update sepolicy

This commit is contained in:
Valera1978 2018-07-19 13:50:09 +03:00
parent ea7a1a25ba
commit c0c8c50cef
18 changed files with 48 additions and 1 deletions


@ -2,3 +2,7 @@ allow cameraserver unlabeled:file { getattr open read };
allow cameraserver system_prop:property_service set;
allow cameraserver socket_device:sock_file write;
allow cameraserver sysfs_camera:dir search;
allow cameraserver hal_perf_default:binder call;
allow cameraserver hal_perf_hwservice:hwservice_manager find;
allow cameraserver sysfs:file write;
allow cameraserver sysfs_camera:file { getattr open read };
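Review bot: `allow cameraserver sysfs:file write;` grants write to every node still carrying the generic sysfs label, while the following line and this commit's file_contexts change already give the camera nodes their own sysfs_camera type. If the node being written lives under /sys/devices/virtual/camera, fold the write into the specific rule, `allow cameraserver sysfs_camera:file { getattr open read write };`, and drop the generic one; if it is a different node, label it (genfs_contexts or file_contexts) rather than widening access to all of sysfs. The hvdcp hunk has the same generic-label pattern with `allow hvdcp sysfs:dir write;`, which is also odd on its own since sysfs directories are not normally writable from userspace — that denial probably came from a failed mkdir/unlink path and is worth re-checking before it is granted.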


@ -27,3 +27,5 @@
# sysfs
/sys/devices/virtual/camera(/.*)? u:object_r:sysfs_camera:s0
/sys/devices/virtual/sec/sec_key/hall_irq_ctrl u:object_r:sysfs_sec:s0
/system/bin/wifiloader u:object_r:wifiloader_exec:s0
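Review bot: The new `/sys/devices/virtual/sec/sec_key/hall_irq_ctrl` entry only takes effect if something relabels that path after sysfs is populated, because sysfs nodes get their context from genfs_contexts unless init.rc runs a `restorecon` or `restorecon_recursive` over them; the page does not show whether that happens here. If it does not, the node keeps the generic sysfs label and the rild rule `allow rild sysfs_sec:file rw_file_perms;` visible in the rild hunk never matches it. A genfs_contexts line, `genfscon sysfs /devices/virtual/sec/sec_key/hall_irq_ctrl u:object_r:sysfs_sec:s0`, removes the dependency on boot-time relabeling; the same question applies to the existing camera entry above it.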


@ -0,0 +1 @@
allow hal_drm_widevine firmware_file:lnk_file read;


@ -1 +1,2 @@
allow hal_keymaster_default firmware_file:dir search;
allow hal_keymaster_default firmware_file:file read;
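Review bot: `allow hal_keymaster_default firmware_file:file read;` grants read but not open, so unless the descriptor is handed over by another process the next denial will be on open when keymaster opens the firmware blob itself; `allow hal_keymaster_default firmware_file:file r_file_perms;` is the usual form and also covers getattr. The same read-without-open shape appears in the hwservicemanager hunk (`allow hwservicemanager init:file read;`) and the untrusted_app_25 hunk (`allow untrusted_app_25 sysfs:file read;`), while the hvdcp hunk already corrects its own rule to `{ open read }`. It is worth confirming these came from a complete denial log rather than a single audit line before committing the narrower rules.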


@ -0,0 +1,2 @@
allow hal_perf_default init:unix_stream_socket connectto;
allow hal_perf_default property_socket:sock_file write;
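Review bot: These two rules are only half of the property-set pattern: reaching init's property socket lets hal_perf_default talk to the property service, but the set itself still needs `<prop_type>:property_service set` on the property being written, so another denial follows. Using the macro with that property's type, `set_prop(hal_perf_default, PROP_TYPE_PLACEHOLDER)` (constructed; replace PROP_TYPE_PLACEHOLDER with the actual property type from the denial), grants all three permissions at once and keeps the write scoped to that one property. The context lines in the tee hunk show the same hand-written socket pair, so tee.te may want the same treatment.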


@ -1 +1,2 @@
allow hvdcp sysfs:file read;
allow hvdcp sysfs:file { open read };
allow hvdcp sysfs:dir write;


@ -1 +1,3 @@
allow hwservicemanager unlabeled:file { getattr open read };
allow hwservicemanager init:dir search;
allow hwservicemanager init:file read;


@ -9,3 +9,13 @@ allow init functionfs:dir mounton;
allow init self:netlink_socket { bind create read };
allow init self:tcp_socket create;
allow init socket_device:sock_file { create setattr };
allow init system_data_file:file rename;
allow init tee_device:chr_file ioctl;
allow init vfsspi_device:chr_file { ioctl getattr write };
allow init ion_device:chr_file ioctl;
allow init tee_device:chr_file write;
allow init hidl_base_hwservice:hwservice_manager add;
allow init hwservicemanager:binder { call transfer };
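Review bot: The added ioctl/write rules on vfsspi_device, tee_device and ion_device, together with `allow init hidl_base_hwservice:hwservice_manager add;` and `allow init hwservicemanager:binder { call transfer };`, mean something is driving hardware and registering a HIDL service from the init domain itself, which points to an init.rc service or exec running without a domain transition rather than a need of init proper. That work belongs in a dedicated domain with its own exec label and `init_daemon_domain()`, exactly as this commit does for wifiloader, so init keeps a minimal policy; upstream AOSP expects init not to use binder, and depending on the policy base a neverallow may reject these rules at build time. The header reports 10 additions but only 7 appear in the rendered hunk, so some added lines are not visible here.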

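--- /dev/null
+++ b/sepolicy/keystore.te
@@ -0,0 +1 @@
+allow keystore firmware_file:dir search;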


@ -0,0 +1 @@
allow mediaextractor vfat:file { getattr read };


@ -6,3 +6,4 @@ allow mm-qcamerad camera_data_file:sock_file { create unlink };
allow mm-qcamerad camera_socket:dir read;
allow mm-qcamerad system_prop:property_service set;
allow mm-qcamerad sysfs_camera:dir search;
allow mm-qcamerad sysfs_camera:file { getattr open read write };


@ -16,3 +16,4 @@ allow rild proc_net:file w_file_perms;
allow rild sysfs_sec:file rw_file_perms;
allow rild tombstone_data_file:dir search;
allow rild vendor_file:file ioctl;


@ -1,3 +1,4 @@
r_dir_file(system_server, app_efs_file)
allow system_server sysfs_mdnie:file rw_file_perms;
allow system_server default_android_service:service_manager find;
allow system_server unlabeled:file unlink;
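Review bot: `allow system_server unlabeled:file unlink;` works around a labeling gap instead of closing it: a file carries the unlabeled type only when nothing in file_contexts matched it or it was never relabeled, and the context lines in the cameraserver and hwservicemanager hunks show the same workaround already in place for reads. Take the path from the denial, add a file_contexts entry for it (plus a `restorecon` in init.rc if the data predates the label), and the unlabeled rules become unnecessary. Left in, they mean any mislabeled file on the device is readable or deletable by these domains, which is a wider grant than the one path that produced the denial.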


@ -6,3 +6,5 @@ file_type_auto_trans(tee, apk_data_file, tee_data_file);
allow tee property_socket:sock_file write;
allow tee init:unix_stream_socket connectto;
allow tee gatekeeper_data_file:file { open read };
allow tee efs_file:file { open read };


@ -10,3 +10,4 @@ allow toolbox sensors_prop:property_service set;
allow toolbox radio_data_file:dir { add_name create getattr open read setattr write };
allow toolbox self:capability dac_override;
allow toolbox sensors_persist_file:dir getattr;
allow toolbox proc:file { open read };


@ -1,3 +1,6 @@
allow untrusted_app_25 proc_stat:file { open read };
allow untrusted_app_25 wcnss_prop:file open;
allow untrusted_app_25 wififtmd_prop:file { getattr open };
allow untrusted_app_25 mnt_media_rw_file:dir getattr;
allow untrusted_app_25 rootfs:dir read;
allow untrusted_app_25 sysfs:file read;
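Review bot: `allow untrusted_app_25 sysfs:file read;` and `allow untrusted_app_25 rootfs:dir read;` apply to every app targeting API 25 or lower, and the generic sysfs label covers every sysfs node without a more specific type, so this exposes hardware and driver state to any installed app rather than the one file that produced the denial. Identify that file, give it its own sysfs_* type via genfs_contexts, and allow only that type, following the per-type rules already in this hunk; `rootfs:dir read` likewise lets apps enumerate the root directory and usually reflects an app probing the filesystem rather than a requirement to grant. Upstream policy restricts untrusted app access to sysfs, so this rule may also fail against a newer policy base.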


@ -1,3 +1,4 @@
allow vold adsprpcd_file:dir r_dir_perms;
allow vold efs_file:dir { ioctl open read };
allow vold persist_file:dir { open read ioctl };
allow vold self:capability sys_resource;

12
sepolicy/wifiloader.te Normal file

@ -0,0 +1,12 @@
#### wifiloader
#
type wifiloader, domain;
type wifiloader_exec, exec_type, file_type;
init_daemon_domain(wifiloader)
allow wifiloader proc:file r_file_perms;
# load .ko modules
allow kernel self:capability sys_module;
allow wifiloader self:capability sys_module;