gts3l-common: sepolicy: Add some missing policies and add genfs_contexts
Temporarily Signed-off-by: Deokgyu Yang <secugyu@gmail.com> Change-Id: I4611d613a38f64fb0156f329983d1d6248f0b37b
This commit is contained in:
parent
5307ee113a
commit
b9bf9bca14
24 changed files with 89 additions and 6 deletions
|
@ -22,4 +22,6 @@ allow charger efs_file:file create_file_perms;
|
|||
allow charger sec_efs_file:dir rw_dir_perms;
|
||||
allow charger sec_efs_file:file create_file_perms;
|
||||
|
||||
allow charger proc_reset_reason:file r_file_perms;
|
||||
|
||||
set_prop(charger, powerctl_prop)
|
|
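Review bot: `set_prop(charger, powerctl_prop)` lets the charger domain write the power-control property, which init acts on to reboot or shut the device down, and nothing in the hunk records why charger needs that. A one-line comment above the rule would save the next reader from having to check the charger binary, e.g. `# charger mode shuts down through sys.powerctl (e.g. on cable removal) -- confirm against the charger source`. The same applies to `allow charger proc_reset_reason:file r_file_perms;`: name the consumer of /proc/reset_reason so the rule can be dropped if it goes away.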
@ -11,3 +11,4 @@ type paramblk_device, dev_type;
|
|||
type sec_efsblk_device, dev_type;
|
||||
type steady_block_device, dev_type;
|
||||
type tz_device, dev_type;
|
||||
type emmcblk_device, file_type;
|
||||
|
|
|
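Review bot: `type emmcblk_device, file_type;` declares a label for block device nodes with the `file_type` attribute while the neighbouring declarations (`sec_efsblk_device`, `steady_block_device`, `tz_device`) use `dev_type`. The attribute decides which neverallow rules and which dev_type-based checks apply to the node, so labelling a /dev/block node as a plain file type makes it look like ordinary file data to the rest of the policy; the consumers added in the init, ueventd, vendor_init and vold sections would also be checked as blk_file access on a non-device type. Unless there is a reason that is not visible here, this should read `type emmcblk_device, dev_type;`.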
@ -40,6 +40,8 @@ type wifi_efs_file, file_type, mlstrustedobject;
|
|||
type proc_default_smp_affinity, fs_type, proc_type;
|
||||
type proc_simslot_count, fs_type, proc_type;
|
||||
type proc_swappiness, fs_type, proc_type;
|
||||
type proc_last_kmsg, fs_type, proc_type;
|
||||
type proc_reset_reason, fs_type, proc_type;
|
||||
|
||||
# rootfs
|
||||
type firmware-modem_file, file_type, contextmount_type, vendor_file_type;
|
||||
|
@ -57,3 +59,6 @@ type sysfs_tsp, fs_type, sysfs_type;
|
|||
type sysfs_wifi, fs_type, sysfs_type;
|
||||
type sysfs_touchkey, fs_type, sysfs_type;
|
||||
type dsp_file, fs_type, contextmount_type;
|
||||
|
||||
# debugfs
|
||||
type debugfs_rmt, debugfs_type, fs_type;
|
||||
|
|
|
@ -1,4 +1,5 @@
|
|||
# Block devices
|
||||
/dev/block/mmcblk0p[0-9]* u:object_r:emmcblk_device:s0
|
||||
/dev/block/platform/soc/624000\.sdhci/by-name/bota u:object_r:botablk_device:s0
|
||||
/dev/block/platform/soc/624000\.sdhci/by-name/config u:object_r:frp_block_device:s0
|
||||
/dev/block/platform/soc/624000\.sdhci/by-name/debug u:object_r:debug_block_device:s0
|
||||
|
|
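Review bot: `/dev/block/mmcblk0p[0-9]* u:object_r:emmcblk_device:s0` is a catch-all for every partition node on the eMMC, and the vold section later grants `create_file_perms` on that label. Any partition that is not matched by a more specific entry (the by-name lines that follow cover only a few) therefore becomes writable by vold as raw block storage; please confirm that boot, system, vbmeta and the other integrity-sensitive partitions all resolve to their own types, or narrow the regex to the partitions vold actually manages. A comment naming which partitions are meant to land on this label, e.g. `# fallback label for partitions without a by-name type -- list them here`, would make the intent reviewable.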
27
sepolicy/genfs_contexts
Normal file
27
sepolicy/genfs_contexts
Normal file
|
@ -0,0 +1,27 @@
|
|||
genfscon debugfs /rmt_storage u:object_r:debugfs_rmt:s0
|
||||
|
||||
genfscon proc /irq/default_smp_affinity u:object_r:proc_default_smp_affinity:s0
|
||||
genfscon proc /last_kmsg u:object_r:proc_last_kmsg:s0
|
||||
genfscon proc /reset_reason u:object_r:proc_reset_reason:s0
|
||||
genfscon proc /schedstat u:object_r:proc_sched:s0
|
||||
genfscon proc /sys/kernel/sched_cfs_bandwidth_slice_us u:object_r:proc_sched:s0
|
||||
genfscon proc /sys/kernel/sched_cfs_boost u:object_r:proc_sched:s0
|
||||
genfscon proc /sys/kernel/sched_cstate_aware u:object_r:proc_sched:s0
|
||||
genfscon proc /sys/kernel/sched_migration_cost_ns u:object_r:proc_sched:s0
|
||||
genfscon proc /sys/kernel/sched_min_granularity_ns u:object_r:proc_sched:s0
|
||||
genfscon proc /sys/kernel/sched_nr_migrate u:object_r:proc_sched:s0
|
||||
genfscon proc /sys/kernel/sched_rr_timeslice_ms u:object_r:proc_sched:s0
|
||||
genfscon proc /sys/kernel/sched_shares_window_ns u:object_r:proc_sched:s0
|
||||
genfscon proc /sys/kernel/sched_sync_hint_enable u:object_r:proc_sched:s0
|
||||
genfscon proc /sys/kernel/sched_time_avg_ms u:object_r:proc_sched:s0
|
||||
genfscon proc /sys/kernel/sched_use_walt_cpu_util u:object_r:proc_sched:s0
|
||||
genfscon proc /sys/kernel/sched_use_walt_task_util u:object_r:proc_sched:s0
|
||||
genfscon proc /sys/kernel/sched_walt_cpu_high_irqload u:object_r:proc_sched:s0
|
||||
genfscon proc /sys/kernel/sched_walt_init_task_load_pct u:object_r:proc_sched:s0
|
||||
genfscon proc /sys/vm/swappiness u:object_r:proc_swappiness:s0
|
||||
|
||||
genfscon sysfs /devices/soc/6a00000.ssusb/6a00000.dwc3/gadget/lun0/ u:object_r:sysfs_android_usb:s0
|
||||
genfscon sysfs /devices/soc/6a00000.ssusb/power_supply u:object_r:sysfs_batteryinfo:s0
|
||||
genfscon sysfs /devices/soc/soc:i2c@11/i2c-1/1-0071/power_supply u:object_r:sysfs_batteryinfo:s0
|
||||
genfscon sysfs /devices/soc/soc:i2c@13/i2c-0/0-0049/sm5705-charger/power_supply u:object_r:sysfs_batteryinfo:s0
|
||||
genfscon sysfs /devices/virtual/lcd/panel u:object_r:sysfs_lcd_writable:s0
|
|
@ -1,3 +1,9 @@
|
|||
binder_call(hal_fingerprint_default, qfp-daemon)
|
||||
binder_use(hal_fingerprint_default)
|
||||
|
||||
# Allow hal_fingerprint_default to open firmware images
|
||||
r_dir_file(hal_fingerprint_default, firmware_file)
|
||||
|
||||
allow hal_fingerprint_default fp_sensor_device:chr_file rw_file_perms;
|
||||
allow hal_fingerprint_default tee_device:chr_file rw_file_perms;
|
||||
|
||||
|
@ -20,4 +26,8 @@ allow hal_fingerprint_default biometrics_vendor_data_file:file create_file_perms
|
|||
allow hal_fingerprint_default vendor_data_file:dir create_dir_perms;
|
||||
allow hal_fingerprint_default vendor_data_file:file create_file_perms;
|
||||
|
||||
allow hal_fingerprint_default fingerprintd_data_file:file create_file_perms;
|
||||
allow hal_fingerprint_default fingerprintd_data_file:dir write;
|
||||
|
||||
# Ignore all logging requests
|
||||
dontaudit hal_fingerprint_default storage_file:dir search;
|
||||
|
|
|
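Review bot: The comment `# Ignore all logging requests` does not describe the rule under it, `dontaudit hal_fingerprint_default storage_file:dir search;`, which silences a directory search denial on storage_file and has nothing to do with logging; either the comment or the rule is wrong, so replace it with what is actually suppressed, e.g. `# Silence harmless searches of /storage during sensor bring-up`. Separately, `allow hal_fingerprint_default fingerprintd_data_file:dir write;` next to `create_file_perms` on the file class looks incomplete: creating a file in a directory needs `add_name` (and `search`) on the directory as well, so if the HAL really creates files there the rule should probably be `allow hal_fingerprint_default fingerprintd_data_file:dir { search write add_name };`. If it only writes to existing files, the `create` in the file rule is wider than needed.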
@ -14,4 +14,4 @@ allow hal_gnss_qti qmuxd:unix_stream_socket connectto;
|
|||
allow hal_gnss_qti qmuxd_socket:dir { add_name write };
|
||||
allow hal_gnss_qti qmuxd_socket:sock_file { create write };
|
||||
|
||||
allow hal_gnss_qti sysfs:file { getattr open write };
|
||||
allow hal_gnss_qti sysfs:file { getattr open write read };
|
||||
|
|
|
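Review bot: `allow hal_gnss_qti sysfs:file { getattr open write read };` grants write on the generic `sysfs` label, i.e. on every sysfs node that has not been given a dedicated type; the hal_sensors_default section does the same with `sysfs:file { open getattr write read }`. Since this commit introduces genfs_contexts, the node each HAL writes should get its own `sysfs_*` type there and the allow rule should be scoped to that type, e.g. `allow hal_gnss_qti sysfs_gnss:file rw_file_perms;` with a matching genfscon line (type name constructed here, pick whatever fits the node). At minimum the hunk should carry a comment naming the sysfs path that needs write access.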
@ -2,7 +2,7 @@ allow hal_sensors_default input_device:dir r_dir_perms;
|
|||
allow hal_sensors_default input_device:chr_file rw_file_perms;
|
||||
|
||||
allow hal_sensors_default sysfs:dir { open read };
|
||||
allow hal_sensors_default sysfs:file { open getattr write };
|
||||
allow hal_sensors_default sysfs:file { open getattr write read };
|
||||
|
||||
allow hal_sensors_default sysfs_sensors:dir r_dir_perms;
|
||||
allow hal_sensors_default sysfs_sensors:file rw_file_perms;
|
||||
|
|
|
@ -24,11 +24,14 @@ allow init node:tcp_socket node_bind;
|
|||
|
||||
allow init proc:file setattr;
|
||||
|
||||
allow init proc_last_kmsg:file { r_file_perms setattr };
|
||||
|
||||
allow init self:netlink_socket { create read bind };
|
||||
allow init self:tcp_socket { bind create };
|
||||
|
||||
allow init sysfs:dir create;
|
||||
|
||||
allow init sysfs:file { open setattr write };
|
||||
allow init sysfs:file { open setattr write open };
|
||||
|
||||
allow init sysfs_touchkey:lnk_file read;
|
||||
|
||||
allow init emmcblk_device:blk_file { ioctl open read };
|
||||
|
|
|
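Review bot: `allow init sysfs:file { open setattr write open };` lists `open` twice, so the change adds no permission; given that the sibling hunks in this commit add `read` to similar rules, the intended line is most likely `allow init sysfs:file { open read setattr write };`. Please double-check against the denial that motivated the change rather than assuming `read`. The added `allow init emmcblk_device:blk_file { ioctl open read };` and `proc_last_kmsg:file { r_file_perms setattr }` would also benefit from a short comment naming the init action that needs them.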
@ -1 +1,3 @@
|
|||
allow location csc_prop:file { getattr open read };
|
||||
|
||||
allow location sysfs:file { open read };
|
||||
|
|
|
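Review bot: `allow location sysfs:file { open read };` opens every unlabelled sysfs node to the location domain, and the identical rule is added for mm-qcamerad, netmgrd, qmuxd, rmt_storage, sensors, time_daemon, vendor_per_mgr and wcnss_service in the later sections. That many domains reading the same generic label usually means they all read one node (a SoC or hardware-id attribute, presumably); labelling that node in the new genfs_contexts file and granting read on the dedicated type keeps the rest of sysfs out of reach. If the generic grant has to stay for now, each rule should at least carry a comment with the path it is for, e.g. `# reads /sys/<path-placeholder> -- TODO: give the node its own type`.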
@ -7,6 +7,7 @@ allow mm-qcamerad camera_socket:sock_file { create unlink write };
|
|||
allow mm-qcamerad sysfs_camera_writable:dir search;
|
||||
allow mm-qcamerad sysfs_camera_writable:file { read write open getattr };
|
||||
allow mm-qcamerad sysfs_leds:dir search;
|
||||
allow mm-qcamerad sysfs:file { open read };
|
||||
|
||||
allow mm-qcamerad sec_camera_prop:file { read open getattr };
|
||||
allow mm-qcamerad sec_camera_prop:property_service set;
|
||||
|
|
1
sepolicy/netmgrd.te
Normal file
1
sepolicy/netmgrd.te
Normal file
|
@ -0,0 +1 @@
|
|||
allow netmgrd sysfs:file { open read };
|
|
@ -1 +1,3 @@
|
|||
allow qmuxd vendor_radio_prop:file { getattr open read };
|
||||
|
||||
allow qmuxd sysfs:file { open read };
|
||||
|
|
|
@ -13,6 +13,6 @@ allow rild default_prop:property_service set;
|
|||
allow rild imei_efs_file:file { open read setattr getattr write };
|
||||
|
||||
allow rild system_data_file:dir { write add_name };
|
||||
allow rild system_data_file:file { create open write };
|
||||
allow rild system_data_file:file { create open write setattr };
|
||||
|
||||
get_prop(rild, csc_prop)
|
||||
|
|
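Review bot: `allow rild system_data_file:file { create open write setattr };` extends a vendor domain's write access to the core `system_data_file` label, which is the default type for everything under /data that has no more specific label. Files rild creates there should carry a vendor-owned type (the existing `vendor_data_file` used elsewhere in this commit, or a dedicated radio data type) so that the grant is limited to rild's own files; I believe upstream policy also restricts vendor domains writing to core data types, so this may trip a neverallow on a newer base. A comment naming the file rild writes would make the narrowing straightforward.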
7
sepolicy/rmt_storage.te
Normal file
7
sepolicy/rmt_storage.te
Normal file
|
@ -0,0 +1,7 @@
|
|||
# debugfs access
|
||||
userdebug_or_eng(`
|
||||
allow rmt_storage debugfs_rmt:dir search;
|
||||
allow rmt_storage debugfs_rmt:file rw_file_perms;
|
||||
')
|
||||
|
||||
allow rmt_storage sysfs:file { open read };
|
|
@ -1,2 +1,4 @@
|
|||
allow sensors app_efs_file:dir { getattr open read search };
|
||||
allow sensors app_efs_file:file { getattr open read write };
|
||||
|
||||
allow sensors sysfs:file { open read };
|
||||
|
|
|
@ -2,3 +2,5 @@ allow system_server init:binder call;
|
|||
|
||||
allow system_server userspace_reboot_config_prop:file { getattr open read };
|
||||
allow system_server userspace_reboot_exported_prop:file { getattr open read };
|
||||
|
||||
allow system_server proc_last_kmsg:file r_file_perms;
|
||||
|
|
|
@ -41,5 +41,8 @@ allow tee vaultkeeper_efs_file:file rw_file_perms;
|
|||
allow tee vendor_data_file:dir create_dir_perms;
|
||||
allow tee vendor_data_file:file create_file_perms;
|
||||
|
||||
allow tee gatekeeper_data_file:dir read;
|
||||
allow tee gatekeeper_data_file:file getattr;
|
||||
|
||||
get_prop(tee, hwservicemanager_prop)
|
||||
set_prop(tee, vendor_qseecomd_prop)
|
||||
|
|
|
@ -1 +1,3 @@
|
|||
r_dir_file(time_daemon, timeservice_app)
|
||||
|
||||
allow time_daemon sysfs:file { open read };
|
||||
|
|
1
sepolicy/ueventd.te
Normal file
1
sepolicy/ueventd.te
Normal file
|
@ -0,0 +1 @@
|
|||
allow ueventd emmcblk_device:blk_file { getattr setattr };
|
|
@ -17,6 +17,7 @@ allow vendor_init persist_file:lnk_file read;
|
|||
allow vendor_init self:capability sys_rawio;
|
||||
allow vendor_init system_data_file:dir { add_name create setattr write };
|
||||
allow vendor_init tombstone_data_file:dir getattr;
|
||||
allow vendor_init emmcblk_device:blk_file getattr;
|
||||
|
||||
set_prop(vendor_init, camera_prop)
|
||||
set_prop(vendor_init, config_prop)
|
||||
|
|
|
@ -1 +1,2 @@
|
|||
allow vendor_per_mgr self:capability net_raw;
|
||||
allow vendor_per_mgr sysfs:file { open read };
|
||||
|
|
|
@ -1,5 +1,12 @@
|
|||
allow vold hal_bootctl_hwservice:hwservice_manager find;
|
||||
|
||||
allow vold rootfs:dir setattr;
|
||||
allow vold rootfs:dir { setattr add_name create write };
|
||||
|
||||
allow vold sysfs_mmc_host:file write;
|
||||
|
||||
# /efs
|
||||
allow vold efs_file:dir r_dir_perms;
|
||||
|
||||
# /dev/block/mmcblk0p[0-9]
|
||||
allow vold emmcblk_device:dir create_dir_perms;
|
||||
allow vold emmcblk_device:blk_file create_file_perms;
|
||||
|
|
|
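Review bot: `allow vold rootfs:dir { setattr add_name create write }` lets vold create entries in the root filesystem, which is expected to be immutable once init has finished mounting; this usually points at a mount point missing from the ramdisk (or one that should live on a tmpfs) rather than at a policy gap, and it looks like the kind of rule that upstream neverallows on core domains. The new `allow vold emmcblk_device:blk_file create_file_perms;` gives vold write, create and unlink on every raw partition node carrying that label, far more than the partitions it formats and mounts; scope it to the by-name types vold actually uses, and drop `emmcblk_device:dir create_dir_perms`, since the label is applied only to block nodes in file_contexts and no directory should carry it. The `# /dev/block/mmcblk0p[0-9]` comment should then say which partitions remain.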
@ -1 +1,3 @@
|
|||
r_dir_file(wcnss_service, vendor_convergence_data_file)
|
||||
|
||||
allow wcnss_service sysfs:file { open read };
|
||||
|
|