From b4a746c5ee3eb2c483629244d28598a7f99e83b6 Mon Sep 17 00:00:00 2001
From: Valera1978
Date: Fri, 6 Dec 2019 13:18:49 +0300
Subject: [PATCH] update sepolicy
---
 BoardConfig.mk | 6 +-
 sepolicy/add.te | 191 +++++++++++++++++++++++++++++-
 sepolicy/add1.te | 123 ++++--------------
 sepolicy/add2.te | 50 --------
 sepolicy/add3.te | 31 -----
 sepolicy/add4.te | 16 ---
 sepolicy/add5.te | 33 ------
 sepolicy/add_p.te | 32 -----
 sepolicy/adddd.te | 58 --------
 sepolicy/energyawareness.te | 5 -
 sepolicy/file.te | 2 +-
 sepolicy/file_contexts | 5 +
 sepolicy/genfs_contexts | 2 -
 sepolicy/hal_bluetooth_default.te | 1 -
 sepolicy/hal_bluetooth_qti.te | 2 -
 sepolicy/mm-qcamerad.te | 14 ---
 sepolicy/netmgrd.te | 1 -
 sepolicy/property_contexts | 1 -
 sepolicy/system_app.te | 3 -
 sepolicy/tbaseLoader.te | 4 -
 sepolicy/timekeep.te | 3 -
 sepolicy/toolbox.te | 1 -
 sepolicy_tmp/common/file.te | 2 -
 sepolicy_tmp/common/file_contexts | 4 -
 sepolicy_tmp/sepolicy.mk | 18 ---
 25 files changed, 220 insertions(+), 388 deletions(-)
 mode change 100755 => 100644 sepolicy/add1.te
 delete mode 100755 sepolicy/add2.te
 delete mode 100755 sepolicy/add3.te
 delete mode 100755 sepolicy/add4.te
 delete mode 100755 sepolicy/add5.te
 delete mode 100755 sepolicy/add_p.te
 delete mode 100755 sepolicy/adddd.te
 delete mode 100755 sepolicy/energyawareness.te
 delete mode 100755 sepolicy/hal_bluetooth_qti.te
 delete mode 100755 sepolicy/mm-qcamerad.te
 delete mode 100755 sepolicy/tbaseLoader.te
 delete mode 100644 sepolicy_tmp/common/file.te
 delete mode 100644 sepolicy_tmp/common/file_contexts
 delete mode 100644 sepolicy_tmp/sepolicy.mk
diff --git a/BoardConfig.mk b/BoardConfig.mk
index a678859..2e00fec 100755
--- a/BoardConfig.mk
+++ b/BoardConfig.mk
@@ -213,10 +213,8 @@ VENDOR_SECURITY_PATCH := 2019-08-01
 SELINUX_IGNORE_NEVERALLOWS := true
 
 # SELinux
-#include device/qcom/sepolicy/sepolicy.mk
-#BOARD_SEPOLICY_DIRS += $(DEVICE_PATH)/sepolicy
-
-include $(DEVICE_PATH)/sepolicy_tmp/sepolicy.mk
+include device/qcom/sepolicy/sepolicy.mk
+BOARD_SEPOLICY_DIRS += $(DEVICE_PATH)/sepolicy
 
 # Wifi
 BOARD_HAS_QCOM_WLAN := true
diff --git a/sepolicy/add.te b/sepolicy/add.te
index bc8e705..7e26e96 100755
--- a/sepolicy/add.te
+++ b/sepolicy/add.te
@@ -1,2 +1,189 @@
-#============= sensors ==============
-allow sensors efs_file:dir search;
+#============= bluetooth ==============
+allow bluetooth init:binder { call transfer };
+
+#============= cameraserver ==============
+allow cameraserver init:binder call;
+allow cameraserver init:unix_dgram_socket sendto;
+allow cameraserver sysfs:file { getattr open read };
+allow cameraserver vendor_camera_data_file:sock_file write;
+
+#============= fsck ==============
+allow fsck block_device:blk_file { open read write };
+
+#============= hal_fingerprint_default ==============
+allow hal_fingerprint_default fingerprintd_data_file:dir write;
+allow hal_fingerprint_default vendor_data_file:dir { add_name create open read remove_name rmdir write };
+allow hal_fingerprint_default vendor_data_file:file { create getattr open read rename unlink write };
+
+#============= hal_gnss_qti ==============
+allow hal_gnss_qti init:binder { call transfer };
+allow hal_gnss_qti init:unix_dgram_socket sendto;
+allow hal_gnss_qti init:unix_stream_socket connectto;
+allow hal_gnss_qti netmgrd_socket:sock_file write;
+allow hal_gnss_qti self:netlink_generic_socket { bind create };
+allow hal_gnss_qti self:socket { create ioctl read write };
+allow hal_gnss_qti sysfs:file { open read };
+
+#============= hal_graphics_composer_default ==============
+allow hal_graphics_composer_default init:binder call;
+
+#============= hal_health_default ==============
+allow hal_health_default sysfs:file { getattr open read };
+
+#============= hal_power_default ==============
+allow hal_power_default init:binder call;
+
+#============= hal_sensors_default ==============
+allow hal_sensors_default persist_data_file:file { open read };
+allow hal_sensors_default sysfs:file { open read write getattr };
+
+#============= hwservicemanager ==============
+allow hwservicemanager init:binder { call transfer };
+
+#============= init ==============
+allow init audio_device:chr_file { ioctl open read write };
+allow init block_device:blk_file write;
+allow init bluetooth:binder call;
+allow init cameraserver:fd use;
+allow init debugfs_rmt_storage:file write;
+allow init device:chr_file { ioctl open read write };
+allow init dnsproxyd_socket:sock_file write;
+allow init dnsresolver_service:service_manager find;
+allow init graphics_device:chr_file { ioctl open read write };
+allow init hal_alarm_qti_hwservice:hwservice_manager { add find };
+allow init hal_bluetooth_hwservice:hwservice_manager { add find };
+allow init hal_display_color_hwservice:hwservice_manager add;
+allow init hal_display_postproc_hwservice:hwservice_manager add;
+allow init hal_drm_hwservice:hwservice_manager add;
+allow init hal_fm_hwservice:hwservice_manager find;
+allow init hal_iop_hwservice:hwservice_manager { add find };
+allow init hal_perf_hwservice:hwservice_manager add;
+allow init hal_tetheroffload_hwservice:hwservice_manager add;
+allow init hci_attach_dev:chr_file { ioctl open read write };
+allow init ion_device:chr_file { open read };
+allow init ipa_dev:chr_file { ioctl open read write };
+allow init ipa_vendor_data_file:file lock;
+allow init location_data_file:file { ioctl lock };
+allow init location_socket:sock_file write;
+allow init netd:binder call;
+allow init netd_service:service_manager find;
+allow init netutils_wrapper_exec:file { execute execute_no_trans getattr open read };
+allow init persist_data_file:dir mounton;
+allow init persist_data_file:file rename;
+allow init proc:file setattr;
+allow init qdsp_device:chr_file { ioctl open read };
+allow init rmnet_device:chr_file { open read write };
+allow init rtc_device:chr_file { ioctl open read };
+allow init self:binder { call transfer };
+allow init self:capability { net_bind_service sys_module };
+allow init self:capability2 block_suspend;
+allow init self:netlink_generic_socket { bind create read write };
+allow init self:netlink_kobject_uevent_socket { bind create getopt read setopt };
+allow init self:netlink_route_socket { bind create getattr getopt nlmsg_read read setopt write };
+allow init self:netlink_socket { setopt write };
+allow init self:netlink_xfrm_socket { bind create };
+allow init self:rawip_socket { create getopt setopt };
+allow init self:socket { bind connect create ioctl read write };
+allow init self:tcp_socket { read write };
+allow init self:udp_socket { ioctl read write };
+allow init sensors_device:chr_file { ioctl open read };
+allow init ssr_device:chr_file { open read };
+allow init sysfs:file { open read write };
+allow init sysfs_camera:file { open read write };
+allow init sysfs_graphics:file { open read };
+allow init sysfs_kgsl:file { open read };
+allow init sysfs_mpctl:file { open read write };
+allow init sysfs_thermal:file write;
+allow init sysfs_wake_lock:file { append open write };
+allow init system_file:file execute_no_trans;
+allow init system_net_netd_hwservice:hwservice_manager find;
+allow init system_suspend_hwservice:hwservice_manager find;
+allow init tee_device:chr_file { open read };
+allow init uio_device:chr_file { open read write };
+allow init vendor_bt_data_file:file append;
+allow init vendor_file:file execute_no_trans;
+allow init vendor_per_mgr_service:service_manager { add find };
+allow init video_device:chr_file { ioctl open read write };
+allow init vndbinder_device:chr_file { ioctl open read write };
+allow init vndservicemanager:binder { call transfer };
+
+allow init hal_gnss_qti:unix_dgram_socket sendto;
+allow init hal_graphics_allocator_default:fd use;
+allow init rild:binder call;
+allow init rmnet_device:chr_file ioctl;
+allow init self:netlink_generic_socket { getattr setopt };
+allow init self:netlink_route_socket nlmsg_write;
+allow init self:udp_socket ioctl;
+allow init sysfs_net:file { open write };
+
+allow init hal_gnss_qti:binder call;
+allow init self:udp_socket ioctl;
+
+allow init fwmarkd_socket:sock_file write;
+allow init netd:unix_stream_socket connectto;
+allow init self:tcp_socket { getopt setopt };
+allow init self:udp_socket ioctl;
+allow init vendor_data_file:file { ioctl lock };
+
+#============= netd ==============
+allow netd init:tcp_socket { getopt read setopt write };
+
+#============= installd ==============
+allow installd device:file { open write };
+
+#============= location ==============
+allow location init:unix_stream_socket { read write };
+allow location mnt_vendor_file:dir getattr;
+allow location persist_data_file:file { open read };
+allow location self:capability net_bind_service;
+allow location self:socket { bind create ioctl read write };
+allow location sysfs:file { open read };
+
+#============= mediacodec ==============
+allow mediacodec init:binder call;
+
+#============= netd ==============
+allow netd device:file { open write };
+
+#============= rild ==============
+allow rild init:binder { call transfer };
+
+#============= system_app ==============
+allow system_app apex_service:service_manager find;
+allow system_app proc_pagetypeinfo:file read;
+allow system_app system_suspend_control_service:service_manager find;
+
+#============= system_server ==============
+allow system_server proc:file { getattr open read };
+
+#============= ueventd ==============
+allow ueventd persist_data_file:dir search;
+
+#============= vendor_init ==============
+allow vendor_init camera_data_file:dir { create setattr };
+allow vendor_init nfc_data_file:dir setattr;
+allow vendor_init system_data_file:dir { add_name create setattr write };
+
+#============= vndservicemanager ==============
+allow vndservicemanager init:binder transfer;
+
+#============= vold ==============
+allow vold hal_bootctl_hwservice:hwservice_manager find;
+allow vold persist_data_file:dir { ioctl open read };
+
+#============= webview_zygote ==============
+allow webview_zygote app_data_file:dir getattr;
+
+#============= cameraserver ==============
+allow cameraserver default_prop:property_service set;
+allow cameraserver vendor_data_file:sock_file write;
+
+#============= hal_audio_default ==============
+allow hal_audio_default vendor_data_file:file { append getattr open read };
+
+#============= hal_wifi_default ==============
+allow hal_wifi_default default_prop:property_service set;
+
+#============= rild ==============
+allow rild vendor_data_file:dir { add_name open read remove_name write };
+allow rild vendor_data_file:file { create getattr ioctl lock open read unlink write };
diff --git a/sepolicy/add1.te b/sepolicy/add1.te
old mode 100755
new mode 100644
index 4536de5..83088bc
--- a/sepolicy/add1.te
+++ b/sepolicy/add1.te
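Review bot: Most of the `init` rules added in this hunk (and the four added to sepolicy/add1.te in the next hunk) grant init permissions that belong to the processes it launches — `allow init system_file:file execute_no_trans;`, `allow init vendor_file:file execute_no_trans;`, `allow init netutils_wrapper_exec:file { execute execute_no_trans getattr open read };`, the run of `hal_*_hwservice:hwservice_manager add` lines and `allow init self:capability { net_bind_service sys_module };` — which is what audit2allow produces when vendor daemons are running in init's own domain because their executables carry no exec label and no domain transition. Rules of this shape are the kind that upstream's neverallow rules on init exist to reject; they presumably only assemble here because the BoardConfig.mk hunk keeps `SELINUX_IGNORE_NEVERALLOWS := true` in context, so the resulting policy is far broader than the denial log actually required. What I would ask for instead is a file_contexts entry giving each of those binaries its own `*_exec` type plus an `init_daemon_domain()` in the corresponding .te, after which the init rules can be dropped. As a smaller point, `allow init self:udp_socket ioctl;` appears three times in this hunk and once more in add1.te, and the `cameraserver`, `netd` and `rild` sections are each split in two, so the file would read better consolidated into one section per domain.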
@@ -1,100 +1,23 @@
-#============= rfs_access ==============
-allow rfs_access self:capability dac_override;
-
-#============= system_app ==============
-allow system_app proc_pagetypeinfo:file { getattr open read };
-
-#============= atfwd ==============
-allow atfwd sysfs:file { open read };
-
-#============= audioserver ==============
-allow audioserver vendor_data_file:dir { add_name write };
-allow audioserver vendor_data_file:file { getattr append create open read };
-
-#============= cameraserver ==============
-allow cameraserver default_prop:property_service set;
-allow cameraserver mm-qcamerad:unix_dgram_socket sendto;
-allow cameraserver sysfs:file { getattr open read };
-
-#============= fsck ==============
-allow fsck block_device:blk_file { open read write };
-allow fsck mnt_vendor_file:dir getattr;
-allow fsck e2fsck_device:blk_file ioctl;
-
-#============= hal_bluetooth_qti ==============
-allow hal_bluetooth_qti default_prop:property_service set;
-
-#============= hal_fingerprint_default ==============
-allow hal_fingerprint_default fingerprintd_data_file:dir write;
-
-#============= hal_gnss_qti ==============
-allow hal_gnss_qti sysfs:file { read open };
-
-#============= hal_health_default ==============
-allow hal_health_default sysfs:file { getattr open read };
-
-#============= hal_perf_default ==============
-allow hal_perf_default default_prop:property_service set;
-allow hal_perf_default self:capability dac_override;
-
-#============= healthd ==============
-allow healthd sysfs:file { getattr open read };
-
-#============= init ==============
-allow init hal_drm_hwservice:hwservice_manager add;
-allow init proc:file { open write };
-allow init sysfs:file { open setattr write };
-allow init sysfs_boot_adsp:file { open setattr };
-allow init sysfs_cpu_boost:file { open write };
-allow init sysfs_devices_system_cpu:file write;
-allow init sysfs_lowmemorykiller:file { open write };
-allow init sysfs_msm_perf:file setattr;
-allow init sysfs_msm_power:file { open write };
-allow init sysfs_poweron_alarm:file { open write };
-allow init sysfs_slpi:file open;
-allow init sysfs_thermal:file write;
-allow init vendor_file:file execute_no_trans;
-allow init sysfs_devfreq:file { open write };
-allow init vndbinder_device:chr_file read;
-allow init shell_exec:file execute_no_trans;
-allow init sysfs_ea:file setattr;
-allow init sysfs_camera:file setattr;
-allow init sysfs_lib:file setattr;
-allow init sysfs_sensors:lnk_file read;
-allow init sysfs_wlan_fwpath:file setattr;
-
-#============= netmgrd ==============
-allow netmgrd sysfs:file { open read };
-
-#============= mm-qcamerad ==============
-allow mm-qcamerad vendor_default_prop:property_service set;
-allow mm-qcamerad default_prop:property_service set;
-
-#============= rild ==============
-allow rild system_prop:property_service set;
-
-#============= sensors ==============
-allow sensors sysfs:file { open read };
-
-#============= location ==============
-allow location sysfs:file { open read };
-
-#============= system_server ==============
-allow system_server dalvikcache_data_file:file execute;
-allow system_server sensors_persist_file:dir search;
-allow system_server sensors_persist_file:file { open read };
-allow system_server vendor_camera_prop:file { getattr open read };
-
-#============= tee ==============
-allow tee system_prop:property_service set;
-
-#============= time_daemon ==============
-allow time_daemon sysfs:file { open read };
-allow time_daemon time_data_file:dir { add_name write };
-allow time_daemon time_data_file:file { create open read write };
-
-#============= vold ==============
-allow vold mnt_vendor_file:dir { open read ioctl };
-
-#============= webview_zygote ==============
-allow webview_zygote zygote:unix_dgram_socket write;
+#============= hal_dpmQmiMgr ==============
+allow hal_dpmQmiMgr sysfs:file { open read };
+
+#============= hal_graphics_composer_default ==============
+allow hal_graphics_composer_default persist_data_file:dir search;
+
+#============= hal_sensors_default ==============
+allow hal_sensors_default persist_data_file:dir search;
+
+#============= hwservicemanager ==============
+allow hwservicemanager init:file open;
+allow hwservicemanager init:process getattr;
+
+#============= init ==============
+allow init default_android_hwservice:hwservice_manager add;
+allow init netmgrd_socket:sock_file write;
+allow init self:netlink_tcpdiag_socket { bind create getopt setopt };
+allow init self:udp_socket ioctl;
+
+#============= vndservicemanager ==============
+allow vndservicemanager init:dir search;
+allow vndservicemanager init:file { open read };
+allow vndservicemanager init:process getattr;
diff --git a/sepolicy/add2.te b/sepolicy/add2.te
deleted file mode 100755
index d6feedd..0000000
--- a/sepolicy/add2.te
+++ /dev/null
@@ -1,50 +0,0 @@
-#============= cnd ==============
-allow cnd default_android_hwservice:hwservice_manager add;
-
-#============= hal_rcsservice ==============
-allow hal_rcsservice sysfs:file { open read };
-
-#============= ims ==============
-allow ims sysfs:file { open read };
-
-#============= netmgrd ==============
-allow netmgrd default_prop:property_service set;
-allow netmgrd init:unix_stream_socket connectto;
-allow netmgrd property_socket:sock_file write;
-
-#============= rmt_storage ==============
-allow rmt_storage debugfs:file { open write };
-
-#============= shell ==============
-allow shell hal_telephony_hwservice:hwservice_manager add;
-allow shell hidl_base_hwservice:hwservice_manager add;
-allow shell kernel:system syslog_read;
-allow shell rild_exec:file execute_no_trans;
-allow shell self:socket getattr;
-allow shell sysfs:file { open read };
-allow shell vendor_per_mgr_service:service_manager find;
-
-#============= hal_dpmQmiMgr ==============
-allow hal_dpmQmiMgr sysfs:file { open read };
-
-#============= hal_imsrtp ==============
-allow hal_imsrtp sysfs:file { open read };
-
-#============= init ==============
-allow init node:tcp_socket node_bind;
-allow init self:tcp_socket bind;
-allow init diag_device:chr_file { read write ioctl };
-
-#============= sensors ==============
-allow sensors self:capability dac_override;
-
-#============= thermal-engine ==============
-allow thermal-engine self:capability dac_override;
-
-#============= qti_init_shell ==============
-allow qti_init_shell self:capability dac_override;
-allow qti_init_shell system_data_file:dir { add_name create write read open getattr setattr };
-allow qti_init_shell vendor_radio_data_file:dir { add_name create write read open getattr setattr };
-
-#============= init ==============
-allow init sysfs:file read;
diff --git a/sepolicy/add3.te b/sepolicy/add3.te
deleted file mode 100755
index 3a44aa2..0000000
--- a/sepolicy/add3.te
+++ /dev/null
@@ -1,31 +0,0 @@
-#============= audioserver ==============
-allow audioserver vendor_audio_data_file:dir { add_name write };
-allow audioserver vendor_audio_data_file:file { append create open read getattr };
-
-#============= shell ==============
-allow shell self:socket { read write ioctl create };
-allow shell sysfs:file getattr;
-allow shell vendor_radio_data_file:dir getattr;
-allow shell vendor_radio_prop:file { getattr open read };
-allow shell vndbinder_device:chr_file { ioctl open read write };
-allow shell vndservicemanager:binder call;
-allow shell vendor_per_mgr:binder { transfer call };
-allow shell radio_prop:property_service set;
-allow shell vendor_radio_prop:property_service set;
-
-#============= vndservicemanager ==============
-allow vndservicemanager shell:dir search;
-allow vndservicemanager shell:file { open read };
-allow vndservicemanager shell:process getattr;
-allow vndservicemanager shell:binder transfer;
-
-#============= hal_memtrack_default ==============
-allow hal_memtrack_default debugfs:file { getattr open read };
-
-#============= tee ==============
-allow tee gatekeeper_data_file:dir { add_name open write };
-allow tee gatekeeper_data_file:file getattr;
-allow tee system_data_file:dir { open read };
-
-#============= hal_gnss_qti ==============
-allow hal_gnss_qti qmuxd_socket:dir write;
diff --git a/sepolicy/add4.te b/sepolicy/add4.te
deleted file mode 100755
index f2e19c9..0000000
--- a/sepolicy/add4.te
+++ /dev/null
@@ -1,16 +0,0 @@
-#============= qti_init_shell ==============
-allow qti_init_shell sysfs:file { setattr write };
-allow qti_init_shell sysfs_devfreq:file setattr;
-allow qti_init_shell sysfs_devices_system_cpu:file setattr;
-allow qti_init_shell sysfs_msm_power:file setattr;
-allow qti_init_shell vendor_radio_data_file:file { create read open write getattr setattr };
-allow qti_init_shell default_prop:property_service set;
-allow qti_init_shell kmsg_device:chr_file { open write };
-allow qti_init_shell system_prop:property_service set;
-
-#============= hal_gnss_qti ==============
-allow hal_gnss_qti qmuxd_socket:dir { add_name remove_name };
-allow hal_gnss_qti qmuxd_socket:sock_file { create unlink };
-
-#============= tee ==============
-allow tee gatekeeper_data_file:file { create write };
diff --git a/sepolicy/add5.te b/sepolicy/add5.te
deleted file mode 100755
index b91082e..0000000
--- a/sepolicy/add5.te
+++ /dev/null
@@ -1,33 +0,0 @@
-#============= dataservice_app ==============
-allow dataservice_app default_android_hwservice:hwservice_manager find;
-
-#============= hal_sensors_default ==============
-allow hal_sensors_default sysfs:file { open read };
-
-#============= qti ==============
-allow qti sysfs:file { open read };
-
-#============= surfaceflinger ==============
-allow surfaceflinger default_android_service:service_manager { add find };
-allow surfaceflinger hal_display_config_hwservice:hwservice_manager add;
-
-#============= cnd ==============
-allow cnd sysfs:file { open read };
-
-#============= hal_sensors_default ==============
-allow hal_sensors_default sysfs:file { getattr write };
-
-#============= audioserver ==============
-allow audioserver vendor_audio_data_file:dir search;
-allow audioserver efs_file:dir search;
-
-#============= qti_init_shell ==============
-allow qti_init_shell ctl_start_prop:property_service set;
-allow qti_init_shell ctl_stop_prop:property_service set;
-allow qti_init_shell vendor_radio_data_file:dir search;
-
-#============= surfaceflinger ==============
-allow surfaceflinger sysfs_leds:dir search;
-allow surfaceflinger mnt_vendor_file:dir search;
-allow surfaceflinger display_vendor_data_file:dir search;
-allow surfaceflinger persist_display_file:dir search;
diff --git a/sepolicy/add_p.te b/sepolicy/add_p.te
deleted file mode 100755
index 6ee79a8..0000000
--- a/sepolicy/add_p.te
+++ /dev/null
@@ -1,32 +0,0 @@
-#============= system_server ==============
-allow system_server mnt_vendor_file:dir search;
-
-#============= crash_dump ==============
-allow crash_dump init:process ptrace;
-
-#============= init ==============
-allow init vndbinder_device:chr_file { open read write ioctl };
-
-#============= mm-qcamerad ==============
-allow mm-qcamerad sysfs_leds:dir search;
-
-#============= priv_app ==============
-allow priv_app firmware_file:filesystem getattr;
-allow priv_app su_exec:file { open read };
-allow priv_app sysfs:file { open read };
-
-#============= system_server ==============
-allow system_server thermal_service:service_manager find;
-allow system_server vfat:dir { open read };
-
-#============= untrusted_app ==============
-allow untrusted_app proc_tty_drivers:file read;
-allow untrusted_app selinuxfs:file read;
-allow untrusted_app serialno_prop:file read;
-
-#============= untrusted_app_27 ==============
-allow untrusted_app_27 proc:file read;
-allow untrusted_app_27 sysfs_net:dir search;
-
-#============= hal_bluetooth_qti ==============
-allow hal_bluetooth_qti bluetooth_data_file:dir search;
diff --git a/sepolicy/adddd.te b/sepolicy/adddd.te
deleted file mode 100755
index 7bdf33a..0000000
--- a/sepolicy/adddd.te
+++ /dev/null
@@ -1,58 +0,0 @@
-#============= hal_bluetooth_qti ==============
-allow hal_bluetooth_qti bluetooth_data_file:dir { write add_name };
-allow hal_bluetooth_qti bluetooth_data_file:file { create open read write };
-
-#============= init ==============
-allow init proc:file { read getattr };
-allow init rootfs:file execute_no_trans;
-allow init vendor_toolbox_exec:file execute_no_trans;
-allow init hal_lineage_touch_hwservice:hwservice_manager add;
-
-#============= system_app ==============
-allow system_app perfprofd:binder call;
-allow system_app wificond:binder call;
-
-#============= system_server ==============
-allow system_server init:binder call;
-
-#============= hwservicemanager ==============
-allow hwservicemanager init:binder call;
-allow hwservicemanager init:file open;
-allow hwservicemanager init:process getattr;
-
-#============= untrusted_app ==============
-allow untrusted_app selinuxfs:file open;
-
-#============= untrusted_app_27 ==============
-allow untrusted_app_27 apk_data_file:file setattr;
-allow untrusted_app_27 proc:file open;
-allow untrusted_app_27 proc:file getattr;
-
-#============= cameraserver ==============
-allow cameraserver sysfs_graphics:file read;
-
-#============= mm-qcamerad ==============
-allow mm-qcamerad camera_data_file:dir write;
-
-#============= system_app ==============
-allow system_app init:binder call;
-
-#============= keystore ==============
-allow keystore vendor_tee_listener_prop:file { read open getattr };
-
-#============= hal_fingerprint_default ==============
-allow hal_fingerprint_default vendor_data_file:dir { read write open add_name create remove_name rmdir };
-allow hal_fingerprint_default vendor_data_file:file { read write open create getattr rename unlink };
-
-#============= tee ==============
-allow tee vendor_default_prop:property_service set;
-
-#============= netutils_wrapper ==============
-allow netutils_wrapper netmgrd:socket { read write };
-
-
-#============= hal_lineage_touch_default ==============
-allow hal_lineage_touch_default sysfs:file read;
-
-#============= system_server ==============
-allow system_server mnt_vendor_file:dir getattr;
diff --git a/sepolicy/energyawareness.te b/sepolicy/energyawareness.te
deleted file mode 100755
index f74d870..0000000
--- a/sepolicy/energyawareness.te
+++ /dev/null
@@ -1,5 +0,0 @@
-allow energyawareness sysfs_uio:dir { open read search };
-allow energyawareness sysfs_uio:lnk_file read;
-allow energyawareness sysfs_uio_file:dir search;
-allow energyawareness sysfs_uio_file:file { getattr open read };
-allow energyawareness sysfs:file { getattr open read };
diff --git a/sepolicy/file.te b/sepolicy/file.te
index c8b38a7..d846ff7 100755
--- a/sepolicy/file.te
+++ b/sepolicy/file.te
@@ -5,5 +5,5 @@ type sysfs_mdnie, fs_type, sysfs_type;
 type biometrics_data_file, file_type, data_file_type;
 type dsp_file, fs_type, contextmount_type;
 type sysfs_sec, fs_type, sysfs_type;
-type sysfs_camera, fs_type, sysfs_type;
+#type sysfs_camera, fs_type, sysfs_type;
 type battery_efs_file, file_type;
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index b4e42ad..b7196fe 100755
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -39,6 +39,11 @@
 /sys/devices/virtual/camera(/.*)? u:object_r:sysfs_camera:s0
 /sys/devices/virtual/sec/sec_key/hall_irq_ctrl u:object_r:sysfs_sec:s0
 
+/firmware(/.*)? u:object_r:vendor_firmware_file:s0
+/firmware-modem(/.*)? u:object_r:vendor_firmware_file:s0
+/bt_firmware(/.*)? u:object_r:vendor_firmware_file:s0
+/persist(/.*)? u:object_r:persist_data_file:s0
+
 # HALs
 /(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.0-service\.clearkey u:object_r:hal_drm_clearkey_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.0-service\.widevine u:object_r:hal_drm_widevine_exec:s0
diff --git a/sepolicy/genfs_contexts b/sepolicy/genfs_contexts
index c8163b2..37162b4 100755
--- a/sepolicy/genfs_contexts
+++ b/sepolicy/genfs_contexts
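Review bot: Commenting out `type sysfs_camera, fs_type, sysfs_type;` in sepolicy/file.te removes the only declaration of that type in this tree while it is still referenced by the context line `/sys/devices/virtual/camera(/.*)? u:object_r:sysfs_camera:s0` in the file_contexts hunk and by the new `allow init sysfs_camera:file { open read write };` in add.te, so the build now relies on device/qcom/sepolicy (re-enabled in the BoardConfig.mk hunk) declaring it. If that is the intent, record it instead of leaving dead text: replace the commented line with `# sysfs_camera is declared by device/qcom/sepolicy; do not redeclare it here.` If that policy does not declare it, these references are to an undefined type and the policy will not compile.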
@@ -1,5 +1,3 @@
-genfscon debugfs /rmt_storage u:object_r:debugfs_rmt:s0
-
 genfscon sysfs /devices/soc/6a00000.ssusb/6a00000.dwc3/gadget/lun0/ u:object_r:sysfs_android_usb:s0
 genfscon sysfs /devices/soc/6a00000.ssusb/power_supply u:object_r:sysfs_batteryinfo:s0
 genfscon sysfs /devices/soc/75b5000.i2c/i2c-7/7-001d/power_supply u:object_r:sysfs_batteryinfo:s0
diff --git a/sepolicy/hal_bluetooth_default.te b/sepolicy/hal_bluetooth_default.te
index 6d878ee..9c21128 100755
--- a/sepolicy/hal_bluetooth_default.te
+++ b/sepolicy/hal_bluetooth_default.te
@@ -3,4 +3,3 @@ allow hal_bluetooth_default bluetooth_data_file:dir { write add_name };
 allow hal_bluetooth_default firmware_file:dir search;
 allow hal_bluetooth_default firmware_file:file { getattr open read };
 allow hal_bluetooth_default sysfs:file write;
-allow hal_bluetooth_default wcnss_filter:unix_stream_socket connectto;
diff --git a/sepolicy/hal_bluetooth_qti.te b/sepolicy/hal_bluetooth_qti.te
deleted file mode 100755
index 86662c9..0000000
--- a/sepolicy/hal_bluetooth_qti.te
+++ /dev/null
@@ -1,2 +0,0 @@
-allow hal_bluetooth_qti efs_file:dir search;
-allow hal_bluetooth_qti sysfs:file write;
diff --git a/sepolicy/mm-qcamerad.te b/sepolicy/mm-qcamerad.te
deleted file mode 100755
index 41472fd..0000000
--- a/sepolicy/mm-qcamerad.te
+++ /dev/null
@@ -1,14 +0,0 @@
-allow mm-qcamerad camera_data_file:sock_file { create unlink };
-allow mm-qcamerad camera_data_file:dir search;
-
-allow mm-qcamerad camera_socket:dir w_dir_perms;
-allow mm-qcamerad camera_socket:sock_file { create unlink write };
-
-allow mm-qcamerad dsp_file:dir r_dir_perms;
-allow mm-qcamerad dsp_file:file r_file_perms;
-allow mm-qcamerad unlabeled:file { getattr open read };
-allow mm-qcamerad sysfs:file { getattr open read write };
-allow mm-qcamerad camera_data_file:sock_file { create unlink };
-allow mm-qcamerad system_prop:property_service set;
-allow mm-qcamerad sysfs_camera:dir search;
-allow mm-qcamerad sysfs_camera:file { getattr open read write };
\ No newline at end of file
diff --git a/sepolicy/netmgrd.te b/sepolicy/netmgrd.te
index c274bc2..33d5f22 100755
--- a/sepolicy/netmgrd.te
+++ b/sepolicy/netmgrd.te
@@ -1,3 +1,2 @@
 allow netmgrd self:capability dac_override;
 allow netmgrd unlabeled:file { getattr open read };
-allow netmgrd netd_socket:sock_file write;
diff --git a/sepolicy/property_contexts b/sepolicy/property_contexts
index 8833024..72a6f33 100755
--- a/sepolicy/property_contexts
+++ b/sepolicy/property_contexts
@@ -1,5 +1,4 @@
 persist.sys.timeadjust u:object_r:timekeep_prop:s0
-service.camera.hdmi_preview u:object_r:camera_prop:s0
 storage.efs_sync.done u:object_r:rmt_storage_prop:s0
 ro.sys.oem.sno u:object_r:system_radio_prop:s0
 
diff --git a/sepolicy/system_app.te b/sepolicy/system_app.te
index a1262a8..afd6bb6 100755
--- a/sepolicy/system_app.te
+++ b/sepolicy/system_app.te
@@ -2,7 +2,4 @@ set_prop(system_app, timekeep_prop)
 allow system_app sysfs_mdnie:file rw_file_perms;
-allow system_app time_data_file:dir search;
-allow system_app time_data_file:file rw_file_perms;
-
 allow system_app time_daemon:unix_stream_socket connectto;
diff --git a/sepolicy/tbaseLoader.te b/sepolicy/tbaseLoader.te
deleted file mode 100755
index 493e488..0000000
--- a/sepolicy/tbaseLoader.te
+++ /dev/null
@@ -1,4 +0,0 @@
-allow tbaseLoader ion_device:chr_file { ioctl open read };
-allow tbaseLoader system_prop:property_service set;
-allow tbaseLoader init:unix_stream_socket connectto;
-allow tbaseLoader property_socket:sock_file write;
diff --git a/sepolicy/timekeep.te b/sepolicy/timekeep.te
index 8a5be9f..ba48fe7 100755
--- a/sepolicy/timekeep.te
+++ b/sepolicy/timekeep.te
@@ -13,7 +13,4 @@ allow timekeep self:capability { dac_read_search };
-allow timekeep time_data_file:file create_file_perms;
-allow timekeep time_data_file:dir create_dir_perms;
-
 set_prop(timekeep, timekeep_prop)
diff --git a/sepolicy/toolbox.te b/sepolicy/toolbox.te
index c68807e..483fe93 100755
--- a/sepolicy/toolbox.te
+++ b/sepolicy/toolbox.te
@@ -9,5 +9,4 @@ allow toolbox property_socket:sock_file write;
 allow toolbox sensors_prop:property_service set;
 allow toolbox radio_data_file:dir { add_name create getattr open read setattr write };
 allow toolbox self:capability dac_override;
-allow toolbox sensors_persist_file:dir getattr;
 allow toolbox proc:file { open read };
diff --git a/sepolicy_tmp/common/file.te b/sepolicy_tmp/common/file.te
deleted file mode 100644
index 342fe3f..0000000
--- a/sepolicy_tmp/common/file.te
+++ /dev/null
@@ -1,2 +0,0 @@
-type firmware_file, file_type;
-type persist_file, file_type;
diff --git a/sepolicy_tmp/common/file_contexts b/sepolicy_tmp/common/file_contexts
deleted file mode 100644
index e1b3246..0000000
--- a/sepolicy_tmp/common/file_contexts
+++ /dev/null
@@ -1,4 +0,0 @@
-/firmware(/.*)? u:object_r:firmware_file:s0
-/firmware-modem(/.*)? u:object_r:firmware_file:s0
-/bt_firmware(/.*)? u:object_r:firmware_file:s0
-/persist(/.*)? u:object_r:persist_file:s0
diff --git a/sepolicy_tmp/sepolicy.mk b/sepolicy_tmp/sepolicy.mk
deleted file mode 100644
index 6849b06..0000000
--- a/sepolicy_tmp/sepolicy.mk
+++ /dev/null
@@ -1,18 +0,0 @@
-#
-# Copyright (C) 2018 The LineageOS Project
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-
-BOARD_SEPOLICY_DIRS += \
- device/samsung/gts3llte/sepolicy_tmp/common