sanders: update sepoly again

sepolicy/energyawareness.te

@@ -0,0 +1,2 @@
+allow energyawareness sysfs_uio:file r_file_perms;
+allow energyawareness sysfs_rmt_storage:file r_file_perms;

sepolicy/file.te

@@ -49,7 +49,6 @@ type sysfs_wcnsscore, fs_type, sysfs_type;
 type nv_data_file, file_type;
 type sysfs_rmt_storage, fs_type, sysfs_type;
 type debugfs_rmt_storage, debugfs_type, fs_type;
-type debugfs_rpm, debugfs_type, fs_type;
 type debugfs_wlan, debugfs_type, fs_type;
 type perfd_data_file, file_type, data_file_type;
 type proc_kernel_sched, fs_type;

sepolicy/firmware_file.te

@@ -0,0 +1,2 @@
+allow firmware_file rootfs:filesystem associate;
+

sepolicy/hal_gnss_qti.te

@@ -0,0 +1,4 @@
+binder_call(hal_gnss_qti, servicemanager);
+get_prop(hal_gnss_qti, diag_prop);
+allow hal_gnss_qti per_mgr_service_old:service_manager find;
+

sepolicy/hal_light_default.te

@@ -0,0 +1 @@
+allow hal_light_default sysfs:file { open read write };

sepolicy/hwservicemanager.te

@@ -0,0 +1,9 @@
+#allow hwservicemanager init:binder call;
+allow hwservicemanager init:dir search;
+allow hwservicemanager init:file { open read };
+allow hwservicemanager init:process getattr;
+
+binder_use(hwservicemanager);
+
+binder_call(hwservicemanager, hal_power_default);
+binder_call(hwservicemanager, hal_usb_default);

sepolicy/installd.te

@@ -0,0 +1,3 @@
+allow installd firmware_file:filesystem quotaget;
+allow installd fsg_file:filesystem quotaget;
+allow installd persist_file:filesystem quotaget;

sepolicy/mediaextractor.te

@@ -0,0 +1,4 @@
+allow mediaextractor fuse:file r_file_perms;
+allow mediaextractor system_server:fifo_file { write append };
+allow mediaextractor sdcardfs:file r_file_perms;
+allow mediaextractor vfat:file r_file_perms;

sepolicy/netmgrd.te

@@ -2,3 +2,6 @@ allow netmgrd netmgr_data_file:dir { add_name search write };
 allow netmgrd netmgr_data_file:file create;
 allow netmgrd netmgr_data_file:file rw_file_perms;
 allow netmgrd self:capability dac_override;
+allow netmgrd net_data_file:dir r_dir_perms;
+allow netmgrd netd_socket:sock_file write;
+allow netmgrd toolbox_exec:file { execute getattr execute_no_trans read open };

sepolicy/perfd.te

@@ -0,0 +1,42 @@
+type perfd, domain;
+type perfd_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(perfd)
+
+allow perfd cgroup:file r_file_perms;
+
+allow perfd cameraserver:process signull;
+
+# files in /data/misc/perfd and /data/system/perfd
+allow perfd perfd_data_file:dir create_dir_perms;
+allow perfd perfd_data_file:{ file sock_file } create_file_perms;
+
+allow perfd proc_kernel_sched:file r_file_perms;
+
+# read access /sys
+r_dir_file(perfd, sysfs_type)
+# normally write is not granted to the default "sysfs" label.
+# In this case, perfd needs access to files in /sys that are
+# commonly created and destroyed. When the kernel creates them,
+# they are created with the default label "sysfs". For robustness,
+# allow perfd to write to "sysfs" to ensure it can optimally
+# tune the power/cpu settings.
+allow perfd sysfs:file write;
+allow perfd sysfs_msm_perf:file write;
+allow perfd sysfs_ssr:file write;
+allow perfd sysfs_devices_system_cpu:file write;
+allow perfd sysfs_power_management:file write;
+allow perfd sysfs_devfreq:file write;
+allow perfd sysfs_lib:file write;
+
+allow perfd proc_kernel_sched:file w_file_perms;
+allow perfd gpu_device:chr_file rw_file_perms;
+
+# perfd uses kill(pid, 0) to determine if a process exists.
+# Determining if a process exists does not require the kill capability
+# since a permission denied indicates the process exists.
+dontaudit perfd self:capability kill;
+
+allow perfd surfaceflinger:process signull;
+allow perfd hal_graphics_composer_default:process signull;
+
+get_prop(perfd, freq_prop);

sepolicy/peripheral_manager.te

@@ -0,0 +1,5 @@
+binder_call(per_mgr, servicemanager);
+allow per_mgr self:capability net_raw;
+allow per_mgr per_mgr_service_old:service_manager { add find };
+allow per_mgr servicemanager:binder { call transfer };
+

sepolicy/property.te

@@ -2,3 +2,6 @@ type adspd_prop, property_type;
 type motosh_prop, property_type;
 type hw_rev_prop, property_type;
 type touch_prop, property_type;
+type diag_prop, property_type;
+type thermal_prop, property_type;
+type qti_telephony_prop, property_type;

sepolicy/property_contexts

@@ -1,5 +1,5 @@
 hw.aov.disable_hotword  u:object_r:adspd_prop:s0
 hw.aov.hotword_dsp_path u:object_r:adspd_prop:s0
 hw.motosh.booted        u:object_r:motosh_prop:s0
-ro.boot.hardware.revision u:object_r:hw_rev_prop:s0
+ro.hw.revision          u:object_r:hw_rev_prop:s0
 hw.touch.status         u:object_r:touch_prop:s0

sepolicy/qseeproxy.te

@@ -0,0 +1,3 @@
+binder_call(qseeproxy, servicemanager);
+allow qseeproxy self:process getattr;
+allow qseeproxy qseeproxy_service_old:service_manager { add find };

sepolicy/qtelephony.te

@@ -0,0 +1 @@
+allow qtelephony radio_service:service_manager find;

sepolicy/qti.te

@@ -0,0 +1 @@
+get_prop(qti, diag_prop)

sepolicy/radio.te

@@ -1 +1,2 @@
 allow radio system_app_data_file:dir getattr;
+allow radio qmuxd_socket:sock_file write;

sepolicy/rild.te

@@ -8,6 +8,8 @@ allow rild nv_data_file:file create_file_perms;
 allow rild radio_data_file:dir rw_dir_perms;
 allow rild radio_data_file:file create_file_perms;
 allow rild fsg_file:file { getattr open read };
+allow rild fsg_file:dir { search open read };
+allow rild fsg_file:lnk_file read;
 
 allow rild cutback_data_file:dir rw_dir_perms;
 allow rild cutback_data_file:sock_file create_file_perms;

sepolicy/rmt_storage.te

@@ -1,5 +1,12 @@
-allow rmt_storage fsg_file:dir search;
-allow rmt_storage fsg_file:file { read open };
+allow rmt_storage sysfs_rmt_storage:file rw_file_perms;
+allow rmt_storage sysfs_rmt_storage:dir { search open };
+allow rmt_storage sysfs_uio:file r_file_perms;
+allow rmt_storage sysfs_uio:dir { read open search };
+allow rmt_storage sysfs_uio:lnk_file { read };
+allow rmt_storage debugfs_rmt_storage:dir search;
+allow rmt_storage debugfs_rmt_storage:file w_file_perms;
+
+allow rmt_storage fsg_file:file { open read };
 allow rmt_storage self:capability dac_override;
 
 allow rmt_storage fsg_file:dir search;

sepolicy/service.te

@@ -0,0 +1,2 @@
+type qseeproxy_service_old,           service_manager_type;
+type per_mgr_service_old,           service_manager_type;

sepolicy/service_contexts

@@ -0,0 +1,3 @@
+com.qualcomm.qti.qseeproxy                     u:object_r:qseeproxy_service_old:s0
+vendor.qcom.PeripheralManager                     u:object_r:per_mgr_service_old:s0
+

sepolicy/system_server.te

@@ -1,3 +1,5 @@
+binder_call(system_server, rild);
+
 allow system_server sysfs_homebutton:file rw_file_perms;
 allow system_server sysfs_homebutton:dir r_dir_perms;
 allow system_server persist_file:dir create_dir_perms;

sepolicy/thermal-engine.te

@@ -0,0 +1,9 @@
+get_prop(thermal-engine, diag_prop)
+allow thermal-engine socket_device:sock_file { create setattr };
+allow thermal-engine sysfs_rmt_storage:dir search;
+allow thermal-engine sysfs_rmt_storage:file r_file_perms;
+allow thermal-engine sysfs_uio:file r_file_perms;
+allow thermal-engine sysfs_uio:dir { read open search };
+allow thermal-engine sysfs_uio:lnk_file { read };
+allow thermal-engine sysfs_vadc_dev:lnk_file { read open };
+allow thermal-engine sysfs_vadc_dev:dir rw_dir_perms;

sepolicy/time_daemon.te

@@ -1 +1,3 @@
-allow time_daemon persist_file:file rw_file_perms;
+get_prop(time_daemon, diag_prop);
+
+allow time_daemon persist_file:file { open read write };

sepolicy/untrused_app.te

@@ -0,0 +1,4 @@
+get_prop(untrusted_app, camera_prop);
+get_prop(untrusted_app_25, camera_prop);
+allow untrusted_app sysfs_zram:dir { search read };
+allow untrusted_app sysfs_zram:file { open read getattr };

sepolicy/wcnss_filter.te

@@ -0,0 +1 @@
+get_prop(wcnss_filter, diag_prop);