From f30354722b9e331406210e37b6559e8fb6fff91c Mon Sep 17 00:00:00 2001 From: clarencelol Date: Fri, 28 May 2021 18:04:47 +0800 Subject: [PATCH] sdm660-common: sepolicy: Address more denials Signed-off-by: clarencelol Signed-off-by: pix106 --- sepolicy/private/bootanim.te | 1 + sepolicy/private/fsck.te | 1 + sepolicy/private/init.te | 2 ++ sepolicy/private/kernel.te | 1 + sepolicy/private/platform_app.te | 4 ++++ sepolicy/private/system_server.te | 4 ++++ sepolicy/vendor/cameraserver.te | 2 ++ sepolicy/vendor/hal_power_stats_default.te | 2 +- 8 files changed, 16 insertions(+), 1 deletion(-) create mode 100644 sepolicy/private/bootanim.te create mode 100644 sepolicy/private/fsck.te create mode 100644 sepolicy/private/kernel.te create mode 100644 sepolicy/private/platform_app.te diff --git a/sepolicy/private/bootanim.te b/sepolicy/private/bootanim.te new file mode 100644 index 00000000..596b7d41 --- /dev/null +++ b/sepolicy/private/bootanim.te @@ -0,0 +1 @@ +get_prop(bootanim, userspace_reboot_exported_prop) diff --git a/sepolicy/private/fsck.te b/sepolicy/private/fsck.te new file mode 100644 index 00000000..0729f110 --- /dev/null +++ b/sepolicy/private/fsck.te @@ -0,0 +1 @@ +allow fsck self:capability { kill }; diff --git a/sepolicy/private/init.te b/sepolicy/private/init.te index 4acf420a..a0c4f2e0 100644 --- a/sepolicy/private/init.te +++ b/sepolicy/private/init.te @@ -1 +1,3 @@ allow init property_type:file { append create getattr map open read relabelto rename setattr unlink write }; +allow init iorapd_data_file:file { getattr }; +allow init hwservicemanager:binder { call transfer }; diff --git a/sepolicy/private/kernel.te b/sepolicy/private/kernel.te new file mode 100644 index 00000000..95fb85c1 --- /dev/null +++ b/sepolicy/private/kernel.te @@ -0,0 +1 @@ +allow kernel self:capability { kill }; diff --git a/sepolicy/private/platform_app.te b/sepolicy/private/platform_app.te new file mode 100644 index 00000000..20ff6468 --- /dev/null +++ b/sepolicy/private/platform_app.te @@ -0,0 +1,4 @@ +get_prop(platform_app, exported_camera_prop) + +# Allow systemui to read audio prop +get_prop(platform_app, exported_audio_prop) diff --git a/sepolicy/private/system_server.te b/sepolicy/private/system_server.te index 4cdfaafb..93c92dda 100644 --- a/sepolicy/private/system_server.te +++ b/sepolicy/private/system_server.te @@ -1,2 +1,6 @@ + # Allow system_server to set persist_camera_prop get_prop(system_server, vendor_persist_camera_prop) + +get_prop(system_server, userspace_reboot_config_prop) +get_prop(system_server, userspace_reboot_exported_prop) diff --git a/sepolicy/vendor/cameraserver.te b/sepolicy/vendor/cameraserver.te index 567844df..d3fe35f1 100644 --- a/sepolicy/vendor/cameraserver.te +++ b/sepolicy/vendor/cameraserver.te @@ -1,3 +1,5 @@ binder_call(cameraserver, mediacodec); get_prop(cameraserver, vendor_persist_camera_prop) get_prop(cameraserver, vendor_video_prop) +set_prop(cameraserver, camera_prop) +binder_call(cameraserver, mediacodec) diff --git a/sepolicy/vendor/hal_power_stats_default.te b/sepolicy/vendor/hal_power_stats_default.te index a0fcd51e..2f45c6a8 100644 --- a/sepolicy/vendor/hal_power_stats_default.te +++ b/sepolicy/vendor/hal_power_stats_default.te @@ -11,7 +11,7 @@ r_dir_file(hal_power_stats_default, sysfs_power_stats) # The following folders are incidentally accessed by hal_power_stats_default and are not needed. dontaudit hal_power_stats_default sysfs_power_stats_ignore:dir r_dir_perms; dontaudit hal_power_stats_default sysfs_power_stats_ignore:file r_file_perms; -dontaudit hal_power_stats_default sysfs:file read; +dontaudit hal_power_stats_default sysfs:file { open read }; vndbinder_use(hal_power_stats) add_service(hal_power_stats_server, power_stats_service)