sanders: update sepolicy.

-Fix Neverallows. -Fix missing type. -Fix type attributes. Signed-off-by: Ashwin R C <ashwin2001achu@gmail.com> Signed-off-by: ronaxdevil <pratabidya.007@gmail.com>
2019-06-07 06:13:41 -04:00
parent 7cf114949c
commit f540803573
27 changed files with 51 additions and 99 deletions
--- a/sepolicy/vendor/cameraserver.te
+++ b/sepolicy/vendor/cameraserver.te
@@ -11,8 +11,6 @@ allow cameraserver sdcardfs:dir { read write open getattr add_name remove_name r
 allow cameraserver sdcardfs:file { create open read write unlink getattr };
 allow cameraserver storage_file:dir search;
 allow cameraserver persist_file:file { read write open create getattr create_file_perms rw_file_perms };
 allow cameraserver persist_file:dir { read write open create_file_perms rw_file_perms search add_name create };
 allow cameraserver fuse:file { read write open create getattr create_file_perms rw_file_perms };
 allow cameraserver fuse:dir { read write open create_file_perms rw_file_perms search add_name create };
 allow cameraserver tmpfs:file { read write open create getattr create_file_perms rw_file_perms };
@@ -24,8 +22,6 @@ allow cameraserver mnt_user_file:lnk_file r_file_perms;
 allow cameraserver media_rw_data_file:dir { open read search write add_name };
 allow cameraserver media_rw_data_file:file { create read write open };
 allow cameraserver sysfs:file { open write };
 allow cameraserver cameraserver:process { execmem };
 ####
@@ -39,7 +35,6 @@ allow cameraserver shell_exec:file { read open execute };
 allow cameraserver self:socket create;
 allow cameraserver camera_prop:property_service set;
 allow cameraserver init:unix_stream_socket connectto;
 allow cameraserver sensors_persist_file:file { open read };
 allow cameraserver property_socket:sock_file write;
 #allow cameraserver cameraserver:socket { { getattr read ioctl lock } { append write lock } };
 allow cameraserver shell_exec:file { execute getattr };
--- a/sepolicy/vendor/charge_only.te
+++ b/sepolicy/vendor/charge_only.te
@@ -2,9 +2,6 @@ type charge_only, domain;
 type charge_only_exec, exec_type, file_type, vendor_file_type;
 init_daemon_domain(charge_only)
 allow charge_only chargeonly_data_file:dir rw_dir_perms;
 allow charge_only chargeonly_data_file:file rw_file_perms;
 # Write to /dev/kmsg
 allow charge_only kmsg_device:chr_file rw_file_perms;
@@ -13,7 +10,7 @@ r_dir_file(charge_only, sysfs_type)
 r_dir_file(charge_only, rootfs)
 r_dir_file(charge_only, cgroup)
-allow charge_only self:capability { dac_override net_admin sys_tty_config sys_boot };
+allow charge_only self:capability { net_admin sys_tty_config sys_boot };
 allow charge_only self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
 wakelock_use(charge_only)
@@ -24,7 +21,6 @@ allow charge_only sysfs:dir { read open };
 allow charge_only sysfs:file { read open write };
 allow charge_only sysfs_wake_lock:file rw_file_perms;
 allow charge_only system_data_file:dir { write add_name };
 allow charge_only sysfs_batteryinfo:file r_file_perms;
--- a/sepolicy/vendor/cnd.te
+++ b/sepolicy/vendor/cnd.te
@@ -1,2 +1,2 @@
 # allow cnd system_wpa_socket:sock_file { unlink };
 allow cnd diag_device:chr_file { read write };
 allow cnd self:capability { net_raw };
--- a/sepolicy/vendor/file.te
+++ b/sepolicy/vendor/file.te
@@ -1,37 +1,38 @@
 # ADSP
-type adspd_data_file, file_type, data_file_type;
+type adspd_data_file, file_type, data_file_type, core_data_file_type;
 # charge_only_mode
-type chargeonly_data_file, file_type, data_file_type;
+type chargeonly_data_file, file_type, data_file_type, core_data_file_type;
 # FSG
 type fsg_file, fs_type, contextmount_type;
 # Modem
-type persist_modem_file, file_type, data_file_type;
+type persist_modem_file, file_type, data_file_type, core_data_file_type;
-type persist_omadm_file, file_type, data_file_type;
+type persist_omadm_file, file_type, data_file_type, core_data_file_type;
-type sds_data_file, file_type, data_file_type;
+type sds_data_file, file_type, data_file_type, core_data_file_type;
-type pds_public_file, file_type, data_file_type;
+type pds_public_file, file_type, data_file_type, core_data_file_type;
-type persist_camera_file, file_type, data_file_type;
+type persist_camera_file, file_type, data_file_type, core_data_file_type;
-type persist_antcap_file, file_type, data_file_type;
+type persist_antcap_file, file_type, data_file_type, core_data_file_type;
-type pds_telephony_file, file_type, data_file_type;
+type pds_telephony_file, file_type, data_file_type, core_data_file_type;
-type pds_omadm_file, file_type, data_file_type;
+type pds_omadm_file, file_type, data_file_type, core_data_file_type;
-type persist_audio_file, file_type, data_file_type;
+type persist_audio_file, file_type, data_file_type, core_data_file_type;
-type moodle_data_file, file_type, data_file_type;
+type moodle_data_file, file_type, data_file_type, core_data_file_type;
-type cutback_data_file, file_type, data_file_type;
+type cutback_data_file, file_type, data_file_type, core_data_file_type;
-type dbvc_data_file, file_type, data_file_type;
+type dbvc_data_file, file_type, data_file_type, core_data_file_type;
-type akmd_data_file, file_type, data_file_type;
+type akmd_data_file, file_type, data_file_type, core_data_file_type;
-type wapi_supplicant_data_file, file_type, data_file_type;
+type wapi_supplicant_data_file, file_type, data_file_type, core_data_file_type;
 # RIL
-type netmgr_data_file, file_type, data_file_type;
+type netmgr_data_file, file_type, data_file_type, core_data_file_type;
 # sysfs
 #type sysfs_adsp, fs_type, sysfs_type;
 type sysfs_homebutton, fs_type, sysfs_type, mlstrustedobject;
 type sysfs_mmi_fp, fs_type, sysfs_type;
@@ -40,17 +41,19 @@ type sysfs_batt, fs_type, sysfs_type;
 type sysfs_cnss, fs_type, sysfs_type;
 type sysfs_fpc, fs_type, sysfs_type;
-type fpc_socket, file_type, data_file_type;
+type fpc_socket, file_type, data_file_type, core_data_file_type;
 type fpc_data_file, file_type;
 type sysfs_wcnsscore, fs_type, sysfs_type;
-type nv_data_file, file_type, data_file_type;
+type nv_data_file, file_type, data_file_type, core_data_file_type;
 type sysfs_rmt_storage, fs_type, sysfs_type;
 type debugfs_rmt_storage, debugfs_type, fs_type;
 type debugfs_wlan, debugfs_type, fs_type;
-type perfd_data_file, file_type, data_file_type;
+type perfd_data_file, file_type, data_file_type, core_data_file_type;
 type proc_kernel_sched, fs_type;
 type sysfs_power_management, sysfs_type, fs_type;
 type proc_touchpanel, fs_type;
 type camera_socket, file_type, data_file_type, core_data_file_type;
 type sysfs_screen_off_gestures, fs_type, sysfs_type, mlstrustedobject;
--- a/sepolicy/vendor/hal_fingerprint_default.te
+++ b/sepolicy/vendor/hal_fingerprint_default.te
@@ -4,11 +4,8 @@ allow hal_fingerprint_default fpc_data_file:dir rw_dir_perms;
 allow hal_fingerprint_default tee_device:chr_file rw_file_perms;
 allow hal_fingerprint_default firmware_file:dir search;
 allow hal_fingerprint_default firmware_file:file r_file_perms;
 allow hal_fingerprint_default fpc_data_file:sock_file { create unlink rw_file_perms };
 allow hal_fingerprint_default sysfs_graphics:dir r_dir_perms;
 allow hal_fingerprint_default sysfs_graphics:file r_file_perms;
 allow hal_fingerprint_default sysfs_leds:dir r_dir_perms;
 allow hal_fingerprint_default sysfs_leds:file r_file_perms;
 # allow hal_fingerprint_default fingerprintd_data_file:sock_file { create unlink };
 allow hal_fingerprint_default uhid_device:chr_file rw_file_perms;
 allow hal_fingerprint_default fpc_socket:sock_file unlink;
--- a/sepolicy/vendor/hal_gnss_qti.te
+++ b/sepolicy/vendor/hal_gnss_qti.te
@@ -1,6 +1,4 @@
 # binder_call(hal_gnss_qti, servicemanager);
 get_prop(hal_gnss_qti, diag_prop);
 # allow hal_gnss_qti per_mgr_service_old:service_manager find;
 allow hal_gnss_qti debug_prop:file read;
 allow hal_gnss_qti property_socket:sock_file write;
--- a/sepolicy/vendor/hal_sensors_default.te
+++ b/sepolicy/vendor/hal_sensors_default.te
@@ -8,10 +8,9 @@ binder_call(hal_sensors_default, system_app)
 binder_call(hal_sensors_default, priv_app)
 binder_call(hal_sensors_default, platform_app)
 allow hal_sensors_default self:capability { dac_override };
 allow hal_sensors_default sensors_device:chr_file { ioctl open read };
 allow hal_sensors_default sysfs:file { open read write };
-allow hal_sensors_default system_data_file:file { getattr open read };
+allow hal_sensors_default system_data_file:file { getattr read };
 allow hal_sensors_default proc_net:file { getattr open read };
 allow hal_sensors_default sysfs_capsense:dir search;
--- a/sepolicy/vendor/init.te
+++ b/sepolicy/vendor/init.te
@@ -6,8 +6,6 @@ allow init hwservicemanager:binder call;
 allow init mm-qcamerad:binder transfer;
 allow init platform_app:binder transfer;
 allow init sysfs_devices_system_cpu:dir write;
 allow init sysfs_lowmemorykiller:dir write;
 allow init system_app:binder transfer;
 allow init system_data_file:file lock;
--- a/sepolicy/vendor/init_wifi.te
+++ b/sepolicy/vendor/init_wifi.te
@@ -12,4 +12,3 @@ allow init_wifi vendor_toolbox_exec:file rx_file_perms;
 allow init_wifi vendor_shell_exec:file entrypoint;
 allow init_wifi sysfs_wcnsscore:file rw_file_perms;
 allow init_wifi sysfs_wcnsscore:dir rw_dir_perms;
--- a/sepolicy/vendor/logd.te
+++ b/sepolicy/vendor/logd.te
@@ -1 +0,0 @@
 allow logd self:capability dac_override;
--- a/sepolicy/vendor/mediaserver.te
+++ b/sepolicy/vendor/mediaserver.te
@@ -1,2 +0,0 @@
 allow mediaserver persist_file:dir search;
 allow mediaserver persist_file:file { read getattr open };
--- a/sepolicy/vendor/mm-qcamerad.te
+++ b/sepolicy/vendor/mm-qcamerad.te
@@ -1,3 +1,6 @@
 type_transition mm-qcamerad camera_data_file:sock_file camera_socket "cam_socket1";
 type_transition mm-qcamerad camera_data_file:sock_file camera_socket "cam_socket2";
 # binder_call(mm-qcamerad, servicemanager);
 # binder_use(mm-qcamerad);
 # binder_call(mm-qcamerad, binderservicedomain);
@@ -15,9 +18,6 @@ allow servicemanager mm-qcamerad:process { getattr };
 allow mm-qcamerad vendor_camera_data_file:file rw_file_perms;
 # allow mm-qcamerad permission_service:service_manager find;
 allow mm-qcamerad debug_prop:property_service set;
 allow mm-qcamerad persist_file:dir search;
 allow mm-qcamerad persist_file:file { read getattr open };
 allow mm-qcamerad system_data_file:dir read;
 allow mm-qcamerad init:unix_stream_socket { read write };
--- a/sepolicy/vendor/mmi_boot.te
+++ b/sepolicy/vendor/mmi_boot.te
@@ -11,11 +11,6 @@ allow mmi_boot vendor_shell_exec:file rx_file_perms;
 allow mmi_boot vendor_toolbox_exec:file rx_file_perms;
 allow mmi_boot vendor_shell_exec:file entrypoint;
 allow mmi_boot radio_data_file:dir { add_name search write };
 allow mmi_boot radio_data_file:file { create setattr };
 allow mmi_boot radio_data_file:file rw_file_perms;
 allow mmi_boot self:capability chown;
 allow mmi_boot self:capability dac_override;
 allow mmi_boot sysfs_socinfo:file write;
 set_prop(mmi_boot, hw_rev_prop);
--- a/sepolicy/vendor/netmgrd.te
+++ b/sepolicy/vendor/netmgrd.te
@@ -1,8 +1,6 @@
 allow netmgrd netmgr_data_file:dir { add_name search write };
 allow netmgrd netmgr_data_file:file create;
 allow netmgrd netmgr_data_file:file rw_file_perms;
 allow netmgrd self:capability dac_override;
 allow netmgrd net_data_file:dir r_dir_perms;
 allow netmgrd netd_socket:sock_file write;
-# allow netmgrd toolbox_exec:file { execute getattr execute_no_trans read open };
+allow netmgrd toolbox_exec:file { getattr read open };
-r_dir_file(netmgrd, net_data_file)
+
 allow netmgrd init:unix_stream_socket connectto;
 allow netmgrd property_socket:sock_file write;
 allow netmgrd system_file:file lock;
--- a/sepolicy/vendor/perfd.te
+++ b/sepolicy/vendor/perfd.te
@@ -6,10 +6,6 @@ allow perfd cgroup:file r_file_perms;
 allow perfd cameraserver:process signull;
 # files in /data/misc/perfd and /data/system/perfd
 allow perfd perfd_data_file:dir create_dir_perms;
 allow perfd perfd_data_file:{ file sock_file } create_file_perms;
 allow perfd proc_kernel_sched:file r_file_perms;
 # read access /sys
--- a/sepolicy/vendor/priv_app.te
+++ b/sepolicy/vendor/priv_app.te
@@ -3,3 +3,4 @@ allow priv_app persist_file:filesystem getattr;
 allow priv_app proc_interrupts:file { open read getattr };
 allow priv_app proc_modules:file { open read getattr };
 get_prop(priv_app, adspd_prop);
 allow priv_app sysfs:dir open;
--- a/sepolicy/vendor/qti_init_shell.te
+++ b/sepolicy/vendor/qti_init_shell.te
@@ -1,6 +1,4 @@
 set_prop(qti_init_shell, hw_rev_prop);
 allow qti_init_shell apk_data_file:dir { write add_name create };
 allow qti_init_shell apk_data_file:file { create write setattr };
 allow qti_init_shell hci_attach_dev:chr_file { read write open ioctl };
 allow qti_init_shell kmsg_device:chr_file write;
--- a/sepolicy/vendor/radio.te
+++ b/sepolicy/vendor/radio.te
@@ -1,2 +1,3 @@
 allow radio system_app_data_file:dir getattr;
 allow radio qmuxd_socket:sock_file write;
 allow radio vendor_file:file { getattr open read };
--- a/sepolicy/vendor/rild.te
+++ b/sepolicy/vendor/rild.te
@@ -1,19 +1,10 @@
 # binder_call(rild, servicemanager);
 binder_call(rild, audioserver_service);
 binder_call(rild, system_server);
 # allow rild per_mgr_service_old:service_manager find;
 set_prop(rild, diag_prop);
 allow rild nv_data_file:dir rw_dir_perms;
 allow rild nv_data_file:file create_file_perms;
 allow rild radio_data_file:dir rw_dir_perms;
 allow rild radio_data_file:file create_file_perms;
 allow rild fsg_file:file { getattr open read };
 allow rild fsg_file:dir { search open read };
 allow rild fsg_file:lnk_file read;
 allow rild cutback_data_file:dir rw_dir_perms;
 allow rild cutback_data_file:sock_file create_file_perms;
 allow rild rild_exec:file execute_no_trans;
 allow rild fwk_sensor_hwservice:hwservice_manager find;
--- a/sepolicy/vendor/rmt_storage.te
+++ b/sepolicy/vendor/rmt_storage.te
@@ -7,6 +7,4 @@ allow rmt_storage debugfs_rmt_storage:dir search;
 allow rmt_storage debugfs_rmt_storage:file w_file_perms;
 allow rmt_storage fsg_file:file { open read };
 allow rmt_storage self:capability dac_override;
 allow rmt_storage fsg_file:dir search;
--- a/sepolicy/vendor/surfaceflinger.te
+++ b/sepolicy/vendor/surfaceflinger.te
@@ -1,7 +1,5 @@
 get_prop(surfaceflinger, diag_prop);
 allow surfaceflinger perfd_data_file:sock_file write;
 allow surfaceflinger perfd_data_file:dir search;
 # allow surfaceflinger perfd:unix_stream_socket connectto;
 allow surfaceflinger diag_device:chr_file { read write };
 binder_call(surfaceflinger, hwservicemanager)
--- a/sepolicy/vendor/system_app.te
+++ b/sepolicy/vendor/system_app.te
@@ -6,7 +6,6 @@ allow system_app sysfs_graphics:dir search;
 allow system_app proc_touchpanel:file rw_file_perms;
 allow system_app sysfs_fpc:file rw_file_perms;
 allow system_app fuse_device:filesystem getattr;
 # allow system_app time_daemon:unix_stream_socket connectto;
 allow system_app init:unix_stream_socket { read write };
 allow system_app sysfs_homebutton:file write;
@@ -16,3 +15,8 @@ binder_call(system_app, qtitetherservice_service);
 binder_call(system_app, wificond);
 get_prop(system_app, spectrum_prop);
 allow system_app hidl_base_hwservice:hwservice_manager add;
 allow system_app sysfs_homebutton:dir search;
 allow system_app sysfs_homebutton:file { getattr open };
--- a/sepolicy/vendor/system_server.te
+++ b/sepolicy/vendor/system_server.te
@@ -2,17 +2,17 @@ binder_call(system_server, rild);
 allow system_server sysfs_homebutton:file rw_file_perms;
 allow system_server sysfs_homebutton:dir r_dir_perms;
 allow system_server persist_file:dir create_dir_perms;
 allow system_server persist_file:file create_file_perms;
 allow system_server rild:binder transfer;
 allow system_server sysfs_capsense:dir search;
 allow system_server sysfs_capsense:file rw_file_perms;
 allow system_server init:unix_stream_socket { read };
 # allow system_server dalvikcache_data_file:file { execute };
 allow system_server qti_debugfs:file { getattr open read };
 allow system_server init:unix_stream_socket write;
 allow system_server sensors_device:chr_file { ioctl open read };
-allow system_server vendor_file:file { getattr open read execute };
+allow system_server vendor_file:file { getattr read };
 allow system_server sysfs:file getattr;
 allow system_server thermal_service:service_manager find;
--- a/sepolicy/vendor/thermal-engine.te
+++ b/sepolicy/vendor/thermal-engine.te
@@ -6,4 +6,3 @@ allow thermal-engine sysfs_uio:file r_file_perms;
 allow thermal-engine sysfs_uio:dir { read open search };
 allow thermal-engine sysfs_uio:lnk_file { read };
 allow thermal-engine sysfs_vadc_dev:lnk_file { read open };
 allow thermal-engine sysfs_vadc_dev:dir rw_dir_perms;
--- a/sepolicy/vendor/toolbox.te
+++ b/sepolicy/vendor/toolbox.te
@@ -1,14 +1,7 @@
 set_prop(toolbox, diag_prop);
 set_prop(toolbox, hw_rev_prop);
 set_prop(toolbox, touch_prop);
-allow toolbox init:fifo_file { write getattr };
+allow toolbox init:fifo_file { write getattr read ioctl };
 allow toolbox self:capability { chown dac_override };
 allow toolbox proc:file rw_file_perms;
 allow toolbox radio_data_file:file rw_file_perms;
 allow toolbox firmware_file:file getattr;
 allow toolbox init:fifo_file ioctl;
 allow toolbox sysfs:dir rw_dir_perms;
 allow toolbox sysfs:file rw_file_perms;
 allow toolbox init:fifo_file read;
--- a/sepolicy/vendor/untrusted_app.te
+++ b/sepolicy/vendor/untrusted_app.te
@@ -3,10 +3,5 @@ get_prop(untrusted_app_25, camera_prop);
 allow untrusted_app sysfs_zram:dir { search read };
 allow untrusted_app sysfs_zram:file { open read getattr };
 get_prop(untrusted_app, net_dns_prop);
 allow untrusted_app firmware_file:dir read;
 allow untrusted_app fsg_file:dir read;
 allow untrusted_app net_dns_prop:file read;
 allow untrusted_app persist_file:dir getattr;
 allow untrusted_app persist_file:filesystem getattr;
--- a/sepolicy/vendor/untrusted_app_25.te
+++ b/sepolicy/vendor/untrusted_app_25.te
@@ -4,6 +4,9 @@
 allow untrusted_app_25 init:unix_stream_socket { read write };
 allow untrusted_app_25 proc_stat:file read;
 allow untrusted_app_25 self:udp_socket ioctl;
 allow untrusted_app_25 vold_exec:file read;
 allow untrusted_app_25 device:dir read;
 allow untrusted_app_25 rootfs:dir { open read };
 allow untrusted_app_25 unlabeled:dir getattr;
		`@@ -1,2 +0,0 @@`
			`allow mediaserver persist_file:dir search;`
			`allow mediaserver persist_file:file { read getattr open };`