From 102ff370421e26322e3c37ce18b71dab7208b6f9 Mon Sep 17 00:00:00 2001
From: Vachounet
Date: Sun, 16 Apr 2017 13:47:08 +0200
Subject: [PATCH] potter: update sepolicy
---
 sepolicy/akmd.te | 3 ++
 sepolicy/device.te | 9 +++++
 sepolicy/file.te | 34 +++++++++++++++++
 sepolicy/file_contexts | 75 +++++++++++++++++++++++++++++++++++++-
 sepolicy/fingerprintd.te | 3 ++
 sepolicy/init.te | 2 +-
 sepolicy/priv_app.te | 1 +
 sepolicy/qti_init_shell.te | 1 +
 sepolicy/radio.te | 1 +
 sepolicy/rild.te | 10 +++++
 sepolicy/system_app.te | 2 +
 sepolicy/system_server.te | 3 ++
 sepolicy/tee.te | 1 +
 sepolicy/ueventd.te | 4 ++
 sepolicy/wpa.te | 2 +
 sepolicy/zygote.te | 1 +
 16 files changed, 149 insertions(+), 3 deletions(-)
 create mode 100644 sepolicy/akmd.te
 create mode 100644 sepolicy/qti_init_shell.te
 create mode 100644 sepolicy/radio.te
 create mode 100644 sepolicy/tee.te
 create mode 100644 sepolicy/wpa.te
 create mode 100644 sepolicy/zygote.te
diff --git a/sepolicy/akmd.te b/sepolicy/akmd.te
new file mode 100644
index 0000000..513d0c4
--- /dev/null
+++ b/sepolicy/akmd.te
@@ -0,0 +1,3 @@
+type akmd, domain, domain_deprecated;
+type akmd_exec, exec_type, file_type;
+init_daemon_domain(akmd)
diff --git a/sepolicy/device.te b/sepolicy/device.te
index cd97148..d51eb51 100644
--- a/sepolicy/device.te
+++ b/sepolicy/device.te
@@ -1 +1,10 @@
+type adspd_device, dev_type;
+type amps_raw_device, dev_type;
+type compass_device, dev_type;
+type haptics_device, dev_type;
+type hob_device, dev_type;
+type graphics_fb_device, dev_type;
 type laser_device, dev_type;
+type synaptics_rmi_device, dev_type;
+type shwi_device, dev_type;
+type isdbt_device, dev_type;
diff --git a/sepolicy/file.te b/sepolicy/file.te
index 39dce8c..a39b26c 100644
--- a/sepolicy/file.te
+++ b/sepolicy/file.te
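Review bot: The new `akmd` domain is declared with `domain_deprecated`, which carries the broad legacy permission set, and the akmd.te hunk adds no allow rules of its own even though the file_contexts hunks in this patch label `/dev/akm09912` as `compass_device` and `/data/misc/akmd` as `akmd_data_file` for it. If the daemon runs on the legacy attribute alone, its real footprint is invisible in this policy and cannot be tightened later without a denial hunt. Consider dropping `domain_deprecated` and adding the specific rules, e.g. `allow akmd compass_device:chr_file rw_file_perms;` and `allow akmd akmd_data_file:dir rw_dir_perms;` (the exact set taken from the denials observed on the device). The same applies to the device.te hunk: most of the new `dev_type` labels have no consuming rule anywhere in the patch, so a comment per type naming the intended domain would help.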
@@ -1,6 +1,31 @@
+# ADSP
+type adspd_data_file, file_type, data_file_type;
+
 # FSG
 type fsg_file, fs_type, contextmount_type;
+# Modem
+type persist_modem_file, file_type, data_file_type;
+
+type persist_omadm_file, file_type, data_file_type;
+type sds_data_file, file_type, data_file_type;
+type pds_public_file, file_type, data_file_type;
+type persist_camera_file, file_type, data_file_type;
+type persist_antcap_file, file_type, data_file_type;
+type pds_telephony_file, file_type, data_file_type;
+type pds_batt_file, file_type, data_file_type;
+type pds_omadm_file, file_type, data_file_type;
+type persist_audio_file, file_type, data_file_type;
+
+type moodle_data_file, file_type, data_file_type;
+type cutback_data_file, file_type, data_file_type;
+
+type dbvc_data_file, file_type, data_file_type;
+
+type akmd_data_file, file_type, data_file_type;
+
+type wapi_supplicant_data_file, file_type, data_file_type;
+
 # RIL
 type netmgr_data_file, file_type, data_file_type;
@@ -10,3 +35,12 @@ type sysfs_homebutton, fs_type, sysfs_type;
 type sysfs_mmi_fp, fs_type, sysfs_type;
 type sysfs_mmi_laser, fs_type, sysfs_type;
 type sysfs_mmi_touch, fs_type, sysfs_type;
+
+type sysfs_capsense, fs_type, sysfs_type;
+type sysfs_batt, fs_type, sysfs_type;
+type sysfs_cnss, fs_type, sysfs_type;
+type sysfs_fpc, fs_type, sysfs_type;
+type sysfs_sensors, fs_type, sysfs_type;
+
+type fpc_socket, file_type;
+
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index 8cccea9..5c2b679 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -1,5 +1,9 @@
 # ADSP
 /sys/kernel/aov(/.*)? u:object_r:sysfs_adsp:s0
+/data/adspd(/.*)? u:object_r:adspd_data_file:s0
+
+# AMPS
+/dev/hidraw[0-9]* u:object_r:amps_raw_device:s0
 # Binaries
 /system/bin/adspd u:object_r:adspd_exec:s0
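Review bot: The new `persist_*_file` and `pds_*_file` types in the first file.te hunk are declared with `data_file_type`, although the file_contexts hunk in this patch places every one of them under `/persist`, not `/data`. That attribute pulls the labels into every rule and neverallow written against `data_file_type` for the data partition, so the grant is wider than a plain type; if the base policy declares `persist_file` with `file_type` only, these should follow it, e.g. `type persist_modem_file, file_type;` (and likewise for the other `/persist` types). The opposite case is `fpc_socket` in the second hunk, which labels `/data/fpc/socket` yet is the only `/data` label here without `data_file_type`; either add the attribute or leave a comment such as `# sock_file under /data; deliberately not data_file_type because <reason>` so the asymmetry reads as intended.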
@@ -7,9 +11,10 @@
 /system/bin/init\.mmi\.laser\.sh u:object_r:mmi_laser_exec:s0
 /system/bin/init\.mmi\.touch\.sh u:object_r:mmi_touch_sh_exec:s0
 /system/bin/motosh u:object_r:sensor_hub_exec:s0
+/system/bin/akmd09912 u:object_r:akmd_exec:s0
 # Camera
-/sys/kernel/range/offset u:object_r:sysfs_mmi_laser:s0
+/sys/kernel/range(/.*)? u:object_r:sysfs_mmi_laser:s0
 # CMActions
 /sys/homebutton/enable u:object_r:sysfs_homebutton:s0
@@ -17,11 +22,69 @@
 # Fingerprint
 /data/.fps(/.*)? u:object_r:fingerprintd_data_file:s0
 /data/fpc u:object_r:fingerprintd_data_file:s0
-/sys/devices/soc/7af8000\.spi/spi_master/spi8/spi8\.0(/.*)? u:object_r:sysfs_mmi_fp:s0
+/data/fpc/socket u:object_r:fpc_socket:s0
+
+/sys/devices/soc/7af8000.spi/spi_master/spi8/spi8.0(/.*)? u:object_r:sysfs_fpc:s0
 # mmi_touch related /sys files
 /sys/devices/soc/78b7000\.i2c/i2c-3/3-0020(/.*)? u:object_r:sysfs_mmi_touch:s0
+# Modem
+/persist/mdm(/.*)? u:object_r:persist_modem_file:s0
+
+/persist/prop(/.*)? u:object_r:persist_omadm_file:s0
+/persist/prov(/.*)? u:object_r:persist_drm_file:s0
+/persist/omadm(/.*)? u:object_r:persist_omadm_file:s0
+/persist/omadm_database(/.*)? u:object_r:persist_omadm_file:s0
+/persist/omadm_cust_database(/.*)? u:object_r:persist_omadm_file:s0
+/persist/public(/.*)? u:object_r:pds_public_file:s0
+/persist/camera(/.*)? u:object_r:persist_camera_file:s0
+/persist/captouch_(.*)? u:object_r:persist_antcap_file:s0
+/persist/telephony(/.*)? u:object_r:pds_telephony_file:s0
+/persist/public/telephony(/.*)? u:object_r:pds_telephony_file:s0
+/persist/batt_health(/.*)? u:object_r:pds_batt_file:s0
+/persist/public/omadm(/.*)? u:object_r:pds_omadm_file:s0
+/persist/factory/audio(/.*)? u:object_r:persist_audio_file:s0
+
+/data/wapi_certificate(/.*)? u:object_r:wapi_supplicant_data_file:s0
+
+/data/misc/akmd(/.*)? u:object_r:akmd_data_file:s0
+
+/data/local/dbvc(/.*)? u:object_r:dbvc_data_file:s0
+/data/local/moodle(/.*)? u:object_r:moodle_data_file:s0
+/data/misc/cutback(/.*)? u:object_r:cutback_data_file:s0
+
+/data/misc/sds(/.*)? u:object_r:sds_data_file:s0
+
+/sys/class/capsense(/.*)? u:object_r:sysfs_capsense:s0
+/sys/module/qpnp_bms(/.*)? u:object_r:sysfs_batt:s0
+/sys/module/cnss_pci(/.*)? u:object_r:sysfs_cnss:s0
+
+/sys/devices/iio_sysfs_trigger(/.*)? u:object_r:sysfs_sensors:s0
+/sys/devices/virtual/stm401/stm401_ms(/.*)? u:object_r:sysfs_sensors:s0
+/sys/devices/virtual/stm401/stm401_as(/.*)? u:object_r:sysfs_sensors:s0
+
+/sys/devices/platform/msm_ssbi.0/pm8921-core/pm8921-charger(/.*)? u:object_r:sysfs_batt:s0
+
+/dev/rmi0 u:object_r:synaptics_rmi_device:s0
+/dev/sec u:object_r:shwi_device:s0
+/dev/kgsl u:object_r:gpu_device:s0
+/dev/isdbt u:object_r:isdbt_device:s0
+/dev/ttyHS3 u:object_r:adspd_device:s0
+/dev/akm8963 u:object_r:compass_device:s0
+/dev/drv2605 u:object_r:haptics_device:s0
+/dev/akm09912 u:object_r:compass_device:s0
+/dev/motcamera0 u:object_r:camera_device:s0
+/dev/akm8963_dev u:object_r:compass_device:s0
+/dev/stml0xx_akm u:object_r:compass_device:s0
+/dev/akm09912_dev u:object_r:compass_device:s0
+/dev/mot_hob_ram u:object_r:hob_device:s0
+
+
+/dev/bcm2079x-i2c u:object_r:nfc_device:s0
+
+/dev/fb_quickdraw u:object_r:graphics_fb_device:s0
+
 # Partitions
 /dev/block/bootdevice/by-name/cache u:object_r:cache_block_device:s0
 /dev/block/bootdevice/by-name/frp u:object_r:frp_block_device:s0
@@ -37,3 +100,11 @@
 /dev/motosh u:object_r:sensors_device:s0
 /dev/motosh_as u:object_r:sensors_device:s0
 /dev/motosh_ms u:object_r:sensors_device:s0
+/dev/stm401.* u:object_r:sensors_device:s0
+/dev/lis3dh u:object_r:sensors_device:s0
+/dev/stml0xx u:object_r:sensors_device:s0
+/dev/l3g4200d u:object_r:sensors_device:s0
+/dev/stml0xx_ms u:object_r:sensors_device:s0
+/dev/stml0xx_as u:object_r:sensors_device:s0
+/data/misc/sensor(/.*)? u:object_r:sensors_data_file:s0
+
diff --git a/sepolicy/fingerprintd.te b/sepolicy/fingerprintd.te
index 626519a..0bd43f4 100644
--- a/sepolicy/fingerprintd.te
+++ b/sepolicy/fingerprintd.te
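Review bot: The replacement entry for the fingerprint SPI node drops the `\.` escapes that the removed line had (`7af8000.spi`, `spi8.0`), and the new `msm_ssbi.0` entry has the same problem; file_contexts paths are regular expressions, so a bare `.` matches any character, and the neighbouring `78b7000\.i2c` entry shows the convention the file follows. Restore them: `/sys/devices/soc/7af8000\.spi/spi_master/spi8/spi8\.0(/.*)? u:object_r:sysfs_fpc:s0` and `/sys/devices/platform/msm_ssbi\.0/pm8921-core/pm8921-charger(/.*)? u:object_r:sysfs_batt:s0`. `/persist/prov(/.*)?` is labelled `persist_drm_file`, a type this patch does not declare in file.te; if the base policy does not provide it, the policy build fails on an undefined type, so confirm it exists before merging. Several new `/dev` labels (`amps_raw_device`, `hob_device`, `shwi_device`, `isdbt_device`, `graphics_fb_device`, `adspd_device`, `haptics_device`, `compass_device`) have no allow rule anywhere in the patch, which is safe but leaves the nodes unreachable; a short comment per group naming the consuming domain would make the intent reviewable.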
@@ -6,4 +6,7 @@ allow fingerprintd fingerprintd_data_file:sock_file { create unlink };
 allow fingerprintd sysfs_mmi_fp:dir { open read search };
 allow fingerprintd sysfs_mmi_fp:file rw_file_perms;
 allow fingerprintd system_data_file:sock_file unlink;
+allow fingerprintd sysfs_fpc:dir r_dir_perms;
+allow fingerprintd sysfs_fpc:file rw_file_perms;
 allow fingerprintd tee_device:chr_file { ioctl open read write };
+allow fingerprintd uhid_device:chr_file rw_file_perms;
diff --git a/sepolicy/init.te b/sepolicy/init.te
index 5e24563..0c66280 100644
--- a/sepolicy/init.te
+++ b/sepolicy/init.te
@@ -4,7 +4,7 @@
 allow init sensors_device:chr_file { write ioctl };
 allow init tee_device:chr_file { write ioctl };
 allow init servicemanager:binder { transfer call };
-allow init system_server:binder call;
+allow init system_server:binder { transfer call };
 allow init property_socket:sock_file write;
 allow init socket_device:sock_file { create setattr unlink };
diff --git a/sepolicy/priv_app.te b/sepolicy/priv_app.te
index ad63ca4..1785c67 100644
--- a/sepolicy/priv_app.te
+++ b/sepolicy/priv_app.te
@@ -1 +1,2 @@
 allow priv_app device:dir r_dir_perms;
+allow priv_app persist_file:filesystem getattr;
diff --git a/sepolicy/qti_init_shell.te b/sepolicy/qti_init_shell.te
new file mode 100644
index 0000000..2e32bee
--- /dev/null
+++ b/sepolicy/qti_init_shell.te
@@ -0,0 +1 @@
+allow qti_init_shell bluetooth_loader_exec:file { open read };
diff --git a/sepolicy/radio.te b/sepolicy/radio.te
new file mode 100644
index 0000000..9ba85de
--- /dev/null
+++ b/sepolicy/radio.te
@@ -0,0 +1 @@
+allow radio system_app_data_file:dir getattr;
diff --git a/sepolicy/rild.te b/sepolicy/rild.te
index 511ab64..a74bc4d 100644
--- a/sepolicy/rild.te
+++ b/sepolicy/rild.te
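Review bot: The two `sysfs_mmi_fp` rules carried as context at the top of the fingerprintd.te hunk look dead after this patch: the file_contexts hunk relabels the only `sysfs_mmi_fp` path it shows (the `spi8.0` node) to `sysfs_fpc`, which the two new rules cover, so unless another entry still uses the old label those rules (and the matching `sysfs_mmi_fp` rule in ueventd.te) should be removed rather than kept alongside their replacements. The added `allow fingerprintd uhid_device:chr_file rw_file_perms;` is the line that needs a justification: uhid lets the daemon register a virtual HID device and feed input events into the system, which is a much larger capability than reading a sensor over SPI. If the fingerprint HAL uses it for the sensor's navigation feature, say so next to the rule, e.g. `# FPC HAL exposes sensor navigation gestures as a virtual HID device`; if that is not the case, drop the rule.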
@@ -1,2 +1,12 @@
+allow rild fsg_file:file r_file_perms;
 allow rild persist_file:dir search;
 allow rild persist_file:file rw_file_perms;
+
+allow rild cutback_data_file:dir rw_dir_perms;
+allow rild cutback_data_file:sock_file rw_file_perms;
+allow rild sensorservice_service:service_manager find;
+allow rild system_server:binder { transfer call };
+allow rild system_server:unix_stream_socket { read getopt write };
+allow rild wpa:unix_dgram_socket sendto;
+allow rild wpa_socket:sock_file { read write };
+
diff --git a/sepolicy/system_app.te b/sepolicy/system_app.te
index ef05374..5147ed0 100644
--- a/sepolicy/system_app.te
+++ b/sepolicy/system_app.te
@@ -1 +1,3 @@
 allow system_app sysfs_homebutton:file rw_file_perms;
+allow system_app fingerprintd:binder call;
+
diff --git a/sepolicy/system_server.te b/sepolicy/system_server.te
index 3253d80..d043d62 100644
--- a/sepolicy/system_server.te
+++ b/sepolicy/system_server.te
@@ -1,2 +1,5 @@
 allow system_server persist_file:dir rw_dir_perms;
 allow system_server persist_file:file rw_file_perms;
+allow system_server rild:binder transfer;
+allow system_server sysfs_capsense:dir search;
+
diff --git a/sepolicy/tee.te b/sepolicy/tee.te
new file mode 100644
index 0000000..10b1790
--- /dev/null
+++ b/sepolicy/tee.te
@@ -0,0 +1 @@
+allow tee persist_file:file r_file_perms;
diff --git a/sepolicy/ueventd.te b/sepolicy/ueventd.te
index 57eb7cb..ed1d71a 100644
--- a/sepolicy/ueventd.te
+++ b/sepolicy/ueventd.te
@@ -2,3 +2,7 @@ allow ueventd device:chr_file { relabelfrom relabelto };
 allow ueventd sysfs_mmi_fp:file w_file_perms;
 allow ueventd sysfs_mmi_touch:file w_file_perms;
 allow ueventd sysfs_mmi_touch:dir search;
+
+allow ueventd synaptics_rmi_device:chr_file rw_file_perms;
+allow ueventd sysfs_fpc:file rw_file_perms;
+allow ueventd sysfs_sensors:file rw_file_perms;
diff --git a/sepolicy/wpa.te b/sepolicy/wpa.te
new file mode 100644
index 0000000..cb68bd2
--- /dev/null
+++ b/sepolicy/wpa.te
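Review bot: `allow rild cutback_data_file:sock_file rw_file_perms;` in the rild.te hunk grants open/read/ioctl on a socket file, where connecting to it needs only `write`, and it is wider than the `sock_file write` that wpa.te in the same patch grants on the same type; unless rild is the side that creates the socket (which would need `create`/`unlink`, neither of which is in `rw_file_perms`), `allow rild cutback_data_file:sock_file write;` is sufficient. More generally this hunk gives rild, a domain that handles modem-originated data, a datagram path into `wpa`, binder calls into `system_server` and a stream socket shared with it; each of those pairs with a peer rule elsewhere in the patch, so a one-line comment per group naming the feature that needs it would let the next reviewer separate deliberate grants from ones copied from denial logs. The same holds for `allow rild fsg_file:file r_file_perms;` at the top, which is plausible for modem firmware access but undocumented.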
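Review bot: `allow system_app fingerprintd:binder call;` in the system_app.te hunk lets a system app talk to fingerprintd directly rather than through system_server, which is where the framework's permission checks on fingerprint operations are enforced. If this was taken from a denial raised by a vendor app, check whether that app can use the framework API instead; if the direct call is genuinely required, document the caller above the rule, e.g. `# <app name> talks to fingerprintd directly for <feature>`, so the bypass is visible to future reviewers.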
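Review bot: The three new rules in the ueventd.te hunk use `rw_file_perms` where the existing `sysfs_mmi_fp` and `sysfs_mmi_touch` rules in the same hunk use `w_file_perms`, so the style is inconsistent and the grant is wider than the precedent the file sets; if ueventd only writes these attributes, `allow ueventd sysfs_fpc:file w_file_perms;` and `allow ueventd sysfs_sensors:file w_file_perms;` would match. `allow ueventd synaptics_rmi_device:chr_file rw_file_perms;` is harder to explain: creating and relabelling `/dev/rmi0` is already covered by the `device:chr_file { relabelfrom relabelto }` rule shown in the hunk header, and ueventd normally has no reason to open the touch controller itself. If a specific denial drove it, note the operation in a comment; otherwise drop it.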
@@ -0,0 +1,2 @@
+allow wpa cutback_data_file:sock_file write;
+allow wpa rild:unix_dgram_socket sendto;
diff --git a/sepolicy/zygote.te b/sepolicy/zygote.te
new file mode 100644
index 0000000..e7d14e1
--- /dev/null
+++ b/sepolicy/zygote.te
@@ -0,0 +1 @@
+allow zygote self:capability sys_nice;