From 35a1e8206f9840efbc5d31e0cfc04f851b42099e Mon Sep 17 00:00:00 2001 From: followmsi Date: Thu, 26 Nov 2020 11:02:35 +0100 Subject: [PATCH] flo: Update sepolicies --- BoardConfigCommon.mk | 1 + sepolicy/bluetooth_loader.te | 7 +-- sepolicy/bridge.te | 2 + sepolicy/camera.te | 12 ++-- sepolicy/cameraserver.te | 19 ++----- sepolicy/conn_init.te | 2 + sepolicy/device.te | 8 --- sepolicy/file.te | 25 ++------ sepolicy/file_contexts | 66 ++-------------------- sepolicy/fsck.te | 2 + sepolicy/genfs_contexts | 24 ++++++++ sepolicy/hal_camera_default.te | 9 +++ sepolicy/hal_graphics_allocator_default.te | 2 + sepolicy/hal_light_default.te | 1 + sepolicy/hal_nfc_default.te | 2 + sepolicy/hal_sensors_default.te | 13 +++++ sepolicy/hci_attach.te | 1 + sepolicy/healthd.te | 1 + sepolicy/hostapd.te | 4 +- sepolicy/init-devstart-sh.te | 1 + sepolicy/init.te | 24 +++++++- sepolicy/irsc_util.te | 6 -- sepolicy/mediacodec.te | 2 +- sepolicy/mpdecision.te | 18 +----- sepolicy/netmgrd.te | 7 --- sepolicy/priv_app.te | 2 + sepolicy/property_contexts | 1 - sepolicy/rmt.te | 11 +++- sepolicy/sensors.te | 28 ++------- sepolicy/surfaceflinger.te | 2 + sepolicy/system_server.te | 18 +++--- sepolicy/te_macros | 13 ----- sepolicy/thermald.te | 42 ++++++++------ sepolicy/ueventd.te | 1 + 34 files changed, 169 insertions(+), 208 deletions(-) create mode 100644 sepolicy/fsck.te create mode 100644 sepolicy/hal_camera_default.te create mode 100644 sepolicy/hal_graphics_allocator_default.te create mode 100644 sepolicy/hal_light_default.te create mode 100644 sepolicy/hal_nfc_default.te create mode 100644 sepolicy/hal_sensors_default.te create mode 100644 sepolicy/healthd.te delete mode 100644 sepolicy/te_macros diff --git a/BoardConfigCommon.mk b/BoardConfigCommon.mk index a1e143a..05c02a1 100644 --- a/BoardConfigCommon.mk +++ b/BoardConfigCommon.mk 
@@ -141,6 +141,7 @@ HAVE_ADRENO_SOURCE:= false SELINUX_IGNORE_NEVERALLOWS := true +include device/qcom/sepolicy-legacy/sepolicy.mk BOARD_SEPOLICY_DIRS += device/asus/flo/sepolicy # Security Patch Level diff --git a/sepolicy/bluetooth_loader.te b/sepolicy/bluetooth_loader.te index ecd5bcf..9db80a8 100644 --- a/sepolicy/bluetooth_loader.te +++ b/sepolicy/bluetooth_loader.te @@ -1,9 +1,6 @@ # Bluetooth executables and script (bdAddrLoader, init.flo.bt.sh) -type bluetooth_loader, domain, device_domain_deprecated; -type bluetooth_loader_exec, exec_type, file_type; - -# Start bdAddrLoader from init -init_daemon_domain(bluetooth_loader) +# type bluetooth_loader, domain, device_domain_deprecated; +# type bluetooth_loader_exec, exec_type, file_type; # Run init.flo.bt.sh allow bluetooth_loader shell_exec:file rx_file_perms; diff --git a/sepolicy/bridge.te b/sepolicy/bridge.te index 4253de2..c42ff3d 100644 --- a/sepolicy/bridge.te +++ b/sepolicy/bridge.te @@ -14,3 +14,5 @@ qmux_socket(bridge) # Alert the RmNet SMD & SDIO function driver of the correct transport. # (/sys/class/android_usb/f_rmnet_smd_sdio/transport) allow bridge sysfs_rmnet:file { open read write getattr }; + +allow bridge sysfs_android_usb:dir r_dir_perms; diff --git a/sepolicy/camera.te b/sepolicy/camera.te index a6f4a67..34de91f 100644 --- a/sepolicy/camera.te +++ b/sepolicy/camera.te 
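Review bot: The added `include device/qcom/sepolicy-legacy/sepolicy.mk` in BoardConfigCommon.mk sits directly under `SELINUX_IGNORE_NEVERALLOWS := true`, so any neverallow violation introduced by the rest of this commit will build without an error. The commit also deletes types and the `qmux_socket` macro that the remaining device policy still uses, so the device tree now presumably depends on this include for them. A comment above the line would record that, for example `# Provides qmux_socket() and the types removed from sepolicy/device.te and sepolicy/file.te`. It is worth building once with the ignore flag off to see which of the new rules it is hiding.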
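Review bot: In bluetooth_loader.te the two `type` declarations are commented out rather than deleted, and `init_daemon_domain(bluetooth_loader)` is removed together with its comment. If the included legacy policy does not declare `bluetooth_loader` and its init transition (not visible in this diff), the remaining `allow bluetooth_loader ...` rules either fail to compile or never apply because the process stays in init's domain. Once that is confirmed, I would delete the commented lines and leave a one-line pointer such as `# bluetooth_loader types and init transition come from device/qcom/sepolicy-legacy`. The file continues outside the hunk.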
@@ -12,18 +12,16 @@ allow camera video_device:chr_file rw_file_perms; allow camera { surfaceflinger mediaserver cameraserver }:fd use; hal_client_domain(camera, hal_graphics_allocator) -# Create front and back camera sockets (/data/cam_socket[12]) -type_transition camera system_data_file:sock_file camera_socket "cam_socket1"; -type_transition camera system_data_file:sock_file camera_socket "cam_socket2"; -allow camera camera_socket:sock_file { create unlink }; -allow camera system_data_file:dir w_dir_perms; -allow camera system_data_file:sock_file unlink; +# Create camera sockets +allow camera camera_socket:dir w_dir_perms; +allow camera camera_socket:sock_file create_file_perms; type_transition camera system_data_file:file camera_data_file "fdAlbum"; allow camera camera_data_file:file create_file_perms; -# Connect to sensor socket (/data/app/sensor_ctl_socket) +# Connect to sensor socket unix_socket_connect(camera, sensors, sensors) +allow camera sensors_socket:dir search; allow camera sensors_socket:sock_file read; # Read camera files from persist filesystem diff --git a/sepolicy/cameraserver.te b/sepolicy/cameraserver.te index 6a502c5..6e470a4 100644 --- a/sepolicy/cameraserver.te +++ b/sepolicy/cameraserver.te 
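Review bot: The retained `type_transition camera system_data_file:file camera_data_file "fdAlbum";` in camera.te looks stale after this change. The hunk removes `allow camera system_data_file:dir w_dir_perms;`, which the daemon needs in order to create a file directly in /data, and the file_contexts part of the commit drops the `/data/fdAlbum` entry. Unless a rule outside the hunk still grants that directory access, the transition and the `camera_data_file:file create_file_perms` rule can no longer take effect and should be removed or pointed at a vendor data path. The rewritten socket comments also lost their paths; `# Create camera sockets (/dev/socket/qcamera)` would keep the rule traceable to its file_contexts entry.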
@@ -1,16 +1,9 @@ -# Interact with sockets -unix_socket_send(cameraserver, camera, camera) -allow cameraserver camera_data_file:sock_file write; -allow cameraserver property_socket:sock_file { open read write ioctl }; -allow cameraserver init:unix_stream_socket connectto; +unix_socket_send(cameraserver, camera, camera); +unix_socket_send(cameraserver, mpdecision, mpdecision); -#allow cameraserver system_file:file execmod; +# for libmmjpeg allow cameraserver vendor_file:file execmod; -allow cameraserver camera_device:chr_file { open read write ioctl }; -allow cameraserver cameraserver:fd use; -# Allow writing to mpdecision -unix_socket_send(cameraserver, mpdecision, mpdecision) - -# Allow access to sysfs -allow cameraserver sysfs:file { getattr read open }; +# Allow reading /dev/graphics +allow cameraserver graphics_device:dir r_dir_perms; +allow cameraserver camera_socket:dir r_dir_perms; diff --git a/sepolicy/conn_init.te b/sepolicy/conn_init.te index 23e4b53..c6fa143 100644 --- a/sepolicy/conn_init.te +++ b/sepolicy/conn_init.te @@ -21,3 +21,5 @@ allow conn_init wlan_device:chr_file rw_file_perms; # init.flo.wifi.sh runs toolbox allow conn_init system_file:file execute_no_trans; allow conn_init toolbox_exec:file rx_file_perms; + +allow conn_init wcnss_device:chr_file rw_file_perms ; diff --git a/sepolicy/device.te b/sepolicy/device.te index 83d0b06..9c7bcc8 100644 --- a/sepolicy/device.te +++ b/sepolicy/device.te @@ -1,16 +1,8 @@ -type wlan_device, dev_type; - -type diag_device, dev_type; - # Kickstart device used by QC qcks type kickstart_device, dev_type; -# SMD device, used by hci_qcomm_init -type smd_device, dev_type; - # Radio related block device type efs_block_device, dev_type; -type modem_block_device, dev_type; # Shared memory logger type shared_log_device, dev_type; diff --git a/sepolicy/file.te b/sepolicy/file.te index 137c3b6..d07257f 100644 --- a/sepolicy/file.te +++ b/sepolicy/file.te 
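Review bot: The comment `# Allow reading /dev/graphics` in cameraserver.te heads two rules, and the second, `allow cameraserver camera_socket:dir r_dir_perms;`, concerns the camera socket directory rather than graphics. It needs its own comment, for example `# List the camera socket directory (/dev/socket/qcamera)`. The two `unix_socket_send(...)` calls also gained a trailing `;` that the removed lines did not have, so drop it for consistency with the other macro calls in this policy. The `# for libmmjpeg` rationale on `vendor_file:file execmod` is welcome, but the rule still applies to every file labelled `vendor_file`.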
@@ -1,31 +1,16 @@ -# Qualcomm MSM Interface (QMI) socket -type qmuxd_socket, file_type; -type sensors_socket, file_type, data_file_type, core_data_file_type; -type camera_socket, file_type, data_file_type, core_data_file_type; - -type sensors_data_file, file_type, data_file_type, core_data_file_type; - -type kickstart_data_file, file_type, data_file_type, core_data_file_type; - -type mpdecision_socket, file_type; +type kickstart_data_file, file_type, data_file_type; # Default type for anything under /firmware type radio_efs_file, fs_type, contextmount_type; # Persist firmware types -type persist_file, file_type; -type persist_bluetooth_file, file_type; type persist_camera_file, file_type; -type persist_data_file, file_type; -type persist_drm_file, file_type; type persist_sensors_file, file_type; type persist_wifi_file, file_type; -type firmware_file, file_type; - type sysfs_rmnet, fs_type, sysfs_type; -type sysfs_mpdecision, fs_type, sysfs_type; +type sysfs_soc, sysfs_type, fs_type; type sysfs_surfaceflinger, fs_type, sysfs_type; - -#type for devstart -type sysfs_audio, sysfs_type, fs_type; +type sysfs_rmt_storage, fs_type, sysfs_type; +type sysfs_msm_subsys, fs_type, sysfs_type; +type sensors_vendor_data_file, file_type, data_file_type; diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts index 38a70db..137f09d 100644 --- a/sepolicy/file_contexts +++ b/sepolicy/file_contexts 
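Review bot: file.te keeps `type kickstart_data_file` while the file_contexts part of this commit removes the only visible label for it, `/data/qcks(/.*)?`. Unless the legacy policy supplies that entry, nothing will carry the type and rules written against it are dead. The hunk also deletes `sysfs_audio` and `sysfs_mpdecision`, which genfs_contexts, init-devstart-sh.te, init.te and mpdecision.te still reference, so those declarations must now come from the include added in BoardConfigCommon.mk. A header comment such as `# Types referenced but not declared here are provided by device/qcom/sepolicy-legacy` would make that dependency explicit.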
@@ -1,54 +1,20 @@ -# Used by keystore to access trustzone -/dev/qseecom u:object_r:tee_device:s0 - -# GPS -/dev/gss u:object_r:sensors_device:s0 - -# WLAN -/dev/wcnss_wlan u:object_r:wlan_device:s0 - ###### GPU device (world r/w) -/dev/kgsl-3d0 u:object_r:gpu_device:s0 /dev/kgsl u:object_r:gpu_device:s0 -# Image Rotator Driver -/dev/msm_rotator u:object_r:video_device:s0 - -# Qualcomm MSM Interface (QMI) devices -/dev/socket/qmux_audio(/.*)? u:object_r:qmuxd_socket:s0 -/dev/socket/qmux_bluetooth(/.*)? u:object_r:qmuxd_socket:s0 -/dev/socket/qmux_gps(/.*)? u:object_r:qmuxd_socket:s0 -/dev/socket/qmux_radio(/.*)? u:object_r:qmuxd_socket:s0 - /dev/bcm2079x-i2c u:object_r:nfc_device:s0 -/dev/diag u:object_r:diag_device:s0 +/dev/stune(/.*)? u:object_r:cgroup:s0 # efs block labeling /dev/block/platform/msm_sdcc\.1/by-name/m9kefs[123c] u:object_r:efs_block_device:s0 -# Root block labeling -/dev/block/mmcblk0 u:object_r:root_block_device:s0 -# modemst1, modemst2, fsg, ssd labeling /dev/block/platform/msm_sdcc\.1/by-name/modemst[12] u:object_r:modem_block_device:s0 -/dev/block/platform/msm_sdcc\.1/by-name/fsg u:object_r:modem_block_device:s0 -/dev/block/platform/msm_sdcc\.1/by-name/ssd u:object_r:modem_block_device:s0 -# system and recovery labeling -/dev/block/platform/msm_sdcc\.1/by-name/system u:object_r:system_block_device:s0 -/dev/block/platform/msm_sdcc\.1/by-name/recovery u:object_r:recovery_block_device:s0 -/dev/block/platform/msm_sdcc\.1/by-name/boot u:object_r:boot_block_device:s0 -# cache and userdata labeling -/dev/block/platform/msm_sdcc\.1/by-name/cache u:object_r:cache_block_device:s0 /dev/block/platform/msm_sdcc\.1/by-name/userdata u:object_r:userdata_block_device:s0 # encryption metadata /dev/block/platform/msm_sdcc\.1/by-name/metadata u:object_r:metadata_block_device:s0 -# zram block labeling -/dev/block/zram0 u:object_r:swap_block_device:s0 # CPU governor controls /dev/socket/mpdecision(/.*)? 
u:object_r:mpdecision_socket:s0 ## Radio related -# modem driver -/dev/mdm u:object_r:radio_device:s0 # high speed inter-chip controls /dev/hsicctl[0-3] u:object_r:radio_device:s0 # mux controller @@ -57,28 +23,21 @@ /dev/qmi[0-2] u:object_r:radio_device:s0 # shared memory drivers /dev/smdcntl[0-7] u:object_r:radio_device:s0 -/dev/smd7 u:object_r:radio_device:s0 # Bluetooth shared memory interfaces /dev/smd2 u:object_r:hci_attach_dev:s0 /dev/smd3 u:object_r:hci_attach_dev:s0 # Default label for shared memory drivers /dev/smd([0-9])+ u:object_r:smd_device:s0 -/dev/smem_log u:object_r:shared_log_device:s0 # Serial console /dev/ttyHS0 u:object_r:hci_attach_dev:s0 -/dev/ttyMSM0 u:object_r:hci_attach_dev:s0 # Serial-to-Usb support /dev/ttyUSB0 u:object_r:radio_device:s0 # Jpeg Engine support /dev/gemini.* u:object_r:video_device:s0 -# MSM camera related -/dev/v4l-subdev.* u:object_r:video_device:s0 -/dev/msm_camera(/.*)? u:object_r:camera_device:s0 -/dev/media([0-9])+ u:object_r:camera_device:s0 # Qualcomm MSM Audio devices /dev/msm_acdb u:object_r:audio_device:s0 @@ -90,15 +49,9 @@ /dev/msm_aac.* u:object_r:audio_device:s0 # MSM Dedicated Sensors Processor Subsystem -/dev/msm_dsps u:object_r:sensors_device:s0 # Sensors shared Memory Packet Interface /dev/smd_sns_dsps u:object_r:sensors_device:s0 -/dev/cpu_dma_latency u:object_r:power_control_device:s0 - -/dev/ks_hsic_bridge u:object_r:kickstart_device:s0 -/dev/efs_hsic_bridge u:object_r:kickstart_device:s0 - /system/vendor/bin/qcks u:object_r:kickstart_exec:s0 /system/vendor/bin/efsks u:object_r:kickstart_exec:s0 /system/vendor/bin/ks u:object_r:kickstart_exec:s0 
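Review bot: The first file_contexts hunk removes the labels for `/dev/qseecom`, `/dev/diag`, `/dev/block/mmcblk0` and the system, boot, recovery and cache partitions without adding replacements. If the included legacy policy does not label the same paths (not visible here), these nodes fall back to the generic device labels and every rule written against `tee_device`, `diag_device` or the partition types stops matching. It is worth confirming on a booted build with `ls -Z` that each removed path still resolves to its specific type. The added `/dev/stune(/.*)?` entry has no comment; `# schedtune cgroup mount` above it would explain the `cgroup` label.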
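Review bot: In the `@@ -90,15 +49,9 @@` hunk the heading `# MSM Dedicated Sensors Processor Subsystem` is left with no entry under it once `/dev/msm_dsps` is removed. The comments in sensors.te and the new hal_sensors_default.te still name `/dev/msm_dsps` as the node behind `sensors_device`. Either delete the orphaned heading or keep the entry, so that the comments in the `.te` files still point at a labelled path.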
@@ -106,13 +59,11 @@ /data/cam_socket[0-9] u:object_r:camera_socket:s0 /data/app/sensor_ctl_socket u:object_r:sensors_socket:s0 +/dev/socket/qcamera(/.*)? u:object_r:camera_socket:s0 +/dev/socket/sensors(/.*)? u:object_r:sensors_socket:s0 -/data/nfc(/.*)? u:object_r:nfc_data_file:s0 -/data/qcks(/.*)? u:object_r:kickstart_data_file:s0 -/data/misc/sensors(/.*)? u:object_r:sensors_data_file:s0 -/data/system/sensors(/.*)? u:object_r:sensors_data_file:s0 +/data/vendor/sensors(/.*)? u:object_r:sensors_vendor_data_file:s0 /data/misc/playready(/.*)? u:object_r:drm_data_file:s0 -/data/fdAlbum u:object_r:camera_data_file:s0 /system/vendor/bin/hci_qcomm_init u:object_r:hci_attach_exec:s0 /system/vendor/bin/bdAddrLoader u:object_r:bluetooth_loader_exec:s0 @@ -134,15 +85,10 @@ /system/vendor/bin/init\.qcom\.devstart\.sh u:object_r:init-qcom-devstart-sh_exec:s0 /system/vendor/bin/init\.qcom\.devwait\.sh u:object_r:init-qcom-devwait-sh_exec:s0 +#/(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.3-service\.clearkey u:object_r:hal_drm_clearkey_exec:s0 + # Persist firmware filesystem -/persist(/.*)? u:object_r:persist_file:s0 -/persist/bluetooth(/.*)? u:object_r:persist_bluetooth_file:s0 /persist/camera_calibration(/.*)? u:object_r:persist_camera_file:s0 -/persist/data(/.*)? u:object_r:persist_data_file:s0 -/persist/sensors(/.*)? u:object_r:persist_sensors_file:s0 /persist/playready(/.*)? u:object_r:persist_drm_file:s0 /persist/widevine(/.*)? u:object_r:persist_drm_file:s0 /persist/wifi(/.*)? u:object_r:persist_wifi_file:s0 - -# firmware -/firmware(/.*)? u:object_r:firmware_file:s0 diff --git a/sepolicy/fsck.te b/sepolicy/fsck.te new file mode 100644 index 0000000..450f6c2 --- /dev/null +++ b/sepolicy/fsck.te @@ -0,0 +1,2 @@ +allow fsck self:capability dac_override; +allow fsck tmpfs:blk_file getattr; diff --git a/sepolicy/genfs_contexts b/sepolicy/genfs_contexts index 397f21d..4a8b85a 100644 --- a/sepolicy/genfs_contexts +++ b/sepolicy/genfs_contexts 
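Review bot: The context lines `/data/cam_socket[0-9]` and `/data/app/sensor_ctl_socket` stay in file_contexts although this commit moves both sockets under `/dev/socket` (the new `qcamera` and `sensors` entries) and removes the rules that let the daemons create them in /data. Leaving the old entries keeps `camera_socket` and `sensors_socket` attached to paths in /data that nothing should create any more. I would delete them in the same change, or add a comment saying which component still uses the /data locations.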
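Review bot: The `@@ -134,15 +85,10 @@` hunk drops `/persist/sensors(/.*)?`, while file.te keeps `type persist_sensors_file` and sensors.te still grants `allow sensors persist_sensors_file:file rw_file_perms;`. Unless the legacy policy labels that directory, the files will carry whatever the parent `/persist` label is and the sensors rule will not match. The retained `/persist/playready` and `/persist/widevine` lines have the opposite problem: they use `persist_drm_file`, whose declaration this commit removes from file.te. The commented-out clearkey line should be deleted or given a reason for being disabled.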
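Review bot: `allow fsck self:capability dac_override;` in the new fsck.te lets fsck bypass file permission checks entirely, and the file gives no reason for it. A dac_override denial usually points at an ownership or mode problem on the path being opened, which is better fixed there, or with the narrower `dac_read_search` if only read access is needed. If the capability is really required, add a comment naming the path involved, for example `# fsck opens <path> owned by <owner> (placeholder, fill in from the denial)`. `allow fsck tmpfs:blk_file getattr;` likewise needs a note on which node is being stat'ed.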
@@ -7,4 +7,28 @@ genfscon sysfs /module/pm_8x60/modes u:object genfscon sysfs /devices/virtual/graphics/fb1/format_3d u:object_r:sysfs_surfaceflinger:s0 genfscon sysfs /devices/virtual/graphics/fb1/hpd u:object_r:sysfs_surfaceflinger:s0 genfscon sysfs /kernel/boot_adsp/boot u:object_r:sysfs_audio:s0 +#genfscon sysfs /devices/platform/msm_sdcc.1/mmc_host/mmc0/mmc0:0001/rev u:object_r:sysfs_disk_stat:s0 +#genfscon sysfs /devices/platform/msm_sdcc.1/mmc_host/mmc0/mmc0:0001/block/mmcblk0/stat u:object_r:sysfs_disk_stat:s0 +genfscon sysfs /devices/system/soc/soc0 u:object_r:sysfs_soc:s0 +# remote storage +genfscon sysfs /class/uio u:object_r:sysfs_rmt_storage:s0 +genfscon sysfs /devices/platform/msm_sharedmem/uio u:object_r:sysfs_rmt_storage:s0 + +# graphics +genfscon sysfs /devices/platform/kgsl-3d0.0/kgsl/kgsl-3d0/gpuclk u:object_r:sysfs_graphics:s0 +genfscon sysfs /devices/platform/kgsl-3d0.0/kgsl/kgsl-3d0/max_gpuclk u:object_r:sysfs_graphics:s0 +genfscon sysfs /devices/platform/kgsl-3d0.0/kgsl/kgsl-3d0/reset_count u:object_r:sysfs_graphics:s0 +genfscon sysfs /devices/virtual/graphics/fb0 u:object_r:sysfs_graphics:s0 +genfscon sysfs /devices/virtual/graphics/fb1 u:object_r:sysfs_graphics:s0 + +# thermald +genfscon sysfs /devices/platform/msm_ssbi.0/pm8921-core/pm8xxx-adc/batt_therm u:object_r:sysfs_thermal:s0 +genfscon sysfs /module/msm_thermal u:object_r:sysfs_thermal:s0 + +# lights +genfscon sysfs /devices/platform/msm_fb.591617/leds/lcd-backlight u:object_r:sysfs_leds:s0 +genfscon sysfs /devices/platform/msm_ssbi.0/pm8921-core/pm8xxx-led u:object_r:sysfs_leds:s0 + +# Networking +genfscon sysfs /devices/platform/msm_hsic_host/usb1/1-1/1-1:1.5/net/rmnet_usb0/mtu u:object_r:sysfs_net:s0 diff --git a/sepolicy/hal_camera_default.te b/sepolicy/hal_camera_default.te new file mode 100644 index 0000000..04941e1 --- /dev/null +++ b/sepolicy/hal_camera_default.te 
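Review bot: `genfscon sysfs /class/uio u:object_r:sysfs_rmt_storage:s0` labels the whole UIO class directory with a type named for remote storage, while rmt.te in this commit is also granted access to `sysfs_uio`. It is unclear from the diff which label the nodes are meant to carry. If only the shared-memory UIO device is intended, the `/devices/platform/msm_sharedmem/uio` entry on its own is the narrower choice. The two commented-out `sysfs_disk_stat` lines should be removed or given a comment saying why they are disabled.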
@@ -0,0 +1,9 @@ +vndbinder_use(hal_camera_default); + +# Text relocations in libmmjpeg +allow hal_camera_default vendor_file:file execmod; + +allow hal_camera_default hal_graphics_mapper_hwservice:hwservice_manager find; +allow hal_camera_default camera_socket:dir search; + +unix_socket_send(hal_camera_default, camera, camera) diff --git a/sepolicy/hal_graphics_allocator_default.te b/sepolicy/hal_graphics_allocator_default.te new file mode 100644 index 0000000..3e18c96 --- /dev/null +++ b/sepolicy/hal_graphics_allocator_default.te @@ -0,0 +1,2 @@ +allow hal_graphics_allocator_default graphics_device:chr_file rw_file_perms; +allow hal_graphics_allocator_default graphics_device:dir search; diff --git a/sepolicy/hal_light_default.te b/sepolicy/hal_light_default.te new file mode 100644 index 0000000..30f6408 --- /dev/null +++ b/sepolicy/hal_light_default.te @@ -0,0 +1 @@ +allow hal_light_default sysfs_leds:file rw_file_perms; diff --git a/sepolicy/hal_nfc_default.te b/sepolicy/hal_nfc_default.te new file mode 100644 index 0000000..f8f829f --- /dev/null +++ b/sepolicy/hal_nfc_default.te @@ -0,0 +1,2 @@ +allow hal_nfc_default nfc_data_file:dir create_dir_perms; +allow hal_nfc_default nfc_data_file:file create_file_perms; diff --git a/sepolicy/hal_sensors_default.te b/sepolicy/hal_sensors_default.te new file mode 100644 index 0000000..da2cf9b --- /dev/null +++ b/sepolicy/hal_sensors_default.te @@ -0,0 +1,13 @@ +unix_socket_connect(hal_sensors_default, sensors, sensors) + +# Read /dev/socket/sensors/ctl +allow hal_sensors_default sensors_socket:sock_file read; + +# Monitor /dev/socket/sensors +allow hal_sensors_default sensors_socket:dir { search read }; + +# Read directories under /data/vendor/sensors +allow hal_sensors_default sensors_vendor_data_file:dir search; + +# Read sensor nodes (/dev/msm_dsps) +allow hal_sensors_default sensors_device:chr_file read; diff --git a/sepolicy/hci_attach.te b/sepolicy/hci_attach.te index 4fd2a50..eebf2b5 100644 
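Review bot: `allow hal_camera_default vendor_file:file execmod;` permits text relocations in any file labelled `vendor_file`, not only in libmmjpeg as the comment says. Giving that one library its own file type in file_contexts and granting `execmod` on that type would limit the exception to the blob that needs it. `vndbinder_use(hal_camera_default);` also carries a trailing `;` that the `unix_socket_send(...)` call at the end of the same file does not; use one form throughout.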
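Review bot: hal_nfc_default.te grants create access on `nfc_data_file` for both directories and files, while the file_contexts part of this commit removes the `/data/nfc(/.*)?` entry. The file does not say which directory the HAL writes to. Add a comment naming the path. If the path is under /data/vendor, a vendor-specific type would be a cleaner target than the platform `nfc_data_file` type, and such cross-partition data access is the kind of rule the ignored neverallow checks would normally flag.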
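Review bot: Two comments in hal_sensors_default.te do not match their rules. `# Read directories under /data/vendor/sensors` sits above a rule that grants only `search`, so either the comment should say "traverse" or the rule should use `r_dir_perms`. `# Read sensor nodes (/dev/msm_dsps)` names a path whose file_contexts entry this commit removes; the remaining `sensors_device` entry visible in the diff is `/dev/smd_sns_dsps`.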
--- a/sepolicy/hci_attach.te +++ b/sepolicy/hci_attach.te @@ -5,4 +5,5 @@ allow hci_attach kernel:system module_request; allow hci_attach hci_attach_dev:chr_file rw_file_perms; allow hci_attach bluetooth_efs_file:dir r_dir_perms; allow hci_attach bluetooth_efs_file:file r_file_perms; +r_dir_file(hci_attach, bluetooth_prop) diff --git a/sepolicy/healthd.te b/sepolicy/healthd.te new file mode 100644 index 0000000..db2b956 --- /dev/null +++ b/sepolicy/healthd.te @@ -0,0 +1 @@ +allow healthd sysfs:file rw_file_perms; diff --git a/sepolicy/hostapd.te b/sepolicy/hostapd.te index 6b6462e..f7a4b92 100644 --- a/sepolicy/hostapd.te +++ b/sepolicy/hostapd.te @@ -1,3 +1,3 @@ # Reading from /persist/wifi/.macaddr -#allow hostapd persist_file:dir r_dir_perms; -#r_dir_file(hostapd, persist_wifi_file) +allow hostapd persist_file:dir r_dir_perms; +r_dir_file(hostapd, persist_wifi_file) diff --git a/sepolicy/init-devstart-sh.te b/sepolicy/init-devstart-sh.te index 6702afc..ce9e432 100644 --- a/sepolicy/init-devstart-sh.te +++ b/sepolicy/init-devstart-sh.te @@ -13,3 +13,4 @@ set_prop(init-qcom-devstart-sh, system_prop) # Set boot_adsp and boot_slpi to 1 allow init-qcom-devstart-sh sysfs_audio:file w_file_perms; +allow init-qcom-devstart-sh sysfs_boot_adsp:file w_file_perms; diff --git a/sepolicy/init.te b/sepolicy/init.te index 33cbf02..465e6ca 100644 --- a/sepolicy/init.te +++ b/sepolicy/init.te @@ -1,2 +1,24 @@ allow init diag_device:chr_file unlink; -allow init tmpfs:lnk_file create_file_perms; +allow init sysfs_mmc_host:file rw_file_perms; +allow init sysfs:file { rw_file_perms setattr }; + +# Symlink /sdcard to backing block +allow init tmpfs:lnk_file create; + +allow init { + sysfs_devices_system_cpu + sysfs_livedisplay_tuneable + sysfs_mpdecision + sysfs_msm_subsys + sysfs_net +}:file w_file_perms; + +allow init { + proc_slabinfo + sysfs_graphics + sysfs_msm_subsys + sysfs_rmnet + sysfs_surfaceflinger + sysfs_usb + sysfs_wlan_fwpath +}:file setattr; 
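Review bot: `r_dir_file(hci_attach, bluetooth_prop)` applies the file-tree macro to a property type. Reading a property is normally written `get_prop(hci_attach, bluetooth_prop)`, which grants only the file permissions needed on the property area and no directory or symlink access. The same pattern appears in the mediacodec.te hunk as `r_dir_file(mediacodec, camera_prop)` and should change the same way. hci_attach.te starts outside the hunk.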
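Review bot: `allow healthd sysfs:file rw_file_perms;` in the new healthd.te gives healthd write access to every sysfs node that has no specific label. This commit already introduces per-node labels in genfs_contexts for thermal and LED nodes; the battery and charger nodes healthd needs could be labelled the same way and the rule granted on that type. If the denials were only for reads, `r_file_perms` is enough. A comment naming the nodes would document the rule either way.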
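Review bot: The rule added to init-devstart-sh.te targets `sysfs_boot_adsp`, but genfs_contexts in this tree still labels `/kernel/boot_adsp/boot` as `sysfs_audio`, and the `# Set boot_adsp and boot_slpi to 1` comment now covers both rules. If the legacy policy relabels that node to `sysfs_boot_adsp`, the local genfscon line and the `sysfs_audio` rule are leftovers. If it does not, the new rule matches nothing. Keep whichever pair agrees with the label actually seen on the device.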
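Review bot: `allow init sysfs:file { rw_file_perms setattr };` in init.te is added without a comment and covers all generically labelled sysfs files, whereas the two typed lists below it show the intent to grant per-label access. It may also duplicate what core policy already gives init. I would either drop it or add a comment listing the unlabelled nodes that init.rc writes, so they can be labelled later. The narrowing of `tmpfs:lnk_file` from `create_file_perms` to `create` is a good change.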
diff --git a/sepolicy/irsc_util.te b/sepolicy/irsc_util.te index 1bb2daf..1c47798 100644 --- a/sepolicy/irsc_util.te +++ b/sepolicy/irsc_util.te @@ -1,8 +1,2 @@ -# irsc_util (used to configure IPC Router with security rules for QMI services) -type irsc_util, domain, device_domain_deprecated; -type irsc_util_exec, exec_type, file_type; - -init_daemon_domain(irsc_util) - allow irsc_util self:socket create_socket_perms; allowxperm irsc_util self:socket ioctl msm_sock_ipc_ioctls; diff --git a/sepolicy/mediacodec.te b/sepolicy/mediacodec.te index 2642401..d83220e 100644 --- a/sepolicy/mediacodec.te +++ b/sepolicy/mediacodec.te @@ -1,2 +1,2 @@ allow mediacodec audio_device:chr_file rw_file_perms; - +r_dir_file(mediacodec, camera_prop) diff --git a/sepolicy/mpdecision.te b/sepolicy/mpdecision.te index b9d9375..33fc43f 100644 --- a/sepolicy/mpdecision.te +++ b/sepolicy/mpdecision.te @@ -1,13 +1,6 @@ -# CPU governor (root process) -type mpdecision, domain, device_domain_deprecated; -type mpdecision_exec, exec_type, file_type; - # DAC overrides -#allow mpdecision self:capability dac_override; -#auditallow mpdecision self:capability dac_override; - -# Started by init -init_daemon_domain(mpdecision) +allow mpdecision self:capability dac_override; +auditallow mpdecision self:capability dac_override; # CPU hotplug uevent to manage cores allow mpdecision self:netlink_kobject_uevent_socket { create setopt bind read }; 
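Review bot: Un-commenting `allow mpdecision self:capability dac_override;` in mpdecision.te lets a root daemon bypass file permission checks, and the `# DAC overrides` heading does not say which path needs it. The accompanying `auditallow` is useful because each use gets logged, so the log should show the file involved; fixing that file's owner or mode in init.rc would remove the need for the capability. Until then, a comment such as `# TODO: remove once <path> ownership is fixed (placeholder)` would mark the rule as temporary. The hunk also removes `init_daemon_domain(mpdecision)`, so the transition must now come from the included policy.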
@@ -29,13 +22,6 @@ allow mpdecision sysfs_devices_system_cpu:file rw_file_perms; allow mpdecision sysfs_mpdecision:dir r_dir_perms; allow mpdecision sysfs_mpdecision:file rw_file_perms; -# Some files in /sys/devices/system/cpu may pop in and out of existance, -# defeating our attempt to label them. As a result, they could have the -# sysfs label, not the sysfs_devices_system_cpu label. -# Allow write access for now until we figure out a better solution. -# For example, the following files pop in and out of existance: -# /sys/devices/system/cpu/cpu1/cpufreq/cpuinfo_min_freq -# /sys/devices/system/cpu/cpu1/cpufreq/scaling_min_freq allow mpdecision sysfs:file write; # This is needed to allow mpdecision to look at system_server's diff --git a/sepolicy/netmgrd.te b/sepolicy/netmgrd.te index 5551a37..7c30a5d 100644 --- a/sepolicy/netmgrd.te +++ b/sepolicy/netmgrd.te @@ -1,10 +1,3 @@ -# Network utilities (radio process) -type netmgrd, domain, device_domain_deprecated; -type netmgrd_exec, exec_type, file_type; - -# Started by init -init_daemon_domain(netmgrd) - # Starts as (root,radio) changes to (radio,radio) allow netmgrd self:capability { setuid setgid net_admin net_raw }; diff --git a/sepolicy/priv_app.te b/sepolicy/priv_app.te index c73e10c..e0a4383 100644 --- a/sepolicy/priv_app.te +++ b/sepolicy/priv_app.te @@ -1,2 +1,4 @@ allow priv_app device:dir r_dir_perms; allowxperm priv_app self:udp_socket ioctl { SIOCGIWESSID }; +dontaudit priv_app proc_interrupts:file { open read }; +dontaudit priv_app sysfs_android_usb:file open; diff --git a/sepolicy/property_contexts b/sepolicy/property_contexts index 6b2dc61..2667358 100644 --- a/sepolicy/property_contexts +++ b/sepolicy/property_contexts @@ -1,2 +1 @@ ctl.rmt_storage u:object_r:ctl_rmt_prop:s0 -ctl.mpdecision u:object_r:ctl_mpdecision:s0 diff --git a/sepolicy/rmt.te b/sepolicy/rmt.te index 26dce40..44dfc4e 100644 --- a/sepolicy/rmt.te +++ b/sepolicy/rmt.te 
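Review bot: This mpdecision.te hunk deletes the seven-line explanation but keeps the rule it justified, `allow mpdecision sysfs:file write;`, so the broad write on generic sysfs now stands without a stated reason. Either keep a short form of the comment, for example `# cpuN/cpufreq nodes appear on hotplug and may carry the generic sysfs label`, or drop the rule if those nodes are now reliably labelled `sysfs_devices_system_cpu`. The file continues outside the hunk.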
@@ -14,6 +14,7 @@ allow rmt block_device:dir r_dir_perms; # Allow reads/writes to modem related block devices allow rmt modem_block_device:blk_file rw_file_perms; +allow rmt smem_log_device:chr_file rw_file_perms; # Allow shared memory logging access allow rmt shared_log_device:chr_file rw_file_perms; @@ -28,9 +29,15 @@ wakelock_use(rmt) # Allow access to /dev/uio0. allow rmt uio_device:chr_file rw_file_perms; +allow rmt smem_log_device:chr_file rw_file_perms; +allow rmt sysfs_uio:dir r_dir_perms; + +allow rmt modem_efs_partition_device:blk_file rw_file_perms; +allow rmt ssd_device:blk_file rw_file_perms; + # rmt_storage shuts itself down if there is an unknown value of ro.baseband set_prop(rmt, ctl_rmt_prop) # Access to sysfs -allow rmt sysfs:file { open append read getattr write }; -#allow rmt sysfs:dir rw_dir_perms; +r_dir_file(rmt, sysfs_rmt_storage) +r_dir_file(rmt, sysfs_uio) diff --git a/sepolicy/sensors.te b/sepolicy/sensors.te index d3c971a..0641993 100644 --- a/sepolicy/sensors.te +++ b/sepolicy/sensors.te 
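Review bot: `allow rmt smem_log_device:chr_file rw_file_perms;` is added twice in rmt.te, once in the `@@ -14,6 +14,7 @@` hunk between the modem block device rule and the shared-logging comment, and again in the `@@ -28,9 +29,15 @@` hunk under `# Allow access to /dev/uio0.`. Keep one copy, placed under `# Allow shared memory logging access` where it belongs. The new `modem_efs_partition_device` and `ssd_device` block-device rules have no comment; since the file_contexts part of this commit removes the local labels for the fsg and ssd partitions, a line stating which partitions these types cover would help. Replacing the generic `sysfs:file` access with `r_dir_file` on specific types is a good tightening.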
@@ -1,31 +1,14 @@ -# Integrated qualcomm sensor process -type sensors, domain, device_domain_deprecated; -type sensors_exec, exec_type, file_type; - # Started by init init_daemon_domain(sensors) -# Change own perms to (nobody,nobody) -allow sensors self:capability { setuid setgid }; -# Chown /data/misc/sensors/debug/ to nobody -allow sensors self:capability chown; -dontaudit sensors self:capability fsetid; - -# Access /data/misc/sensors/debug and /data/system/sensors/settings -#allow sensors self:capability { dac_read_search dac_override }; - -# Create /data/app/sensor_ctl_socket (Might want to change location). -type_transition sensors apk_data_file:sock_file sensors_socket "sensor_ctl_socket"; +# Create /dev/socket/sensors/ctl +allow sensors sensors_socket:dir w_dir_perms; allow sensors sensors_socket:sock_file create_file_perms; -# Trying to be restrictive with perms on apk_data_file -allow sensors apk_data_file:dir { add_name write }; -# Socket can be deleted. So might have to keep in order to work. -allow sensors apk_data_file:dir remove_name; # Create directories and files under /data/misc/sensors # and /data/system/sensors. Allow generic r/w file access. -allow sensors sensors_data_file:dir create_dir_perms; -allow sensors sensors_data_file:file create_file_perms; +allow sensors sensors_vendor_data_file:dir create_dir_perms; +allow sensors sensors_vendor_data_file:file create_file_perms; # Access sensor nodes (/dev/msm_dsps) allow sensors sensors_device:chr_file rw_file_perms; @@ -41,4 +24,5 @@ allow sensors persist_sensors_file:file rw_file_perms; # Wake lock access wakelock_use(sensors) -allow sensors cgroup:dir { create add_name }; +allow sensors sysfs_soc:dir r_dir_perms; +allow sensors sysfs_soc:file r_file_perms; diff --git a/sepolicy/surfaceflinger.te b/sepolicy/surfaceflinger.te index 6d10487..9b1b457 100644 --- a/sepolicy/surfaceflinger.te +++ b/sepolicy/surfaceflinger.te 
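Review bot: The context comment `# Create directories and files under /data/misc/sensors # and /data/system/sensors` in sensors.te now sits above rules for `sensors_vendor_data_file`, which file_contexts maps to `/data/vendor/sensors`; update it to `# Create directories and files under /data/vendor/sensors`. The hunk also removes the `type sensors` declarations but keeps `init_daemon_domain(sensors)`, unlike mpdecision.te, netmgrd.te and irsc_util.te where both were removed, so it is worth checking that the transition is not declared twice. Removing `setuid`, `setgid` and `chown` is a good reduction, provided the daemon no longer drops privileges itself.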
@@ -1 +1,3 @@ allow surfaceflinger sysfs_surfaceflinger:file rw_file_perms; +allow surfaceflinger sysfs_soc:dir r_dir_perms; +allow surfaceflinger sysfs_soc:file r_file_perms; diff --git a/sepolicy/system_server.te b/sepolicy/system_server.te index 098cb7f..78bdbee 100644 --- a/sepolicy/system_server.te +++ b/sepolicy/system_server.te @@ -7,6 +7,10 @@ unix_socket_connect(system_server, sensors, sensors) unix_socket_send(system_server, sensors, sensors) allow system_server sensors:unix_stream_socket sendto; allow system_server sensors_socket:sock_file r_file_perms; +allow system_server sensors_socket:dir r_dir_perms; + +allow system_server persist_file:dir r_dir_perms; +allow system_server sensors_device:chr_file rw_file_perms; # mpdecision socket access unix_socket_connect(system_server, mpdecision, mpdecision) @@ -14,13 +18,13 @@ unix_socket_send(system_server, mpdecision, mpdecision) allow system_server mpdecision:unix_stream_socket sendto; allow system_server mpdecision_socket:dir search; -# Read /data/misc/sensors or /data/system/sensors. -allow system_server sensors_data_file:dir r_dir_perms; -allow system_server sensors_data_file:file r_file_perms; - -allow system_server persist_file:dir r_dir_perms; -allow system_server sensors_device:chr_file rw_file_perms; - # use MSM ipc router ioctls allow system_server self:socket ioctl; allowxperm system_server self:socket ioctl msm_sock_ipc_ioctls; + +allow system_server sensors_data_file:dir search; +allow system_server sensors_data_file:dir r_file_perms; + +allow system_server sensors_socket:sock_file getattr; + +allow system_server thermal_service:service_manager find; diff --git a/sepolicy/te_macros b/sepolicy/te_macros deleted file mode 100644 index 68100e2..0000000 --- a/sepolicy/te_macros +++ /dev/null 
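Review bot: `allow system_server sensors_data_file:dir r_file_perms;` at the end of system_server.te pairs the `dir` class with the file permission set. The lines it replaces were `:dir r_dir_perms` and `:file r_file_perms`, so the second rule was presumably meant to be `allow system_server sensors_data_file:file r_file_perms;`. Separately, this commit removes `type sensors_data_file` from file.te and both of its file_contexts entries in favour of `sensors_vendor_data_file`, so these rules may target a type that nothing is labelled with any more. The added `sensors_socket:sock_file getattr` is already covered by the existing `sensors_socket:sock_file r_file_perms` context line.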
@@ -1,13 +0,0 @@ -##################################### -# qmux_socket(clientdomain) -# Allow client domain to connecto and send -# via a local socket to the qmux domain. -# Also allow the client domain to remove -# its own socket. -define(`qmux_socket', ` -type $1_qmuxd_socket, file_type; -file_type_auto_trans($1, qmuxd_socket, $1_qmuxd_socket) -allow $1 qmuxd_socket:dir remove_name; -unix_socket_connect($1, qmuxd, qmux) -allow qmux $1_qmuxd_socket:sock_file { getattr unlink }; -') diff --git a/sepolicy/thermald.te b/sepolicy/thermald.te index 90af8d6..1fdf14c 100644 --- a/sepolicy/thermald.te +++ b/sepolicy/thermald.te 
@@ -1,39 +1,47 @@ # Temperature sensor daemon (root process) -type thermald, domain, device_domain_deprecated; +type thermald, domain; type thermald_exec, exec_type, file_type; # Started by init init_daemon_domain(thermald) -# DAC overrides -#allow thermald self:capability dac_override; -#auditallow thermald self:capability dac_override; - allow thermald self:socket create_socket_perms; allowxperm thermald self:socket ioctl msm_sock_ipc_ioctls; # CPU hotplug uevent -allow thermald self:netlink_kobject_uevent_socket { create setopt bind read }; +allow thermald self:netlink_kobject_uevent_socket { create getopt setopt bind read }; allow thermald self:capability net_admin; # Talk to qmuxd (/dev/socket/qmux_radio) qmux_socket(thermald) # Access shared logger (/dev/smem_log) -allow thermald shared_log_device:chr_file rw_file_perms; +allow thermald smem_log_device:chr_file rw_file_perms; -# Access /sys/devices/system/cpu/ -allow thermald sysfs_devices_system_cpu:file rw_file_perms; +# Allow writing in /sys/devices/system/cpu +allow thermald sysfs_devices_system_cpu:file w_file_perms; -# Some files in /sys/devices/system/cpu may pop in and out of existance, -# defeating our attempt to label them. As a result, they could have the -# sysfs label, not the sysfs_devices_system_cpu label. -# Allow write access for now until we figure out a better solution. 
-# For example, the following files pop in and out of existance: -# /sys/devices/system/cpu/cpu1/cpufreq/cpuinfo_min_freq -# /sys/devices/system/cpu/cpu1/cpufreq/scaling_min_freq -allow thermald sysfs:file write; +# Access leds +allow thermald sysfs_leds:file rw_file_perms; +allow thermald sysfs_leds:dir r_dir_perms; + +# Allow accessing thermal related sysfs nodes +allow thermald sysfs_thermal:file rw_file_perms; +allow thermald sysfs_thermal:dir r_dir_perms; + +# Read the /sys/devices/virtual folder +allow thermald sysfs:dir r_dir_perms; +allow thermald sysfs:file r_file_perms; + +# Access graphics related sysfs nodes +allow thermald sysfs_graphics:file rw_file_perms; + +# Access /sys/devices/system/soc/soc0 +r_dir_file(thermald, sysfs_socinfo) # Connect to mpdecision. allow thermald mpdecision_socket:dir r_dir_perms; unix_socket_connect(thermald, mpdecision, mpdecision) + +allow thermald sysfs_soc:dir r_dir_perms; +allow thermald sysfs_soc:file r_file_perms; diff --git a/sepolicy/ueventd.te b/sepolicy/ueventd.te index e82337d..38d9351 100644 --- a/sepolicy/ueventd.te +++ b/sepolicy/ueventd.te @@ -1,2 +1,3 @@ allow ueventd { radio_efs_file wifi_data_file }:dir search; allow ueventd { radio_efs_file wifi_data_file }:file r_file_perms; +allow ueventd self:capability sys_nice;
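Review bot: `r_dir_file(thermald, sysfs_socinfo)` is commented as access to `/sys/devices/system/soc/soc0`, but genfs_contexts in this commit labels that path `sysfs_soc`, and the hunk ends by granting `sysfs_soc` dir and file read as well. One of the two is redundant, and keeping only the `sysfs_soc` pair under the soc0 comment would match the labelling. The new `allow thermald sysfs:file r_file_perms;` is described as reading `/sys/devices/virtual` but applies to all generically labelled sysfs files. The `# Access shared logger (/dev/smem_log)` comment now sits above `smem_log_device` while device.te still declares `shared_log_device`; confirm which type the node carries.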