gts3l-common: sepolicy: Update SEPolicy for Android S
Roughly addressed the denials.
Signed-off-by: Deokgyu Yang <secugyu@gmail.com>
Change-Id: I0d761dca3e17d9f16fab9edf947e593fe8a66f34
This commit is contained in:
parent
2962f3cc14
commit
6eb142080f
13 changed files with 48 additions and 3 deletions
@ -12,6 +12,7 @@ allow hal_audio_default vendor_audiopcm_data_file:file create_file_perms;
allow hal_audio_default vendor_log_file:dir r_dir_perms;
allow hal_audio_default vendor_log_file:dir r_dir_perms;
allow hal_audio_default audio_prop:file { getattr open read };
allow hal_audio_default audio_prop:property_service set;
allow hal_audio_default audio_prop:property_service set;
allow hal_audio_default imei_efs_file:dir search;
allow hal_audio_default imei_efs_file:dir search;
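Review bot: The added `allow hal_audio_default audio_prop:file { getattr open read };` hand-writes the property read access that the platform `get_prop` macro exists for; `get_prop(hal_audio_default, audio_prop)` states the intent and keeps the grant in step with whatever file permissions property reads need on this Android version. The same raw-allow form is used for the property reads added in the hal_gnss_qti, location, qti_init_shell, rild, thermal-engine and vendor_init hunks, and the vendor_init hunk additionally pairs a raw `radio_prop:property_service set` with the file read where `set_prop(vendor_init, radio_prop)` would match the set_prop lines directly below it. The hal_audio_default rule set continues outside the hunk.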
@ -15,3 +15,5 @@ allow hal_gnss_qti qmuxd_socket:dir { add_name write };
allow hal_gnss_qti qmuxd_socket:sock_file { create write };
allow hal_gnss_qti qmuxd_socket:sock_file { create write };
allow hal_gnss_qti sysfs:file { getattr open write read };
allow hal_gnss_qti sysfs:file { getattr open write read };
allow hal_gnss_qti radio_prop:file { getattr open read };
@ -2,3 +2,5 @@ allow hal_light_default sysfs_lcd_writable:dir search;
allow hal_light_default sysfs_lcd_writable:file { getattr open read write };
allow hal_light_default sysfs_lcd_writable:file { getattr open read write };
allow hal_light_default sysfs:file { getattr open write };
allow hal_light_default sysfs:file { getattr open write };
allow hal_light_default sysfs_touchkey:lnk_file read;
@ -6,7 +6,7 @@ allow init dsp_file:dir mounton;
allow init system_file:file execute_no_trans;
allow init system_file:file execute_no_trans;
allow init vendor_file:file execute_no_trans;
allow init vendor_file:file execute_no_trans;
allow init socket_device:sock_file create;
allow init socket_device:sock_file create_file_perms;
allow init sysfs_graphics:file { open read write };
allow init sysfs_graphics:file { open read write };
@ -30,7 +30,7 @@ allow init self:netlink_socket { create read bind };
allow init self:tcp_socket { bind create };
allow init self:tcp_socket { bind create };
allow init sysfs:dir create;
allow init sysfs:dir create;
allow init sysfs:file { open setattr write open };
allow init sysfs:file { open setattr write read };
allow init sysfs_touchkey:lnk_file read;
allow init sysfs_touchkey:lnk_file read;
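Review bot: Widening `allow init socket_device:sock_file create;` to `create_file_perms` in the first init hunk grants more than the single permission the original rule covered (the platform macro also bundles unlink, rename and setattr, as far as I recall its definition), so if the denial was for one missing permission it is better to add just that one. In the second hunk, replacing the duplicated `open` with `read` in `allow init sysfs:file { open setattr write read };` fixes a copy-paste slip, but the rule still targets the generic `sysfs` label; the node init writes should get its own type in genfs_contexts, as `sysfs_touchkey` and `sysfs_graphics` already do, so the write is scoped to that node rather than to everything left labeled `sysfs`. Both hunks sit inside a longer init.te that continues outside the view.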
@ -1,3 +1,7 @@
allow location csc_prop:file { getattr open read };
allow location csc_prop:file { getattr open read };
allow location sysfs:file { open read };
allow location sysfs:file { open read };
allow location radio_prop:file { getattr open read };
allow location wifi_hal_prop:file { getattr open read };
@ -8,4 +8,6 @@ allow qti_init_shell self:capability dac_override;
allow qti_init_shell sysfs:file write;
allow qti_init_shell sysfs:file write;
set_prop(qti_init_shell, ctl_default_prop)
allow qti_init_shell default_prop:file { getattr open };
set_prop(qti_init_shell, ctl_default_prop)
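Review bot: `allow qti_init_shell default_prop:file { getattr open };` lacks `read`, so the property mapping is likely to produce a follow-up denial the first time the property is actually read; `get_prop(qti_init_shell, default_prop)` would grant the complete set and sit naturally beside the `set_prop` on the next line. `default_prop` is the fallback label for properties that have no entry in property_contexts, so a denial on it usually means the property in question should be given its own type (or mapped to an existing vendor type) rather than widening access to the fallback. The qti_init_shell rules continue outside the hunk.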
@ -9,10 +9,16 @@ allow rild app_efs_file:file { getattr open read };
allow rild default_android_hwservice:hwservice_manager add;
allow rild default_android_hwservice:hwservice_manager add;
allow rild default_prop:property_service set;
allow rild default_prop:property_service set;
allow rild default_prop:file { getattr open read };
allow rild imei_efs_file:file { open read setattr getattr write };
allow rild imei_efs_file:file { open read setattr getattr write };
allow rild system_data_file:dir { write add_name };
allow rild system_data_file:dir { write add_name };
allow rild system_data_file:file { create open write setattr };
allow rild system_data_file:file { create open write setattr };
allow rild radio_core_data_file:dir { add_name write };
allow rild radio_core_data_file:file { create open setattr write };
allow rild system_prop:file { getattr open read };
get_prop(rild, csc_prop)
get_prop(rild, csc_prop)
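Review bot: The new `allow rild default_prop:file { getattr open read };` reads the fallback property label; together with the pre-existing `default_prop:property_service set` it lets rild read and write any property that property_contexts has not classified, so the specific property rild needs is better labeled and granted by name. The `radio_core_data_file` rules grant `{ create open setattr write }` on files without `getattr` or `read`, which looks like a transcription of a single denial and may need rounding out once rild reads the files back; if rild owns that directory, the `create_file_perms` macro already used in this commit's init hunk documents that more clearly than a bare permission list. The rild rule set continues outside the hunk.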
13
sepolicy/system_app.te
Normal file
@ -0,0 +1,13 @@
allow system_app proc_pagetypeinfo:file { getattr open read };
allow system_app sysfs_zram:dir search;
allow system_app sysfs_zram:file { open read getattr };
allow system_app system_suspend_control_internal_service:service_manager find;
allow system_app system_suspend_control_service:service_manager find;
allow system_app hal_power_default:binder call;
allow system_app installd:binder call;
allow system_app netd:binder call;
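Review bot: The new `sepolicy/system_app.te` extends a core platform domain from device policy, and the three `binder call` rules to `hal_power_default`, `installd` and `netd` plus the `proc_pagetypeinfo` read are the kind of grants system/sepolicy tends to guard with neverallow rules for app domains; the policy compile will reject them if so, and if it passes they still deserve a one-line comment per rule naming the app and feature that needs it, because they widen what every app running as `system_app` may do. `proc_pagetypeinfo` exposes kernel page-allocator state, which is why the platform gives that node a dedicated type, so confirm the consumer genuinely needs it from an app domain rather than from a narrower service. The `sysfs_zram` reads and the suspend-control `service_manager find` rules are comparatively narrow and can stay as written.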
@ -1,5 +1,7 @@
allow system_server init:binder call;
allow system_server init:binder call;
allow system_server build_bootimage_prop:file { getattr open read };
allow system_server userspace_reboot_config_prop:file { getattr open read };
allow system_server userspace_reboot_config_prop:file { getattr open read };
allow system_server userspace_reboot_exported_prop:file { getattr open read };
allow system_server userspace_reboot_exported_prop:file { getattr open read };
@ -2,3 +2,5 @@ allow thermal-engine self:capability dac_override;
allow thermal-engine sysfs:dir { open read };
allow thermal-engine sysfs:dir { open read };
allow thermal-engine sysfs:file { getattr open read };
allow thermal-engine sysfs:file { getattr open read };
allow thermal-engine system_prop:file { getattr open read };
@ -1,3 +1,6 @@
r_dir_file(time_daemon, timeservice_app)
r_dir_file(time_daemon, timeservice_app)
allow time_daemon sysfs:file { open read };
allow time_daemon sysfs:file { open read };
allow time_daemon tee:dir search;
allow time_daemon tee:file { open read };
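Review bot: `allow time_daemon tee:dir search;` and `allow time_daemon tee:file { open read };` target `tee`, which in Android policy is a process domain type rather than a file type; a file carrying a domain label is normally a `/proc/<pid>` entry of that process or a mislabeled path, so the denial is worth tracing to the actual path before it is granted. If it turns out to be a path under the TEE's data directory, labeling it in file_contexts with a file type (for example `tee_data_file`) and allowing that type is the intended fix. The time_daemon rules continue outside the hunk.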
@ -19,6 +19,9 @@ allow vendor_init system_data_file:dir { add_name create setattr write };
allow vendor_init tombstone_data_file:dir getattr;
allow vendor_init tombstone_data_file:dir getattr;
allow vendor_init emmcblk_device:blk_file getattr;
allow vendor_init emmcblk_device:blk_file getattr;
allow vendor_init radio_prop:file { getattr open read };
allow vendor_init radio_prop:property_service set;
set_prop(vendor_init, camera_prop)
set_prop(vendor_init, camera_prop)
set_prop(vendor_init, config_prop)
set_prop(vendor_init, config_prop)
set_prop(vendor_init, csc_prop)
set_prop(vendor_init, csc_prop)
@ -27,3 +30,5 @@ set_prop(vendor_init, receiver_error_prop)
set_prop(vendor_init, vendor_iop_prop)
set_prop(vendor_init, vendor_iop_prop)
set_prop(vendor_init, vendor_members_prop)
set_prop(vendor_init, vendor_members_prop)
set_prop(vendor_init, vold_prop)
set_prop(vendor_init, vold_prop)
get_prop(vendor_init, system_prop)
@ -1,2 +1,5 @@
allow zygote exported_camera_prop:file { getattr open read };
allow zygote exported_camera_prop:file { getattr open read };
allow zygote device:file { open write };
allow zygote device:file { open write };
allow zygote sysfs:file create_file_perms;
allow zygote sysfs:dir create_dir_perms;
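Review bot: `allow zygote sysfs:file create_file_perms;` and `allow zygote sysfs:dir create_dir_perms;` give zygote create, write and delete rights over every node still carrying the generic `sysfs` label, which is far wider than any single denial calls for, and zygote as a core domain is a likely subject of platform neverallow rules on sysfs writes, so this may not even compile. Label the node zygote actually touches in genfs_contexts (the `sysfs_touchkey` and `sysfs_lcd_writable` types used elsewhere in this commit show the pattern) and grant only the permissions named in the denial against that type. The hunk header suggests zygote.te is slightly longer than what is rendered here.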