gts3l-common: sepolicy: Address some denials

This includes crash_dump, gmscore_app, and so on. Signed-off-by: Deokgyu Yang <secugyu@gmail.com> Change-Id: I97496ba8aa380d45c8374e52eba2050a757ec27d
2022-02-09 14:29:27 +09:00 · 2022-02-09 14:29:27 +09:00 · 6d630439d2
commit 6d630439d2
parent 85805b0000
5 changed files with 19 additions and 2 deletions
--- a/sepolicy/crash_dump.te
+++ b/sepolicy/crash_dump.te
@ -0,0 +1,7 @@
+allow crash_dump {
+    exported_camera_prop
+    gpu_device
+    hwservicemanager_prop
+    media_variant_prop
+    resourcecache_data_file
+}:file r_file_perms;
--- a/sepolicy/gmscore_app.te
+++ b/sepolicy/gmscore_app.te
@ -1 +1,7 @@
 binder_call(gmscore_app, hal_memtrack_default);
+
+allow gmscore_app {
+    adbd_prop
+    apexd_prop
+    apk_verity_prop
+}:file r_file_perms;
--- a/sepolicy/hal_wifi_default.te
+++ b/sepolicy/hal_wifi_default.te
@ -1 +1,2 @@
 allow hal_wifi_default vendor_convergence_data_file:file { open read write };
+allow hal_wifi_default proc_net:file write;
--- a/sepolicy/system_server.te
+++ b/sepolicy/system_server.te
@ -4,3 +4,6 @@ allow system_server userspace_reboot_config_prop:file { getattr open read };
 allow system_server userspace_reboot_exported_prop:file { getattr open read };

 allow system_server proc_last_kmsg:file r_file_perms;
+
+allow system_server app_zygote:process getpgid;
+allow system_server system_data_root_file:file r_file_perms;
--- a/sepolicy/tee.te
+++ b/sepolicy/tee.te
@ -41,8 +41,8 @@ allow tee vaultkeeper_efs_file:file rw_file_perms;
 allow tee vendor_data_file:dir create_dir_perms;
 allow tee vendor_data_file:file create_file_perms;

-allow tee gatekeeper_data_file:dir read;
-allow tee gatekeeper_data_file:file getattr;
+allow tee gatekeeper_data_file:dir { read open };
+allow tee gatekeeper_data_file:file { getattr open read write };

 get_prop(tee, hwservicemanager_prop)
 set_prop(tee, vendor_qseecomd_prop)