sanders: sepolicy update
This commit is contained in:
Vachounet
@@ -2,6 +2,12 @@ type adspd, domain;
|
||||
type adspd_exec, exec_type, vendor_file_type, file_type;
|
||||
init_daemon_domain(adspd)
|
||||
|
||||
binder_use(adspd)
|
||||
binder_service(adspd)
|
||||
binder_call(adspd, system_server)
|
||||
|
||||
allow adspd vendor_shell_exec:file entrypoint;
|
||||
|
||||
allow adspd audio_device:chr_file { ioctl open read write };
|
||||
allow adspd audio_device:dir search;
|
||||
allow adspd input_device:chr_file { ioctl open read };
|
||||
|
||||
@@ -47,8 +47,6 @@ allow cameraserver system_file:file execute;
|
||||
|
||||
allow cameraserver debugfs:dir { read open };
|
||||
|
||||
|
||||
|
||||
allow cameraserver nfc_data_file:file { open write };
|
||||
allow cameraserver socket_device:sock_file write;
|
||||
|
||||
|
||||
@@ -6,10 +6,10 @@
|
||||
/dev/hidraw[0-9]* u:object_r:amps_raw_device:s0
|
||||
|
||||
# Binaries
|
||||
#/system/vendor/bin/adspd u:object_r:adspd_exec:s0
|
||||
/system/vendor/bin/adspd u:object_r:adspd_exec:s0
|
||||
/system/bin/charge_only_mode u:object_r:charge_only_exec:s0
|
||||
#/system/vendor/bin/init\.mmi\.boot\.sh u:object_r:mmi_boot_exec:s0
|
||||
#/system/vendor/bin/wlan_carrier_bin\.sh u:object_r:init_wifi_exec:s0
|
||||
/system/vendor/bin/init\.mmi\.boot\.sh u:object_r:mmi_boot_exec:s0
|
||||
/system/vendor/bin/wlan_carrier_bin\.sh u:object_r:init_wifi_exec:s0
|
||||
|
||||
# CMActions
|
||||
/sys/homebutton(/.*)? u:object_r:sysfs_homebutton:s0
|
||||
@@ -115,11 +115,10 @@
|
||||
/data/vendor/time(/.*)? u:object_r:time_data_file:s0
|
||||
|
||||
/system/vendor/bin/perfd u:object_r:perfd_exec:s0
|
||||
/system/vendor/bin/hw/android\.hardware\.power@1\.1-service\.qti u:object_r:hal_power_default_exec:s0
|
||||
/system/vendor/bin/hw/android\.hardware\.power@1\.1-service-qti u:object_r:hal_power_default_exec:s0
|
||||
/system/vendor/radio(/.*)? u:object_r:radio_data_file:s0
|
||||
/system/vendor/bin/sensorservice_32 u:object_r:hal_sensors_default_exec:s0
|
||||
|
||||
/system/vendor/bin/qmi_motext_hook u:object_r:radio_data_file:s0
|
||||
/system/vendor/bin/qmi_motext_hook u:object_r:rild_exec:s0
|
||||
|
||||
/sys/kernel/debug/rmt_storage(/.*)? u:object_r:debugfs_rmt_storage:s0
|
||||
|
||||
|
||||
1
sepolicy/fsck.te
Normal file
1
sepolicy/fsck.te
Normal file
@@ -0,0 +1 @@
|
||||
# allow fsck block_device:blk_file { read write };
|
||||
14
sepolicy/hal_fingerprint_default.te
Normal file
14
sepolicy/hal_fingerprint_default.te
Normal file
@@ -0,0 +1,14 @@
|
||||
allow hal_fingerprint_default sysfs_fpc:file rw_file_perms;
|
||||
allow hal_fingerprint_default sysfs_fpc:dir r_dir_perms;
|
||||
allow hal_fingerprint_default fpc_data_file:dir rw_dir_perms;
|
||||
allow hal_fingerprint_default tee_device:chr_file rw_file_perms;
|
||||
allow hal_fingerprint_default firmware_file:dir search;
|
||||
allow hal_fingerprint_default firmware_file:file r_file_perms;
|
||||
allow hal_fingerprint_default fpc_data_file:sock_file { create unlink rw_file_perms };
|
||||
allow hal_fingerprint_default sysfs_graphics:dir r_dir_perms;
|
||||
allow hal_fingerprint_default sysfs_graphics:file r_file_perms;
|
||||
allow hal_fingerprint_default sysfs_leds:dir r_dir_perms;
|
||||
allow hal_fingerprint_default sysfs_leds:file r_file_perms;
|
||||
allow hal_fingerprint_default fingerprintd_data_file:sock_file { create unlink };
|
||||
allow hal_fingerprint_default uhid_device:chr_file rw_file_perms;
|
||||
allow hal_fingerprint_default fpc_socket:sock_file unlink;
|
||||
1
sepolicy/hal_power_default.te
Normal file
1
sepolicy/hal_power_default.te
Normal file
@@ -0,0 +1 @@
|
||||
allow hal_power_default sysfs:file write;
|
||||
20
sepolicy/hal_sensors_default.te
Normal file
20
sepolicy/hal_sensors_default.te
Normal file
@@ -0,0 +1,20 @@
|
||||
binder_call(hal_sensors_default, hwservicemanager)
|
||||
binder_call(hal_sensors_default, servicemanager)
|
||||
|
||||
binder_call(hal_sensors_default, mm-qcamerad)
|
||||
binder_call(hal_sensors_default, system_server)
|
||||
|
||||
binder_call(hal_sensors_default, system_app)
|
||||
binder_call(hal_sensors_default, priv_app)
|
||||
binder_call(hal_sensors_default, platform_app)
|
||||
|
||||
allow hal_sensors_default self:capability { dac_override };
|
||||
allow hal_sensors_default sensors_device:chr_file { ioctl open read };
|
||||
allow hal_sensors_default sysfs:file { open read write };
|
||||
allow hal_sensors_default system_data_file:file { getattr open read };
|
||||
|
||||
allow hal_sensors_default proc_net:file { getattr open read };
|
||||
allow hal_sensors_default sysfs_capsense:dir search;
|
||||
allow hal_sensors_default sysfs_capsense:file { open write };
|
||||
|
||||
|
||||
@@ -35,12 +35,6 @@ allow init self:netlink_socket { read write getattr connect };
|
||||
allow init debugfs:file write;
|
||||
allow init persist_file:filesystem { getattr mount relabelfrom relabelto };
|
||||
|
||||
# binder_call(batterystats_service, servicemanager);
|
||||
# allow init batterystats_service:service_manager find;
|
||||
|
||||
# binder_call(hal_sensors_hwservice, servicemanager);
|
||||
# allow init hal_sensors_hwservice:service_manager find;
|
||||
|
||||
allow init self:capability sys_nice;
|
||||
|
||||
allow init bt_firmware_file:filesystem { associate };
|
||||
@@ -56,3 +50,7 @@ allow init self:capability2 { block_suspend };
|
||||
allow init hal_sensors_hwservice:hwservice_manager find;
|
||||
|
||||
allow init { domain -lmkd -crash_dump }:process noatsecure;
|
||||
|
||||
allow init hal_perf_hwservice:hwservice_manager find;
|
||||
allow init hidl_base_hwservice:hwservice_manager add;
|
||||
|
||||
|
||||
@@ -2,9 +2,14 @@ type init_wifi, domain;
|
||||
type init_wifi_exec, exec_type, vendor_file_type, file_type;
|
||||
init_daemon_domain(init_wifi)
|
||||
|
||||
binder_use(init_wifi)
|
||||
binder_service(init_wifi)
|
||||
binder_call(init_wifi, system_server)
|
||||
|
||||
# shell scripts need to execute /system/bin/sh
|
||||
allow init_wifi shell_exec:file rx_file_perms;
|
||||
allow init_wifi toolbox_exec:file rx_file_perms;
|
||||
allow init_wifi vendor_shell_exec:file rx_file_perms;
|
||||
allow init_wifi vendor_toolbox_exec:file rx_file_perms;
|
||||
allow init_wifi vendor_shell_exec:file entrypoint;
|
||||
|
||||
allow init_wifi sysfs_wcnsscore:file rw_file_perms;
|
||||
allow init_wifi sysfs_wcnsscore:dir rw_dir_perms;
|
||||
|
||||
@@ -2,6 +2,7 @@ binder_call(mm-qcamerad, servicemanager);
|
||||
binder_use(mm-qcamerad);
|
||||
binder_call(mm-qcamerad, binderservicedomain);
|
||||
binder_call(mm-qcamerad, appdomain);
|
||||
binder_call(mm-qcamerad, hal_sensors_default);
|
||||
|
||||
allow servicemanager mm-qcamerad:dir { search };
|
||||
allow servicemanager mm-qcamerad:file { read open };
|
||||
@@ -19,3 +20,5 @@ allow mm-qcamerad system_data_file:dir read;
|
||||
|
||||
allow mm-qcamerad init:unix_stream_socket { read write };
|
||||
allow mm-qcamerad sysfs_graphics:file { open read };
|
||||
|
||||
allow mm-qcamerad hal_sensors_default:unix_stream_socket { read write };
|
||||
|
||||
@@ -2,9 +2,14 @@ type mmi_boot, domain;
|
||||
type mmi_boot_exec, exec_type, vendor_file_type, file_type;
|
||||
init_daemon_domain(mmi_boot)
|
||||
|
||||
binder_use(mmi_boot)
|
||||
binder_service(mmi_boot)
|
||||
binder_call(mmi_boot, system_server)
|
||||
|
||||
# shell scripts need to execute /system/bin/sh
|
||||
allow mmi_boot shell_exec:file rx_file_perms;
|
||||
allow mmi_boot toolbox_exec:file rx_file_perms;
|
||||
allow mmi_boot vendor_shell_exec:file rx_file_perms;
|
||||
allow mmi_boot vendor_toolbox_exec:file rx_file_perms;
|
||||
allow mmi_boot vendor_shell_exec:file entrypoint;
|
||||
|
||||
allow mmi_boot radio_data_file:dir { add_name search write };
|
||||
allow mmi_boot radio_data_file:file { create setattr };
|
||||
|
||||
@@ -1,9 +1,8 @@
|
||||
typeattribute platform_app mlstrustedsubject;
|
||||
|
||||
# binder_call(platform_app, init);
|
||||
binder_call(platform_app, hal_sensors_default);
|
||||
|
||||
allow platform_app isdbt_device:chr_file rw_file_perms;
|
||||
allow platform_app rootfs:dir getattr;
|
||||
|
||||
allow platform_app init:unix_stream_socket { read write };
|
||||
allow platform_app hal_sensors_default:unix_stream_socket { read write };
|
||||
|
||||
|
||||
@@ -1,3 +1,6 @@
|
||||
allow qti_init_shell apk_data_file:dir { write add_name create };
|
||||
allow qti_init_shell apk_data_file:file { create write setattr };
|
||||
allow qti_init_shell hci_attach_dev:chr_file { read write open ioctl };
|
||||
|
||||
allow qti_init_shell kmsg_device:chr_file write;
|
||||
allow qti_init_shell sysfs_wcnsscore:file write;
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
binder_call(rild, servicemanager);
|
||||
binder_call(rild, audioserver_service);
|
||||
binder_call(rild, per_mgr_service_old);
|
||||
binder_call(rild, system_server);
|
||||
allow rild per_mgr_service_old:service_manager find;
|
||||
set_prop(rild, diag_prop);
|
||||
allow rild nv_data_file:dir rw_dir_perms;
|
||||
@@ -12,3 +12,5 @@ allow rild fsg_file:file { getattr open read };
|
||||
allow rild cutback_data_file:dir { add_name remove_name write };
|
||||
allow rild cutback_data_file:sock_file { create unlink write };
|
||||
|
||||
allow rild rild_exec:file execute_no_trans;
|
||||
allow rild cutback_data_file:dir search;
|
||||
|
||||
@@ -1,3 +1,5 @@
|
||||
allow rmt_storage fsg_file:dir search;
|
||||
allow rmt_storage fsg_file:file { read open };
|
||||
allow rmt_storage self:capability dac_override;
|
||||
|
||||
allow rmt_storage fsg_file:dir search;
|
||||
|
||||
@@ -5,8 +5,12 @@ init_daemon_domain(sensor_hub)
|
||||
binder_use(sensor_hub)
|
||||
binder_service(sensor_hub)
|
||||
|
||||
allow sensor_hub vendor_shell_exec:file entrypoint;
|
||||
|
||||
allow sensor_hub sensors_device:chr_file rw_file_perms;
|
||||
set_prop(sensor_hub, motosh_prop)
|
||||
|
||||
allow sensor_hub firmware_file:file { getattr open read };
|
||||
allow sensor_hub vendor_file:file rx_file_perms;
|
||||
|
||||
allow sensor_hub firmware_file:dir search;
|
||||
|
||||
@@ -35,3 +35,11 @@ allow servicemanager hal_gnss_qti:dir search;
|
||||
allow servicemanager hal_gnss_qti:file { open read };
|
||||
allow servicemanager hal_gnss_qti:process getattr;
|
||||
|
||||
allow servicemanager hal_sensors_default:dir search;
|
||||
allow servicemanager hal_sensors_default:file { open read };
|
||||
allow servicemanager hal_sensors_default:process getattr;
|
||||
|
||||
allow servicemanager sensors:dir search;
|
||||
allow servicemanager sensors:file { open read };
|
||||
allow servicemanager sensors:process getattr;
|
||||
|
||||
|
||||
@@ -3,3 +3,5 @@ allow surfaceflinger perfd_data_file:sock_file write;
|
||||
allow surfaceflinger perfd_data_file:dir search;
|
||||
allow surfaceflinger perfd:unix_stream_socket connectto;
|
||||
|
||||
binder_call(surfaceflinger, hwservicemanager)
|
||||
|
||||
|
||||
Reference in New Issue
Block a user