gts3l-common: sepolicy: Add some missing policies and add genfs_contexts

Temporarility

Signed-off-by: Deokgyu Yang <secugyu@gmail.com>
Change-Id: I4611d613a38f64fb0156f329983d1d6248f0b37b
This commit is contained in:
Deokgyu Yang 2022-02-08 17:26:06 +09:00
parent 5307ee113a
commit b9bf9bca14
24 changed files with 89 additions and 6 deletions

View file

@ -22,4 +22,6 @@ allow charger efs_file:file create_file_perms;
allow charger sec_efs_file:dir rw_dir_perms;
allow charger sec_efs_file:file create_file_perms;
allow charger proc_reset_reason:file r_file_perms;
set_prop(charger, powerctl_prop)

View file

@ -11,3 +11,4 @@ type paramblk_device, dev_type;
type sec_efsblk_device, dev_type;
type steady_block_device, dev_type;
type tz_device, dev_type;
type emmcblk_device, file_type;

View file

@ -40,6 +40,8 @@ type wifi_efs_file, file_type, mlstrustedobject;
type proc_default_smp_affinity, fs_type, proc_type;
type proc_simslot_count, fs_type, proc_type;
type proc_swappiness, fs_type, proc_type;
type proc_last_kmsg, fs_type, proc_type;
type proc_reset_reason, fs_type, proc_type;
# rootfs
type firmware-modem_file, file_type, contextmount_type, vendor_file_type;
@ -57,3 +59,6 @@ type sysfs_tsp, fs_type, sysfs_type;
type sysfs_wifi, fs_type, sysfs_type;
type sysfs_touchkey, fs_type, sysfs_type;
type dsp_file, fs_type, contextmount_type;
# debugfs
type debugfs_rmt, debugfs_type, fs_type;

View file

@ -1,4 +1,5 @@
# Block devices
/dev/block/mmcblk0p[0-9]* u:object_r:emmcblk_device:s0
/dev/block/platform/soc/624000\.sdhci/by-name/bota u:object_r:botablk_device:s0
/dev/block/platform/soc/624000\.sdhci/by-name/config u:object_r:frp_block_device:s0
/dev/block/platform/soc/624000\.sdhci/by-name/debug u:object_r:debug_block_device:s0

27
sepolicy/genfs_contexts Normal file
View file

@ -0,0 +1,27 @@
genfscon debugfs /rmt_storage u:object_r:debugfs_rmt:s0
genfscon proc /irq/default_smp_affinity u:object_r:proc_default_smp_affinity:s0
genfscon proc /last_kmsg u:object_r:proc_last_kmsg:s0
genfscon proc /reset_reason u:object_r:proc_reset_reason:s0
genfscon proc /schedstat u:object_r:proc_sched:s0
genfscon proc /sys/kernel/sched_cfs_bandwidth_slice_us u:object_r:proc_sched:s0
genfscon proc /sys/kernel/sched_cfs_boost u:object_r:proc_sched:s0
genfscon proc /sys/kernel/sched_cstate_aware u:object_r:proc_sched:s0
genfscon proc /sys/kernel/sched_migration_cost_ns u:object_r:proc_sched:s0
genfscon proc /sys/kernel/sched_min_granularity_ns u:object_r:proc_sched:s0
genfscon proc /sys/kernel/sched_nr_migrate u:object_r:proc_sched:s0
genfscon proc /sys/kernel/sched_rr_timeslice_ms u:object_r:proc_sched:s0
genfscon proc /sys/kernel/sched_shares_window_ns u:object_r:proc_sched:s0
genfscon proc /sys/kernel/sched_sync_hint_enable u:object_r:proc_sched:s0
genfscon proc /sys/kernel/sched_time_avg_ms u:object_r:proc_sched:s0
genfscon proc /sys/kernel/sched_use_walt_cpu_util u:object_r:proc_sched:s0
genfscon proc /sys/kernel/sched_use_walt_task_util u:object_r:proc_sched:s0
genfscon proc /sys/kernel/sched_walt_cpu_high_irqload u:object_r:proc_sched:s0
genfscon proc /sys/kernel/sched_walt_init_task_load_pct u:object_r:proc_sched:s0
genfscon proc /sys/vm/swappiness u:object_r:proc_swappiness:s0
genfscon sysfs /devices/soc/6a00000.ssusb/6a00000.dwc3/gadget/lun0/ u:object_r:sysfs_android_usb:s0
genfscon sysfs /devices/soc/6a00000.ssusb/power_supply u:object_r:sysfs_batteryinfo:s0
genfscon sysfs /devices/soc/soc:i2c@11/i2c-1/1-0071/power_supply u:object_r:sysfs_batteryinfo:s0
genfscon sysfs /devices/soc/soc:i2c@13/i2c-0/0-0049/sm5705-charger/power_supply u:object_r:sysfs_batteryinfo:s0
genfscon sysfs /devices/virtual/lcd/panel u:object_r:sysfs_lcd_writable:s0

View file

@ -1,3 +1,9 @@
binder_call(hal_fingerprint_default, qfp-daemon)
binder_use(hal_fingerprint_default)
# Allow hal_fingerprint_default to open firmware images
r_dir_file(hal_fingerprint_default, firmware_file)
allow hal_fingerprint_default fp_sensor_device:chr_file rw_file_perms;
allow hal_fingerprint_default tee_device:chr_file rw_file_perms;
@ -20,4 +26,8 @@ allow hal_fingerprint_default biometrics_vendor_data_file:file create_file_perms
allow hal_fingerprint_default vendor_data_file:dir create_dir_perms;
allow hal_fingerprint_default vendor_data_file:file create_file_perms;
allow hal_fingerprint_default fingerprintd_data_file:file create_file_perms;
allow hal_fingerprint_default fingerprintd_data_file:dir write;
# Ignore all logging requests
dontaudit hal_fingerprint_default storage_file:dir search;

View file

@ -14,4 +14,4 @@ allow hal_gnss_qti qmuxd:unix_stream_socket connectto;
allow hal_gnss_qti qmuxd_socket:dir { add_name write };
allow hal_gnss_qti qmuxd_socket:sock_file { create write };
allow hal_gnss_qti sysfs:file { getattr open write };
allow hal_gnss_qti sysfs:file { getattr open write read };

View file

@ -2,7 +2,7 @@ allow hal_sensors_default input_device:dir r_dir_perms;
allow hal_sensors_default input_device:chr_file rw_file_perms;
allow hal_sensors_default sysfs:dir { open read };
allow hal_sensors_default sysfs:file { open getattr write };
allow hal_sensors_default sysfs:file { open getattr write read };
allow hal_sensors_default sysfs_sensors:dir r_dir_perms;
allow hal_sensors_default sysfs_sensors:file rw_file_perms;

View file

@ -24,11 +24,14 @@ allow init node:tcp_socket node_bind;
allow init proc:file setattr;
allow init proc_last_kmsg:file { r_file_perms setattr };
allow init self:netlink_socket { create read bind };
allow init self:tcp_socket { bind create };
allow init sysfs:dir create;
allow init sysfs:file { open setattr write };
allow init sysfs:file { open setattr write open };
allow init sysfs_touchkey:lnk_file read;
allow init emmcblk_device:blk_file { ioctl open read };

View file

@ -1 +1,3 @@
allow location csc_prop:file { getattr open read };
allow location sysfs:file { open read };

View file

@ -7,6 +7,7 @@ allow mm-qcamerad camera_socket:sock_file { create unlink write };
allow mm-qcamerad sysfs_camera_writable:dir search;
allow mm-qcamerad sysfs_camera_writable:file { read write open getattr };
allow mm-qcamerad sysfs_leds:dir search;
allow mm-qcamerad sysfs:file { open read };
allow mm-qcamerad sec_camera_prop:file { read open getattr };
allow mm-qcamerad sec_camera_prop:property_service set;

1
sepolicy/netmgrd.te Normal file
View file

@ -0,0 +1 @@
allow netmgrd sysfs:file { open read };

View file

@ -1 +1,3 @@
allow qmuxd vendor_radio_prop:file { getattr open read };
allow qmuxd sysfs:file { open read };

View file

@ -13,6 +13,6 @@ allow rild default_prop:property_service set;
allow rild imei_efs_file:file { open read setattr getattr write };
allow rild system_data_file:dir { write add_name };
allow rild system_data_file:file { create open write };
allow rild system_data_file:file { create open write setattr };
get_prop(rild, csc_prop)

7
sepolicy/rmt_storage.te Normal file
View file

@ -0,0 +1,7 @@
# debugfs access
userdebug_or_eng(`
allow rmt_storage debugfs_rmt:dir search;
allow rmt_storage debugfs_rmt:file rw_file_perms;
')
allow rmt_storage sysfs:file { open read };

View file

@ -1,2 +1,4 @@
allow sensors app_efs_file:dir { getattr open read search };
allow sensors app_efs_file:file { getattr open read write };
allow sensors sysfs:file { open read };

View file

@ -2,3 +2,5 @@ allow system_server init:binder call;
allow system_server userspace_reboot_config_prop:file { getattr open read };
allow system_server userspace_reboot_exported_prop:file { getattr open read };
allow system_server proc_last_kmsg:file r_file_perms;

View file

@ -41,5 +41,8 @@ allow tee vaultkeeper_efs_file:file rw_file_perms;
allow tee vendor_data_file:dir create_dir_perms;
allow tee vendor_data_file:file create_file_perms;
allow tee gatekeeper_data_file:dir read;
allow tee gatekeeper_data_file:file getattr;
get_prop(tee, hwservicemanager_prop)
set_prop(tee, vendor_qseecomd_prop)

View file

@ -1 +1,3 @@
r_dir_file(time_daemon, timeservice_app)
allow time_daemon sysfs:file { open read };

1
sepolicy/ueventd.te Normal file
View file

@ -0,0 +1 @@
allow ueventd emmcblk_device:blk_file { getattr setattr };

View file

@ -17,6 +17,7 @@ allow vendor_init persist_file:lnk_file read;
allow vendor_init self:capability sys_rawio;
allow vendor_init system_data_file:dir { add_name create setattr write };
allow vendor_init tombstone_data_file:dir getattr;
allow vendor_init emmcblk_device:blk_file getattr;
set_prop(vendor_init, camera_prop)
set_prop(vendor_init, config_prop)

View file

@ -1 +1,2 @@
allow vendor_per_mgr self:capability net_raw;
allow vendor_per_mgr sysfs:file { open read };

View file

@ -1,5 +1,12 @@
allow vold hal_bootctl_hwservice:hwservice_manager find;
allow vold rootfs:dir setattr;
allow vold rootfs:dir { setattr add_name create write };
allow vold sysfs_mmc_host:file write;
# /efs
allow vold efs_file:dir r_dir_perms;
# /dev/block/mmcblk0p[0-9]
allow vold emmcblk_device:dir create_dir_perms;
allow vold emmcblk_device:blk_file create_file_perms;

View file

@ -1 +1,3 @@
r_dir_file(wcnss_service, vendor_convergence_data_file)
allow wcnss_service sysfs:file { open read };