From e0139fe66c0ff29d7255f6c4146cf0fbb6747c77 Mon Sep 17 00:00:00 2001
From: sai4041412
Date: Fri, 13 Sep 2019 08:27:37 +0000
Subject: [PATCH] Sanders : Android Q move to dirty sepolicy[TEMP]
Signed-off-by: ronaxdevil

---
 BoardConfig.mk | 2 +-
 sepolicy/vendor/cameraserver.te | 10 +++---
 sepolicy/vendor/cnd.te | 4 +--
 sepolicy/vendor/energyawareness.te | 4 +--
 sepolicy/vendor/file_contexts | 22 ++++++-------
 sepolicy/vendor/fingerprintd.te | 4 +--
 sepolicy/vendor/firmware_file.te | 2 +-
 sepolicy/vendor/hal_drm_default.te | 4 +--
 sepolicy/vendor/hal_fingerprint_default.te | 8 ++---
 sepolicy/vendor/hal_gnss_qti.te | 8 ++---
 sepolicy/vendor/hal_sensors_default.te | 2 +-
 sepolicy/vendor/ims.te | 8 ++---
 sepolicy/vendor/init.te | 20 ++++++------
 sepolicy/vendor/installd.te | 7 +++--
 sepolicy/vendor/mediacodec.te | 2 +-
 sepolicy/vendor/mediadrmserver.te | 4 +--
 sepolicy/vendor/mm-qcamerad.te | 24 +++++++--------
 sepolicy/vendor/mmi_boot.te | 2 +-
 sepolicy/vendor/netmgrd.te | 8 ++---
 sepolicy/vendor/per_mgr.te | 2 +-
 sepolicy/vendor/perfd.te | 14 ++++-----
 sepolicy/vendor/persist_file.te | 2 +-
 sepolicy/vendor/platform_app.te | 2 +-
 sepolicy/vendor/priv_app.te | 4 +--
 sepolicy/vendor/qseeproxy.te | 2 +-
 sepolicy/vendor/qtelephony.te | 2 +-
 sepolicy/vendor/qti.te | 4 +--
 sepolicy/vendor/qti_init_shell.te | 10 +++---
 sepolicy/vendor/radio.te | 2 +-
 sepolicy/vendor/rfs_access.te | 6 ++--
 sepolicy/vendor/rfs_file.te | 2 +-
 sepolicy/vendor/rmt_storage.te | 36 +++++++++++-----------
 sepolicy/vendor/servicemanager.te | 36 +++++++++++-----------
 sepolicy/vendor/surfaceflinger.te | 4 +--
 sepolicy/vendor/system_app.te | 8 ++---
 sepolicy/vendor/system_server.te | 2 +-
 sepolicy/vendor/tee.te | 2 +-
 sepolicy/vendor/thermal-engine.te | 16 +++++-----
 sepolicy/vendor/time_daemon.te | 4 +--
 sepolicy/vendor/toolbox.te | 2 +-
 sepolicy/vendor/ueventd.te | 2 +-
 sepolicy/vendor/untrusted_app.te | 8 ++---
 sepolicy/vendor/vold.te | 2 +-
 sepolicy/vendor/wcnss_filter.te | 2 +-
 sepolicy/vendor/wcnss_service.te | 6 ++--
 45 files changed, 164 insertions(+), 163 deletions(-)

diff --git a/BoardConfig.mk b/BoardConfig.mk
index fb09f88..43ac162 100644
--- a/BoardConfig.mk
+++ b/BoardConfig.mk
@@ -243,7 +243,7 @@ TARGET_PROVIDES_QTI_TELEPHONY_JAR := true # SELinux #include device/qcom/sepolicy/sepolicy.mk -#BOARD_SEPOLICY_DIRS += $(DEVICE_PATH)/sepolicy/vendor +BOARD_SEPOLICY_DIRS += $(DEVICE_PATH)/sepolicy/vendor #Soong PRODUCT_SOONG_NAMESPACES += $(LOCAL_PATH) diff --git a/sepolicy/vendor/cameraserver.te b/sepolicy/vendor/cameraserver.te index 7a956eb..00d9c63 100644 --- a/sepolicy/vendor/cameraserver.te +++ b/sepolicy/vendor/cameraserver.te @@ -33,7 +33,7 @@ allow cameraserver debug_prop:property_service set; #allow cameraserver persist_file:file setattr; allow cameraserver shell_exec:file { read open execute }; allow cameraserver self:socket create; -allow cameraserver camera_prop:property_service set; +#allow cameraserver camera_prop:property_service set; allow cameraserver init:unix_stream_socket connectto; allow cameraserver property_socket:sock_file write; #allow cameraserver cameraserver:socket { { getattr read ioctl lock } { append write lock } }; @@ -45,9 +45,9 @@ allow cameraserver debugfs:dir { read open }; allow cameraserver nfc_data_file:file { open write }; allow cameraserver socket_device:sock_file write; -allow cameraserver hal_perf_default:binder call; +#allow cameraserver hal_perf_default:binder call; -allow cameraserver sysfs_battery_supply:dir search; -allow cameraserver sysfs_battery_supply:file { getattr open read }; +#allow cameraserver sysfs_battery_supply:dir search; +#allow cameraserver sysfs_battery_supply:file { getattr open read }; -allow cameraserver camera_bgproc_service:service_manager { add find }; \ No newline at end of file +allow cameraserver camera_bgproc_service:service_manager { add find }; diff --git a/sepolicy/vendor/cnd.te b/sepolicy/vendor/cnd.te index 4ea18a1..c2553eb 100644 --- a/sepolicy/vendor/cnd.te +++ b/sepolicy/vendor/cnd.te 
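Review bot: Re-enabling `BOARD_SEPOLICY_DIRS += $(DEVICE_PATH)/sepolicy/vendor` is what makes every rule in this patch live, yet the roughly 160 rules it neutralizes are disabled with a bare `#`, which makes them indistinguishable from lines these files already keep commented on purpose (`#allow cameraserver persist_file:file setattr;` in the cameraserver.te hunk, the `# binder_call(...)` lines in mm-qcamerad.te and wcnss_service.te). Since the subject marks this as TEMP, tag each newly disabled rule with a searchable marker so it can be audited and reinstated one by one, e.g. `# TEMP-Q: allow cameraserver camera_prop:property_service set;`, or delete the lines and rely on git history. The same applies to every .te and file_contexts hunk in this patch. It would also help to record in the commit message whether the device is expected to boot enforcing with this reduced policy, since a rule cut that is only validated in permissive mode hides its denials until enforcing is switched back on.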
@@ -1,2 +1,2 @@ -allow cnd diag_device:chr_file { read write }; -allow cnd self:capability { net_raw }; +#allow cnd diag_device:chr_file { read write }; +#allow cnd self:capability { net_raw }; diff --git a/sepolicy/vendor/energyawareness.te b/sepolicy/vendor/energyawareness.te index e2ccd54..f9f7b52 100644 --- a/sepolicy/vendor/energyawareness.te +++ b/sepolicy/vendor/energyawareness.te @@ -1,2 +1,2 @@ -allow energyawareness sysfs_uio:file r_file_perms; -allow energyawareness sysfs_rmt_storage:file r_file_perms; +#allow energyawareness sysfs_uio:file r_file_perms; +#allow energyawareness sysfs_rmt_storage:file r_file_perms; diff --git a/sepolicy/vendor/file_contexts b/sepolicy/vendor/file_contexts index 6ecc24e..b71ade4 100644 --- a/sepolicy/vendor/file_contexts +++ b/sepolicy/vendor/file_contexts @@ -1,12 +1,12 @@ -/dev/block/platform/soc/7824900.sdhci/mmcblk0p19 u:object_r:modem_efs_partition_device:s0 -/dev/block/platform/soc/7824900.sdhci/mmcblk0p27 u:object_r:modem_efs_partition_device:s0 -/dev/block/platform/soc/7824900.sdhci/mmcblk0p28 u:object_r:modem_efs_partition_device:s0 +#/dev/block/platform/soc/7824900.sdhci/mmcblk0p19 u:object_r:modem_efs_partition_device:s0 +#/dev/block/platform/soc/7824900.sdhci/mmcblk0p27 u:object_r:modem_efs_partition_device:s0 +#/dev/block/platform/soc/7824900.sdhci/mmcblk0p28 u:object_r:modem_efs_partition_device:s0 # FSG /fsg u:object_r:fsg_file:s0 # ADSP -/sys/kernel/aov(/.*)? u:object_r:sysfs_adsp:s0 +#/sys/kernel/aov(/.*)? u:object_r:sysfs_adsp:s0 /data/adspd(/.*)? u:object_r:adspd_data_file:s0 # AMPS @@ -16,7 +16,7 @@ /vendor/bin/charge_only_mode u:object_r:charge_only_exec:s0 /vendor/bin/init\.mmi\.boot\.sh u:object_r:mmi_boot_exec:s0 /vendor/bin/wlan_carrier_bin\.sh u:object_r:init_wifi_exec:s0 -/vendor/bin/init\.qti\.fm\.sh u:object_r:qti_init_shell_exec:s0 +#/vendor/bin/init\.qti\.fm\.sh u:object_r:qti_init_shell_exec:s0 # CMActions /sys/homebutton(/.*)? u:object_r:sysfs_homebutton:s0 
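Review bot: Commenting out the `modem_efs_partition_device` entries for `mmcblk0p19/27/28` and the `sysfs_adsp` entry removes the dedicated label from those nodes, so if they still exist on the Q kernel they fall back to whatever generic label the platform policy gives `/dev/block/...` and `/sys/kernel/...`, and the label that kept rmt_storage's raw-partition access separate from other block devices is gone; the later file_contexts hunks do the same for `persist_drm_file`, `sysfs_sensors`, `persist_block_device` and `thermal_device`. Presumably these types no longer exist in the Q base policy, which would fit the `rmt_storage`, `ueventd` and `persist_file` rules being dropped in the same patch, but that is an inference from the diff rather than something it states. Add a one-line comment above each disabled group naming the replacement label or confirming the node is gone, e.g. `# Q: modem_efs_partition_device dropped; rmt_storage access removed with it`, so the next reader can tell a deliberate removal from a forgotten one.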
@@ -35,7 +35,7 @@ /persist/mdm(/.*)? u:object_r:persist_modem_file:s0 /persist/prop(/.*)? u:object_r:persist_omadm_file:s0 -/persist/prov(/.*)? u:object_r:persist_drm_file:s0 +#/persist/prov(/.*)? u:object_r:persist_drm_file:s0 /persist/omadm(/.*)? u:object_r:persist_omadm_file:s0 /persist/omadm_database(/.*)? u:object_r:persist_omadm_file:s0 /persist/omadm_cust_database(/.*)? u:object_r:persist_omadm_file:s0 @@ -62,9 +62,9 @@ /sys/module/qpnp_bms(/.*)? u:object_r:sysfs_batt:s0 /sys/module/cnss_pci(/.*)? u:object_r:sysfs_cnss:s0 -/sys/devices/iio_sysfs_trigger(/.*)? u:object_r:sysfs_sensors:s0 -/sys/devices/virtual/stm401/stm401_ms(/.*)? u:object_r:sysfs_sensors:s0 -/sys/devices/virtual/stm401/stm401_as(/.*)? u:object_r:sysfs_sensors:s0 +#/sys/devices/iio_sysfs_trigger(/.*)? u:object_r:sysfs_sensors:s0 +#/sys/devices/virtual/stm401/stm401_ms(/.*)? u:object_r:sysfs_sensors:s0 +#/sys/devices/virtual/stm401/stm401_as(/.*)? u:object_r:sysfs_sensors:s0 /sys/devices/platform/msm_ssbi.0/pm8921-core/pm8921-charger(/.*)? u:object_r:sysfs_batt:s0 @@ -94,7 +94,7 @@ /dev/block/bootdevice/by-name/hw u:object_r:hw_block_device:s0 /dev/block/bootdevice/by-name/metadata u:object_r:metadata_block_device:s0 /dev/block/mmcblk0p35 u:object_r:metadata_block_device:s0 -/dev/block/bootdevice/by-name/persist u:object_r:persist_block_device:s0 +#/dev/block/bootdevice/by-name/persist u:object_r:persist_block_device:s0 /dev/block/bootdevice/by-name/utagsBackup u:object_r:utags_block_device:s0 /dev/block/bootdevice/by-name/utags u:object_r:utags_block_device:s0 @@ -102,7 +102,7 @@ /data/misc/netmgr(/.*)? u:object_r:netmgr_data_file:s0 # Sensors -/dev/mmi_sys_temp u:object_r:thermal_device:s0 +#/dev/mmi_sys_temp u:object_r:thermal_device:s0 /dev/motosh u:object_r:sensors_device:s0 /dev/motosh_as u:object_r:sensors_device:s0 /dev/motosh_ms u:object_r:sensors_device:s0 diff --git a/sepolicy/vendor/fingerprintd.te b/sepolicy/vendor/fingerprintd.te index 0bd43f4..2790117 100644 
--- a/sepolicy/vendor/fingerprintd.te +++ b/sepolicy/vendor/fingerprintd.te @@ -1,5 +1,5 @@ -allow fingerprintd firmware_file:dir search; -allow fingerprintd firmware_file:file { getattr open read }; +#allow fingerprintd firmware_file:dir search; +#allow fingerprintd firmware_file:file { getattr open read }; allow fingerprintd fingerprintd_data_file:dir { add_name getattr remove_name write }; allow fingerprintd fingerprintd_data_file:file { append create getattr open setattr unlink }; allow fingerprintd fingerprintd_data_file:sock_file { create unlink }; diff --git a/sepolicy/vendor/firmware_file.te b/sepolicy/vendor/firmware_file.te index 87b8ba7..1beb479 100644 --- a/sepolicy/vendor/firmware_file.te +++ b/sepolicy/vendor/firmware_file.te @@ -1,2 +1,2 @@ -allow firmware_file rootfs:filesystem associate; +#allow firmware_file rootfs:filesystem associate; diff --git a/sepolicy/vendor/hal_drm_default.te b/sepolicy/vendor/hal_drm_default.te index b244688..6ef8588 100644 --- a/sepolicy/vendor/hal_drm_default.te +++ b/sepolicy/vendor/hal_drm_default.te @@ -1,2 +1,2 @@ -allow hal_drm_default firmware_file:lnk_file read; -allow hal_drm_default debug_prop:file read; +#allow hal_drm_default firmware_file:lnk_file read; +#allow hal_drm_default debug_prop:file read; diff --git a/sepolicy/vendor/hal_fingerprint_default.te b/sepolicy/vendor/hal_fingerprint_default.te index a0c6b5b..b21e053 100644 --- a/sepolicy/vendor/hal_fingerprint_default.te +++ b/sepolicy/vendor/hal_fingerprint_default.te 
@@ -2,10 +2,10 @@ allow hal_fingerprint_default sysfs_fpc:file rw_file_perms; allow hal_fingerprint_default sysfs_fpc:dir r_dir_perms; allow hal_fingerprint_default fpc_data_file:dir rw_dir_perms; allow hal_fingerprint_default tee_device:chr_file rw_file_perms; -allow hal_fingerprint_default firmware_file:dir search; -allow hal_fingerprint_default firmware_file:file r_file_perms; -allow hal_fingerprint_default sysfs_graphics:dir r_dir_perms; -allow hal_fingerprint_default sysfs_graphics:file r_file_perms; +#allow hal_fingerprint_default firmware_file:dir search; +#allow hal_fingerprint_default firmware_file:file r_file_perms; +#allow hal_fingerprint_default sysfs_graphics:dir r_dir_perms; +#allow hal_fingerprint_default sysfs_graphics:file r_file_perms; allow hal_fingerprint_default sysfs_leds:dir r_dir_perms; allow hal_fingerprint_default sysfs_leds:file r_file_perms; allow hal_fingerprint_default uhid_device:chr_file rw_file_perms; diff --git a/sepolicy/vendor/hal_gnss_qti.te b/sepolicy/vendor/hal_gnss_qti.te index a819020..55af1e8 100644 --- a/sepolicy/vendor/hal_gnss_qti.te +++ b/sepolicy/vendor/hal_gnss_qti.te @@ -1,6 +1,6 @@ -get_prop(hal_gnss_qti, diag_prop); -allow hal_gnss_qti debug_prop:file read; -allow hal_gnss_qti property_socket:sock_file write; +#get_prop(hal_gnss_qti, diag_prop); +#allow hal_gnss_qti debug_prop:file read; +#allow hal_gnss_qti property_socket:sock_file write; # Most HALs are not allowed to use network sockets. Qcom library # libqdi is used across multiple processes which are clients of @@ -14,4 +14,4 @@ allow hal_gnss_qti property_socket:sock_file write; # libqdi and have all its clients use netlink route # sockets. # Taken from device/google/wahoo -dontaudit hal_gnss_qti self:udp_socket create; +#dontaudit hal_gnss_qti self:udp_socket create; diff --git a/sepolicy/vendor/hal_sensors_default.te b/sepolicy/vendor/hal_sensors_default.te index 830257c..c549df0 100644 --- a/sepolicy/vendor/hal_sensors_default.te 
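Review bot: `dontaudit hal_gnss_qti self:udp_socket create;` is commented out, but the comment block above it, which explains that the dontaudit exists because libqdi opens UDP sockets and cites device/google/wahoo, is kept verbatim, so the file now documents a rule it no longer contains. Either disable the explanation together with the rule or prefix it with a one-liner such as `# Q: dontaudit below disabled; the udp_socket create denial from libqdi will now be logged`, which is also what a triager of the resulting avc messages needs to know. The perfd.te hunk has the same problem: the paragraph ending `tune the power/cpu settings.` justifies the `sysfs:file write` rules that are commented out directly beneath it.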
+++ b/sepolicy/vendor/hal_sensors_default.te @@ -1,7 +1,7 @@ binder_call(hal_sensors_default, hwservicemanager) # binder_call(hal_sensors_default, servicemanager) -binder_call(hal_sensors_default, mm-qcamerad) +#binder_call(hal_sensors_default, mm-qcamerad) binder_call(hal_sensors_default, system_server) binder_call(hal_sensors_default, system_app) diff --git a/sepolicy/vendor/ims.te b/sepolicy/vendor/ims.te index bce353c..200fcfa 100644 --- a/sepolicy/vendor/ims.te +++ b/sepolicy/vendor/ims.te @@ -1,4 +1,4 @@ -allow ims debug_prop:property_service set; -get_prop(ims, debug_prop); -allow ims self:capability net_raw; -allow ims diag_device:chr_file { read write }; \ No newline at end of file +#allow ims debug_prop:property_service set; +#get_prop(ims, debug_prop); +#allow ims self:capability net_raw; +#allow ims diag_device:chr_file { read write }; diff --git a/sepolicy/vendor/init.te b/sepolicy/vendor/init.te index 8fd1ea9..17f5e1e 100644 --- a/sepolicy/vendor/init.te +++ b/sepolicy/vendor/init.te @@ -2,9 +2,9 @@ #binder_call(init, hwservicemanager); # binder_call(init, servicemanager); -allow init hwservicemanager:binder call; -allow init mm-qcamerad:binder transfer; -allow init platform_app:binder transfer; +#allow init hwservicemanager:binder call; +#allow init mm-qcamerad:binder transfer; +#allow init platform_app:binder transfer; allow init system_app:binder transfer; allow init system_data_file:file lock; @@ -20,10 +20,10 @@ allow init system_server:binder { transfer call }; allow init property_socket:sock_file write; allow init socket_device:sock_file { create setattr unlink }; -allow init system_data_file:file { rename append }; -allow init firmware_file:dir mounton; +#allow init system_data_file:file { rename append }; +#allow init firmware_file:dir mounton; -allow init fm_radio_device:chr_file write; +#allow init fm_radio_device:chr_file write; # ptt_socket_app allow init dnsproxyd_socket:sock_file write; 
@@ -31,12 +31,12 @@ allow init netd:unix_stream_socket connectto; allow init self:netlink_socket { read write getattr connect }; allow init debugfs:file write; -allow init persist_file:filesystem { getattr mount relabelfrom relabelto unmount }; +#allow init persist_file:filesystem { getattr mount relabelfrom relabelto unmount }; allow init self:capability sys_nice; -allow init bt_firmware_file:filesystem { associate }; -allow init firmware_file:filesystem { associate }; +#allow init bt_firmware_file:filesystem { associate }; +#allow init firmware_file:filesystem { associate }; allow init sensors_device:chr_file { rw_file_perms create }; @@ -48,6 +48,6 @@ allow init hal_sensors_hwservice:hwservice_manager find; allow init { domain -lmkd -crash_dump }:process noatsecure; -allow init hal_perf_hwservice:hwservice_manager find; +#allow init hal_perf_hwservice:hwservice_manager find; allow init hidl_base_hwservice:hwservice_manager add; diff --git a/sepolicy/vendor/installd.te b/sepolicy/vendor/installd.te index be3aee6..2bcef88 100644 --- a/sepolicy/vendor/installd.te +++ b/sepolicy/vendor/installd.te @@ -1,3 +1,4 @@ -allow installd firmware_file:filesystem quotaget; -allow installd fsg_file:filesystem quotaget; -allow installd persist_file:filesystem quotaget; +#allow installd firmware_file:filesystem quotaget; +#allow installd fsg_file:filesystem quotaget; +#allow installd persist_file:filesystem quotaget; + diff --git a/sepolicy/vendor/mediacodec.te b/sepolicy/vendor/mediacodec.te index 799c2ea..5e3da85 100644 --- a/sepolicy/vendor/mediacodec.te +++ b/sepolicy/vendor/mediacodec.te @@ -1 +1 @@ -allow mediacodec firmware_file:file { open read }; +#allow mediacodec firmware_file:file { open read }; diff --git a/sepolicy/vendor/mediadrmserver.te b/sepolicy/vendor/mediadrmserver.te index 296f1ee..4854e6f 100644 --- a/sepolicy/vendor/mediadrmserver.te +++ b/sepolicy/vendor/mediadrmserver.te 
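Review bot: Disabling `allow init persist_file:filesystem { getattr mount relabelfrom relabelto unmount };` is only safe if init no longer mounts a filesystem labelled `persist_file`; the file_contexts hunks visible in this patch leave the `/persist/mdm`, `/persist/prop` and `/persist/omadm*` entries in place, so a mount of /persist from fstab would now be denied to init. The `persist_file` rules are dropped consistently across installd.te, priv_app.te, rfs_access.te, rfs_file.te, tee.te, time_daemon.te, vold.te, rmt_storage.te and persist_file.te (including the `self:filesystem associate` rule that lets persist_file-labelled files live on that filesystem), which suggests the type moved out of this directory, but the diff does not show where. State the replacement in a comment next to the disabled mount rule, e.g. `# Q: persist_file is defined and mounted by the platform policy (see <PLACEHOLDER path>)`, or keep the mount rule until the mount has been verified in enforcing mode.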
@@ -1,2 +1,2 @@
-allow mediadrmserver firmware_file:dir search;
-allow mediadrmserver firmware_file:file r_file_perms;
+#allow mediadrmserver firmware_file:dir search;
+#allow mediadrmserver firmware_file:file r_file_perms;
diff --git a/sepolicy/vendor/mm-qcamerad.te b/sepolicy/vendor/mm-qcamerad.te
index 37f8a52..07866fe 100644
--- a/sepolicy/vendor/mm-qcamerad.te
+++ b/sepolicy/vendor/mm-qcamerad.te
@@ -1,27 +1,27 @@ -type_transition mm-qcamerad camera_data_file:sock_file camera_socket "cam_socket1"; -type_transition mm-qcamerad camera_data_file:sock_file camera_socket "cam_socket2"; +#type_transition mm-qcamerad camera_data_file:sock_file camera_socket "cam_socket1"; +#type_transition mm-qcamerad camera_data_file:sock_file camera_socket "cam_socket2"; # binder_call(mm-qcamerad, servicemanager); # binder_use(mm-qcamerad); # binder_call(mm-qcamerad, binderservicedomain); # binder_call(mm-qcamerad, appdomain); # binder_call(mm-qcamerad, hal_sensors_default); -set_prop(mm-qcamerad, camera_prop); +#set_prop(mm-qcamerad, camera_prop); -allow servicemanager mm-qcamerad:dir { search }; -allow servicemanager mm-qcamerad:file { read open }; -allow servicemanager mm-qcamerad:process { getattr }; +#allow servicemanager mm-qcamerad:dir { search }; +#allow servicemanager mm-qcamerad:file { read open }; +#allow servicemanager mm-qcamerad:process { getattr }; # allow mm-qcamerad camera_data_file:sock_file { create unlink write }; # allow mm-qcamerad system_server:unix_stream_socket rw_socket_perms; #allow mm-qcamerad sensorservice_service:service_manager find; -allow mm-qcamerad vendor_camera_data_file:file rw_file_perms; +#allow mm-qcamerad vendor_camera_data_file:file rw_file_perms; # allow mm-qcamerad permission_service:service_manager find; -allow mm-qcamerad debug_prop:property_service set; +#allow mm-qcamerad debug_prop:property_service set; -allow mm-qcamerad init:unix_stream_socket { read write }; +#allow mm-qcamerad init:unix_stream_socket { read write }; -allow mm-qcamerad hal_sensors_default:unix_stream_socket { read write }; +#allow mm-qcamerad hal_sensors_default:unix_stream_socket { read write }; -allow mm-qcamerad hal_configstore_ISurfaceFlingerConfigs:hwservice_manager find; -allow mm-qcamerad hal_configstore_default:binder call; +#allow mm-qcamerad hal_configstore_ISurfaceFlingerConfigs:hwservice_manager find; +#allow mm-qcamerad 
hal_configstore_default:binder call; diff --git a/sepolicy/vendor/mmi_boot.te b/sepolicy/vendor/mmi_boot.te index c7391a5..667ca9c 100644 --- a/sepolicy/vendor/mmi_boot.te +++ b/sepolicy/vendor/mmi_boot.te @@ -11,6 +11,6 @@ allow mmi_boot vendor_shell_exec:file rx_file_perms; allow mmi_boot vendor_toolbox_exec:file rx_file_perms; allow mmi_boot vendor_shell_exec:file entrypoint; -allow mmi_boot sysfs_socinfo:file write; +#allow mmi_boot sysfs_socinfo:file write; set_prop(mmi_boot, hw_rev_prop); diff --git a/sepolicy/vendor/netmgrd.te b/sepolicy/vendor/netmgrd.te index 8f11825..91ee202 100644 --- a/sepolicy/vendor/netmgrd.te +++ b/sepolicy/vendor/netmgrd.te @@ -1,5 +1,5 @@ -allow netmgrd toolbox_exec:file { getattr read open }; +#allow netmgrd toolbox_exec:file { getattr read open }; -allow netmgrd init:unix_stream_socket connectto; -allow netmgrd property_socket:sock_file write; -allow netmgrd system_file:file lock; +#allow netmgrd init:unix_stream_socket connectto; +#allow netmgrd property_socket:sock_file write; +#allow netmgrd system_file:file lock; diff --git a/sepolicy/vendor/per_mgr.te b/sepolicy/vendor/per_mgr.te index 2ce01f4..14d3df8 100644 --- a/sepolicy/vendor/per_mgr.te +++ b/sepolicy/vendor/per_mgr.te @@ -1 +1 @@ -allow vendor_per_mgr self:capability net_raw; +#allow vendor_per_mgr self:capability net_raw; diff --git a/sepolicy/vendor/perfd.te b/sepolicy/vendor/perfd.te index a26766b..925e01e 100644 --- a/sepolicy/vendor/perfd.te +++ b/sepolicy/vendor/perfd.te 
@@ -16,13 +16,13 @@ r_dir_file(perfd, sysfs_type) # they are created with the default label "sysfs". For robustness, # allow perfd to write to "sysfs" to ensure it can optimally # tune the power/cpu settings. -allow perfd sysfs:file write; -allow perfd sysfs_msm_perf:file write; -allow perfd sysfs_ssr:file write; +#allow perfd sysfs:file write; +#allow perfd sysfs_msm_perf:file write; +#allow perfd sysfs_ssr:file write; allow perfd sysfs_devices_system_cpu:file write; -allow perfd sysfs_power_management:file write; -allow perfd sysfs_devfreq:file write; -allow perfd sysfs_lib:file write; +#allow perfd sysfs_power_management:file write; +#allow perfd sysfs_devfreq:file write; +#allow perfd sysfs_lib:file write; allow perfd proc_kernel_sched:file w_file_perms; allow perfd gpu_device:chr_file rw_file_perms; @@ -35,4 +35,4 @@ dontaudit perfd self:capability kill; allow perfd surfaceflinger:process signull; allow perfd hal_graphics_composer_default:process signull; -get_prop(perfd, freq_prop); +#get_prop(perfd, freq_prop); diff --git a/sepolicy/vendor/persist_file.te b/sepolicy/vendor/persist_file.te index a55225e..df49968 100644 --- a/sepolicy/vendor/persist_file.te +++ b/sepolicy/vendor/persist_file.te @@ -1 +1 @@ -allow persist_file self:filesystem associate; +#allow persist_file self:filesystem associate; diff --git a/sepolicy/vendor/platform_app.te b/sepolicy/vendor/platform_app.te index 0352c4f..215dcb1 100644 --- a/sepolicy/vendor/platform_app.te +++ b/sepolicy/vendor/platform_app.te @@ -1,4 +1,4 @@ -get_prop(platform_app, camera_prop); +#get_prop(platform_app, camera_prop); binder_call(platform_app, hal_sensors_default); allow platform_app rootfs:dir getattr; diff --git a/sepolicy/vendor/priv_app.te b/sepolicy/vendor/priv_app.te index 0048d28..07623cd 100644 --- a/sepolicy/vendor/priv_app.te +++ b/sepolicy/vendor/priv_app.te 
@@ -1,6 +1,6 @@
 allow priv_app device:dir r_dir_perms;
-allow priv_app persist_file:filesystem getattr;
-allow priv_app proc_interrupts:file { open read getattr };
+#allow priv_app persist_file:filesystem getattr;
+#allow priv_app proc_interrupts:file { open read getattr };
 allow priv_app proc_modules:file { open read getattr };
 get_prop(priv_app, adspd_prop);
 allow priv_app sysfs:dir open;
diff --git a/sepolicy/vendor/qseeproxy.te b/sepolicy/vendor/qseeproxy.te
index 1352f7e..280977c 100644
--- a/sepolicy/vendor/qseeproxy.te
+++ b/sepolicy/vendor/qseeproxy.te
@@ -1,3 +1,3 @@
 # binder_call(qseeproxy, servicemanager);
-allow qseeproxy self:process getattr;
+#allow qseeproxy self:process getattr;
 # allow qseeproxy qseeproxy_service_old:service_manager { add find };
diff --git a/sepolicy/vendor/qtelephony.te b/sepolicy/vendor/qtelephony.te
index 7e0cb06..2dcc4dd 100644
--- a/sepolicy/vendor/qtelephony.te
+++ b/sepolicy/vendor/qtelephony.te
@@ -1 +1 @@
-allow qtelephony radio_service:service_manager find;
+#allow qtelephony radio_service:service_manager find;
diff --git a/sepolicy/vendor/qti.te b/sepolicy/vendor/qti.te
index 55e48e2..48867db 100644
--- a/sepolicy/vendor/qti.te
+++ b/sepolicy/vendor/qti.te
@@ -1,2 +1,2 @@
-get_prop(qti, diag_prop)
-allow qti diag_device:chr_file { read write };
+#get_prop(qti, diag_prop)
+#allow qti diag_device:chr_file { read write };
diff --git a/sepolicy/vendor/qti_init_shell.te b/sepolicy/vendor/qti_init_shell.te
index 6e426ef..99bee39 100644
--- a/sepolicy/vendor/qti_init_shell.te
+++ b/sepolicy/vendor/qti_init_shell.te
@@ -1,7 +1,7 @@ -set_prop(qti_init_shell, hw_rev_prop); -allow qti_init_shell hci_attach_dev:chr_file { read write open ioctl }; +#set_prop(qti_init_shell, hw_rev_prop); +#allow qti_init_shell hci_attach_dev:chr_file { read write open ioctl }; -allow qti_init_shell kmsg_device:chr_file write; -allow qti_init_shell sysfs_wcnsscore:file write; +#allow qti_init_shell kmsg_device:chr_file write; +#allow qti_init_shell sysfs_wcnsscore:file write; -allow qti_init_shell kmsg_device:chr_file open; +#allow qti_init_shell kmsg_device:chr_file open; diff --git a/sepolicy/vendor/radio.te b/sepolicy/vendor/radio.te index 1687352..2616199 100644 --- a/sepolicy/vendor/radio.te +++ b/sepolicy/vendor/radio.te @@ -1,3 +1,3 @@ allow radio system_app_data_file:dir getattr; -allow radio qmuxd_socket:sock_file write; +#allow radio qmuxd_socket:sock_file write; allow radio vendor_file:file { getattr open read }; diff --git a/sepolicy/vendor/rfs_access.te b/sepolicy/vendor/rfs_access.te index c0dca3e..dde766c 100644 --- a/sepolicy/vendor/rfs_access.te +++ b/sepolicy/vendor/rfs_access.te @@ -1,4 +1,4 @@ -allow rfs_access self:capability net_raw; -allow rfs_access persist_file:file { getattr open read rename setattr unlink write }; -allow rfs_access vendor_tombstone_data_file:dir search; +#allow rfs_access self:capability net_raw; +#allow rfs_access persist_file:file { getattr open read rename setattr unlink write }; +#allow rfs_access vendor_tombstone_data_file:dir search; diff --git a/sepolicy/vendor/rfs_file.te b/sepolicy/vendor/rfs_file.te index fdcfab6..e57e78f 100644 --- a/sepolicy/vendor/rfs_file.te +++ b/sepolicy/vendor/rfs_file.te @@ -1 +1 @@ -allow rfs_file persist_file:filesystem associate; +#allow rfs_file persist_file:filesystem associate; diff --git a/sepolicy/vendor/rmt_storage.te b/sepolicy/vendor/rmt_storage.te index 3103297..1abfcd0 100644 --- a/sepolicy/vendor/rmt_storage.te +++ b/sepolicy/vendor/rmt_storage.te 
@@ -1,24 +1,24 @@ -allow rmt_storage { - modem_efs_partition_device -}:blk_file rw_file_perms; +#allow rmt_storage { +# modem_efs_partition_device +#}:blk_file rw_file_perms; -r_dir_file(rmt_storage fsg_file) -r_dir_file(rmt_storage, persist_file) +#r_dir_file(rmt_storage fsg_file) +#r_dir_file(rmt_storage, persist_file) -allow rmt_storage sysfs_rmt_storage:file rw_file_perms; -allow rmt_storage sysfs_rmt_storage:dir { search open }; -allow rmt_storage sysfs_uio:file r_file_perms; -allow rmt_storage sysfs_uio:dir { read open search }; -allow rmt_storage sysfs_uio:lnk_file { read }; +#allow rmt_storage sysfs_rmt_storage:file rw_file_perms; +#allow rmt_storage sysfs_rmt_storage:dir { search open }; +#allow rmt_storage sysfs_uio:file r_file_perms; +#allow rmt_storage sysfs_uio:dir { read open search }; +#allow rmt_storage sysfs_uio:lnk_file { read }; -allow rmt_storage debugfs_rmt_storage:dir r_dir_perms; -allow rmt_storage debugfs_rmt_storage:file rw_file_perms; +#allow rmt_storage debugfs_rmt_storage:dir r_dir_perms; +#allow rmt_storage debugfs_rmt_storage:file rw_file_perms; -allow rmt_storage fsg_file:file { open read }; -allow rmt_storage fsg_file:dir search; -allow rmt_storage fsg_file:lnk_file read; +#allow rmt_storage fsg_file:file { open read }; +#allow rmt_storage fsg_file:dir search; +#allow rmt_storage fsg_file:lnk_file read; -allow rmt_storage persist_file:dir r_dir_perms; +#allow rmt_storage persist_file:dir r_dir_perms; -allow rmt_storage vendor_radio_prop:file { getattr open read }; -allow rmt_storage vendor_file:dir search; +#allow rmt_storage vendor_radio_prop:file { getattr open read }; +#allow rmt_storage vendor_file:dir search; diff --git a/sepolicy/vendor/servicemanager.te b/sepolicy/vendor/servicemanager.te index ecfd9bd..ad0af27 100644 --- a/sepolicy/vendor/servicemanager.te +++ b/sepolicy/vendor/servicemanager.te 
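Review bot: `#r_dir_file(rmt_storage fsg_file)` carries over a pre-existing defect, the missing comma between the macro arguments, so if this line is ever uncommented it becomes a one-argument m4 call and will not expand to the intended rules; since the file is being kept as commented-out text precisely so it can be restored, fix it while it is being touched: `#r_dir_file(rmt_storage, fsg_file)`. With every rule disabled, rmt_storage retains no access to `modem_efs_partition_device`, `fsg_file` or `persist_file`, which is consistent with the file_contexts hunks dropping those labels, but the daemon is presumably still started by init, so expect avc denials from it until replacement rules land. A header comment at the top of the file saying where rmt_storage's Q rules now come from would make that expectation explicit.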
@@ -1,15 +1,15 @@ allow servicemanager init:dir search; allow servicemanager init:file { open read }; allow servicemanager init:process getattr; -allow servicemanager qseeproxy:dir search; -allow servicemanager qseeproxy:file { open read }; +#allow servicemanager qseeproxy:dir search; +#allow servicemanager qseeproxy:file { open read }; allow servicemanager rild:dir search; allow servicemanager rild:file { open read }; allow servicemanager rild:process getattr; allow servicemanager hal_fingerprint_default:dir search; allow servicemanager hal_fingerprint_default:file read; -allow servicemanager qseeproxy:process getattr; +#allow servicemanager qseeproxy:process getattr; allow servicemanager hal_camera_default:dir search; 
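Review bot: The three rules `allow servicemanager qseeproxy:dir search;`, `allow servicemanager qseeproxy:file { open read };` and `allow servicemanager qseeproxy:process getattr;` are what servicemanager needs to read qseeproxy's security context when it registers or looks up a binder service, so commenting them out means a still-running qseeproxy has its service_manager calls denied rather than merely losing an unneeded privilege; the -19,27 hunk does the same for wcnss_service, eseppmdaemon, vendor_per_mgr, hal_gnss_qti and sensors. If those daemons still exist on Q, the usual way to express this is `binder_use(<domain>)` in each domain's own .te file, which grants the same servicemanager-side rules and keeps servicemanager.te from being the dumping ground for per-domain access (mm-qcamerad.te already carries a `# binder_use(mm-qcamerad);` line). If the domains were removed with the Q bring-up, a comment per block naming the removed domain, e.g. `# qseeproxy: domain dropped on Q`, would stop the next reader from re-adding them.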
@@ -19,27 +19,27 @@ allow servicemanager hal_camera_default:process getattr; allow servicemanager hal_fingerprint_default:file open; allow servicemanager hal_fingerprint_default:process getattr; -allow servicemanager wcnss_service:dir search; -allow servicemanager wcnss_service:file { open read }; +#allow servicemanager wcnss_service:dir search; +#allow servicemanager wcnss_service:file { open read }; -allow servicemanager esepmdaemon:dir search; -allow servicemanager esepmdaemon:file { open read }; -allow servicemanager esepmdaemon:process getattr; +#allow servicemanager esepmdaemon:dir search; +#allow servicemanager esepmdaemon:file { open read }; +#allow servicemanager esepmdaemon:process getattr; -allow servicemanager vendor_per_mgr:dir search; -allow servicemanager vendor_per_mgr:file { open read }; -allow servicemanager vendor_per_mgr:process getattr; -allow servicemanager wcnss_service:process getattr; +#allow servicemanager vendor_per_mgr:dir search; +#allow servicemanager vendor_per_mgr:file { open read }; +#allow servicemanager vendor_per_mgr:process getattr; +#allow servicemanager wcnss_service:process getattr; -allow servicemanager hal_gnss_qti:dir search; -allow servicemanager hal_gnss_qti:file { open read }; -allow servicemanager hal_gnss_qti:process getattr; +#allow servicemanager hal_gnss_qti:dir search; +#allow servicemanager hal_gnss_qti:file { open read }; +#allow servicemanager hal_gnss_qti:process getattr; allow servicemanager hal_sensors_default:dir search; allow servicemanager hal_sensors_default:file { open read }; allow servicemanager hal_sensors_default:process getattr; -allow servicemanager sensors:dir search; -allow servicemanager sensors:file { open read }; -allow servicemanager sensors:process getattr; +#allow servicemanager sensors:dir search; +#allow servicemanager sensors:file { open read }; +#allow servicemanager sensors:process getattr; 
diff --git a/sepolicy/vendor/surfaceflinger.te b/sepolicy/vendor/surfaceflinger.te index 18fd98a..683f467 100644 --- a/sepolicy/vendor/surfaceflinger.te +++ b/sepolicy/vendor/surfaceflinger.te @@ -1,6 +1,6 @@ get_prop(surfaceflinger, diag_prop); -allow surfaceflinger perfd_data_file:sock_file write; -allow surfaceflinger diag_device:chr_file { read write }; +#allow surfaceflinger perfd_data_file:sock_file write; +#allow surfaceflinger diag_device:chr_file { read write }; binder_call(surfaceflinger, hwservicemanager) diff --git a/sepolicy/vendor/system_app.te b/sepolicy/vendor/system_app.te index 1707845..2d15003 100644 --- a/sepolicy/vendor/system_app.te +++ b/sepolicy/vendor/system_app.te @@ -1,8 +1,8 @@ allow system_app proc_touchpanel:dir search; allow system_app sysfs_vibrator:file rw_file_perms; -allow system_app sysfs_vibrator:dir search; -allow system_app sysfs_graphics:file rw_file_perms; -allow system_app sysfs_graphics:dir search; +#allow system_app sysfs_vibrator:dir search; +#allow system_app sysfs_graphics:file rw_file_perms; +#allow system_app sysfs_graphics:dir search; allow system_app proc_touchpanel:file rw_file_perms; allow system_app sysfs_fpc:file rw_file_perms; allow system_app fuse_device:filesystem getattr; @@ -12,7 +12,7 @@ allow system_app init:unix_stream_socket { read write }; allow system_app sysfs_homebutton:file write; get_prop(system_app, diag_prop); -binder_call(system_app, qtitetherservice_service); +#binder_call(system_app, qtitetherservice_service); binder_call(system_app, wificond); get_prop(system_app, spectrum_prop); diff --git a/sepolicy/vendor/system_server.te b/sepolicy/vendor/system_server.te index ad030e9..541574e 100644 --- a/sepolicy/vendor/system_server.te +++ b/sepolicy/vendor/system_server.te 
@@ -7,7 +7,7 @@ allow system_server sysfs_capsense:dir search; allow system_server sysfs_capsense:file rw_file_perms; allow system_server init:unix_stream_socket { read }; -allow system_server qti_debugfs:file { getattr open read }; +#allow system_server qti_debugfs:file { getattr open read }; allow system_server init:unix_stream_socket write; allow system_server sensors_device:chr_file { ioctl open read }; diff --git a/sepolicy/vendor/tee.te b/sepolicy/vendor/tee.te index 10b1790..08c22a1 100644 --- a/sepolicy/vendor/tee.te +++ b/sepolicy/vendor/tee.te @@ -1 +1 @@ -allow tee persist_file:file r_file_perms; +#allow tee persist_file:file r_file_perms; diff --git a/sepolicy/vendor/thermal-engine.te b/sepolicy/vendor/thermal-engine.te index ca164ca..68fbd5b 100644 --- a/sepolicy/vendor/thermal-engine.te +++ b/sepolicy/vendor/thermal-engine.te @@ -1,8 +1,8 @@ -get_prop(thermal-engine, diag_prop) -allow thermal-engine socket_device:sock_file { create setattr }; -allow thermal-engine sysfs_rmt_storage:dir search; -allow thermal-engine sysfs_rmt_storage:file r_file_perms; -allow thermal-engine sysfs_uio:file r_file_perms; -allow thermal-engine sysfs_uio:dir { read open search }; -allow thermal-engine sysfs_uio:lnk_file { read }; -allow thermal-engine sysfs_vadc_dev:lnk_file { read open }; +#get_prop(thermal-engine, diag_prop) +#allow thermal-engine socket_device:sock_file { create setattr }; +#allow thermal-engine sysfs_rmt_storage:dir search; +#allow thermal-engine sysfs_rmt_storage:file r_file_perms; +#allow thermal-engine sysfs_uio:file r_file_perms; +#allow thermal-engine sysfs_uio:dir { read open search }; +#allow thermal-engine sysfs_uio:lnk_file { read }; +#allow thermal-engine sysfs_vadc_dev:lnk_file { read open }; diff --git a/sepolicy/vendor/time_daemon.te b/sepolicy/vendor/time_daemon.te index ddcda87..701d4d8 100644 --- a/sepolicy/vendor/time_daemon.te +++ b/sepolicy/vendor/time_daemon.te 
@@ -1,3 +1,3 @@ -get_prop(time_daemon, diag_prop); +#get_prop(time_daemon, diag_prop); -allow time_daemon persist_file:file { open read write }; +#allow time_daemon persist_file:file { open read write }; diff --git a/sepolicy/vendor/toolbox.te b/sepolicy/vendor/toolbox.te index 2371116..3369795 100644 --- a/sepolicy/vendor/toolbox.te +++ b/sepolicy/vendor/toolbox.te @@ -4,4 +4,4 @@ set_prop(toolbox, touch_prop); allow toolbox init:fifo_file { write getattr read ioctl }; allow toolbox radio_data_file:file rw_file_perms; -allow toolbox firmware_file:file getattr; \ No newline at end of file +#allow toolbox firmware_file:file getattr; diff --git a/sepolicy/vendor/ueventd.te b/sepolicy/vendor/ueventd.te index fd4653d..9286066 100644 --- a/sepolicy/vendor/ueventd.te +++ b/sepolicy/vendor/ueventd.te @@ -2,4 +2,4 @@ allow ueventd sysfs_mmi_fp:file w_file_perms; allow ueventd synaptics_rmi_device:chr_file { rw_file_perms relabelfrom relabelto}; allow ueventd sysfs_fpc:file rw_file_perms; -allow ueventd sysfs_sensors:file rw_file_perms; +#allow ueventd sysfs_sensors:file rw_file_perms; diff --git a/sepolicy/vendor/untrusted_app.te b/sepolicy/vendor/untrusted_app.te index 73ca783..b07565e 100644 --- a/sepolicy/vendor/untrusted_app.te +++ b/sepolicy/vendor/untrusted_app.te @@ -1,7 +1,7 @@ -get_prop(untrusted_app, camera_prop); -get_prop(untrusted_app_25, camera_prop); +#get_prop(untrusted_app, camera_prop); +#get_prop(untrusted_app_25, camera_prop); allow untrusted_app sysfs_zram:dir { search read }; allow untrusted_app sysfs_zram:file { open read getattr }; -allow untrusted_app firmware_file:dir read; -allow untrusted_app fsg_file:dir read; +#allow untrusted_app firmware_file:dir read; +#allow untrusted_app fsg_file:dir read; diff --git a/sepolicy/vendor/vold.te b/sepolicy/vendor/vold.te index 64a8f6f..2ac7cdb 100644 --- a/sepolicy/vendor/vold.te +++ b/sepolicy/vendor/vold.te 
@@ -1,2 +1,2 @@ -allow vold persist_file:dir { ioctl open read }; +#allow vold persist_file:dir { ioctl open read }; allow vold metadata_block_device:blk_file { rw_file_perms }; diff --git a/sepolicy/vendor/wcnss_filter.te b/sepolicy/vendor/wcnss_filter.te index aad7936..7ee98f9 100644 --- a/sepolicy/vendor/wcnss_filter.te +++ b/sepolicy/vendor/wcnss_filter.te @@ -1 +1 @@ -get_prop(wcnss_filter, diag_prop); +#get_prop(wcnss_filter, diag_prop); diff --git a/sepolicy/vendor/wcnss_service.te b/sepolicy/vendor/wcnss_service.te index b24b60b..420b83f 100644 --- a/sepolicy/vendor/wcnss_service.te +++ b/sepolicy/vendor/wcnss_service.te @@ -1,8 +1,8 @@ # binder_call(wcnss_service, servicemanager); -set_prop(wcnss_service, wifi_prop); -get_prop(wcnss_service, diag_prop); +#set_prop(wcnss_service, wifi_prop); +#get_prop(wcnss_service, diag_prop); # allow wcnss_service toolbox_exec:file { execute getattr execute_no_trans read open }; # allow wcnss_service shell_exec:file { execute getattr execute_no_trans read open }; -allowxperm wcnss_service self:udp_socket ioctl priv_sock_ioctls; +#allowxperm wcnss_service self:udp_socket ioctl priv_sock_ioctls; # allow wcnss_service per_mgr_service_old:service_manager find;