From 2081af0064dc59705fc7e9c73cb4d116916553dc Mon Sep 17 00:00:00 2001
From: jhenrique09
Date: Mon, 22 Jan 2018 20:53:55 -0200
Subject: [PATCH] sanders: sepolicy: Fix more denials
---
 rootdir/etc/init.mmi.boot.sh | 1 -
 sepolicy/bootanim.te | 7 +++++++
 sepolicy/cnd.te | 1 +
 sepolicy/hal_drm_default.te | 2 ++
 sepolicy/hal_gnss_qti.te | 15 +++++++++++++++
 sepolicy/init.te | 1 -
 sepolicy/netmgrd.te | 1 +
 sepolicy/platform_app.te | 17 +++++++++--------
 sepolicy/priv_app.te | 2 ++
 sepolicy/property_contexts | 10 +++++-----
 sepolicy/qti_init_shell.te | 1 +
 sepolicy/{untrused_app.te => untrusted_app.te} | 0
 12 files changed, 43 insertions(+), 15 deletions(-)
 create mode 100644 sepolicy/bootanim.te
 create mode 100644 sepolicy/cnd.te
 create mode 100644 sepolicy/hal_drm_default.te
 rename sepolicy/{untrused_app.te => untrusted_app.te} (100%)
diff --git a/rootdir/etc/init.mmi.boot.sh b/rootdir/etc/init.mmi.boot.sh
index 16d7c75..1b4686e 100644
--- a/rootdir/etc/init.mmi.boot.sh
+++ b/rootdir/etc/init.mmi.boot.sh
@@ -25,7 +25,6 @@ rev="p${hw%??}$minor1$minor2" rev2=`echo $rev | tr '[:upper:]' '[:lower:]'` setprop ro.boot.hardware.revision $rev2 -setprop ro.hw.revision $rev2 unset hw cinfo m1 m2 minor1 minor2 # Let kernel know our image version/variant/crm_version
diff --git a/sepolicy/bootanim.te b/sepolicy/bootanim.te
new file mode 100644
index 0000000..838b4fa
--- /dev/null
+++ b/sepolicy/bootanim.te
@@ -0,0 +1,7 @@
+allow bootanim hwservicemanager:binder call;
+
+# TODO(b/62954877). On Android Wear, bootanim reads the time
+# during boot to display. It currently gets that time from a file
+# in /data/system. This should be moved. In the meantime, suppress
+# this denial on wahoo since this functionality is not used.
+dontaudit bootanim system_data_file:dir read;
diff --git a/sepolicy/cnd.te b/sepolicy/cnd.te
new file mode 100644
index 0000000..80165e6
--- /dev/null
+++ b/sepolicy/cnd.te
@@ -0,0 +1 @@
+allow cnd system_wpa_socket:sock_file { unlink };
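Review bot: The comment above the `dontaudit` in sepolicy/bootanim.te still describes a different device: it says the denial is suppressed "on wahoo" and explains it through Android Wear, while the commit subject places this tree on sanders. Reword it for this device and record where the rule came from, as the hal_gnss_qti.te hunk does, for example `# Taken from device/google/wahoo: bootanim does not use this on sanders, so the denial is suppressed.` The TODO bug reference can stay so the rule can be removed once the upstream issue is resolved.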
diff --git a/sepolicy/hal_drm_default.te b/sepolicy/hal_drm_default.te
new file mode 100644
index 0000000..b244688
--- /dev/null
+++ b/sepolicy/hal_drm_default.te
@@ -0,0 +1,2 @@
+allow hal_drm_default firmware_file:lnk_file read;
+allow hal_drm_default debug_prop:file read;
diff --git a/sepolicy/hal_gnss_qti.te b/sepolicy/hal_gnss_qti.te
index 3179a42..f7f46dc 100644
--- a/sepolicy/hal_gnss_qti.te
+++ b/sepolicy/hal_gnss_qti.te
@@ -1,4 +1,19 @@ binder_call(hal_gnss_qti, servicemanager); get_prop(hal_gnss_qti, diag_prop); allow hal_gnss_qti per_mgr_service_old:service_manager find;
+allow hal_gnss_qti debug_prop:file read;
+allow hal_gnss_qti property_socket:sock_file write;
+# Most HALs are not allowed to use network sockets. Qcom library
+# libqdi is used across multiple processes which are clients of
+# netmgrd including the GNSS HAL. libqdi first attempts to get the network
+# interface using an IOCTL on a UDP INET socket, which isn't allowed here.
+# If that fails, it falls back to using libc's if_nameindex() which requires
+# a netlink route socket, which HALs may use. Due to the initial
+# attempt to use a UDP socket, we still see a selinux denial,
+# but it is safe to ignore.
+# TODO (b/37730994) Remove udp_socket requirement from
+# libqdi and have all its clients use netlink route
+# sockets.
+# Taken from device/google/wahoo
+dontaudit hal_gnss_qti self:udp_socket create;
diff --git a/sepolicy/init.te b/sepolicy/init.te
index 8531e47..f692318 100644
--- a/sepolicy/init.te
+++ b/sepolicy/init.te
@@ -39,7 +39,6 @@ allow init self:capability sys_nice; allow init bt_firmware_file:filesystem { associate }; allow init firmware_file:filesystem { associate }; -allow init firmware_file:dir mounton; allow init sensors_device:chr_file { rw_file_perms create };
diff --git a/sepolicy/netmgrd.te b/sepolicy/netmgrd.te
index 2cf4bab..4e60a20 100644
--- a/sepolicy/netmgrd.te
+++ b/sepolicy/netmgrd.te
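Review bot: `allow hal_drm_default debug_prop:file read;` grants only `read`, so the `open` and `getattr` steps of the same property lookup are likely to surface as new denials; the identical rule is added for hal_gnss_qti in the next file. hal_gnss_qti.te already grants diag_prop through the macro, so `get_prop(hal_drm_default, debug_prop)` and `get_prop(hal_gnss_qti, debug_prop)` would be the consistent form. If neither HAL actually needs debug properties, a `dontaudit` with the same source, target and permission keeps the policy tighter than an allow.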
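Review bot: `allow hal_gnss_qti property_socket:sock_file write;` in sepolicy/hal_gnss_qti.te opens the property-service socket to the GNSS HAL without stating which property it is meant to set. Write access to the socket file is only one part of what `set_prop()` grants, so this rule probably silences one denial without making the property write succeed, and it leaves an unexplained grant in the policy. Identify the property type and use `set_prop(hal_gnss_qti, <property_type>)` with a one-line comment naming the property, or use `dontaudit hal_gnss_qti property_socket:sock_file write;` if the write is not needed.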
@@ -5,3 +5,4 @@ allow netmgrd self:capability dac_override;
 allow netmgrd net_data_file:dir r_dir_perms;
 allow netmgrd netd_socket:sock_file write;
 allow netmgrd toolbox_exec:file { execute getattr execute_no_trans read open };
+r_dir_file(netmgrd, net_data_file)
diff --git a/sepolicy/platform_app.te b/sepolicy/platform_app.te
index a608963..ef471a2 100644
--- a/sepolicy/platform_app.te
+++ b/sepolicy/platform_app.te
@@ -1,8 +1,9 @@
-binder_call(platform_app, hal_sensors_default);
-
-allow platform_app isdbt_device:chr_file rw_file_perms;
-allow platform_app rootfs:dir getattr;
-
-allow platform_app init:unix_stream_socket { read write };
-allow platform_app hal_sensors_default:unix_stream_socket { read write };
-
+get_prop(platform_app, camera_prop);
+binder_call(platform_app, hal_sensors_default);
+
+allow platform_app rootfs:dir getattr;
+
+allow platform_app init:unix_stream_socket { read write };
+allow platform_app hal_sensors_default:unix_stream_socket { read write };
+
+allow platform_app qemu_hw_mainkeys_prop:file {getattr open read};
diff --git a/sepolicy/priv_app.te b/sepolicy/priv_app.te
index 1785c67..6fd0852 100644
--- a/sepolicy/priv_app.te
+++ b/sepolicy/priv_app.te
@@ -1,2 +1,4 @@
 allow priv_app device:dir r_dir_perms;
 allow priv_app persist_file:filesystem getattr;
+allow priv_app proc_interrupts:file { open read getattr };
+allow priv_app proc_modules:file { open read getattr };
diff --git a/sepolicy/property_contexts b/sepolicy/property_contexts
index b3bd9a5..b42fd3d 100644
--- a/sepolicy/property_contexts
+++ b/sepolicy/property_contexts
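Review bot: The added `r_dir_file(netmgrd, net_data_file)` makes the existing `allow netmgrd net_data_file:dir r_dir_perms;` in the context above it redundant, because the macro already covers directory reads along with file and symlink reads. Drop the older line so each grant appears once, and add a short comment recording why file access was needed, for example `# netmgrd reads files under net_data_file, not only the directory`. The first four lines of netmgrd.te are outside the hunk.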
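Review bot: `allow platform_app qemu_hw_mainkeys_prop:file {getattr open read};` in sepolicy/platform_app.te spells out by hand what the first added line does with a macro. Writing it as `get_prop(platform_app, qemu_hw_mainkeys_prop)` keeps both property grants in the same form. The hunk also removes and re-adds every unchanged rule, which looks like a line-ending or whitespace conversion. If so, it would be easier to audit as a separate commit, because the dropped `isdbt_device` rule is hard to spot among the rewritten lines.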
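Review bot: The two rules added to sepolicy/priv_app.te give every privileged app `open read getattr` on `proc_interrupts` and `proc_modules`, types that are labelled separately so app domains can be kept away from them. Interrupt counters are a known timing side channel for user input, and the loaded-module list exposes kernel details an app has no need for. The commit message only speaks of fixing denials, so unless a specific app is known to break without the data, prefer `dontaudit priv_app proc_interrupts:file { open read getattr };` and `dontaudit priv_app proc_modules:file { open read getattr };`. If a real dependency exists, name the app in a comment above the rule.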
@@ -1,5 +1,5 @@
-hw.aov.disable_hotword u:object_r:adspd_prop:s0
-hw.aov.hotword_dsp_path u:object_r:adspd_prop:s0
-hw.motosh.booted u:object_r:motosh_prop:s0
-ro.hw.revision u:object_r:hw_rev_prop:s0
-hw.touch.status u:object_r:touch_prop:s0
+hw.aov.disable_hotword u:object_r:adspd_prop:s0
+hw.aov.hotword_dsp_path u:object_r:adspd_prop:s0
+hw.motosh.booted u:object_r:motosh_prop:s0
+ro.boot.hardware.revision u:object_r:hw_rev_prop:s0
+hw.touch.status u:object_r:touch_prop:s0
diff --git a/sepolicy/qti_init_shell.te b/sepolicy/qti_init_shell.te
index 330d499..b2d8bbe 100644
--- a/sepolicy/qti_init_shell.te
+++ b/sepolicy/qti_init_shell.te
@@ -1,3 +1,4 @@
+set_prop(qti_init_shell, hw_rev_prop);
 allow qti_init_shell apk_data_file:dir { write add_name create };
 allow qti_init_shell apk_data_file:file { create write setattr };
 allow qti_init_shell hci_attach_dev:chr_file { read write open ioctl };
diff --git a/sepolicy/untrused_app.te b/sepolicy/untrusted_app.te
similarity index 100%
rename from sepolicy/untrused_app.te
rename to sepolicy/untrusted_app.te
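Review bot: Labelling `ro.boot.hardware.revision` as `hw_rev_prop` in sepolicy/property_contexts changes which domains may read it, and the commit adds only a writer (`set_prop(qti_init_shell, hw_rev_prop)` in the next file). Any domain that read the property under its previous label would need `get_prop(<domain>, hw_rev_prop)`, and anything still reading `ro.hw.revision` will presumably find it unset now that init.mmi.boot.sh no longer sets it. Neither kind of consumer is visible in this patch, so both are worth checking on a device. The other four entries are removed and re-added with no visible text change, presumably a whitespace or line-ending conversion that would be easier to review as its own commit.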