From 5351cc35f9c1e1a509e3f8510adf6f3073efb50d Mon Sep 17 00:00:00 2001
From: OdSazib
Date: Fri, 16 Jul 2021 14:41:24 +0600
Subject: [PATCH] sdm66-common: sepolicy: Fix labeling sysfs nodes for K4.19

- Address more denials and label some new nodes

Signed-off-by: OdSazib
---
 sepolicy/private/system_suspend.te | 1 +
 sepolicy/vendor/file_contexts | 74 +++++++++++-----------
 sepolicy/vendor/genfs_contexts | 10 +++
 sepolicy/vendor/hal_power_stats_default.te | 3 +-
 sepolicy/vendor/init.te | 1 +
 sepolicy/vendor/qti_init_shell.te | 2 +
 sepolicy/vendor/ueventd.te | 1 +
 sepolicy/vendor/vendor_init.te | 1 +
 8 files changed, 55 insertions(+), 38 deletions(-)
 create mode 100644 sepolicy/vendor/ueventd.te

diff --git a/sepolicy/private/system_suspend.te b/sepolicy/private/system_suspend.te
index 21ff8c68..4799b06d 100644
--- a/sepolicy/private/system_suspend.te
+++ b/sepolicy/private/system_suspend.te
@@ -1,3 +1,4 @@
 # To resolve arbitrary sysfs paths from /sys/class/wakeup/* symlinks.
 allow system_suspend sysfs_type:dir r_dir_perms;
+allow system_suspend sysfs_wakeup:file r_file_perms;
 dontaudit system_suspend sysfs:file r_file_perms;
diff --git a/sepolicy/vendor/file_contexts b/sepolicy/vendor/file_contexts
index 9dd2411f..4e40e539 100644
--- a/sepolicy/vendor/file_contexts
+++ b/sepolicy/vendor/file_contexts
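Review bot: The comment above the new `allow system_suspend sysfs_wakeup:file r_file_perms;` still describes only the directory search on `sysfs_type:dir`, so a reader cannot tell why file read on `sysfs_wakeup` is needed next to the `dontaudit` on generic `sysfs:file` that follows. Suggest extending it to `# Resolve /sys/class/wakeup/* symlinks and read the wakeup-source attributes they point to (sysfs_wakeup); reads of still-unlabeled sysfs nodes are silenced below rather than granted.` This file lives under sepolicy/private next to platform policy for a core domain; if the platform policy of the targeted Android release already carries this rule, the duplicate can be dropped.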
@@ -1,79 +1,79 @@
 # Amplifier
-/(vendor|system/vendor)/bin/tinymix u:object_r:vendor_tinyalsa_exec:s0
+/(vendor|system/vendor)/bin/tinymix u:object_r:vendor_tinyalsa_exec:s0
 # Biometric
-/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.xiaomi_sdm660 u:object_r:hal_fingerprint_sdm660_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.xiaomi_sdm660 u:object_r:hal_fingerprint_sdm660_exec:s0
-# Biometric
-/data/misc/camera u:object_r:camera_data_file:s0
+# Camera
+/data/misc/camera u:object_r:camera_data_file:s0
 # blkio
-/dev/blkio(/.*)? u:object_r:blkio_dev:s0
-/dev/blkio/background(/.*)? u:object_r:blkio_dev:s0
+/dev/blkio(/.*)? u:object_r:blkio_dev:s0
+/dev/blkio/background(/.*)? u:object_r:blkio_dev:s0
 # CNE
-/(vendor|system/vendor)/bin/mutualex u:object_r:vendor_mutualex_exec:s0
-
-# Debug
-/sys/kernel/debug/mmc0/mmc0:0001/ext_csd u:object_r:debugfs_mmc:s0
+/(vendor|system/vendor)/bin/mutualex u:object_r:vendor_mutualex_exec:s0
 # Executables
-/vendor/bin/sh u:object_r:vendor_shell_exec:s0
+/vendor/bin/sh u:object_r:vendor_shell_exec:s0
 # Fingerprint
-/data/gf_data(/.*)? u:object_r:fingerprintd_data_file:s0
-/data/vendor/fpc(/.*)? u:object_r:fingerprint_vendor_data_file:s0
-/data/vendor/gf_data(/.*)? u:object_r:fingerprint_vendor_data_file:s0
-/data/vendor/goodix(/.*)? u:object_r:fingerprint_vendor_data_file:s0
-/dev/goodix_fp u:object_r:fingerprint_device:s0
+/data/gf_data(/.*)? u:object_r:fingerprintd_data_file:s0
+/data/vendor/fpc(/.*)? u:object_r:fingerprint_vendor_data_file:s0
+/data/vendor/gf_data(/.*)? u:object_r:fingerprint_vendor_data_file:s0
+/data/vendor/goodix(/.*)? u:object_r:fingerprint_vendor_data_file:s0
+/dev/goodix_fp u:object_r:fingerprint_device:s0
 # Firmware
-/firmware(/.*)? u:object_r:firmware_file:s0
-/bt_firmware(/.*)? u:object_r:bt_firmware_file:s0
-/persist(/.*)? u:object_r:persist_file:s0
+/firmware(/.*)? u:object_r:firmware_file:s0
+/bt_firmware(/.*)? u:object_r:bt_firmware_file:s0
+/persist(/.*)? u:object_r:persist_file:s0
 # Hexagon DSP-side executable needed for Halide operation
 # This is labeled as public_adsprpcd_file as it needs to be read by apps
 # (e.g. Google Camera App)
-/mnt/vendor/dsp/fastrpc_shell_3 u:object_r:public_adsprpcd_file:s0
+/mnt/vendor/dsp/fastrpc_shell_3 u:object_r:public_adsprpcd_file:s0
 # IR
-/dev/lirc0 u:object_r:spidev_device:s0
-/dev/spidev7.1 u:object_r:spidev_device:s0
+/dev/lirc0 u:object_r:spidev_device:s0
+/dev/spidev7.1 u:object_r:spidev_device:s0
 # Kcal
-/sys/devices/platform/kcal_ctrl.0(/.*)? u:object_r:kcal_dev:s0
-/sys/bus/platform/drivers/kcal_ctrl(/.*)? u:object_r:kcal_dev:s0
+/sys/devices/platform/kcal_ctrl.0(/.*)? u:object_r:kcal_dev:s0
+/sys/bus/platform/drivers/kcal_ctrl(/.*)? u:object_r:kcal_dev:s0
 # Light HAL
-/(vendor|system/vendor)/bin/hw/android\.hardware\.light@2\.0-service\.xiaomi_sdm660 u:object_r:hal_light_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.light@2\.0-service\.xiaomi_sdm660 u:object_r:hal_light_default_exec:s0
 # Mlipay
-/(vendor|system/vendor)/bin/mlipayd@1.1 u:object_r:hal_mlipay_default_exec:s0
+/(vendor|system/vendor)/bin/mlipayd@1.1 u:object_r:hal_mlipay_default_exec:s0
 # Notification LED
-/devices/soc/800f000.qcom,spmi/spmi-0/spmi0-03/800f000.qcom,spmi:qcom,pm660l@3:qcom,leds@d000/leds/white/max_brightness u:object_r:sysfs_graphics:s0
-/devices/soc/800f000.qcom,spmi/spmi-0/spmi0-03/800f000.qcom,spmi:qcom,pm660l@3:qcom,leds@d000/leds/white/brightness u:object_r:sysfs_graphics:s0
+/sys/devices/platform/soc/800f000.qcom,spmi/spmi-0/spmi0-03/800f000.qcom,spmi:qcom,pm660l@3:qcom,leds@d000/leds/blue(/.*)? u:object_r:sysfs_graphics:s0
+/sys/devices/platform/soc/800f000.qcom,spmi/spmi-0/spmi0-03/800f000.qcom,spmi:qcom,pm660l@3:qcom,leds@d000/leds/green(/.*)? u:object_r:sysfs_graphics:s0
+/sys/devices/platform/soc/800f000.qcom,spmi/spmi-0/spmi0-03/800f000.qcom,spmi:qcom,pm660l@3:qcom,leds@d000/leds/red(/.*)? u:object_r:sysfs_graphics:s0
+/sys/devices/platform/soc/800f000.qcom,spmi/spmi-0/spmi0-03/800f000.qcom,spmi:qcom,pm660l@3:qcom,leds@d000/leds/white(/.*)? u:object_r:sysfs_graphics:s0
+/sys/devices/platform/soc/800f000.qcom,spmi/spmi-0/spmi0-03/800f000.qcom,spmi:qcom,pm660l@3:qcom,leds@d300/leds/flashlight(/.*)? u:object_r:sysfs_graphics:s0
 # Power
-/(vendor|system/vendor)/bin/hw/android\.hardware\.power-service\.xiaomi_sdm660-libperfmgr u:object_r:hal_power_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.power\.stats@1\.0-service\.mock u:object_r:hal_power_stats_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.power-service\.xiaomi_sdm660-libperfmgr u:object_r:hal_power_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.power\.stats@1\.0-service\.mock u:object_r:hal_power_stats_default_exec:s0
 # Root files
-/proc/sys/fs/protected_regular u:object_r:proc:s0
+/proc/sys/fs/protected_regular u:object_r:proc:s0
 # Service HALs
-/(vendor|system/vendor)/bin/hw/android\.hardware\.authsecret@1\.0-service u:object_r:hal_authsecret_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.authsecret@1\.0-service u:object_r:hal_authsecret_default_exec:s0
 # Sockets
-/dev/socket/audio_hw_socket u:object_r:audio_socket:s0
+/dev/socket/audio_hw_socket u:object_r:audio_socket:s0
 # Thermal
-/data/vendor/thermal(/.*)? u:object_r:thermal_data_file:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.thermal@2\.0-service\.mock u:object_r:hal_thermal_default_exec:s0
+/data/vendor/thermal(/.*)? u:object_r:thermal_data_file:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.thermal@2\.0-service\.mock u:object_r:hal_thermal_default_exec:s0
 # USB
-/(vendor|system/vendor)/bin/hw/android\.hardware\.usb@1\.0-service\.xiaomi_sdm660 u:object_r:hal_usb_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.usb@1\.0-service\.xiaomi_sdm660 u:object_r:hal_usb_default_exec:s0
 # Video4linux sysfs nodes
-/sys/devices/platform/soc/caa0000\.qcom,jpeg/video4linux/video1(/.*)? u:object_r:sysfs_graphics:s0
+/sys/devices/platform/soc/caa0000\.qcom,jpeg/video4linux/video1(/.*)? u:object_r:sysfs_graphics:s0
diff --git a/sepolicy/vendor/genfs_contexts b/sepolicy/vendor/genfs_contexts
index 7cfce5a8..2c2e8cd3 100644
--- a/sepolicy/vendor/genfs_contexts
+++ b/sepolicy/vendor/genfs_contexts
@@ -1,7 +1,11 @@
 # Battery
+genfscon sysfs /devices/platform/soc/c175000.i2c/i2c-1/1-0062 u:object_r:sysfs_battery_supply:s0
 genfscon sysfs /devices/platform/soc/c176000.i2c/i2c-2/2-001d u:object_r:sysfs_battery_supply:s0
 # Camera
+genfscon sysfs /devices/platform/soc/ca0c000.qcom,cci/ca0c000.qcom,cci:qcom,camera@0/video4linux/video2/name u:object_r:sysfs_graphics:s0
+genfscon sysfs /devices/platform/soc/ca0c000.qcom,cci/ca0c000.qcom,cci:qcom,camera@1/video4linux/video3/name u:object_r:sysfs_graphics:s0
+genfscon sysfs /devices/platform/soc/ca0c000.qcom,cci/ca0c000.qcom,cci:qcom,camera@2/video4linux/video4/name u:object_r:sysfs_graphics:s0
 genfscon sysfs /devices/platform/soc/ca0c000.qcom,cci/ca0c000.qcom,cci:qcom,camera@3/video4linux/video5/name u:object_r:sysfs_graphics:s0
 genfscon sysfs /camera_sensorid/sensorid u:object_r:sysfs_graphics:s0
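Review bot: The five new `/sys/devices/platform/soc/.../leds/{blue,green,red,white,flashlight}(/.*)?` entries label sysfs paths through file_contexts, while the genfs_contexts hunks of this same commit label `leds/white` and `leds/flashlight` through genfscon; sysfs gets its labels from genfs_contexts at mount time, and a file_contexts entry for a sysfs path only takes effect if something later runs restorecon on it, so the two mechanisms now overlap for white and flashlight and blue/green/red likely remain plain `sysfs` at boot unless a restorecon covers them. Keeping one source of truth (genfscon, as the rest of this commit does) avoids the two lists drifting apart. The removed `/devices/soc/...` lines lacked the `/sys` prefix and so apparently never matched, which makes their removal safe. The `# Debug` debugfs_mmc entry is dropped without mention in the commit message; a one-line note there would help a later reader. Finally, `800f000.qcom,spmi` leaves `.` unescaped in the new regexes, unlike `caa0000\.qcom,jpeg` below; harmless, but inconsistent.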
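Review bot: `genfscon sysfs /devices/platform/soc/c175000.i2c/i2c-1/1-0062` labels the entire i2c device directory as `sysfs_battery_supply`, not just its power-supply attributes, and the init.te context in this commit shows that label is also granted `file setattr` to init, so every attribute the driver exports under 1-0062 inherits that. It mirrors the existing 2-001d entry and is consistent, but if only a `power_supply` subtree is actually accessed the entry can be narrowed to that subdirectory. The camera `video2`..`video4/name` entries follow the existing `video5/name` line and look fine.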
@@ -22,6 +26,11 @@ genfscon sysfs /devices/platform/soc/soc:fpc1020/fingerdown_wait
 genfscon sysfs /devices/platform/soc/soc:fpc1020/irq u:object_r:sysfs_fingerprint:s0
 genfscon sysfs /devices/platform/soc/soc:fpc1020/irq_enable u:object_r:sysfs_fingerprint:s0
 genfscon sysfs /devices/platform/soc/soc:fpc1020/wakeup_enable u:object_r:sysfs_fingerprint:s0
+genfscon sysfs /devices/platform/soc/soc:goodix_fp/device_prepare u:object_r:sysfs_fingerprint:s0
+genfscon sysfs /devices/platform/soc/soc:goodix_fp/fingerdown_wait u:object_r:sysfs_fingerprint:s0
+genfscon sysfs /devices/platform/soc/soc:goodix_fp/irq u:object_r:sysfs_fingerprint:s0
+genfscon sysfs /devices/platform/soc/soc:goodix_fp/irq_enable u:object_r:sysfs_fingerprint:s0
+genfscon sysfs /devices/platform/soc/soc:goodix_fp/wakeup_enable u:object_r:sysfs_fingerprint:s0
 # Graphics
 genfscon sysfs /devices/virtual/graphics/fb0 u:object_r:sysfs_graphics:s0
@@ -32,6 +41,7 @@ genfscon sysfs /devices/virtual/graphics/fb2
 genfscon sysfs /devices/platform/soc/800f000.qcom,spmi/spmi-0/spmi0-03/800f000.qcom,spmi:qcom,pm660l@3:qcom,leds@d000/leds/button-backlight u:object_r:sysfs_graphics:s0
 genfscon sysfs /devices/platform/soc/800f000.qcom,spmi/spmi-0/spmi0-03/800f000.qcom,spmi:qcom,pm660l@3:qcom,leds@d000/leds/button-backlight1 u:object_r:sysfs_graphics:s0
 genfscon sysfs /devices/platform/soc/800f000.qcom,spmi/spmi-0/spmi0-03/800f000.qcom,spmi:qcom,pm660l@3:qcom,leds@d000/leds/white u:object_r:sysfs_graphics:s0
+genfscon sysfs /devices/platform/soc/800f000.qcom,spmi/spmi-0/spmi0-03/800f000.qcom,spmi:qcom,pm660l@3:qcom,leds@d300/leds/flashlight u:object_r:sysfs_graphics:s0
 # Power
 genfscon sysfs /devices/platform/soc/soc:qcom,gpubw u:object_r:sysfs_devfreq:s0
diff --git a/sepolicy/vendor/hal_power_stats_default.te b/sepolicy/vendor/hal_power_stats_default.te
index b454d201..0a63f353 100644
--- a/sepolicy/vendor/hal_power_stats_default.te
+++ b/sepolicy/vendor/hal_power_stats_default.te
@@ -1 +1,2 @@
-allow hal_power_stats_default sysfs:dir read;
+allow hal_power_stats_default sysfs:dir { open read };
+allow hal_power_stats_default sysfs:file { open read };
diff --git a/sepolicy/vendor/init.te b/sepolicy/vendor/init.te
index bfd5aa19..2aee7b26 100644
--- a/sepolicy/vendor/init.te
+++ b/sepolicy/vendor/init.te
@@ -1,4 +1,5 @@
 allow init adsprpcd_file:file mounton;
+allow init apex_metadata_file:lnk_file read;
 allow init socket_device:sock_file { unlink setattr create };
 allow init sysfs_graphics:file { read open };
 allow init sysfs_battery_supply:file setattr;
diff --git a/sepolicy/vendor/qti_init_shell.te b/sepolicy/vendor/qti_init_shell.te
index db9b3583..a123a8aa 100644
--- a/sepolicy/vendor/qti_init_shell.te
+++ b/sepolicy/vendor/qti_init_shell.te
@@ -1,5 +1,7 @@
 allow qti_init_shell ctl_start_prop:property_service set;
 allow qti_init_shell ctl_stop_prop:property_service set;
+allow qti_init_shell self:perf_event cpu;
+allow qti_init_shell sysfs:file { setattr write };
 dontaudit qti_init_shell system_prop:property_service set;
 dontaudit qti_init_shell self:capability { dac_override dac_read_search };
diff --git a/sepolicy/vendor/ueventd.te b/sepolicy/vendor/ueventd.te
new file mode 100644
index 00000000..985c8ec4
--- /dev/null
+++ b/sepolicy/vendor/ueventd.te
@@ -0,0 +1 @@
+allow ueventd metadata_file:dir search;
diff --git a/sepolicy/vendor/vendor_init.te b/sepolicy/vendor/vendor_init.te
index 3062345f..8253f4d3 100644
--- a/sepolicy/vendor/vendor_init.te
+++ b/sepolicy/vendor/vendor_init.te
@@ -1,6 +1,7 @@
 typeattribute vendor_init data_between_core_and_vendor_violators;
 allow vendor_init {
+ camera_data_file
 system_data_file
 tombstone_data_file
 }:dir { create search getattr open read setattr ioctl write add_name remove_name rmdir relabelfrom };
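Review bot: The new `allow hal_power_stats_default sysfs:file { open read };` grants read on the generic `sysfs` label, i.e. on every sysfs node that no genfs_contexts entry has given a specific type, rather than on the particular nodes this HAL reads. The rest of this commit takes the opposite approach (label the node via genfs_contexts, then allow the specific type), and the same should be done here: take the denied paths from the audit log, give them an existing type such as `sysfs_devfreq` or a new one, and replace both lines with `r_dir_perms`/`r_file_perms` on that type. According to file_contexts this binary is the `.mock` power.stats service, so it is also worth confirming it needs sysfs at all.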
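Review bot: `allow init apex_metadata_file:lnk_file read;` adds a rule for the platform `init` domain under sepolicy/vendor, whereas this same commit puts its other core-domain rule (system_suspend) under sepolicy/private; the new ueventd.te with `allow ueventd metadata_file:dir search;` raises the same placement question. Both rules pair core domains with core types (`apex_metadata_file`, `metadata_file`), which suggests gaps in the platform policy of this release rather than vendor-specific needs; if upstream policy already covers them the rules are redundant, and if not they are better kept in private/ with a comment naming the denial they resolve, e.g. `# addresses: avc denied { read } for init on apex_metadata_file:lnk_file`.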
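Review bot: `allow qti_init_shell sysfs:file { setattr write };` lets the init shell scripts chmod and write any sysfs node that still carries the generic `sysfs` label, which is every node not covered by genfs_contexts; that runs counter to the node-specific labeling the rest of this commit adds. The nodes the scripts actually touch should get a specific type via genfs_contexts (as done here for the fingerprint and LED nodes) and the rule scoped to it, e.g. `allow qti_init_shell sysfs_<node_type>:file { setattr write };` with `sysfs_<node_type>` standing for the chosen type. `allow qti_init_shell self:perf_event cpu;` is unexplained; a short comment naming the script that needs perf_event access would help, and if it comes from a single command it may be simpler to drop that command than to grant the permission to the whole shell domain.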