sanders: update sepolicy
* fix build with treble
@@ -9,10 +9,10 @@
|
||||
# /dev/block/bootdevice/by-name/system /system ext4 ro,barrier=1,discard wait
|
||||
/dev/block/bootdevice/by-name/userdata /data f2fs rw,discard,nosuid,nodev,noatime,nodiratime,nobarrier,inline_xattr,inline_data wait,check,formattable,encryptable=/dev/block/bootdevice/by-name/metadata
|
||||
/dev/block/bootdevice/by-name/cache /cache ext4 rw,noatime,nosuid,nodev,barrier=1,data=ordered wait,check,formattable
|
||||
/dev/block/bootdevice/by-name/modem /firmware ext4 ro,nosuid,nodev,barrier=0 wait
|
||||
/dev/block/bootdevice/by-name/fsg /fsg ext4 ro,nosuid,nodev wait
|
||||
/dev/block/bootdevice/by-name/modem /firmware ext4 ro,nosuid,nodev,barrier=0,context=u:object_r:firmware_file:s0 wait
|
||||
/dev/block/bootdevice/by-name/fsg /fsg ext4 ro,nosuid,nodev,context=u:object_r:fsg_file:s0 wait
|
||||
/dev/block/bootdevice/by-name/dsp /dsp ext4 ro,nosuid,nodev,barrier=1 wait
|
||||
/dev/block/bootdevice/by-name/persist /persist ext4 nosuid,nodev,barrier=1,noatime,noauto_da_alloc wait
|
||||
/dev/block/bootdevice/by-name/persist /persist ext4 nosuid,nodev,barrier=1,noatime,noauto_da_alloc,context=u:object_r:persist_file:s0 wait
|
||||
/dev/block/bootdevice/by-name/boot /boot emmc defaults recoveryonly
|
||||
/dev/block/bootdevice/by-name/recovery /recovery emmc defaults recoveryonly
|
||||
/dev/block/bootdevice/by-name/misc /misc emmc defaults defaults
|
||||
|
||||
19
sepolicy/vendor/adspd.te
vendored
19
sepolicy/vendor/adspd.te
vendored
@@ -1,19 +0,0 @@
|
||||
type adspd, domain;
|
||||
type adspd_exec, exec_type, vendor_file_type, file_type;
|
||||
init_daemon_domain(adspd)
|
||||
|
||||
binder_use(adspd)
|
||||
binder_service(adspd)
|
||||
binder_call(adspd, system_server)
|
||||
|
||||
allow adspd vendor_shell_exec:file entrypoint;
|
||||
|
||||
allow adspd audio_device:chr_file { ioctl open read write };
|
||||
allow adspd audio_device:dir search;
|
||||
allow adspd input_device:chr_file { ioctl open read };
|
||||
allow adspd input_device:dir search;
|
||||
allow adspd sysfs_adsp:file write;
|
||||
# The below one is WRONG
|
||||
allow adspd sysfs:file write;
|
||||
|
||||
set_prop(adspd, adspd_prop)
|
||||
41
sepolicy/vendor/charge_only.te
vendored
41
sepolicy/vendor/charge_only.te
vendored
@@ -1,17 +1,46 @@
|
||||
type charge_only, domain;
|
||||
type charge_only_exec, exec_type, file_type;
|
||||
type charge_only_exec, exec_type, file_type, vendor_file_type;
|
||||
init_daemon_domain(charge_only)
|
||||
|
||||
allow charge_only chargeonly_data_file:dir rw_dir_perms;
|
||||
allow charge_only chargeonly_data_file:file rw_file_perms;
|
||||
allow charge_only graphics_device:chr_file rw_file_perms;
|
||||
allow charge_only graphics_device:dir search;
|
||||
allow charge_only input_device:chr_file r_file_perms;
|
||||
allow charge_only input_device:dir search;
|
||||
|
||||
# Write to /dev/kmsg
|
||||
allow charge_only kmsg_device:chr_file rw_file_perms;
|
||||
|
||||
# Read access to pseudo filesystems.
|
||||
r_dir_file(charge_only, sysfs_type)
|
||||
r_dir_file(charge_only, rootfs)
|
||||
r_dir_file(charge_only, cgroup)
|
||||
|
||||
allow charge_only self:capability { dac_override net_admin sys_tty_config sys_boot };
|
||||
allow charge_only self:netlink_kobject_uevent_socket { bind read setopt create };
|
||||
allow charge_only self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
|
||||
|
||||
wakelock_use(charge_only)
|
||||
|
||||
# Write to /sys/power/state
|
||||
# TODO: Split into a separate type?
|
||||
allow charge_only sysfs:dir { read open };
|
||||
allow charge_only sysfs:file { read open write };
|
||||
|
||||
allow charge_only sysfs_wake_lock:file rw_file_perms;
|
||||
allow charge_only system_data_file:dir { write add_name };
|
||||
|
||||
allow charge_only sysfs_batteryinfo:file r_file_perms;
|
||||
|
||||
# Read /sys/fs/pstore/console-ramoops
|
||||
# Don't worry about overly broad permissions for now, as there's
|
||||
# only one file in /sys/fs/pstore
|
||||
allow charge_only pstorefs:dir r_dir_perms;
|
||||
allow charge_only pstorefs:file r_file_perms;
|
||||
|
||||
allow charge_only graphics_device:dir r_dir_perms;
|
||||
allow charge_only graphics_device:chr_file rw_file_perms;
|
||||
allow charge_only input_device:dir r_dir_perms;
|
||||
allow charge_only input_device:chr_file r_file_perms;
|
||||
allow charge_only tty_device:chr_file rw_file_perms;
|
||||
allow charge_only proc_sysrq:file rw_file_perms;
|
||||
|
||||
# charger needs to tell init to continue the boot
|
||||
# process when running in charger mode.
|
||||
set_prop(charge_only, system_prop)
|
||||
|
||||
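Review bot: `allow charge_only sysfs:file { read open write };` grants write on the generic sysfs type, so charge_only can write any sysfs node that has no more specific label, not only the /sys/power/state file the comment above it names. The TODO already describes the fix: give /sys/power/state its own type in file_contexts and narrow the rule to it, e.g. `allow charge_only <POWER_STATE_SYSFS_TYPE>:file rw_file_perms;` (placeholder name). With charge_only_exec now carrying vendor_file_type, `allow charge_only system_data_file:dir { write add_name };` and `set_prop(charge_only, system_prop)` are a vendor domain touching core data and property types, which is the kind of cross-partition access the Treble neverallow set targets; worth confirming against the build, and the existing chargeonly_data_file type already covers files the daemon needs under /data. `allow charge_only proc_sysrq:file rw_file_perms;` would also benefit from a one-line comment saying which sysrq action charge_only needs. Which of these lines are new and which are carried over is not recoverable from the rendered page; I am reading the 46-line result.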
2
sepolicy/vendor/cnd.te
vendored
2
sepolicy/vendor/cnd.te
vendored
@@ -1,2 +1,2 @@
|
||||
allow cnd system_wpa_socket:sock_file { unlink };
|
||||
# allow cnd system_wpa_socket:sock_file { unlink };
|
||||
allow cnd diag_device:chr_file { read write };
|
||||
|
||||
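Review bot: `# allow cnd system_wpa_socket:sock_file { unlink };` leaves the rule as dead text instead of deleting it; git history already preserves it, and a later un-comment would silently reintroduce whatever the Treble build check rejected. Prefer deleting the line, or if it must stay as a marker, say why it was disabled, e.g. `# disabled: rejected by Treble neverallow, see <BUILD_ERROR_OR_ISSUE>` (placeholder). The same pattern appears in the esepmdaemon.te, hal_fingerprint_default.te, hal_gnss_qti.te, hal_sensors_default.te, mm-qcamerad.te, netmgrd.te, peripheral_manager.te, qseeproxy.te, rild.te, surfaceflinger.te, system_app.te and wcnss_service.te hunks.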
2
sepolicy/vendor/esepmdaemon.te
vendored
2
sepolicy/vendor/esepmdaemon.te
vendored
@@ -1,2 +1,2 @@
|
||||
binder_call(esepmdaemon, servicemanager);
|
||||
# binder_call(esepmdaemon, servicemanager);
|
||||
|
||||
|
||||
4
sepolicy/vendor/file.te
vendored
4
sepolicy/vendor/file.te
vendored
@@ -41,12 +41,12 @@ type sysfs_batt, fs_type, sysfs_type;
|
||||
type sysfs_cnss, fs_type, sysfs_type;
|
||||
type sysfs_fpc, fs_type, sysfs_type;
|
||||
|
||||
type fpc_socket, file_type;
|
||||
type fpc_socket, file_type, data_file_type;
|
||||
type fpc_data_file, file_type;
|
||||
|
||||
type sysfs_wcnsscore, fs_type, sysfs_type;
|
||||
|
||||
type nv_data_file, file_type;
|
||||
type nv_data_file, file_type, data_file_type;
|
||||
type sysfs_rmt_storage, fs_type, sysfs_type;
|
||||
type debugfs_rmt_storage, debugfs_type, fs_type;
|
||||
type debugfs_wlan, debugfs_type, fs_type;
|
||||
|
||||
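Review bot: `type fpc_data_file, file_type;` on the line after the changed fpc_socket declaration keeps only file_type, while fpc_socket and nv_data_file now gain data_file_type. If fpc_data_file also labels a path under /data, as its name suggests, it presumably needs the same attribute or it will trip the same check the other two were fixed for; worth confirming against file_contexts, which is not in this hunk.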
9
sepolicy/vendor/file_contexts
vendored
9
sepolicy/vendor/file_contexts
vendored
@@ -6,11 +6,10 @@
|
||||
/dev/hidraw[0-9]* u:object_r:amps_raw_device:s0
|
||||
|
||||
# Binaries
|
||||
/system/vendor/bin/adspd u:object_r:adspd_exec:s0
|
||||
/system/bin/charge_only_mode u:object_r:charge_only_exec:s0
|
||||
/system/vendor/bin/init\.mmi\.boot\.sh u:object_r:mmi_boot_exec:s0
|
||||
/system/vendor/bin/wlan_carrier_bin\.sh u:object_r:init_wifi_exec:s0
|
||||
/system/vendor/bin/init\.qti\.fm\.sh u:object_r:qti_init_shell_exec:s0
|
||||
/vendor/bin/charge_only_mode u:object_r:charge_only_exec:s0
|
||||
/vendor/bin/init\.mmi\.boot\.sh u:object_r:mmi_boot_exec:s0
|
||||
/vendor/bin/wlan_carrier_bin\.sh u:object_r:init_wifi_exec:s0
|
||||
/vendor/bin/init\.qti\.fm\.sh u:object_r:qti_init_shell_exec:s0
|
||||
|
||||
# CMActions
|
||||
/sys/homebutton(/.*)? u:object_r:sysfs_homebutton:s0
|
||||
|
||||
2
sepolicy/vendor/hal_fingerprint_default.te
vendored
2
sepolicy/vendor/hal_fingerprint_default.te
vendored
@@ -9,6 +9,6 @@ allow hal_fingerprint_default sysfs_graphics:dir r_dir_perms;
|
||||
allow hal_fingerprint_default sysfs_graphics:file r_file_perms;
|
||||
allow hal_fingerprint_default sysfs_leds:dir r_dir_perms;
|
||||
allow hal_fingerprint_default sysfs_leds:file r_file_perms;
|
||||
allow hal_fingerprint_default fingerprintd_data_file:sock_file { create unlink };
|
||||
# allow hal_fingerprint_default fingerprintd_data_file:sock_file { create unlink };
|
||||
allow hal_fingerprint_default uhid_device:chr_file rw_file_perms;
|
||||
allow hal_fingerprint_default fpc_socket:sock_file unlink;
|
||||
|
||||
4
sepolicy/vendor/hal_gnss_qti.te
vendored
4
sepolicy/vendor/hal_gnss_qti.te
vendored
@@ -1,6 +1,6 @@
|
||||
binder_call(hal_gnss_qti, servicemanager);
|
||||
# binder_call(hal_gnss_qti, servicemanager);
|
||||
get_prop(hal_gnss_qti, diag_prop);
|
||||
allow hal_gnss_qti per_mgr_service_old:service_manager find;
|
||||
# allow hal_gnss_qti per_mgr_service_old:service_manager find;
|
||||
allow hal_gnss_qti debug_prop:file read;
|
||||
allow hal_gnss_qti property_socket:sock_file write;
|
||||
|
||||
|
||||
2
sepolicy/vendor/hal_sensors_default.te
vendored
2
sepolicy/vendor/hal_sensors_default.te
vendored
@@ -1,5 +1,5 @@
|
||||
binder_call(hal_sensors_default, hwservicemanager)
|
||||
binder_call(hal_sensors_default, servicemanager)
|
||||
# binder_call(hal_sensors_default, servicemanager)
|
||||
|
||||
binder_call(hal_sensors_default, mm-qcamerad)
|
||||
binder_call(hal_sensors_default, system_server)
|
||||
|
||||
2
sepolicy/vendor/init_wifi.te
vendored
2
sepolicy/vendor/init_wifi.te
vendored
@@ -1,4 +1,4 @@
|
||||
type init_wifi, domain;
|
||||
type init_wifi, domain, binder_in_vendor_violators;
|
||||
type init_wifi_exec, exec_type, vendor_file_type, file_type;
|
||||
init_daemon_domain(init_wifi)
|
||||
|
||||
|
||||
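Review bot: `type init_wifi, domain, binder_in_vendor_violators;` exempts init_wifi from the Treble neverallow on vendor domains using binder, so it keeps the build green without removing the binder use that was flagged. A comment naming the reason would help the next reader, e.g. `# TODO: <REASON> still needs binder from vendor; drop binder_in_vendor_violators once it is removed` (placeholder). The rules that actually use binder are not in this hunk, so I cannot tell whether plainly deleting them, as this commit does for other domains, would have worked here. The same applies to the mmi_boot.te hunk.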
19
sepolicy/vendor/mm-qcamerad.te
vendored
19
sepolicy/vendor/mm-qcamerad.te
vendored
@@ -1,26 +1,25 @@
|
||||
binder_call(mm-qcamerad, servicemanager);
|
||||
binder_use(mm-qcamerad);
|
||||
binder_call(mm-qcamerad, binderservicedomain);
|
||||
binder_call(mm-qcamerad, appdomain);
|
||||
binder_call(mm-qcamerad, hal_sensors_default);
|
||||
# binder_call(mm-qcamerad, servicemanager);
|
||||
# binder_use(mm-qcamerad);
|
||||
# binder_call(mm-qcamerad, binderservicedomain);
|
||||
# binder_call(mm-qcamerad, appdomain);
|
||||
# binder_call(mm-qcamerad, hal_sensors_default);
|
||||
set_prop(mm-qcamerad, camera_prop);
|
||||
|
||||
allow servicemanager mm-qcamerad:dir { search };
|
||||
allow servicemanager mm-qcamerad:file { read open };
|
||||
allow servicemanager mm-qcamerad:process { getattr };
|
||||
|
||||
allow mm-qcamerad camera_data_file:sock_file { create unlink write };
|
||||
allow mm-qcamerad system_server:unix_stream_socket rw_socket_perms;
|
||||
allow mm-qcamerad sensorservice_service:service_manager find;
|
||||
# allow mm-qcamerad camera_data_file:sock_file { create unlink write };
|
||||
# allow mm-qcamerad system_server:unix_stream_socket rw_socket_perms;
|
||||
#allow mm-qcamerad sensorservice_service:service_manager find;
|
||||
allow mm-qcamerad vendor_camera_data_file:file rw_file_perms;
|
||||
allow mm-qcamerad permission_service:service_manager find;
|
||||
# allow mm-qcamerad permission_service:service_manager find;
|
||||
allow mm-qcamerad debug_prop:property_service set;
|
||||
allow mm-qcamerad persist_file:dir search;
|
||||
allow mm-qcamerad persist_file:file { read getattr open };
|
||||
allow mm-qcamerad system_data_file:dir read;
|
||||
|
||||
allow mm-qcamerad init:unix_stream_socket { read write };
|
||||
allow mm-qcamerad sysfs_graphics:file { open read };
|
||||
|
||||
allow mm-qcamerad hal_sensors_default:unix_stream_socket { read write };
|
||||
|
||||
|
||||
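Review bot: The three `allow servicemanager mm-qcamerad:...` rules for dir search, file read/open and process getattr are now orphaned: with `binder_use(mm-qcamerad)` and the servicemanager `binder_call` commented out, mm-qcamerad no longer registers with servicemanager, and the hunk covers the whole file so nothing else grants it binder. They should go together with the commented rules rather than stay as live policy for a lookup that no longer happens. If the commented lines are kept, `#allow mm-qcamerad sensorservice_service:service_manager find;` should match the `# allow` spacing used on the neighbouring lines. `allow mm-qcamerad debug_prop:property_service set;` remains on the new side; a one-line comment on why a vendor camera daemon sets a debug property would help.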
2
sepolicy/vendor/mmi_boot.te
vendored
2
sepolicy/vendor/mmi_boot.te
vendored
@@ -1,4 +1,4 @@
|
||||
type mmi_boot, domain;
|
||||
type mmi_boot, domain, binder_in_vendor_violators;
|
||||
type mmi_boot_exec, exec_type, vendor_file_type, file_type;
|
||||
init_daemon_domain(mmi_boot)
|
||||
|
||||
|
||||
2
sepolicy/vendor/netmgrd.te
vendored
2
sepolicy/vendor/netmgrd.te
vendored
@@ -4,5 +4,5 @@ allow netmgrd netmgr_data_file:file rw_file_perms;
|
||||
allow netmgrd self:capability dac_override;
|
||||
allow netmgrd net_data_file:dir r_dir_perms;
|
||||
allow netmgrd netd_socket:sock_file write;
|
||||
allow netmgrd toolbox_exec:file { execute getattr execute_no_trans read open };
|
||||
# allow netmgrd toolbox_exec:file { execute getattr execute_no_trans read open };
|
||||
r_dir_file(netmgrd, net_data_file)
|
||||
|
||||
6
sepolicy/vendor/peripheral_manager.te
vendored
6
sepolicy/vendor/peripheral_manager.te
vendored
@@ -1,5 +1,5 @@
|
||||
binder_call(per_mgr, servicemanager);
|
||||
# binder_call(per_mgr, servicemanager);
|
||||
allow per_mgr self:capability net_raw;
|
||||
allow per_mgr per_mgr_service_old:service_manager { add find };
|
||||
allow per_mgr servicemanager:binder { call transfer };
|
||||
# allow per_mgr per_mgr_service_old:service_manager { add find };
|
||||
# allow per_mgr servicemanager:binder { call transfer };
|
||||
|
||||
|
||||
4
sepolicy/vendor/qseeproxy.te
vendored
4
sepolicy/vendor/qseeproxy.te
vendored
@@ -1,3 +1,3 @@
|
||||
binder_call(qseeproxy, servicemanager);
|
||||
# binder_call(qseeproxy, servicemanager);
|
||||
allow qseeproxy self:process getattr;
|
||||
allow qseeproxy qseeproxy_service_old:service_manager { add find };
|
||||
# allow qseeproxy qseeproxy_service_old:service_manager { add find };
|
||||
|
||||
4
sepolicy/vendor/rild.te
vendored
4
sepolicy/vendor/rild.te
vendored
@@ -1,7 +1,7 @@
|
||||
binder_call(rild, servicemanager);
|
||||
# binder_call(rild, servicemanager);
|
||||
binder_call(rild, audioserver_service);
|
||||
binder_call(rild, system_server);
|
||||
allow rild per_mgr_service_old:service_manager find;
|
||||
# allow rild per_mgr_service_old:service_manager find;
|
||||
set_prop(rild, diag_prop);
|
||||
allow rild nv_data_file:dir rw_dir_perms;
|
||||
allow rild nv_data_file:file create_file_perms;
|
||||
|
||||
2
sepolicy/vendor/surfaceflinger.te
vendored
2
sepolicy/vendor/surfaceflinger.te
vendored
@@ -1,7 +1,7 @@
|
||||
get_prop(surfaceflinger, diag_prop);
|
||||
allow surfaceflinger perfd_data_file:sock_file write;
|
||||
allow surfaceflinger perfd_data_file:dir search;
|
||||
allow surfaceflinger perfd:unix_stream_socket connectto;
|
||||
# allow surfaceflinger perfd:unix_stream_socket connectto;
|
||||
allow surfaceflinger diag_device:chr_file { read write };
|
||||
|
||||
binder_call(surfaceflinger, hwservicemanager)
|
||||
|
||||
2
sepolicy/vendor/system_app.te
vendored
2
sepolicy/vendor/system_app.te
vendored
@@ -6,7 +6,7 @@ allow system_app sysfs_graphics:dir search;
|
||||
allow system_app proc_touchpanel:file rw_file_perms;
|
||||
allow system_app sysfs_fpc:file rw_file_perms;
|
||||
allow system_app fuse_device:filesystem getattr;
|
||||
allow system_app time_daemon:unix_stream_socket connectto;
|
||||
# allow system_app time_daemon:unix_stream_socket connectto;
|
||||
|
||||
allow system_app init:unix_stream_socket { read write };
|
||||
allow system_app sysfs_homebutton:file write;
|
||||
|
||||
8
sepolicy/vendor/wcnss_service.te
vendored
8
sepolicy/vendor/wcnss_service.te
vendored
@@ -1,8 +1,8 @@
|
||||
binder_call(wcnss_service, servicemanager);
|
||||
# binder_call(wcnss_service, servicemanager);
|
||||
set_prop(wcnss_service, wifi_prop);
|
||||
get_prop(wcnss_service, diag_prop);
|
||||
allow wcnss_service toolbox_exec:file { execute getattr execute_no_trans read open };
|
||||
allow wcnss_service shell_exec:file { execute getattr execute_no_trans read open };
|
||||
# allow wcnss_service toolbox_exec:file { execute getattr execute_no_trans read open };
|
||||
# allow wcnss_service shell_exec:file { execute getattr execute_no_trans read open };
|
||||
allowxperm wcnss_service self:udp_socket ioctl priv_sock_ioctls;
|
||||
|
||||
allow wcnss_service per_mgr_service_old:service_manager find;
|
||||
# allow wcnss_service per_mgr_service_old:service_manager find;
|
||||
|
||||