sdm660-common: sepolicy: Label more sepolicies for k4.19

Signed-off-by: clarencelol <clarencekuiek@icloud.com> Signed-off-by: pix106 <sbordenave@gmail.com>
2021-11-30 21:14:50 +08:00 · 2021-11-30 21:14:50 +08:00 · 10087c76b8
commit 10087c76b8
parent 9730b3c65c
27 changed files with 57 additions and 1 deletions
--- a/sepolicy/private/mediaprovider_app.te
+++ b/sepolicy/private/mediaprovider_app.te
@ -0,0 +1,2 @@
+allow mediaprovider_app rootfs:dir { read };
+allow mediaprovider_app rootfs:file { getattr };
--- a/sepolicy/private/system_server.te
+++ b/sepolicy/private/system_server.te
@ -4,3 +4,4 @@ get_prop(system_server, vendor_persist_camera_prop)

 get_prop(system_server, userspace_reboot_config_prop)
 get_prop(system_server, userspace_reboot_exported_prop)
+get_prop(system_server, exported_camera_prop)
--- a/sepolicy/vendor/app.te
+++ b/sepolicy/vendor/app.te
@ -5,3 +5,4 @@ allow { appdomain -isolated_app } adsprpcd_file:dir r_dir_perms;
 allow { appdomain -isolated_app } public_adsprpcd_file:file r_file_perms;

 get_prop(appdomain, exported_camera_prop)
+get_prop(appdomain, vendor_persist_camera_prop)
--- a/sepolicy/vendor/fsck_untrusted.te
+++ b/sepolicy/vendor/fsck_untrusted.te
@ -0,0 +1 @@
+allow fsck_untrusted sysfs:file { getattr };
--- a/sepolicy/vendor/hal_audio_default.te
+++ b/sepolicy/vendor/hal_audio_default.te
@ -8,3 +8,10 @@ set_prop(hal_audio_default, dirac_prop)

 set_prop(hal_audio_default, vendor_audio_prop)
 get_prop(hal_audio_default, vendor_audio_prop)
+
+allow hal_audio_default audio_device:dir r_dir_perms;
+
+allow hal_audio_default init:unix_stream_socket connectto;
+
+allow hal_audio_default vendor_data_file:dir { create write add_name };
+allow hal_audio_default vendor_data_file:file { append create getattr open read };
--- a/sepolicy/vendor/hal_dpmQmiMgr.te
+++ b/sepolicy/vendor/hal_dpmQmiMgr.te
@ -0,0 +1 @@
+allow hal_dpmQmiMgr sysfs:file { open  read };
--- a/sepolicy/vendor/hal_graphics_composer_default.te
+++ b/sepolicy/vendor/hal_graphics_composer_default.te
@ -0,0 +1,5 @@
+allow hal_graphics_composer_default diag_device:chr_file { read };
+allow hal_graphics_composer_default sysfs_graphics:file r_file_perms;
+allow hal_graphics_composer_default sysfs:file rw_file_perms;
+allow hal_graphics_composer_default sysfs_graphics:lnk_file read;
+allow hal_graphics_composer_default self:netlink_kobject_uevent_socket { read };
--- a/sepolicy/vendor/hal_imsrtp.te
+++ b/sepolicy/vendor/hal_imsrtp.te
@ -0,0 +1 @@
+allow hal_imsrtp diag_device:chr_file { read };
--- a/sepolicy/vendor/hal_sensors_default.te
+++ b/sepolicy/vendor/hal_sensors_default.te
@ -1,5 +1,6 @@
 allow hal_sensors_default audio_socket:sock_file rw_file_perms;
 allow hal_sensors_default sysfs_info:file { read write };
+allow hal_sensors_default diag_device:chr_file { read };

 unix_socket_connect(hal_sensors_default, audio, hal_audio_default)
 set_prop(hal_sensors_default, camera_prop)
--- a/sepolicy/vendor/hal_vibrator_default.te
+++ b/sepolicy/vendor/hal_vibrator_default.te
@ -0,0 +1,2 @@
+allow hal_vibrator_default sysfs_leds:file { read write open getattr };
+allow hal_vibrator_default sysfs:file { write open read getattr };
--- a/sepolicy/vendor/hvdcp.te
+++ b/sepolicy/vendor/hvdcp.te
@ -1 +1,2 @@
 allow hvdcp vendor_sysfs_hvdcp:file r_file_perms;
+allow hvdcp sysfs:file { open  read };
--- a/sepolicy/vendor/ims.te
+++ b/sepolicy/vendor/ims.te
@ -0,0 +1,2 @@
+allow ims sysfs:file { open  read };
+allow ims diag_device:chr_file { read };
--- a/sepolicy/vendor/init.te
+++ b/sepolicy/vendor/init.te
@ -14,3 +14,9 @@ allow init {
 allow init firmware_file:filesystem { getattr };
 allow init bt_firmware_file:filesystem { getattr };
 allow init apex_metadata_file:lnk_file { read };
+
+# Vibrator
+allow init sysfs_leds: file { rw_file_perms };
+
+allow init sysfs:file { setattr };
+allow init debugfs_tracing_debug:dir { mounton };
--- a/sepolicy/vendor/ipacm-diag.te
+++ b/sepolicy/vendor/ipacm-diag.te
@ -0,0 +1 @@
+allow ipacm-diag diag_device:chr_file { read };
--- a/sepolicy/vendor/ipacm.te
+++ b/sepolicy/vendor/ipacm.te
@ -0,0 +1 @@
+allow ipacm ipacm_socket:sock_file { write };
--- a/sepolicy/vendor/netmgrd.te
+++ b/sepolicy/vendor/netmgrd.te
@ -1 +1,8 @@
+allow netmgrd init:unix_stream_socket { connectto };
+allow netmgrd property_socket:sock_file { write };
+allow netmgrd sysfs:file { open  read };
+allow netmgrd vendor_data_ko_prop:property_service { set };
+allow netmgrd vendor_default_prop:property_service { set };
+allow netmgrd diag_device:chr_file { read };
+
 set_prop(netmgrd, vendor_radio_prop)
--- a/sepolicy/vendor/port-bridge.te
+++ b/sepolicy/vendor/port-bridge.te
@ -0,0 +1 @@
+allow port-bridge sysfs:file { open  read };
--- a/sepolicy/vendor/proc_net.te
+++ b/sepolicy/vendor/proc_net.te
@ -0,0 +1 @@
+allow proc_net proc:filesystem { associate };
--- a/sepolicy/vendor/qti_init_shell.te
+++ b/sepolicy/vendor/qti_init_shell.te
@ -1,3 +1,8 @@
+typeattribute qti_init_shell data_between_core_and_vendor_violators;
+
+allow qti_init_shell vendor_radio_data_file:dir rw_dir_perms;;
+allow qti_init_shell vendor_radio_data_file:file create_file_perms;
+allow qti_init_shell system_data_file:dir rw_dir_perms;
 allow qti_init_shell ctl_start_prop:property_service set;
 allow qti_init_shell ctl_stop_prop:property_service set;
 allow qti_init_shell self:perf_event cpu;
@ -9,4 +14,6 @@ allow qti_init_shell system_prop:property_service { set };
 dontaudit qti_init_shell system_prop:property_service set;
 dontaudit qti_init_shell self:capability { dac_override dac_read_search };

+set_prop(qti_init_shell, debug_prop);
+set_prop(qti_init_shell, radio_prop);
 get_prop(vendor_qti_init_shell, radio_control_prop)
--- a/sepolicy/vendor/rmt_storage.te
+++ b/sepolicy/vendor/rmt_storage.te
@ -0,0 +1 @@
+allow rmt_storage sysfs:file { open  read };
--- a/sepolicy/vendor/sensors.te
+++ b/sepolicy/vendor/sensors.te
@ -0,0 +1 @@
+allow sensors diag_device:chr_file { read };
--- a/sepolicy/vendor/vendor_dpmd.te
+++ b/sepolicy/vendor/vendor_dpmd.te
@ -0,0 +1 @@
+allow vendor_dpmd diag_device:chr_file { read };
--- a/sepolicy/vendor/vendor_init.te
+++ b/sepolicy/vendor/vendor_init.te
@ -12,5 +12,6 @@ allow vendor_init proc:file w_file_perms;
 get_prop(vendor_init, hal_fingerprint_prop)

 set_prop(vendor_init, camera_prop)
+set_prop(vendor_init, vendor_persist_camera_prop)
 set_prop(vendor_init, vendor_freq_prop)
 set_prop(vendor_init, vendor_power_prop)
--- a/sepolicy/vendor/vendor_per_mgr.te
+++ b/sepolicy/vendor/vendor_per_mgr.te
@ -0,0 +1 @@
+allow vendor_per_mgr sysfs:file { open  read };
--- a/sepolicy/vendor/vold.te
+++ b/sepolicy/vendor/vold.te
@ -1,2 +1,3 @@
 allow vold sysfs_mmc_host:file write;
+allow vold sysfs_mmc_host:file create_file_perms;
 allow vold vendor_apex_file:file { getattr };
--- a/sepolicy/vendor/wcnss_service.te
+++ b/sepolicy/vendor/wcnss_service.te
@ -2,4 +2,4 @@ allow wcnss_service kmsg_device:chr_file w_file_perms;
 allow wcnss_service proc_net:file r_file_perms;
 allow wcnss_service sysfs:file r_file_perms;
 allow wcnss_service sysfs_net:dir search;
-allow wcnss_service vendor_shell_exec:file x_file_perms;
+allow wcnss_service vendor_shell_exec:file { x_file_perms execute_no_trans };
--- a/sepolicy/vendor/zygote.te
+++ b/sepolicy/vendor/zygote.te
@ -1,3 +1,4 @@
 allow zygote exported_camera_prop:file { open read getattr write };

 get_prop(zygote, exported_camera_prop)
+allow zygote unlabeled:dir { search };
				`@ -0,0 +1 @@`
				`allow fsck_untrusted sysfs:file { getattr };`
				`@ -0,0 +1 @@`
				`allow hal_dpmQmiMgr sysfs:file { open read };`
				`@ -0,0 +1 @@`
				`allow hal_imsrtp diag_device:chr_file { read };`
				`@ -0,0 +1 @@`
				`allow ipacm-diag diag_device:chr_file { read };`
				`@ -0,0 +1 @@`
				`allow ipacm ipacm_socket:sock_file { write };`
				`@ -0,0 +1 @@`
				`allow proc_net proc:filesystem { associate };`
				`@ -0,0 +1 @@`
				`allow sensors diag_device:chr_file { read };`
				`@ -0,0 +1 @@`
				`allow vendor_dpmd diag_device:chr_file { read };`
				`@ -0,0 +1 @@`
				`allow vendor_per_mgr sysfs:file { open read };`