From 16db6a4456d01a633d29632ae25e8a2e2907ae56 Mon Sep 17 00:00:00 2001
From: sabarop
Date: Sat, 15 Oct 2022 09:49:18 +0700
Subject: [PATCH] sdm660-common: sepolicy: address multiple denials
Signed-off-by: pix106
---
 sepolicy/vendor/gmscore_app.te | 2 ++
 sepolicy/vendor/hal_camera_default.te | 1 +
 sepolicy/vendor/property_contexts | 3 +++
 sepolicy/vendor/ueventd.te | 1 +
 sepolicy/vendor/untrusted_app.te | 3 +++
 sepolicy/vendor/vendor_init.te | 1 +
 sepolicy/vendor/wcnss_service.te | 1 +
 7 files changed, 12 insertions(+)
 create mode 100644 sepolicy/vendor/untrusted_app.te
diff --git a/sepolicy/vendor/gmscore_app.te b/sepolicy/vendor/gmscore_app.te
index 7e1617c2..0b453cd2 100644
--- a/sepolicy/vendor/gmscore_app.te
+++ b/sepolicy/vendor/gmscore_app.te
@@ -6,3 +6,5 @@ allow gmscore_app adsprpcd_file:dir{ search };
 allow gmscore_app exported_camera_prop:file { read open getattr };
 allow gmscore_app traced_producer_socket:sock_file { write };
 allow gmscore_app traced:unix_stream_socket { connectto };
+allow gmscore_app zygote:unix_stream_socket getopt;
+
diff --git a/sepolicy/vendor/hal_camera_default.te b/sepolicy/vendor/hal_camera_default.te
index 306e90ef..7994493a 100644
--- a/sepolicy/vendor/hal_camera_default.te
+++ b/sepolicy/vendor/hal_camera_default.te
@@ -12,6 +12,7 @@ allow hal_camera_default diag_device:chr_file rw_file_perms;
 allow hal_camera_default mnt_vendor_file:dir search;
 allow hal_camera_default sysfs:file { getattr open read };
 allow hal_camera_default self:socket { read write };
+allow hal_camera_default vendor_default_prop:file read;
 r_dir_file(hal_camera_default, sysfs_kgsl)
diff --git a/sepolicy/vendor/property_contexts b/sepolicy/vendor/property_contexts
index b0f846d2..b4899aed 100644
--- a/sepolicy/vendor/property_contexts
+++ b/sepolicy/vendor/property_contexts
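Review bot: The new `allow gmscore_app zygote:unix_stream_socket getopt;` carries no record of the denial it answers, and the hunk also appends an empty `+` line after it, leaving a trailing blank line at the end of gmscore_app.te. getopt on a zygote-owned unix_stream_socket permits getsockopt() on a socket gmscore_app did not create itself, presumably one inherited across the zygote fork — worth confirming from the denial's comm= and the socket's path/ino before treating it as routine. I'd drop the blank line and precede the rule with the denial it resolves, e.g. `# avc: denied { getopt } ... tcontext=u:r:zygote:s0 tclass=unix_stream_socket`, so the grant can be re-evaluated later. The same rule is added for untrusted_app_* elsewhere in this patch; if the trigger is shared, one comment explaining the source would serve both.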
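Review bot: `allow hal_camera_default vendor_default_prop:file read;` grants a lone `read`, while property reads elsewhere in this policy go through the `get_prop()` macro (see `get_prop(vendor_init, hal_fingerprint_prop)` in the vendor_init.te hunk of this same patch), which grants the full r_file_perms set a property-area read needs; a bare `read` is likely to resurface as further denials and is inconsistent with the macro style this file already uses (`r_dir_file(hal_camera_default, sysfs_kgsl)` just below). Replace it with `get_prop(hal_camera_default, vendor_default_prop)`. vendor_default_prop is also the catch-all label for every otherwise-unlabelled vendor property, so if the HAL needs one specific property, giving that property its own type in property_contexts would keep the grant narrow — which property triggered the denial isn't visible in the hunk.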
@@ -65,6 +65,9 @@ persist.service.folio_daemon u:object_r:system_prop:s0
 # Hardware
 ro.hardware.chipname u:object_r:exported_default_prop:s0
+ro.board.variant u:object_r:exported_default_prop:s0
+ro.hwversion u:object_r:exported_default_prop:s0
+persist.vendor.slm.enable u:object_r:exported_default_prop:s0
 # Media
 gpu.stats.debug.level u:object_r:vendor_default_prop:s0
diff --git a/sepolicy/vendor/ueventd.te b/sepolicy/vendor/ueventd.te
index 9d1e2181..bd218d01 100644
--- a/sepolicy/vendor/ueventd.te
+++ b/sepolicy/vendor/ueventd.te
@@ -2,3 +2,4 @@ allow ueventd hall_dev:dir r_dir_perms;
 allow ueventd hall_dev:file rw_file_perms;
 allow ueventd hall_dev:lnk_file r_file_perms;
 allow ueventd metadata_file:dir search;
+allow ueventd ueventd:capability kill;
diff --git a/sepolicy/vendor/untrusted_app.te b/sepolicy/vendor/untrusted_app.te
new file mode 100644
index 00000000..edc33614
--- /dev/null
+++ b/sepolicy/vendor/untrusted_app.te
@@ -0,0 +1,3 @@
+allow untrusted_app_25 zygote:unix_stream_socket getopt;
+allow untrusted_app_29 zygote:unix_stream_socket getopt;
+allow untrusted_app_30 zygote:unix_stream_socket getopt;
diff --git a/sepolicy/vendor/vendor_init.te b/sepolicy/vendor/vendor_init.te
index 1e9f905a..977ad233 100644
--- a/sepolicy/vendor/vendor_init.te
+++ b/sepolicy/vendor/vendor_init.te
@@ -10,6 +10,7 @@ allow vendor_init tee_device:chr_file getattr;
 allow vendor_init persist_file:lnk_file r_file_perms;
 allow vendor_init proc:file w_file_perms;
 allow vendor_init proc_sched_energy_aware:file w_file_perms;
+allow vendor_init cache_file:dir search;
 get_prop(vendor_init, hal_fingerprint_prop)
diff --git a/sepolicy/vendor/wcnss_service.te b/sepolicy/vendor/wcnss_service.te
index 857ed911..20c4e0f9 100644
--- a/sepolicy/vendor/wcnss_service.te
+++ b/sepolicy/vendor/wcnss_service.te
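Review bot: `persist.vendor.slm.enable` is a vendor-namespace property but is given the system-defined `exported_default_prop` label, the same as the two `ro.` hardware properties above it; this file already labels a vendor property with `vendor_default_prop` (`gpu.stats.debug.level` in the context below), and as far as I recall the policy build on recent releases expects vendor-prefixed properties to carry a vendor property type, which a system type may not satisfy. exported_default_prop is also among the most widely readable labels, so a narrower, purpose-specific vendor type for the slm property would be the safer default — which domain reads or sets it isn't visible here. Please record the consumer above the new entries, e.g. `# persist.vendor.slm.enable: read by <domain> (avc: denied ... name=persist.vendor.slm.enable)`, so the label choice can be justified later.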
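Review bot: `allow ueventd ueventd:capability kill;` names the domain as its own target, which this policy otherwise writes as `self` (cf. `allow hal_camera_default self:socket { read write };` in the same patch); use `allow ueventd self:capability kill;`. CAP_KILL lets ueventd signal processes running under other UIDs, which is not something a device-node manager normally needs, so the rule deserves a comment naming the process it signals — if the denial comes from ueventd's own child handlers the capability may be masking a different root cause. Nothing in the hunk shows what prompted it.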
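Review bot: The new file grants `zygote:unix_stream_socket getopt` to untrusted_app_25, untrusted_app_29 and untrusted_app_30 only; the base `untrusted_app` domain (apps targeting the current SDK) and `untrusted_app_27` are left out, so if the denial is triggered by the shared zygote socket rather than by an SDK-specific code path those apps will keep hitting it. Either the set is deliberately limited — then a comment saying which targetSdk levels were actually observed would stop the next person from "completing" it — or the rule belongs on all of them. Granting untrusted apps getsockopt() on a zygote-owned socket is a small but real information surface, so the denial line (comm=, and the socket's path/ino if any) should be recorded above the rules; neverallow coverage is checked by the policy build, so this is a request for the rationale rather than for a different rule.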
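Review bot: `allow vendor_init cache_file:dir search;` lets vendor init scripts traverse `/cache`, a system-owned partition that vendor .rc files are not expected to reference under the Treble split; `search` alone only satisfies a path lookup, so whatever the rc line does there (mkdir/chmod/write) will produce the next denial and widen the grant further. Find the vendor rc line that names a `/cache/...` path and point it at a vendor-owned location (`/data/vendor/...` or `/mnt/vendor/persist/...`) instead of extending vendor_init's reach into core data — if the path is genuinely required, document it above the rule, e.g. `# <rc file>: <command> /cache/<path>`. vendor_init's rules continue past the end of this hunk.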
@@ -3,3 +3,4 @@ allow wcnss_service proc_net:file r_file_perms;
 allow wcnss_service sysfs:file r_file_perms;
 allow wcnss_service sysfs_net:dir search;
 allow wcnss_service vendor_shell_exec:file { x_file_perms execute_no_trans };
+allow wcnss_service rootfs:dir { read write open };
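Review bot: `allow wcnss_service rootfs:dir { read write open };` grants `write` on rootfs-labelled directories — the root of the filesystem — to a vendor daemon; a read-only rootfs would refuse the write anyway, but the policy should not declare it permitted. `write` on a dir without `add_name`/`remove_name` cannot complete a file creation, so the denial this answers is almost certainly the first of a chain from wcnss_service trying to create or modify something under `/`; look up the `path=`/`name=` in the denial and fix that path (e.g. under `/data/vendor/wifi` or the persist mount) rather than granting write here. Keep at most `allow wcnss_service rootfs:dir { read open search };` if it only needs to list the directory, with a comment giving the reason. wcnss_service already executes vendor shell scripts (`vendor_shell_exec` context line above), so the offending write may originate in one of those.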