kunlun2: addressed some denials

2021-02-15 15:35:27 +01:00 · 2021-02-15 15:35:27 +01:00 · e0a7933eff
commit e0a7933eff
parent 6ab15e1726
15 changed files with 78 additions and 1 deletions
--- a/sepolicy/private/app.te
+++ b/sepolicy/private/app.te
@ -1,2 +1,4 @@
 # Allow appdomain to get vendor_camera_prop
 get_prop(appdomain, vendor_camera_prop)
+
+get_prop(appdomain, vendor_default_prop)
--- a/sepolicy/private/dontaudit.te
+++ b/sepolicy/private/dontaudit.te
@ -0,0 +1 @@
+dontaudit gmscore_app firmware_file:filesystem getattr;
--- a/sepolicy/private/file.te
+++ b/sepolicy/private/file.te
@ -2,6 +2,7 @@ type adsprpcd_file, file_type;
 type bt_firmware_file, file_type;
 type firmware_file, file_type;
 type persist_file, file_type;
+type sensors_persist_file, file_type;
 type proc_touchpanel, fs_type, proc_type;
 type sysfs_graphics, sysfs_type, fs_type;
 type sysfs_devfreq, sysfs_type, fs_type;
--- a/sepolicy/private/file_contexts
+++ b/sepolicy/private/file_contexts
@ -1,6 +1,9 @@
 # Data files
 /data/display(/.*)?                 u:object_r:display_data_file:s0

+# Dev nodes
+/dev/diag                           u:object_r:diag_device:s0
+
 # Files in rootfs
 /bt_firmware(/.*)?       u:object_r:bt_firmware_file:s0
 /dsp(/.*)?               u:object_r:adsprpcd_file:s0
@ -12,6 +15,12 @@
 /system/bin/hw/lineage\.livedisplay@2\.0-service-sdm                                         u:object_r:shal_livedisplay_default_exec:s0
 /(product|system/product)/vendor_overlay/[0-9]+/bin/hw/android\.hardware\.light@2\.0-service u:object_r:hal_light_default_exec:s0

+# IMS
+/vendor/bin/imsdatadaemon            u:object_r:ims_exec:s0
+
+# Thermal config
+/(system|system/vendor)/etc/thermal-engine.conf   u:object_r:vendor_configs_file:s0
+
 # Touch
 /sys/class/touch/tp_dev/gesture_on  u:object_r:sysfs_tp:s0

--- a/sepolicy/private/hal_audio.te
+++ b/sepolicy/private/hal_audio.te
@ -1 +1,8 @@
+allow hal_audio diag_device:chr_file rw_file_perms;
+
+allow hal_audio sysfs:dir read;
+
 allow hal_audio hal_power_pixel:binder call;
+
+get_prop(hal_audio, default_prop)
+get_prop(hal_audio, audio_prop)
--- a/sepolicy/private/hal_bluetooth.te
+++ b/sepolicy/private/hal_bluetooth.te
@ -1 +1,2 @@
 allow hal_bluetooth vendor_fm_app:binder call;
+allow hal_bluetooth diag_device:chr_file rw_file_perms;
--- a/sepolicy/private/hal_camera.te
+++ b/sepolicy/private/hal_camera.te
@ -0,0 +1,2 @@
+get_prop(hal_camera, system_prop)
+get_prop(hal_camera, default_prop)
--- a/sepolicy/private/ims.te
+++ b/sepolicy/private/ims.te
@ -0,0 +1,7 @@
+type ims, domain;
+type ims_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(ims)
+net_domain(ims)
+
+allow ims diag_device:chr_file rw_file_perms;
--- a/sepolicy/private/init.te
+++ b/sepolicy/private/init.te
@ -7,3 +7,10 @@ allow init vendor_configs_file:file mounton;

 # Allow init to mount vendor overlay
 allow init vendor_overlay_file:dir mounton;
+
+allow init self:netlink_generic_socket read;
+
+allow init sysfs:file rw_file_perms;
+allow init sysfs_tp:file setattr;
+
+allow init vendor_file:file execute;
--- a/sepolicy/private/property.te
+++ b/sepolicy/private/property.te
@ -1,3 +1,5 @@
 type vendor_camera_prop, property_type;
 type vendor_display_prop, property_type;
 type vendor_power_prop, property_type;
+type vendor_ssr_prop, property_type;
+type vendor_cap_configstore_dbg_prop, property_type;
--- a/sepolicy/private/property_contexts
+++ b/sepolicy/private/property_contexts
@ -2,3 +2,4 @@ vendor.powerhal.state      u:object_r:vendor_power_prop:s0
 vendor.powerhal.audio      u:object_r:vendor_power_prop:s0
 vendor.powerhal.init       u:object_r:vendor_power_prop:s0
 vendor.powerhal.rendering  u:object_r:vendor_power_prop:s0
+ro.vendor.fm.use_audio_session     u:object_r:vendor_default_prop:s0
--- a/sepolicy/private/qti_init_shell.te
+++ b/sepolicy/private/qti_init_shell.te
@ -2,3 +2,21 @@ type qti_init_shell, domain;

 allow qti_init_shell sysfs_io_sched_tuneable:file w_file_perms;
 dontaudit qti_init_shell self:capability { dac_override dac_read_search };
+
+allow qti_init_shell configfs:dir create_dir_perms;
+allow qti_init_shell configfs:file create_file_perms;
+allow qti_init_shell configfs:lnk_file create_file_perms;
+
+allow qti_init_shell persist_file:lnk_file read;
+
+allow qti_init_shell sensors_persist_file:fifo_file create_file_perms;
+
+allow qti_init_shell shell_exec:file rx_file_perms;
+
+allow qti_init_shell sysfs:file setattr;
+allow qti_init_shell sysfs_leds:file setattr;
+
+allow qti_init_shell toolbox_exec:file rx_file_perms;
+allow qti_init_shell vendor_file:file entrypoint;
+
+get_prop(qti_init_shell, default_prop)
--- a/sepolicy/private/ssr_setup.te
+++ b/sepolicy/private/ssr_setup.te
@ -0,0 +1,7 @@
+type vendor_ssr_setup, domain;
+type vendor_ssr_setup_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(vendor_ssr_setup);
+
+allow vendor_ssr_setup sysfs:file rw_file_perms;
+
+get_prop(vendor_ssr_setup, vendor_ssr_prop)
--- a/sepolicy/private/system_server.te
+++ b/sepolicy/private/system_server.te
@ -1,2 +1,5 @@
-get_prop(system_server, vendor_camera_prop)
 allow system_server hal_power_pixel:binder call;
+
+allow system_server sysfs:file read;
+
+get_prop(system_server, vendor_camera_prop)
--- a/sepolicy/private/vendor_init.te
+++ b/sepolicy/private/vendor_init.te
@ -2,3 +2,12 @@ typeattribute vendor_init data_between_core_and_vendor_violators;

 # Allow vendor_init to check encryption status of system_data_file
 allow vendor_init system_data_file:dir { ioctl open read setattr };
+
+allow vendor_init block_device:lnk_file setattr;
+
+allow vendor_init persist_file:lnk_file read;
+
+get_prop(vendor_init, default_prop)
+get_prop(vendor_init, persist_debug_prop)
+
+set_prop(vendor_init, default_prop)
				`@ -0,0 +1 @@`
				`dontaudit gmscore_app firmware_file:filesystem getattr;`