From e9d3739c75cece92e6ed15ecccb6c63dd975fbc3 Mon Sep 17 00:00:00 2001
From: followmsi
Date: Fri, 21 Sep 2018 15:41:36 +0200
Subject: [PATCH] sepolicy: Pie (bring up)
---
sepolicy/cameraserver.te | 15 +++++++++++++++
sepolicy/file.te | 8 ++++----
sepolicy/hostapd.te | 4 ++--
sepolicy/mpdecision.te | 4 ++--
sepolicy/rmt.te | 4 ++++
sepolicy/sensors.te | 2 +-
sepolicy/thermald.te | 4 ++--
7 files changed, 30 insertions(+), 11 deletions(-)
diff --git a/sepolicy/cameraserver.te b/sepolicy/cameraserver.te
index 354dbb0..6a502c5 100644
--- a/sepolicy/cameraserver.te
+++ b/sepolicy/cameraserver.te
@@ -1 +1,16 @@
+# Interact with sockets
+unix_socket_send(cameraserver, camera, camera)
+allow cameraserver camera_data_file:sock_file write;
+allow cameraserver property_socket:sock_file { open read write ioctl };
+allow cameraserver init:unix_stream_socket connectto;
+
+#allow cameraserver system_file:file execmod;
 allow cameraserver vendor_file:file execmod;
+allow cameraserver camera_device:chr_file { open read write ioctl };
+allow cameraserver cameraserver:fd use;
+
+# Allow writing to mpdecision
+unix_socket_send(cameraserver, mpdecision, mpdecision)
+
+# Allow access to sysfs
+allow cameraserver sysfs:file { getattr read open };
diff --git a/sepolicy/file.te b/sepolicy/file.te
index c3d93d0..83ce676 100644
--- a/sepolicy/file.te
+++ b/sepolicy/file.te
@@ -1,11 +1,11 @@
 # Qualcomm MSM Interface (QMI) socket
 type qmuxd_socket, file_type;
-type sensors_socket, file_type;
-type camera_socket, file_type;
+type sensors_socket, file_type, data_file_type, core_data_file_type;
+type camera_socket, file_type, data_file_type, core_data_file_type;
-type sensors_data_file, file_type, data_file_type;
+type sensors_data_file, file_type, data_file_type, core_data_file_type;
-type kickstart_data_file, file_type, data_file_type;
+type kickstart_data_file, file_type, data_file_type, core_data_file_type;
 type mpdecision_socket, file_type;
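Review bot: `allow cameraserver vendor_file:file execmod;` (the hunk's context line, with the `system_file` variant now commented out above it) permits text relocations in a vendor library, and to my knowledge AOSP core policy neverallows `execmod` on file types for anything but legacy app domains, so this is likely to be rejected by the Pie policy build unless the library itself is fixed; confirm with the build and at least record which library needs it in a comment. The pair `allow cameraserver property_socket:sock_file { open read write ioctl };` / `allow cameraserver init:unix_stream_socket connectto;` reproduces what `unix_socket_connect(cameraserver, property, init)` grants but adds no `property_service set` on any property type, so it either does nothing useful or should be `set_prop(cameraserver, <prop_type placeholder>)` naming the property actually set. `allow cameraserver cameraserver:fd use;` is presumably already covered by the base `domain` self rules — verify before keeping it. `allow cameraserver sysfs:file { getattr read open };` on the generic `sysfs` label covers every unlabeled sysfs node; a dedicated label for the node cameraserver reads would be narrower.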
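Review bot: `core_data_file_type` is the attribute Pie policy uses for /data files owned by core (system) processes, and the base policy fences it off from domains that are not `coredomain`; if `sensors`, `camera` or `rmt`/kickstart here are vendor-side domains, the four new `type ... core_data_file_type;` lines may trip those neverallows or the denials they are meant to catch — confirm in the build and in denial logs, and consider whether a vendor data attribute is the intended fit. In the same hunk `qmuxd_socket` and `mpdecision_socket` keep only `file_type`, so the socket types are left half-converted; either give them the same attributes or add a comment saying why they differ.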
diff --git a/sepolicy/hostapd.te b/sepolicy/hostapd.te
index f7a4b92..6b6462e 100644
--- a/sepolicy/hostapd.te
+++ b/sepolicy/hostapd.te
@@ -1,3 +1,3 @@
 # Reading from /persist/wifi/.macaddr
-allow hostapd persist_file:dir r_dir_perms;
-r_dir_file(hostapd, persist_wifi_file)
+#allow hostapd persist_file:dir r_dir_perms;
+#r_dir_file(hostapd, persist_wifi_file)
diff --git a/sepolicy/mpdecision.te b/sepolicy/mpdecision.te
index e2c5468..b9d9375 100644
--- a/sepolicy/mpdecision.te
+++ b/sepolicy/mpdecision.te
@@ -3,8 +3,8 @@ type mpdecision, domain, device_domain_deprecated;
 type mpdecision_exec, exec_type, file_type;
 # DAC overrides
-allow mpdecision self:capability dac_override;
-auditallow mpdecision self:capability dac_override;
+#allow mpdecision self:capability dac_override;
+#auditallow mpdecision self:capability dac_override;
 # Started by init
 init_daemon_domain(mpdecision)
diff --git a/sepolicy/rmt.te b/sepolicy/rmt.te
index 595c1d8..48c0531 100644
--- a/sepolicy/rmt.te
+++ b/sepolicy/rmt.te
@@ -30,3 +30,7 @@ allow rmt uio_device:chr_file rw_file_perms;
 # rmt_storage shuts itself down if there is an unknown value of ro.baseband
 set_prop(rmt, ctl_rmt_prop)
+
+# Access to sysfs
+allow rmt sysfs:file { open append read getattr write };
+#allow rmt sysfs:dir rw_dir_perms;
diff --git a/sepolicy/sensors.te b/sepolicy/sensors.te
index 9c0a9c2..d3c971a 100644
--- a/sepolicy/sensors.te
+++ b/sepolicy/sensors.te
@@ -12,7 +12,7 @@ allow sensors self:capability chown;
 dontaudit sensors self:capability fsetid;
 # Access /data/misc/sensors/debug and /data/system/sensors/settings
-allow sensors self:capability { dac_read_search dac_override };
+#allow sensors self:capability { dac_read_search dac_override };
 # Create /data/app/sensor_ctl_socket (Might want to change location).
 type_transition sensors apk_data_file:sock_file sensors_socket "sensor_ctl_socket";
diff --git a/sepolicy/thermald.te b/sepolicy/thermald.te
index 85b62b7..90af8d6 100644
--- a/sepolicy/thermald.te
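Review bot: The header `# Reading from /persist/wifi/.macaddr` now sits above two commented-out rules, so hostapd.te documents an access the policy no longer grants; either delete `#allow hostapd persist_file:dir r_dir_perms;` and `#r_dir_file(hostapd, persist_wifi_file)` (git history keeps them) or replace the header with the reason, e.g. `# /persist/wifi/.macaddr access dropped for Pie bring-up: <reason placeholder>`. If hostapd still reads the MAC file at runtime this will show up as a denial on `persist_wifi_file`, which is worth checking rather than leaving to be discovered later.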
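Review bot: Commenting out `allow mpdecision self:capability dac_override;` and its `auditallow` twin leaves the `# DAC overrides` header describing nothing; since the file is under version control, deleting the two lines or replacing them with a one-line reason reads better than dead rules. The same pattern appears in the sensors.te hunk, where `# Access /data/misc/sensors/debug and /data/system/sensors/settings` remains above the disabled `dac_read_search dac_override` rule, and in the thermald.te hunk. Dropping `dac_override` is the right direction, but the commit message does not say whether the daemons were checked to run without it; a comment stating that the files involved are now owned or labeled so the capability is unneeded would make the removal auditable.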
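Review bot: `allow rmt sysfs:file { open append read getattr write };` grants write and append on every node carrying the generic `sysfs` label, not only the one rmt_storage needs; the usual approach is to give that node its own type (genfscon in the device policy) and allow rmt only on it, which also makes the `# Access to sysfs` comment say which node. The commented-out `#allow rmt sysfs:dir rw_dir_perms;` should be deleted or explained, as a reader cannot tell whether it is pending or rejected. This hunk is the tail of rmt.te; the earlier rules it builds on are outside the hunk.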
+++ b/sepolicy/thermald.te
@@ -6,8 +6,8 @@ type thermald_exec, exec_type, file_type;
 init_daemon_domain(thermald)
 # DAC overrides
-allow thermald self:capability dac_override;
-auditallow thermald self:capability dac_override;
+#allow thermald self:capability dac_override;
+#auditallow thermald self:capability dac_override;
 allow thermald self:socket create_socket_perms;
 allowxperm thermald self:socket ioctl msm_sock_ipc_ioctls;