sanders: sepolicy update

Change-Id: Ibc045495b988437244304f37d451c9537a53a4f3

sepolicy/adspd.te

@@ -1,5 +1,5 @@
 type adspd, domain;
-type adspd_exec, exec_type, file_type;
+type adspd_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(adspd)
 
 allow adspd audio_device:chr_file { ioctl open read write };

sepolicy/cameraserver.te

@@ -1,2 +1,58 @@
-# Shouldn't do this here
-allow cameraserver self:netlink_kobject_uevent_socket { read bind create setopt };
+binder_call(cameraserver, servicemanager);
+
+allow cameraserver nfc_data_file:dir search;
+allow cameraserver nfc_data_file:fifo_file write;
+allow cameraserver nfc_data_file:fifo_file open;
+
+allow cameraserver sensorservice_service:service_manager { find };
+allow cameraserver system_file:dir { read open };
+
+allow cameraserver sdcardfs:dir { read write open getattr add_name remove_name rw_file_perms rmdir search };
+allow cameraserver sdcardfs:file { create open read write unlink getattr };
+allow cameraserver storage_file:dir search;
+
+allow cameraserver persist_file:file { read write open create getattr create_file_perms rw_file_perms };
+allow cameraserver persist_file:dir { read write open create_file_perms rw_file_perms search add_name create };
+allow cameraserver fuse:file { read write open create getattr create_file_perms rw_file_perms };
+allow cameraserver fuse:dir { read write open create_file_perms rw_file_perms search add_name create };
+allow cameraserver tmpfs:file { read write open create getattr create_file_perms rw_file_perms };
+allow cameraserver tmpfs:dir { read write open create_file_perms rw_file_perms search add_name create };
+allow cameraserver storage_file:dir r_dir_perms;
+allow cameraserver storage_file:lnk_file r_file_perms;
+allow cameraserver mnt_user_file:dir r_dir_perms;
+allow cameraserver mnt_user_file:lnk_file r_file_perms;
+allow cameraserver media_rw_data_file:dir { open read search write add_name };
+allow cameraserver media_rw_data_file:file { create read write open };
+
+allow cameraserver sysfs:file { open write };
+
+allow cameraserver cameraserver:process { execmem };
+
+####
+allow cameraserver debug_prop:file { r_file_perms };
+allow cameraserver debug_prop:property_service set;
+
+#######
+#allow cameraserver persist_file:file rw_file_perms;
+#allow cameraserver persist_file:file setattr;
+allow cameraserver shell_exec:file { read open execute };
+allow cameraserver self:socket create;
+allow cameraserver camera_prop:property_service set;
+allow cameraserver init:unix_stream_socket connectto;
+allow cameraserver sensors_persist_file:file { open read };
+allow cameraserver property_socket:sock_file write;
+#allow cameraserver cameraserver:socket { { getattr read ioctl lock } { append write lock } };
+allow cameraserver shell_exec:file { execute getattr };
+allow cameraserver system_file:file execute;
+
+allow cameraserver debugfs:dir { read open };
+
+
+
+allow cameraserver nfc_data_file:file { open write };
+allow cameraserver socket_device:sock_file write;
+
+allow cameraserver hal_perf_default:binder call;
+
+allow cameraserver sysfs_battery_supply:dir search;
+allow cameraserver sysfs_battery_supply:file { getattr open read };

sepolicy/esepmdaemon.te

@@ -0,0 +1,2 @@
+binder_call(esepmdaemon, servicemanager);
+

sepolicy/file.te

@@ -42,4 +42,17 @@ type sysfs_cnss, fs_type, sysfs_type;
 type sysfs_fpc, fs_type, sysfs_type;
 
 type fpc_socket, file_type;
+type fpc_data_file, file_type;
+
 type sysfs_wcnsscore, fs_type, sysfs_type;
+
+type nv_data_file, file_type;
+type sysfs_rmt_storage, fs_type, sysfs_type;
+type debugfs_rmt_storage, debugfs_type, fs_type;
+type debugfs_rpm, debugfs_type, fs_type;
+type debugfs_wlan, debugfs_type, fs_type;
+type perfd_data_file, file_type, data_file_type;
+type proc_kernel_sched, fs_type;
+type sysfs_power_management, sysfs_type, fs_type;
+type proc_touchpanel, fs_type;
+

sepolicy/file_contexts

@@ -6,12 +6,10 @@
 /dev/hidraw[0-9]*                                        u:object_r:amps_raw_device:s0
 
 # Binaries
-/system/bin/adspd                                        u:object_r:adspd_exec:s0
+#/system/vendor/bin/adspd                                        u:object_r:adspd_exec:s0
 /system/bin/charge_only_mode                             u:object_r:charge_only_exec:s0
-/system/bin/init\.mmi\.boot\.sh                          u:object_r:mmi_boot_exec:s0
-/system/bin/wlan_carrier_bin\.sh                         u:object_r:init_wifi_exec:s0
-/system/bin/motosh                                       u:object_r:sensor_hub_exec:s0
-/system/bin/akmd09912                                    u:object_r:akmd_exec:s0
+#/system/vendor/bin/init\.mmi\.boot\.sh                          u:object_r:mmi_boot_exec:s0
+#/system/vendor/bin/wlan_carrier_bin\.sh                         u:object_r:init_wifi_exec:s0
 
 # CMActions
 /sys/homebutton(/.*)?                                    u:object_r:sysfs_homebutton:s0
@@ -110,3 +108,19 @@
 
 # WCNSS
 /sys/module/wcnsscore/parameters(/.*)?                   u:object_r:sysfs_wcnsscore:s0
+
+/data/misc/perfd(/.*)?                                          u:object_r:perfd_data_file:s0
+/data/system/perfd(/.*)?                                        u:object_r:perfd_data_file:s0
+/data/oemnvitems(/.*)?                                          u:object_r:nv_data_file:s0
+/data/vendor/time(/.*)?                                         u:object_r:time_data_file:s0
+
+/system/vendor/bin/perfd           u:object_r:perfd_exec:s0
+/system/vendor/bin/hw/android\.hardware\.power@1\.1-service\.qti          u:object_r:hal_power_default_exec:s0
+/system/vendor/radio(/.*)? u:object_r:radio_data_file:s0
+/system/vendor/bin/sensorservice_32          u:object_r:hal_sensors_default_exec:s0
+
+/system/vendor/bin/qmi_motext_hook u:object_r:radio_data_file:s0
+
+/sys/kernel/debug/rmt_storage(/.*)? u:object_r:debugfs_rmt_storage:s0
+
+/data/vendor/nfc(/.*)? u:object_r:nfc_data_file:s0

sepolicy/init.te

@@ -1,5 +1,18 @@
+# binder_call(init, mm-qcamerad);
+#binder_call(init, hwservicemanager);
+# binder_call(init, servicemanager);
+
+allow init hwservicemanager:binder call;
+allow init mm-qcamerad:binder transfer;
+allow init platform_app:binder transfer;
+
+allow init sysfs_devices_system_cpu:dir write;
+allow init sysfs_lowmemorykiller:dir write;
+allow init system_app:binder transfer;
+allow init system_data_file:file lock;
+
 allow init audio_device:chr_file { write ioctl };
-allow init input_device:chr_file ioctl;
+allow init input_device:chr_file rw_file_perms;
 allow init sensors_device:chr_file { write ioctl };
 allow init tee_device:chr_file { write ioctl };
 
@@ -21,3 +34,25 @@ allow init self:netlink_socket { read write getattr connect };
 
 allow init debugfs:file write;
 allow init persist_file:filesystem { getattr mount relabelfrom relabelto };
+
+# binder_call(batterystats_service, servicemanager);
+# allow init batterystats_service:service_manager find;
+
+# binder_call(hal_sensors_hwservice, servicemanager);
+# allow init hal_sensors_hwservice:service_manager find;
+
+allow init self:capability sys_nice;
+
+allow init bt_firmware_file:filesystem { associate };
+allow init firmware_file:filesystem { associate };
+allow init firmware_file:dir mounton;
+
+allow init sensors_device:chr_file { rw_file_perms create };
+
+allow init self:netlink_route_socket { bind create getopt nlmsg_read read setopt write };
+
+allow init self:capability2 { block_suspend };
+
+allow init hal_sensors_hwservice:hwservice_manager find;
+
+allow init { domain -lmkd -crash_dump }:process noatsecure;

sepolicy/init_wifi.te

@@ -1,5 +1,5 @@
 type init_wifi, domain;
-type init_wifi_exec, exec_type, file_type;
+type init_wifi_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(init_wifi)
 
 # shell scripts need to execute /system/bin/sh

sepolicy/mm-qcamerad.te

@@ -1,4 +1,21 @@
+binder_call(mm-qcamerad, servicemanager);
+binder_use(mm-qcamerad);
+binder_call(mm-qcamerad, binderservicedomain);
+binder_call(mm-qcamerad, appdomain);
+
+allow servicemanager mm-qcamerad:dir { search };
+allow servicemanager mm-qcamerad:file { read open };
+allow servicemanager mm-qcamerad:process { getattr };
+
+allow mm-qcamerad camera_data_file:sock_file { create unlink write };
+allow mm-qcamerad system_server:unix_stream_socket rw_socket_perms;
+allow mm-qcamerad sensorservice_service:service_manager find;
+allow mm-qcamerad vendor_camera_data_file:file rw_file_perms;
+allow mm-qcamerad permission_service:service_manager find;
 allow mm-qcamerad debug_prop:property_service set;
 allow mm-qcamerad persist_file:dir search;
 allow mm-qcamerad persist_file:file { read getattr open };
 allow mm-qcamerad system_data_file:dir read;
+
+allow mm-qcamerad init:unix_stream_socket { read write };
+allow mm-qcamerad sysfs_graphics:file { open read };

sepolicy/mmi_boot.te

@@ -1,5 +1,5 @@
 type mmi_boot, domain;
-type mmi_boot_exec, exec_type, file_type;
+type mmi_boot_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(mmi_boot)
 
 # shell scripts need to execute /system/bin/sh

sepolicy/platform_app.te

@@ -0,0 +1,9 @@
+typeattribute platform_app mlstrustedsubject;
+
+# binder_call(platform_app, init);
+
+allow platform_app isdbt_device:chr_file rw_file_perms;
+allow platform_app rootfs:dir getattr;
+
+allow platform_app init:unix_stream_socket { read write };
+

sepolicy/rfs_access.te

@@ -1 +1,3 @@
 allow rfs_access self:capability net_raw;
+allow rfs_access persist_file:file { getattr open read rename setattr unlink write };
+

sepolicy/rfs_file.te

@@ -0,0 +1 @@
+allow rfs_file persist_file:filesystem associate;

sepolicy/rild.te

@@ -1,11 +1,14 @@
-allow rild cutback_data_file:dir rw_dir_perms;
-allow rild cutback_data_file:sock_file create_file_perms;
-allow rild fsg_file:file r_file_perms;
-allow rild fsg_file:dir r_dir_perms;
-allow rild fsg_file:lnk_file read;
-allow rild persist_file:dir search;
-allow rild persist_file:file rw_file_perms;
-allow rild sensorservice_service:service_manager find;
-allow rild system_server:binder { transfer call };
-allow rild system_server:unix_stream_socket { read getopt write };
+binder_call(rild, servicemanager);
+binder_call(rild, audioserver_service);
+binder_call(rild, per_mgr_service_old);
+allow rild per_mgr_service_old:service_manager find;
+set_prop(rild, diag_prop);
+allow rild nv_data_file:dir rw_dir_perms;
+allow rild nv_data_file:file create_file_perms;
+allow rild radio_data_file:dir rw_dir_perms;
+allow rild radio_data_file:file create_file_perms;
+allow rild fsg_file:file { getattr open read };
+
+allow rild cutback_data_file:dir { add_name remove_name write };
+allow rild cutback_data_file:sock_file { create unlink write };
 

sepolicy/sensor_hub.te

@@ -1,6 +1,12 @@
 type sensor_hub, domain;
-type sensor_hub_exec, exec_type, file_type;
+type sensor_hub_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(sensor_hub)
 
+binder_use(sensor_hub)
+binder_service(sensor_hub)
+
 allow sensor_hub sensors_device:chr_file rw_file_perms;
 set_prop(sensor_hub, motosh_prop)
+
+allow sensor_hub firmware_file:file { getattr open read };
+allow sensor_hub vendor_file:file rx_file_perms;

sepolicy/servicemanager.te

@@ -0,0 +1,37 @@
+allow servicemanager init:dir search;
+allow servicemanager init:file { open read };
+allow servicemanager init:process getattr;
+allow servicemanager qseeproxy:dir search;
+allow servicemanager qseeproxy:file { open read };
+allow servicemanager rild:dir search;
+allow servicemanager rild:file { open read };
+allow servicemanager rild:process getattr;
+
+allow servicemanager hal_fingerprint_default:dir search;
+allow servicemanager hal_fingerprint_default:file read;
+allow servicemanager qseeproxy:process getattr;
+
+
+allow servicemanager hal_camera_default:dir search;
+allow servicemanager hal_camera_default:file { open read };
+allow servicemanager hal_camera_default:process getattr;
+
+allow servicemanager hal_fingerprint_default:file open;
+allow servicemanager hal_fingerprint_default:process getattr;
+
+allow servicemanager wcnss_service:dir search;
+allow servicemanager wcnss_service:file { open read };
+
+allow servicemanager esepmdaemon:dir search;
+allow servicemanager esepmdaemon:file { open read };
+allow servicemanager esepmdaemon:process getattr;
+
+allow servicemanager per_mgr:dir search;
+allow servicemanager per_mgr:file { open read };
+allow servicemanager per_mgr:process getattr;
+allow servicemanager wcnss_service:process getattr;
+
+allow servicemanager hal_gnss_qti:dir search;
+allow servicemanager hal_gnss_qti:file { open read };
+allow servicemanager hal_gnss_qti:process getattr;
+

sepolicy/surfaceflinger.te

@@ -0,0 +1,5 @@
+get_prop(surfaceflinger, diag_prop);
+allow surfaceflinger perfd_data_file:sock_file write;
+allow surfaceflinger perfd_data_file:dir search;
+allow surfaceflinger perfd:unix_stream_socket connectto;
+

sepolicy/system_app.te

@@ -1,4 +1,19 @@
-allow system_app sysfs_homebutton:dir r_dir_perms;
-allow system_app sysfs_homebutton:file rw_file_perms;
-allow system_app fingerprintd:binder call;
+allow system_app proc_touchpanel:dir search;
+allow system_app sysfs_vibrator:file rw_file_perms;
+allow system_app sysfs_vibrator:dir search;
+allow system_app sysfs_graphics:file rw_file_perms;
+allow system_app sysfs_graphics:dir search;
+allow system_app proc_touchpanel:file rw_file_perms;
+allow system_app sysfs_fpc:file rw_file_perms;
+allow system_app fuse_device:filesystem getattr;
+allow system_app time_daemon:unix_stream_socket connectto;
+
+allow system_app init:unix_stream_socket { read write };
+allow system_app sysfs_homebutton:file write;
+allow system_app sysfs_screen_off_gestures:file write;
+
+get_prop(system_app, diag_prop);
+get_prop(system_app, qemu_hw_mainkeys_prop);
+binder_call(system_app, qtitetherservice_service);
+binder_call(system_app, wificond);
 

sepolicy/system_server.te

@@ -5,4 +5,10 @@ allow system_server persist_file:file create_file_perms;
 allow system_server rild:binder transfer;
 allow system_server sysfs_capsense:dir search;
 allow system_server sysfs_capsense:file rw_file_perms;
+allow system_server init:unix_stream_socket { read };
+# allow system_server dalvikcache_data_file:file { execute };
 
+allow system_server qti_debugfs:file { getattr open read };
+allow system_server init:unix_stream_socket write;
+
+get_prop(system_server, alarm_boot_prop)

sepolicy/toolbox.te

@@ -0,0 +1,15 @@
+set_prop(toolbox, diag_prop);
+set_prop(toolbox, hw_rev_prop);
+set_prop(toolbox, touch_prop);
+get_prop(toolbox rmnet_mux_prop);
+allow toolbox init:fifo_file { write getattr };
+
+allow toolbox self:capability { chown dac_override };
+
+allow toolbox proc:file rw_file_perms;
+allow toolbox radio_data_file:file rw_file_perms;
+allow toolbox firmware_file:file getattr;
+allow toolbox init:fifo_file ioctl;
+allow toolbox sysfs:dir rw_dir_perms;
+allow toolbox sysfs:file rw_file_perms;
+allow toolbox init:fifo_file read;

sepolicy/untrusted_app_25.te

@@ -0,0 +1,6 @@
+#allow untrusted_app_25 hal_memtrack_hwservice:hwservice_manager find;
+#allow untrusted_app_25 proc:file read;
+#allow untrusted_app_25 qti_debugfs:file read;
+
+allow untrusted_app_25 init:unix_stream_socket { read write };
+

sepolicy/vold.te

@@ -0,0 +1 @@
+allow vold persist_file:dir { ioctl open read };

sepolicy/wcnss_service.te

@@ -1 +1,8 @@
-allow wcnss_service self:capability { setgid setuid };
+binder_call(wcnss_service, servicemanager);
+set_prop(wcnss_service, wifi_prop);
+get_prop(wcnss_service, diag_prop);
+allow wcnss_service toolbox_exec:file { execute getattr execute_no_trans read open };
+allow wcnss_service shell_exec:file { execute getattr execute_no_trans read open };
+allowxperm wcnss_service self:udp_socket ioctl priv_sock_ioctls;
+
+allow wcnss_service per_mgr_service_old:service_manager find;