From a5de89d28b604f924598e002d9c3919f2463b9f2 Mon Sep 17 00:00:00 2001 From: Bruno Martins Date: Thu, 24 Dec 2020 10:34:23 +0000 Subject: [PATCH] sdm660-common: sepolicy: Add rules for older IMS blobs Since Android 10 blobs are being used, org.codeaurora.ims still runs as phone UID as seen by these denials: m.android.phone: type=1400 audit(0.0:2914): avc: denied { read } for name="u:object_r:qcom_ims_prop:s0" dev="tmpfs" ino=13660 scontext=u:r:radio:s0 tcontext=u:object_r:qcom_ims_prop:s0 tclass=file permissive=0 m.android.phone: type=1400 audit(0.0:473): avc: denied { call } for scontext=u:r:radio:s0 tcontext=u:r:hal_imsrtp:s0 tclass=binder permissive=0 Change-Id: Ic8c1b7996b9e0e7b63ba2a153441c9e8467a8a31 Signed-off-by: clarencelol
---
sepolicy/vendor/hal_imsrtp.te | 1 + sepolicy/vendor/radio.te | 2 ++ 2 files changed, 3 insertions(+) create mode 100644 sepolicy/vendor/hal_imsrtp.te
diff --git a/sepolicy/vendor/hal_imsrtp.te b/sepolicy/vendor/hal_imsrtp.te
new file mode 100644
index 00000000..e130c8d3
--- /dev/null
+++ b/sepolicy/vendor/hal_imsrtp.te
@@ -0,0 +1 @@
+binder_call(hal_imsrtp, radio)
diff --git a/sepolicy/vendor/radio.te b/sepolicy/vendor/radio.te
index c84eff05..51fb2c0c 100644
--- a/sepolicy/vendor/radio.te
+++ b/sepolicy/vendor/radio.te
@@ -1,3 +1,5 @@
 allow radio hal_datafactory_hwservice:hwservice_manager find;
 binder_call(radio, cnd)
+binder_call(radio, hal_imsrtp)
+allow radio { cameraserver_service mediaextractor_service mediaserver_service mediametrics_service drmserver_service audioserver_service }:service_manager find;
 get_prop(radio, qcom_ims_prop)
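Review bot: `binder_call(hal_imsrtp, radio)` in the new hal_imsrtp.te lets the IMS RTP HAL initiate binder transactions into the radio domain, yet the only binder denial quoted in the commit message runs the other way (scontext radio, tcontext hal_imsrtp). The `binder_call(radio, hal_imsrtp)` added in radio.te already grants the reply-side `transfer` from hal_imsrtp back to radio, so this rule is needed only if the HAL makes its own calls into radio, for example through callbacks. If that is the case, the matching avc denial and a comment such as `# hal_imsrtp calls back into org.codeaurora.ims, which runs in the radio domain` would justify it. Otherwise the file can be dropped to keep the HAL's reach into radio minimal.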
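Review bot: The `service_manager find` rule added on the second `+` line of radio.te lets the radio domain look up six camera, media, DRM and audio services, but the commit message quotes denials only for the `qcom_ims_prop` read and the binder call to `hal_imsrtp`. The rule applies to every process labelled radio, not only org.codeaurora.ims, so each service in the set should be backed by an observed avc denial and any that are not should be removed. The quoted property denial also seems to correspond to the existing `get_prop(radio, qcom_ims_prop)` context line rather than to anything this hunk adds, which is worth confirming. A comment above the two additions such as `# Android 10 IMS blobs: org.codeaurora.ims runs as phone UID (radio domain)` would record why these grants sit in radio.te.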