gts3l-common: sepolicy: Resolve almost warnings

Signed-off-by: Deokgyu Yang <secugyu@gmail.com>
Change-Id: Ife457f032ac33b6c330b79d08bb841b3c1c0c19e
This commit is contained in:
Deokgyu Yang 2021-08-24 00:41:09 +09:00
parent 225025d013
commit b9043c7f89
27 changed files with 111 additions and 0 deletions

View file

@ -1,6 +1,8 @@
allow adsprpcd mnt_vendor_file:dir create_dir_perms;
allow adsprpcd mnt_vendor_file:file create_file_perms;
allow adsprpcd vendor_file:dir read;
allow adsprpcd sysfs_sensors:dir r_dir_perms;
allow adsprpcd sysfs_sensors:file r_file_perms;
allow adsprpcd sysfs_sensors:lnk_file r_file_perms;

1
sepolicy/bootanim.te Normal file
View file

@ -0,0 +1 @@
allow bootanim userspace_reboot_exported_prop:file { getattr open read };

View file

@ -5,6 +5,8 @@ allow hal_bluetooth_qti bluetooth_efs_file:file create_file_perms;
allow hal_bluetooth_qti diag_device:chr_file rw_file_perms;
allow hal_bluetooth_qti sysfs:file write;
r_dir_file(hal_bluetooth_qti, vendor_convergence_data_file)
get_prop(hal_bluetooth_qti, vendor_factory_prop)

View file

@ -19,3 +19,5 @@ allow hal_fingerprint_default biometrics_vendor_data_file:file create_file_perms
allow hal_fingerprint_default vendor_data_file:dir create_dir_perms;
allow hal_fingerprint_default vendor_data_file:file create_file_perms;
allow hal_fingerprint_default fingerprintd_data_file:dir write;

View file

@ -7,3 +7,11 @@ allow hal_gnss_qti vendor_data_file:dir rw_dir_perms;
allow hal_gnss_qti vendor_gps_file:dir rw_dir_perms;
allow hal_gnss_qti vendor_gps_file:file create_file_perms;
allow hal_gnss_qti csc_prop:file { getattr open read };
allow hal_gnss_qti qmuxd:unix_stream_socket connectto;
allow hal_gnss_qti qmuxd_socket:dir { add_name write };
allow hal_gnss_qti qmuxd_socket:sock_file { create write };
allow hal_gnss_qti sysfs:file { getattr open write };

View file

@ -1,5 +1,11 @@
allow hal_health_default mnt_vendor_file:dir search;
allow hal_health_default app_efs_file:file { setattr write };
allow hal_health_default default_android_hwservice:hwservice_manager add;
allow hal_health_default sysfs:file { getattr open read write };
r_dir_file(hal_health_default, app_efs_file)
r_dir_file(hal_health_default, efs_file)
r_dir_file(hal_health_default, battery_efs_file)

View file

@ -1,5 +1,12 @@
allow hal_perf_default self:capability kill;
allow hal_perf_default self:capability dac_override;
allow hal_perf_default proc_sched:file rw_file_perms;
allow hal_perf_default property_socket:sock_file write;
allow hal_perf_default init:unix_stream_socket connectto;
allow hal_perf_default vendor_default_prop:property_service set;
get_prop(hal_perf_default, sec_camera_prop)

View file

@ -7,3 +7,6 @@ allow hal_power_default sysfs_batteryinfo:file rw_file_perms;
allow hal_power_default sysfs_tsp:dir r_dir_perms;
allow hal_power_default sysfs_tsp:file rw_file_perms;
allow hal_power_default sysfs_tsp:lnk_file read;
allow hal_power_default sysfs:file { open read write };

View file

@ -1,6 +1,9 @@
allow hal_sensors_default input_device:dir r_dir_perms;
allow hal_sensors_default input_device:chr_file rw_file_perms;
allow hal_sensors_default sysfs:dir { open read };
allow hal_sensors_default sysfs:file { open getattr write };
allow hal_sensors_default sysfs_sensors:dir r_dir_perms;
allow hal_sensors_default sysfs_sensors:file rw_file_perms;

View file

@ -0,0 +1 @@
allow hal_wifi_default vendor_convergence_data_file:file { open read write };

View file

@ -0,0 +1 @@
allow hwservicemanager init:binder call;

View file

@ -3,6 +3,29 @@ allow init omr_file:dir mounton;
allow init vendor_firmware_file:file mounton;
allow init dsp_file:dir mounton;
allow init system_file:file execute_no_trans;
allow init vendor_file:file execute_no_trans;
allow init socket_device:sock_file create;
allow init sysfs_graphics:file { open read write };
allow init default_android_hwservice:hwservice_manager add;
allow init diag_device:chr_file { open read write ioctl };
allow init hal_light_hwservice:hwservice_manager { add find };
allow init hidl_base_hwservice:hwservice_manager add;
allow init hwservicemanager:binder { call transfer };
allow init node:tcp_socket node_bind;
allow init proc:file setattr;
allow init self:netlink_socket { create read bind };
allow init self:tcp_socket { bind create };
allow init sysfs:dir create;
allow init sysfs:file { open setattr write };

View file

@ -3,3 +3,5 @@ allow kernel block_device:dir search;
allow kernel debug_block_device:blk_file rw_file_perms;
allow kernel { tmpfs system_block_device }:blk_file read;
allow kernel sysfs:file { open read };

1
sepolicy/location.te Normal file
View file

@ -0,0 +1 @@
allow location csc_prop:file { getattr open read };

View file

@ -4,6 +4,7 @@ type macloader_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(macloader)
allow macloader self:capability { chown fowner fsetid net_admin net_raw sys_module };
allow macloader self:capability dac_override;
allow macloader self:udp_socket { ioctl create };
allowxperm macloader self:udp_socket ioctl { SIOCGIFFLAGS SIOCSIFFLAGS };

1
sepolicy/mediaserver.te Normal file
View file

@ -0,0 +1 @@
allow mediaserver exported_camera_prop:file { open read getattr };

View file

@ -6,6 +6,7 @@ allow mm-qcamerad camera_socket:sock_file { create unlink write };
allow mm-qcamerad sysfs_camera_writable:dir search;
allow mm-qcamerad sysfs_camera_writable:file { read write open getattr };
allow mm-qcamerad sysfs_leds:dir search;
allow mm-qcamerad sec_camera_prop:file { read open getattr };
allow mm-qcamerad sec_camera_prop:property_service set;

1
sepolicy/qmuxd.te Normal file
View file

@ -0,0 +1 @@
allow qmuxd vendor_radio_prop:file { getattr open read };

View file

@ -2,4 +2,10 @@ allow qti_init_shell mnt_vendor_file:dir create_dir_perms;
allow qti_init_shell sensors_persist_file:dir create_dir_perms;
allow qti_init_shell persist_file:lnk_file read;
allow qti_init_shell self:capability dac_override;
allow qti_init_shell sysfs:file write;
set_prop(qti_init_shell, ctl_default_prop)

View file

@ -5,4 +5,14 @@ allowxperm rild tun_device:chr_file ioctl { TUNSETIFF TUNSETPERSIST };
allow rild proc_net:file write;
allow rild app_efs_file:file { getattr open read };
allow rild default_android_hwservice:hwservice_manager add;
allow rild default_prop:property_service set;
allow rild imei_efs_file:file { open read setattr getattr write };
allow rild system_data_file:dir { write add_name };
allow rild system_data_file:file { create open write };
get_prop(rild, csc_prop)

2
sepolicy/sensors.te Normal file
View file

@ -0,0 +1,2 @@
allow sensors app_efs_file:dir { getattr open read search };
allow sensors app_efs_file:file { getattr open read write };

View file

@ -0,0 +1,4 @@
allow system_server init:binder call;
allow system_server userspace_reboot_config_prop:file { getattr open read };
allow system_server userspace_reboot_exported_prop:file { getattr open read };

View file

@ -0,0 +1,4 @@
allow thermal-engine self:capability dac_override;
allow thermal-engine sysfs:dir { open read };
allow thermal-engine sysfs:file { getattr open read };

1
sepolicy/toolbox.te Normal file
View file

@ -0,0 +1 @@
allow toolbox rootfs:dir { open read setattr };

View file

@ -5,6 +5,18 @@ allow vendor_init proc_hung_task:file rw_file_perms;
allow vendor_init proc_sched:file rw_file_perms;
allow vendor_init proc_swappiness:file rw_file_perms;
allow vendor_init proc_sysrq:file rw_file_perms;
allow vendor_init proc_dirty:file write;
allow vendor_init proc_min_free_order_shift:file write;
allow vendor_init proc_overcommit_memory:file write;
allow vendor_init proc_panic:file write;
allow vendor_init asec_apk_file:dir { getattr open read };
allow vendor_init device:file { create write };
allow vendor_init mnt_product_file:dir { getattr open read };
allow vendor_init persist_file:lnk_file read;
allow vendor_init self:capability sys_rawio;
allow vendor_init system_data_file:dir { add_name create setattr write };
allow vendor_init tombstone_data_file:dir getattr;
set_prop(vendor_init, camera_prop)
set_prop(vendor_init, config_prop)

View file

@ -0,0 +1 @@
allow vendor_per_mgr self:capability net_raw;

5
sepolicy/vold.te Normal file
View file

@ -0,0 +1,5 @@
allow vold hal_bootctl_hwservice:hwservice_manager find;
allow vold rootfs:dir setattr;
allow vold sysfs_mmc_host:file write;