gts3l-common: sepolicy: Update SEPolicy for Android S

Roughly addressed the denials Signed-off-by: Deokgyu Yang <secugyu@gmail.com> Change-Id: I0d761dca3e17d9f16fab9edf947e593fe8a66f34
2022-03-16 00:10:37 +09:00 · 2022-03-16 00:10:37 +09:00 · 6eb142080f
commit 6eb142080f
parent 2962f3cc14
13 changed files with 48 additions and 3 deletions
--- a/sepolicy/hal_audio_default.te
+++ b/sepolicy/hal_audio_default.te
@ -12,6 +12,7 @@ allow hal_audio_default vendor_audiopcm_data_file:file create_file_perms;

 allow hal_audio_default vendor_log_file:dir r_dir_perms;

+allow hal_audio_default audio_prop:file { getattr open read };
 allow hal_audio_default audio_prop:property_service set;

 allow hal_audio_default imei_efs_file:dir search;
--- a/sepolicy/hal_gnss_qti.te
+++ b/sepolicy/hal_gnss_qti.te
@ -15,3 +15,5 @@ allow hal_gnss_qti qmuxd_socket:dir { add_name write };
 allow hal_gnss_qti qmuxd_socket:sock_file { create write };

 allow hal_gnss_qti sysfs:file { getattr open write read };
+
+allow hal_gnss_qti radio_prop:file { getattr open read };
--- a/sepolicy/hal_light_default.te
+++ b/sepolicy/hal_light_default.te
@ -2,3 +2,5 @@ allow hal_light_default sysfs_lcd_writable:dir search;
 allow hal_light_default sysfs_lcd_writable:file { getattr open read write };

 allow hal_light_default sysfs:file { getattr open write };
+
+allow hal_light_default sysfs_touchkey:lnk_file read;
--- a/sepolicy/init.te
+++ b/sepolicy/init.te
@ -6,7 +6,7 @@ allow init dsp_file:dir mounton;
 allow init system_file:file execute_no_trans;
 allow init vendor_file:file execute_no_trans;

-allow init socket_device:sock_file create;
+allow init socket_device:sock_file create_file_perms;

 allow init sysfs_graphics:file { open read write };

@ -30,7 +30,7 @@ allow init self:netlink_socket { create read bind };
 allow init self:tcp_socket { bind create };

 allow init sysfs:dir create;
-allow init sysfs:file { open setattr write open };
+allow init sysfs:file { open setattr write read };

 allow init sysfs_touchkey:lnk_file read;

--- a/sepolicy/location.te
+++ b/sepolicy/location.te
@ -1,3 +1,7 @@
 allow location csc_prop:file { getattr open read };

 allow location sysfs:file { open read };
+
+allow location radio_prop:file { getattr open read };
+
+allow location wifi_hal_prop:file { getattr open read };
--- a/sepolicy/qti_init_shell.te
+++ b/sepolicy/qti_init_shell.te
@ -8,4 +8,6 @@ allow qti_init_shell self:capability dac_override;

 allow qti_init_shell sysfs:file write;

-set_prop(qti_init_shell, ctl_default_prop)
+allow qti_init_shell default_prop:file { getattr open };
+
+set_prop(qti_init_shell, ctl_default_prop)
--- a/sepolicy/rild.te
+++ b/sepolicy/rild.te
@ -9,10 +9,16 @@ allow rild app_efs_file:file { getattr open read };

 allow rild default_android_hwservice:hwservice_manager add;
 allow rild default_prop:property_service set;
+allow rild default_prop:file { getattr open read };

 allow rild imei_efs_file:file { open read setattr getattr write };

 allow rild system_data_file:dir { write add_name };
 allow rild system_data_file:file { create open write setattr };

+allow rild radio_core_data_file:dir { add_name write };
+allow rild radio_core_data_file:file { create open setattr write };
+
+allow rild system_prop:file { getattr open read };
+
 get_prop(rild, csc_prop)
--- a/sepolicy/system_app.te
+++ b/sepolicy/system_app.te
@ -0,0 +1,13 @@
+allow system_app proc_pagetypeinfo:file { getattr open read };
+
+allow system_app sysfs_zram:dir search;
+allow system_app sysfs_zram:file { open read getattr };
+
+allow system_app system_suspend_control_internal_service:service_manager find;
+allow system_app system_suspend_control_service:service_manager find;
+
+allow system_app hal_power_default:binder call;
+
+allow system_app installd:binder call;
+
+allow system_app netd:binder call;
--- a/sepolicy/system_server.te
+++ b/sepolicy/system_server.te
@ -1,5 +1,7 @@
 allow system_server init:binder call;

+allow system_server build_bootimage_prop:file { getattr open read };
+
 allow system_server userspace_reboot_config_prop:file { getattr open read };
 allow system_server userspace_reboot_exported_prop:file { getattr open read };

--- a/sepolicy/thermal-engine.te
+++ b/sepolicy/thermal-engine.te
@ -2,3 +2,5 @@ allow thermal-engine self:capability dac_override;

 allow thermal-engine sysfs:dir { open read };
 allow thermal-engine sysfs:file { getattr open read };
+
+allow thermal-engine system_prop:file { getattr open read };
--- a/sepolicy/time_daemon.te
+++ b/sepolicy/time_daemon.te
@ -1,3 +1,6 @@
 r_dir_file(time_daemon, timeservice_app)

 allow time_daemon sysfs:file { open read };
+
+allow time_daemon tee:dir search;
+allow time_daemon tee:file { open read };
--- a/sepolicy/vendor_init.te
+++ b/sepolicy/vendor_init.te
@ -19,6 +19,9 @@ allow vendor_init system_data_file:dir { add_name create setattr write };
 allow vendor_init tombstone_data_file:dir getattr;
 allow vendor_init emmcblk_device:blk_file getattr;

+allow vendor_init radio_prop:file { getattr open read };
+allow vendor_init radio_prop:property_service set;
+
 set_prop(vendor_init, camera_prop)
 set_prop(vendor_init, config_prop)
 set_prop(vendor_init, csc_prop)
@ -27,3 +30,5 @@ set_prop(vendor_init, receiver_error_prop)
 set_prop(vendor_init, vendor_iop_prop)
 set_prop(vendor_init, vendor_members_prop)
 set_prop(vendor_init, vold_prop)
+
+get_prop(vendor_init, system_prop)
--- a/sepolicy/zygote.te
+++ b/sepolicy/zygote.te
@ -1,2 +1,5 @@
 allow zygote exported_camera_prop:file { getattr open read };
 allow zygote device:file { open write };
+
+allow zygote sysfs:file create_file_perms;
+allow zygote sysfs:dir create_dir_perms;