluetooth_qti vfat:file create_file_perms; diff --git a/sepolicy/hal_drm_default.te b/sepolicy/hal_drm_default.te deleted file mode 100644 index 172d7d3..0000000 --- a/sepolicy/hal_drm_default.te +++ /dev/null @@ -1,4 +0,0 @@ -typeattribute hal_drm_default data_between_core_and_vendor_violators; - -allow hal_drm_default media_data_file:dir create_dir_perms; -allow hal_drm_default media_data_file:file create_file_perms; diff --git a/sepolicy/hal_fingerprint_default.te b/sepolicy/hal_fingerprint_default.te index cccf8a6..3f3d799 100644 --- a/sepolicy/hal_fingerprint_default.te +++ b/sepolicy/hal_fingerprint_default.te 
@@ -12,5 +12,3 @@ allow hal_fingerprint_default { fpc_data_file system_data_file }:dir create_dir_
 allow hal_fingerprint_default fpc_data_file:sock_file { create setattr unlink };
 allow hal_fingerprint_default fingerprintd_data_file:dir rw_dir_perms;
 allow hal_fingerprint_default fingerprintd_data_file:file create_file_perms;
-allow hal_fingerprint_default vfat:dir { read search };
-allow hal_fingerprint_default vfat:file { getattr open read setattr };
diff --git a/sepolicy/hal_health_default.te b/sepolicy/hal_health_default.te
deleted file mode 100644
index 64e4b19..0000000
--- a/sepolicy/hal_health_default.te
+++ /dev/null
@@ -1 +0,0 @@
-allow hal_health_default sysfs:file { getattr open read };
diff --git a/sepolicy/hal_light_default.te b/sepolicy/hal_light_default.te
deleted file mode 100644
index 8c63d4c..0000000
--- a/sepolicy/hal_light_default.te
+++ /dev/null
@@ -1 +0,0 @@
-allow hal_light_default sysfs:file rw_file_perms;
diff --git a/sepolicy/hal_perf_default.te b/sepolicy/hal_perf_default.te
index 10fe797..83c9892 100644
--- a/sepolicy/hal_perf_default.te
+++ b/sepolicy/hal_perf_default.te
@@ -1,3 +1,2 @@
 set_prop(hal_perf_default, freq_prop)
-allow hal_perf_default hal_graphics_composer_default:process signull;
 dontaudit hal_perf_default { hal_perf_default self }:capability { dac_override dac_read_search };
diff --git a/sepolicy/hal_power_default.te b/sepolicy/hal_power_default.te
index c6a2a02..9618dac 100644
--- a/sepolicy/hal_power_default.te
+++ b/sepolicy/hal_power_default.te
@@ -1,6 +1,6 @@
-allow hal_power_default sysfs:file rw_file_perms;
 allow hal_power_default sysfs_kgsl:lnk_file { open read write };
 allow hal_power_default sysfs_devfreq:dir search;
 allow hal_power_default sysfs_devfreq:file { open write };
 allow hal_power_default sysfs_kgsl:file { open write };
 allow hal_power_default device_latency:chr_file { open write };
+allow hal_power_default sysfs_doubletap:file { open write };
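Review bot: Relabelling `gesture_on` to `sysfs_doubletap` in genfs_contexts takes the node out of the generic `sysfs` type for every domain, yet the only grant in the diff is `allow hal_power_default sysfs_doubletap:file { open write };` in the hal_power_default.te hunk. Any other reader or writer of that node, possibly the `vendor.lineage.touch` HAL labelled in file_contexts, would now be denied, so the audit log should be checked on a device after boot. A one-line comment above the new rule, such as `# Double tap to wake: /sys/devices/virtual/touch/tp_dev/gesture_on`, would tie the type to its node.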
diff --git a/sepolicy/hal_vibrator_default.te b/sepolicy/hal_vibrator_default.te
deleted file mode 100644
index 1a81647..0000000
--- a/sepolicy/hal_vibrator_default.te
+++ /dev/null
@@ -1 +0,0 @@
-allow hal_vibrator_default sysfs:file { read write };
diff --git a/sepolicy/hwservicemanager.te b/sepolicy/hwservicemanager.te
index 7eaf0e4..fe3d17b 100644
--- a/sepolicy/hwservicemanager.te
+++ b/sepolicy/hwservicemanager.te
@@ -1,3 +1,2 @@
 allow hwservicemanager init:dir search;
 allow hwservicemanager init:file r_file_perms;
-allow hwservicemanager init:process getattr;
diff --git a/sepolicy/ims.te b/sepolicy/ims.te
deleted file mode 100644
index d3fdc76..0000000
--- a/sepolicy/ims.te
+++ /dev/null
@@ -1 +0,0 @@
-allow ims ctl_default_prop:property_service set;
diff --git a/sepolicy/init.te b/sepolicy/init.te
index 8b4e30e..5f80ca1 100644
--- a/sepolicy/init.te
+++ b/sepolicy/init.te
@@ -1,9 +1,7 @@
 allow init { ion_device tee_device }:chr_file ioctl;
 allow init hidl_base_hwservice:hwservice_manager add;
 allow init sysfs_fingerprint:file { open read setattr write };
-allow init sysfs:file setattr;
 allow init tee_device:chr_file write;
 allow init hidl_base_hwservice:hwservice_manager add;
 allow init sysfs_graphics:lnk_file read;
-allow init system_file:file mounton;
-allow init hal_vibrator_default:process noatsecure;
+allow init adsprpcd_file:filesystem { mount relabelfrom relabelto };
diff --git a/sepolicy/installd.te b/sepolicy/installd.te
deleted file mode 100644
index 0195b22..0000000
--- a/sepolicy/installd.te
+++ /dev/null
@@ -1 +0,0 @@
-allow installd adsprpcd_file:filesystem quotaget;
diff --git a/sepolicy/kernel.te b/sepolicy/kernel.te
deleted file mode 100644
index ba628d5..0000000
--- a/sepolicy/kernel.te
+++ /dev/null
@@ -1,2 +0,0 @@
-allow kernel vfat:dir search;
-allow kernel vfat:file open;
diff --git a/sepolicy/location.te b/sepolicy/location.te
deleted file mode 100644
index 642c588..0000000
--- a/sepolicy/location.te
+++ /dev/null
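Review bot: `allow init hidl_base_hwservice:hwservice_manager add;` still appears twice in init.te after this cleanup (the second and fifth context lines of the init.te hunk); the second copy can be dropped. The new `allow init adsprpcd_file:filesystem { mount relabelfrom relabelto };` pairs with the `context=` option on the dsp entry in fstab.qcom, and a comment saying so, such as `# dsp is mounted with context=u:object_r:adsprpcd_file:s0 (fstab.qcom)`, would keep the two from drifting apart.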
@@ -1 +0,0 @@ -allow location location_data_file:sock_file unlink; diff --git a/sepolicy/mediaextractor.te b/sepolicy/mediaextractor.te deleted file mode 100644 index 3e22092..0000000 --- a/sepolicy/mediaextractor.te +++ /dev/null @@ -1 +0,0 @@ -allow mediaextractor sdcardfs:file r_file_perms; diff --git a/sepolicy/mediaprovider.te b/sepolicy/mediaprovider.te deleted file mode 100644 index cd1717a..0000000 --- a/sepolicy/mediaprovider.te +++ /dev/null @@ -1 +0,0 @@ -allow mediaprovider{ cache_private_backup_file cache_recovery_file }:dir r_dir_perms; diff --git a/sepolicy/mm-qcamerad.te b/sepolicy/mm-qcamerad.te index f79c7e4..1100a7b 100644 --- a/sepolicy/mm-qcamerad.te +++ b/sepolicy/mm-qcamerad.te @@ -2,4 +2,3 @@ typeattribute mm-qcamerad data_between_core_and_vendor_violators; allow mm-qcamerad camera_data_file:dir create_dir_perms; allow mm-qcamerad camera_data_file:file create_file_perms; -allow mm-qcamerad vfat:dir search; diff --git a/sepolicy/netd.te b/sepolicy/netd.te index 3df4322..7196642 100644 --- a/sepolicy/netd.te +++ b/sepolicy/netd.te @@ -1,2 +1 @@ -allow netd self:capability sys_resource; allow netd sysfs_net:file rw_file_perms; diff --git a/sepolicy/netutils_wrapper.te b/sepolicy/netutils_wrapper.te new file mode 100644 index 0000000..c5233ee --- /dev/null +++ b/sepolicy/netutils_wrapper.te @@ -0,0 +1 @@ +allow netutils_wrapper netmgrd:socket { read write }; diff --git a/sepolicy/peripheral_manager.te b/sepolicy/peripheral_manager.te deleted file mode 100644 index af7f4bf..0000000 --- a/sepolicy/peripheral_manager.te +++ /dev/null @@ -1,2 +0,0 @@ -allow vendor_per_mgr vfat:dir search; -allow vendor_per_mgr vfat:file { open read }; diff --git a/sepolicy/priv_app.te b/sepolicy/priv_app.te deleted file mode 100644 index cc763ca..0000000 --- a/sepolicy/priv_app.te +++ /dev/null 
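Review bot: The new netutils_wrapper.te adds a grant, `allow netutils_wrapper netmgrd:socket { read write };`, in a commit described as cleanup, with no comment on which denial it answers. If the denial comes from a descriptor that netutils_wrapper merely inherits from netmgrd and never uses (an assumption, the diff does not show it), `dontaudit netutils_wrapper netmgrd:socket { read write };` would silence the log without widening access. Otherwise a comment naming the socket and why the wrapper needs it would make the rule reviewable later.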
@@ -1,12 +0,0 @@ -allow priv_app adsprpcd_file:filesystem getattr; -allow priv_app { asec_apk_file bt_firmware_file cache_private_backup_file cgroup configfs mnt_media_rw_file radio_data_file }:dir r_dir_perms; -allow priv_app { file_contexts_file firmware_file hwservice_contexts_file keylayout_file mac_perms_file nonplat_service_contexts_file proc_interrupts proc_modules proc_stat seapp_contexts_file sepolicy_file service_contexts_file vendor_file vndservice_contexts_file }:file r_file_perms; -allow priv_app hal_memtrack_hwservice:hwservice_manager find; -allow priv_app device:dir open; - -binder_call(priv_app, hal_memtrack_default); - -# Clean up logspam -dontaudit priv_app device:dir read; -dontaudit priv_app proc_interrupts:file read; -dontaudit priv_app proc_modules:file read; diff --git a/sepolicy/qti_init_shell.te b/sepolicy/qti_init_shell.te index 64ab2bc..cc3ba68 100644 --- a/sepolicy/qti_init_shell.te +++ b/sepolicy/qti_init_shell.te @@ -1,7 +1,4 @@ -allow qti_init_shell sysfs:file write; allow qti_init_shell vendor_radio_data_file:dir { getattr open read search setattr }; -allow qti_init_shell vfat:file { getattr open read setattr }; -allow qti_init_shell vfat:dir { open read search }; allow qti_init_shell file_contexts_file:file { getattr open read }; # Allow qti_init_shell to fully access wlan_mac.bin persist file diff --git a/sepolicy/rmt_storage.te b/sepolicy/rmt_storage.te deleted file mode 100644 index 69b2634..0000000 --- a/sepolicy/rmt_storage.te +++ /dev/null @@ -1,2 +0,0 @@ -allow rmt_storage debugfs_rmt:dir search; -allow rmt_storage debugfs_rmt:file rw_file_perms; diff --git a/sepolicy/system_app.te b/sepolicy/system_app.te index c0c4408..5fe4bd9 100644 --- a/sepolicy/system_app.te +++ b/sepolicy/system_app.te 
@@ -3,6 +3,3 @@ allow system_app sysfs_fingerprint:dir search; allow system_app shell_prop:property_service set; binder_call(system_app, wificond); - -dontaudit system_app netd_service:service_manager find; -dontaudit system_app installd_service:service_manager find; diff --git a/sepolicy/system_server.te b/sepolicy/system_server.te index 6784b22..6d95c6d 100644 --- a/sepolicy/system_server.te +++ b/sepolicy/system_server.te @@ -1,6 +1,4 @@ allow system_server vendor_alarm_boot_prop:file r_file_perms; -allow system_server install_data_file:file getattr; -allow system_server zygote:process getpgid; allow system_server sysfs_vibrator:file read; # /vendor/usr/keylayout diff --git a/sepolicy/ueventd.te b/sepolicy/ueventd.te deleted file mode 100644 index 39b21e5..0000000 --- a/sepolicy/ueventd.te +++ /dev/null @@ -1,2 +0,0 @@ -allow ueventd vfat:dir search; -allow ueventd vfat:file r_file_perms; diff --git a/sepolicy/untrusted_app.te b/sepolicy/untrusted_app.te deleted file mode 100644 index 8aeb709..0000000 --- a/sepolicy/untrusted_app.te +++ /dev/null @@ -1,2 +0,0 @@ -dontaudit untrusted_app_all sysfs_zram:dir search; -dontaudit untrusted_app_all sysfs_zram:file r_file_perms; diff --git a/sepolicy/vendor_init.te b/sepolicy/vendor_init.te index 8042ec2..d64d798 100644 --- a/sepolicy/vendor_init.te +++ b/sepolicy/vendor_init.te @@ -2,17 +2,12 @@ typeattribute vendor_init data_between_core_and_vendor_violators; allow vendor_init { camera_data_file - cnd_data_file fpc_data_file media_rw_data_file - rootfs system_data_file time_data_file thermal_data_file tombstone_data_file }:dir create_dir_perms; -allow vendor_init media_rw_data_file:{ dir file } getattr; -allow vendor_init media_rw_data_file:file relabelfrom; allow vendor_init device:file create_file_perms; -allow vendor_init sysfs:file write; diff --git a/sepolicy/wcnss_service.te b/sepolicy/wcnss_service.te index 340658d..35908ad 100644 --- a/sepolicy/wcnss_service.te +++ b/sepolicy/wcnss_service.te 
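Review bot: `allow vendor_init device:file create_file_perms;` survives the cleanup in the vendor_init.te hunk although the neighbouring `sysfs:file write` grant and the `rootfs` entry are removed. It lets vendor_init create and modify regular files carrying the generic `device` label, which is broader than the per-type grants the rest of this commit moves toward. If nothing on this device needs it, it is a candidate for removal in the same pass; if something does, a comment naming the path would justify keeping it.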
@@ -1,4 +1,2 @@
-allow wcnss_service sysfs_pcie:dir search;
-allow wcnss_service sysfs_pcie:file rw_file_perms;
-allow wcnss_service sysfs_wifi:dir search;
-allow wcnss_service sysfs_wifi:file rw_file_perms;
+allow wcnss_service { sysfs_pcie sysfs_wifi }:dir search;
+allow wcnss_service { sysfs_pcie sysfs_wifi }:file rw_file_perms;
diff --git a/sepolicy/webview_zygote.te b/sepolicy/webview_zygote.te
deleted file mode 100644
index c8a7ec2..0000000
--- a/sepolicy/webview_zygote.te
+++ /dev/null
@@ -1 +0,0 @@
-allow webview_zygote zygote:unix_dgram_socket write;
-- cgit v1.2.3