klte-common: sepolicy updates

* Full rewrite is probably best, but this is good for now Change-Id: I4ef137ffd16892ffa562dffd9e4a88d69f4a780d
2016-10-16 17:04:44 -06:00 · 2016-10-16 17:04:44 -06:00 · 41b04289c2
parent c6102245b7
commit 41b04289c2
10 changed files with 23 additions and 3 deletions
--- a/sepolicy/cameraserver.te
+++ b/sepolicy/cameraserver.te
@ -0,0 +1,7 @@
+allow cameraserver camera_socket:sock_file write;
+allow cameraserver init:unix_stream_socket connectto;
+allow cameraserver property_socket:sock_file write;
+allow cameraserver sysfs_camera:dir search;
+allow cameraserver sysfs_camera:file { open read };
+allow cameraserver system_file:file execmod;
+
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@ -41,9 +41,6 @@
 /efs/gyro_cal_data                                      u:object_r:sensors_efs_file:s0
 /efs/prox_cal                                           u:object_r:sensors_efs_file:s0

-# Thermal
-/system/bin/thermal-engine                              u:object_r:thermal-engine_exec:s0
-
 # WiFi
 /data/.cid.info                                         u:object_r:wifi_data_file:s0
 /data/.wifiver.info                                     u:object_r:wifi_data_file:s0
--- a/sepolicy/fingerprintd.te
+++ b/sepolicy/fingerprintd.te
@ -11,3 +11,4 @@ allow fingerprintd tee_device:chr_file rw_file_perms;
 allow fingerprintd firmware_file:dir r_dir_perms;
 allow fingerprintd firmware_file:file r_file_perms;

+allow fingerprintd vfat:file { getattr open read };
--- a/sepolicy/mediaserver.te
+++ b/sepolicy/mediaserver.te
@ -1,3 +1,4 @@
+allow mediaserver cameraproxy_service:service_manager find;
 allow mediaserver sensorservice_service:service_manager find;
 allow mediaserver sysfs_camera:dir search;
 allow mediaserver sysfs_camera:file { getattr open read };
--- a/sepolicy/mpdecision.te
+++ b/sepolicy/mpdecision.te
@ -0,0 +1,3 @@
+# neverallow is hit for the below rule
+#allow mpdecision self:capability sys_ptrace;
+allow mpdecision system_data_file:sock_file write;
--- a/sepolicy/platform_app.te
+++ b/sepolicy/platform_app.te
@ -0,0 +1,3 @@
+allow platform_app fuseblk:dir { open read remove_name search write };
+allow platform_app fuseblk:file { getattr unlink write };
+
--- a/sepolicy/priv_app.te
+++ b/sepolicy/priv_app.te
@ -0,0 +1,3 @@
+allow priv_app device:dir { open read };
+allow priv_app fuseblk:dir { add_name open read search read write };
+allow priv_app fuseblk:file { create getattr open read write };
--- a/sepolicy/thermal-engine.te
+++ b/sepolicy/thermal-engine.te
--- a/sepolicy/ueventd.te
+++ b/sepolicy/ueventd.te
@ -2,3 +2,5 @@ allow ueventd sysfs_camera:file rw_file_perms;
 allow ueventd sysfs_sec:file rw_file_perms;
 allow ueventd sysfs_vibeamp:file rw_file_perms;
 allow ueventd vcs_device:chr_file create_file_perms;
+allow ueventd vfat:dir search;
+allow ueventd vfat:file { getattr open read };
--- a/sepolicy/untrusted_app.te
+++ b/sepolicy/untrusted_app.te
@ -0,0 +1,3 @@
+# These are safe for an untrusted_app -- they are the external SD card
+allow untrusted_app fuseblk:dir search;
+allow untrusted_app fuseblk:file { getattr read };