sdm660-common: Address SELiunx denials and clean up
Change-Id: I997a268c9ce23eab80f1981293720e17d21bbb7a
This commit is contained in:
Max Weffers
OdSazib
parent
880ca53df2
commit
eb97b49f0c
11 changed files with 48 additions and 51 deletions
6
sepolicy/vendor/file_contexts
vendored
6
sepolicy/vendor/file_contexts
vendored
|
|
@ -1,14 +1,14 @@
|
|||
# Biometric
|
||||
/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.xiaomi_sdm660 u:object_r:hal_fingerprint_sdm660_exec:s0
|
||||
/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.xiaomi_sdm660 u:object_r:hal_fingerprint_sdm660_exec:s0
|
||||
|
||||
# Goodix Fingerprint
|
||||
/dev/goodix_fp* u:object_r:fingerprint_device:s0
|
||||
/data/misc/gf_data(/.*)? u:object_r:fingerprint_data_file:s0
|
||||
/data/misc/goodix(/.*)? u:object_r:fingerprint_data_file:s0
|
||||
/persist/data/gf* u:object_r:fingerprint_data_file:s0
|
||||
/data/gf_data(/.*)? u:object_r:fingerprintd_data_file:s0
|
||||
/data/vendor/gf_data(/.*)? u:object_r:fingerprint_vendor_data_file:s0
|
||||
/data/vendor/goodix(/.*)? u:object_r:fingerprint_vendor_data_file:s0
|
||||
/dev/goodix_fp u:object_r:fingerprint_device:s0
|
||||
|
||||
# FPC Fingerprint
|
||||
/data/vendor/fpc(/.*)? u:object_r:fingerprint_vendor_data_file:s0
|
||||
|
|
@ -43,7 +43,7 @@
|
|||
/sys/bus/platform/drivers/kcal_ctrl(/.*)? u:object_r:kcal_dev:s0
|
||||
|
||||
# Light HAL
|
||||
/(vendor|system/vendor)/bin/hw/android\.hardware\.light@2\.0-service\.xiaomi_sdm660 u:object_r:hal_light_default_exec:s0
|
||||
/(vendor|system/vendor)/bin/hw/android\.hardware\.light@2\.0-service\.xiaomi_sdm660 u:object_r:hal_light_default_exec:s0
|
||||
|
||||
# Mlipay
|
||||
/(vendor|system/vendor)/bin/mlipayd@1.1 u:object_r:hal_mlipay_default_exec:s0
|
||||
|
|
|
|||
6
sepolicy/vendor/genfs_contexts
vendored
6
sepolicy/vendor/genfs_contexts
vendored
|
|
@ -30,6 +30,6 @@ genfscon sysfs /devices/soc/800f000.qcom,spmi/spmi-0/spmi0-00/800f000.qcom,spmi:
|
|||
genfscon proc /nvt_wake_gesture u:object_r:proc_dt2w:s0
|
||||
|
||||
# LED
|
||||
genfscon sysfs /devices/soc/800f000.qcom,spmi/spmi-0/spmi0-03/800f000.qcom,spmi:qcom,pm660l@3:qcom,leds@d000/leds/button-backlight u:object_r:sysfs_graphics:s0
|
||||
genfscon sysfs /devices/soc/800f000.qcom,spmi/spmi-0/spmi0-03/800f000.qcom,spmi:qcom,pm660l@3:qcom,leds@d000/leds/button-backlight1 u:object_r:sysfs_graphics:s0
|
||||
genfscon sysfs /devices/soc/800f000.qcom,spmi/spmi-0/spmi0-03/800f000.qcom,spmi:qcom,pm660l@3:qcom,leds@d000/leds/white u:object_r:sysfs_graphics:s0
|
||||
genfscon sysfs /devices/soc/800f000.qcom,spmi/spmi-0/spmi0-03/800f000.qcom,spmi:qcom,pm660l@3:qcom,leds@d000/leds/button-backlight u:object_r:sysfs_graphics:s0
|
||||
genfscon sysfs /devices/soc/800f000.qcom,spmi/spmi-0/spmi0-03/800f000.qcom,spmi:qcom,pm660l@3:qcom,leds@d000/leds/button-backlight1 u:object_r:sysfs_graphics:s0
|
||||
genfscon sysfs /devices/soc/800f000.qcom,spmi/spmi-0/spmi0-03/800f000.qcom,spmi:qcom,pm660l@3:qcom,leds@d000/leds/white u:object_r:sysfs_graphics:s0
|
||||
|
|
|
|||
2
sepolicy/vendor/hal_audio_default.te
vendored
2
sepolicy/vendor/hal_audio_default.te
vendored
|
|
@ -3,4 +3,4 @@ get_prop(hal_audio_default, dirac_prop)
|
|||
set_prop(hal_audio_default, dirac_prop)
|
||||
allow hal_audio_default vendor_data_file:dir { create write add_name };
|
||||
allow hal_audio_default vendor_data_file:file { append create getattr open read };
|
||||
dontaudit hal_audio_default sysfs:dir read;
|
||||
allow hal_audio_default sysfs:dir r_dir_perms;
|
||||
|
|
|
|||
41
sepolicy/vendor/hal_fingerprint_sdm660.te
vendored
41
sepolicy/vendor/hal_fingerprint_sdm660.te
vendored
|
|
@ -1,19 +1,24 @@
|
|||
type hal_fingerprint_sdm660, domain, binder_in_vendor_violators;
|
||||
type hal_fingerprint_sdm660, domain;
|
||||
hal_server_domain(hal_fingerprint_sdm660, hal_fingerprint)
|
||||
|
||||
type hal_fingerprint_sdm660_exec, exec_type, vendor_file_type, file_type;
|
||||
typeattribute hal_fingerprint_sdm660 data_between_core_and_vendor_violators;
|
||||
binder_use(hal_fingerprint_sdm660)
|
||||
init_daemon_domain(hal_fingerprint_sdm660)
|
||||
|
||||
allow hal_fingerprint_sdm660 fingerprint_device:chr_file { read write open ioctl };
|
||||
allow hal_fingerprint_sdm660 { tee_device uhid_device }:chr_file { read write open ioctl };
|
||||
allow hal_fingerprint_sdm660 fingerprint_data_file:file rw_file_perms;
|
||||
allow hal_fingerprint_sdm660 {
|
||||
fingerprint_device
|
||||
tee_device
|
||||
uhid_device
|
||||
}:chr_file rw_file_perms;
|
||||
|
||||
# TODO(b/36644492): Remove data_between_core_and_vendor_violators once
|
||||
# hal_fingerprint no longer directly accesses fingerprintd_data_file.
|
||||
typeattribute hal_fingerprint_sdm660 data_between_core_and_vendor_violators;
|
||||
# access to /data/system/users/[0-9]+/fpdata
|
||||
|
||||
allow hal_fingerprint_sdm660 fingerprintd_data_file:dir rw_dir_perms;
|
||||
allow hal_fingerprint_sdm660 fingerprintd_data_file:file create_file_perms;
|
||||
allow hal_fingerprint_sdm660 { fuse mnt_user_file storage_file }:dir search;
|
||||
allow hal_fingerprint_sdm660 { mnt_user_file storage_file }:lnk_file read;
|
||||
allow hal_fingerprint_sdm660 fingerprint_sysfs:dir r_dir_perms;
|
||||
allow hal_fingerprint_sdm660 fingerprint_data_file:file rw_file_perms;
|
||||
|
||||
allow hal_fingerprint_sdm660 fingerprint_sysfs:file rw_file_perms;
|
||||
|
||||
allow hal_fingerprint_sdm660 hal_perf_hwservice:hwservice_manager find;
|
||||
|
|
@ -25,22 +30,12 @@ allow hal_fingerprint_sdm660 vendor_fp_prop:file { getattr open read };
|
|||
|
||||
allow hal_fingerprint_sdm660 hal_fingerprint_sdm660:netlink_socket { create bind write read };
|
||||
|
||||
binder_call(hal_fingerprint_sdm660, vndservicemanager)
|
||||
allow hal_fingerprint_sdm660 self:netlink_socket create_socket_perms_no_ioctl;
|
||||
|
||||
allow hal_fingerprint_sdm660 hal_perf_hwservice:hwservice_manager find;
|
||||
binder_call(hal_fingerprint_sdm660, hal_perf_default)
|
||||
|
||||
binder_use(hal_fingerprint_sdm660)
|
||||
|
||||
r_dir_file(hal_fingerprint_sdm660, firmware_file)
|
||||
|
||||
add_service(hal_fingerprint_sdm660, goodixvnd_service)
|
||||
|
||||
allow hal_fingerprint_sdm660 vndbinder_device:chr_file ioctl;
|
||||
|
||||
set_prop(hal_fingerprint_sdm660, hal_fingerprint_prop)
|
||||
|
||||
vndbinder_use(hal_fingerprint_sdm660)
|
||||
|
||||
dontaudit hal_fingerprint_sdm660 { media_rw_data_file sdcardfs}:dir search;
|
||||
dontaudit hal_fingerprint_sdm660 media_rw_data_file:dir { read open };
|
||||
dontaudit hal_fingerprint_sdm660 hal_perf_hwservice:hwservice_manager find;
|
||||
dontaudit hal_fingerprint_sdm660 hal_fingerprint_hwservice:hwservice_manager add;
|
||||
dontaudit hal_fingerprint_default storage_file:dir search;
|
||||
|
|
|
|||
1
sepolicy/vendor/hal_power_default.te
vendored
1
sepolicy/vendor/hal_power_default.te
vendored
|
|
@ -3,4 +3,3 @@ allow hal_power_default sysfs_tap_to_wake:file rw_file_perms;
|
|||
# Allow writing to files in /proc/tp_gesture
|
||||
allow hal_power_default proc:file rw_file_perms;
|
||||
allow hal_power_default proc:dir search;
|
||||
|
||||
|
|
|
|||
1
sepolicy/vendor/hwservice.te
vendored
1
sepolicy/vendor/hwservice.te
vendored
|
|
@ -1,2 +1 @@
|
|||
type goodixhw_service, hwservice_manager_type;
|
||||
type hal_mlipay_hwservice, hwservice_manager_type;
|
||||
|
|
|
|||
38
sepolicy/vendor/property_contexts
vendored
38
sepolicy/vendor/property_contexts
vendored
|
|
@ -1,12 +1,24 @@
|
|||
sys.fp.goodix u:object_r:hal_fingerprint_prop:s0
|
||||
sys.fp.vendor u:object_r:hal_fingerprint_prop:s0
|
||||
persist.sys.fp.info u:object_r:hal_fingerprint_prop:s0
|
||||
persist.vendor.sys.fp.vendor u:object_r:hal_fingerprint_prop:s0
|
||||
persist.vendor.sys.pay.fido u:object_r:mlipay_prop:s0
|
||||
persist.vendor.sys.pay.ifaa u:object_r:mlipay_prop:s0
|
||||
persist.vendor.sys.pay.soter u:object_r:mlipay_prop:s0
|
||||
# Audio
|
||||
audio.sys.noisy.broadcast.delay u:object_r:vendor_default_prop:s0
|
||||
audio.sys.offload.pstimeout.secs u:object_r:vendor_default_prop:s0
|
||||
audio_hal.in_period_size u:object_r:vendor_default_prop:s0
|
||||
audio_hal.period_multiplier u:object_r:vendor_default_prop:s0
|
||||
persist.audio.fluence.voicecomm u:object_r:vendor_default_prop:s0
|
||||
|
||||
# Mlipay
|
||||
persist.vendor.sys.pay. u:object_r:mlipay_prop:s0
|
||||
persist.vendor.sys.provision.status u:object_r:mlipay_prop:s0
|
||||
|
||||
# Fingerprint
|
||||
fpc_kpi u:object_r:vendor_default_prop:s0
|
||||
gf.debug.dump_data u:object_r:hal_fingerprint_prop:s0
|
||||
persist.sys.fp. u:object_r:hal_fingerprint_prop:s0
|
||||
persist.vendor.sys.fp. u:object_r:hal_fingerprint_prop:s0
|
||||
ro.boot.fp. u:object_r:hal_fingerprint_prop:s0
|
||||
sys.fp. u:object_r:hal_fingerprint_prop:s0
|
||||
ro.boot.fpsensor u:object_r:hal_fingerprint_prop:s0
|
||||
persist.sys.fp.info u:object_r:hal_fingerprint_prop:s0
|
||||
|
||||
# Camera
|
||||
camera. u:object_r:camera_prop:s0
|
||||
cameradaemon.SaveMemAtBoot u:object_r:camera_prop:s0
|
||||
|
|
@ -16,23 +28,17 @@ persist.camera. u:object_r:camera_prop:s0
|
|||
persist.vendor.camera. u:object_r:vendor_camera_prop:s0
|
||||
vendor.camera.eis.gyro_name u:object_r:vendor_camera_prop:s0
|
||||
|
||||
# Fingerprint
|
||||
gf.debug.dump_data u:object_r:vendor_fp_prop:s0
|
||||
persist.sys.fp. u:object_r:vendor_fp_prop:s0
|
||||
persist.vendor.sys.fp. u:object_r:vendor_fp_prop:s0
|
||||
ro.boot.fp. u:object_r:vendor_fp_prop:s0
|
||||
sys.fp. u:object_r:vendor_fp_prop:s0
|
||||
ro.boot.fpsensor u:object_r:vendor_fp_prop:s0
|
||||
|
||||
# Thermal engine
|
||||
persist.sys.thermal. u:object_r:thermal_engine_prop:s0
|
||||
sys.thermal. u:object_r:thermal_engine_prop:s0
|
||||
|
||||
# vendor_default_prop
|
||||
fpc_kpi u:object_r:vendor_default_prop:s0
|
||||
gpu.stats.debug.level u:object_r:vendor_default_prop:s0
|
||||
vendor.display.lcd_density u:object_r:vendor_default_prop:s0
|
||||
|
||||
# Media
|
||||
gpu.stats.debug.level u:object_r:vendor_default_prop:s0
|
||||
|
||||
# Dirac
|
||||
persist.audio.dirac. u:object_r:dirac_prop:s0
|
||||
|
||||
|
|
|
|||
1
sepolicy/vendor/thermal-engine.te
vendored
1
sepolicy/vendor/thermal-engine.te
vendored
|
|
@ -1,5 +1,6 @@
|
|||
allow thermal-engine thermal_data_file:dir rw_dir_perms;
|
||||
allow thermal-engine thermal_data_file:file create_file_perms;
|
||||
allow thermal-engine sysfs:dir r_dir_perms;
|
||||
allow thermal-engine self:capability { chown fowner };
|
||||
allow thermal-engine property_socket:sock_file write;
|
||||
dontaudit thermal-engine self:capability dac_override;
|
||||
|
|
|
|||
1
sepolicy/vendor/vendor_init.te
vendored
1
sepolicy/vendor/vendor_init.te
vendored
|
|
@ -10,7 +10,6 @@ allow vendor_init {
|
|||
|
||||
allow vendor_init unlabeled:{ dir file } { getattr relabelfrom };
|
||||
|
||||
set_prop(vendor_init, camera_prop)
|
||||
allow vendor_init media_rw_data_file:file { getattr relabelfrom };
|
||||
|
||||
allow vendor_init rootfs:dir { add_name create setattr write };
|
||||
|
|
|
|||
1
sepolicy/vendor/vndservice.te
vendored
1
sepolicy/vendor/vndservice.te
vendored
|
|
@ -1 +0,0 @@
|
|||
type goodixvnd_service, vndservice_manager_type;
|
||||
1
sepolicy/vendor/vndservice_contexts
vendored
1
sepolicy/vendor/vndservice_contexts
vendored
|
|
@ -1 +0,0 @@
|
|||
android.hardware.fingerprint.IGoodixFingerprintDaemon u:object_r:goodixvnd_service:s0
|
||||
Loading…
Reference in a new issue