From 2094c0db30ba225843caef5bdfd897c9c61f7dbe Mon Sep 17 00:00:00 2001
From: Vachounet
Date: Sun, 21 Jan 2018 06:59:57 +0100
Subject: [PATCH] sanders: sepolicy update
---
 sepolicy/adspd.te | 6 ++++++
 sepolicy/cameraserver.te | 2 --
 sepolicy/file_contexts | 11 +++++------
 sepolicy/fsck.te | 1 +
 sepolicy/hal_fingerprint_default.te | 14 ++++++++++++++
 sepolicy/hal_power_default.te | 1 +
 sepolicy/hal_sensors_default.te | 20 ++++++++++++++++++++
 sepolicy/init.te | 10 ++++------
 sepolicy/init_wifi.te | 9 +++++++--
 sepolicy/mm-qcamerad.te | 3 +++
 sepolicy/mmi_boot.te | 9 +++++++--
 sepolicy/platform_app.te | 5 ++---
 sepolicy/qti_init_shell.te | 3 +++
 sepolicy/rild.te | 4 +++-
 sepolicy/rmt_storage.te | 2 ++
 sepolicy/sensor_hub.te | 4 ++++
 sepolicy/servicemanager.te | 8 ++++++++
 sepolicy/surfaceflinger.te | 2 ++
 18 files changed, 92 insertions(+), 22 deletions(-)
 create mode 100644 sepolicy/fsck.te
 create mode 100644 sepolicy/hal_fingerprint_default.te
 create mode 100644 sepolicy/hal_power_default.te
 create mode 100644 sepolicy/hal_sensors_default.te
diff --git a/sepolicy/adspd.te b/sepolicy/adspd.te
index a59357b..bea519c 100644
--- a/sepolicy/adspd.te
+++ b/sepolicy/adspd.te
@@ -2,6 +2,12 @@ type adspd, domain;
 type adspd_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(adspd)
+binder_use(adspd)
+binder_service(adspd)
+binder_call(adspd, system_server)
+
+allow adspd vendor_shell_exec:file entrypoint;
+
 allow adspd audio_device:chr_file { ioctl open read write };
 allow adspd audio_device:dir search;
 allow adspd input_device:chr_file { ioctl open read };
diff --git a/sepolicy/cameraserver.te b/sepolicy/cameraserver.te
index e202b31..1d68dd5 100644
--- a/sepolicy/cameraserver.te
+++ b/sepolicy/cameraserver.te
@@ -47,8 +47,6 @@ allow cameraserver system_file:file execute;
 allow cameraserver debugfs:dir { read open };
-
-
 allow cameraserver nfc_data_file:file { open write };
 allow cameraserver socket_device:sock_file write;
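Review bot: In sepolicy/adspd.te, `allow adspd vendor_shell_exec:file entrypoint;` lets the adspd domain be entered through the generic vendor shell rather than only through its own `adspd_exec` label, which loosens the binary-to-domain binding that `init_daemon_domain(adspd)` sets up. The same rule is added for init_wifi, mmi_boot and sensor_hub later in this patch, while file_contexts in the same commit re-enables the `adspd_exec`, `mmi_boot_exec` and `init_wifi_exec` labels, so the rule may no longer be needed. If a service really is launched as the shell with an explicit seclabel, record that above the rule, e.g. `# started via /vendor/bin/sh with seclabel in the init rc`. The new `binder_service(adspd)` and `binder_call(adspd, system_server)` lines likewise carry no rationale; a one-line comment naming the service adspd registers would make them reviewable.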
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index 33ea6f1..b8108d0 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -6,10 +6,10 @@ /dev/hidraw[0-9]* u:object_r:amps_raw_device:s0
 # Binaries
-#/system/vendor/bin/adspd u:object_r:adspd_exec:s0
+/system/vendor/bin/adspd u:object_r:adspd_exec:s0
 /system/bin/charge_only_mode u:object_r:charge_only_exec:s0
-#/system/vendor/bin/init\.mmi\.boot\.sh u:object_r:mmi_boot_exec:s0
-#/system/vendor/bin/wlan_carrier_bin\.sh u:object_r:init_wifi_exec:s0
+/system/vendor/bin/init\.mmi\.boot\.sh u:object_r:mmi_boot_exec:s0
+/system/vendor/bin/wlan_carrier_bin\.sh u:object_r:init_wifi_exec:s0
 # CMActions
 /sys/homebutton(/.*)? u:object_r:sysfs_homebutton:s0
@@ -115,11 +115,10 @@ /data/vendor/time(/.*)? u:object_r:time_data_file:s0
 /system/vendor/bin/perfd u:object_r:perfd_exec:s0
-/system/vendor/bin/hw/android\.hardware\.power@1\.1-service\.qti u:object_r:hal_power_default_exec:s0
+/system/vendor/bin/hw/android\.hardware\.power@1\.1-service-qti u:object_r:hal_power_default_exec:s0
 /system/vendor/radio(/.*)? u:object_r:radio_data_file:s0
-/system/vendor/bin/sensorservice_32 u:object_r:hal_sensors_default_exec:s0
-/system/vendor/bin/qmi_motext_hook u:object_r:radio_data_file:s0
+/system/vendor/bin/qmi_motext_hook u:object_r:rild_exec:s0
 /sys/kernel/debug/rmt_storage(/.*)? u:object_r:debugfs_rmt_storage:s0
diff --git a/sepolicy/fsck.te b/sepolicy/fsck.te
new file mode 100644
index 0000000..48352f1
--- /dev/null
+++ b/sepolicy/fsck.te
@@ -0,0 +1 @@
+# allow fsck block_device:blk_file { read write };
diff --git a/sepolicy/hal_fingerprint_default.te b/sepolicy/hal_fingerprint_default.te
new file mode 100644
index 0000000..379b4b1
--- /dev/null
+++ b/sepolicy/hal_fingerprint_default.te
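Review bot: In the second file_contexts hunk, labelling `/system/vendor/bin/qmi_motext_hook` as `rild_exec` means the helper runs with every permission the rild domain holds (rild.te in this patch adds `execute_no_trans` on `rild_exec` to match). If the hook needs less than rild does, a dedicated exec type and domain would be tighter; at minimum add a comment above the entry such as `# run by rild inside the rild domain (execute_no_trans)`. The power HAL pattern in the same hunk changes from `service\.qti` to `service-qti`; if the installed binary name does not match, the file keeps the default vendor label and the HAL never enters `hal_power_default`, so the label is worth confirming with `ls -Z` on a device.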
@@ -0,0 +1,14 @@
+allow hal_fingerprint_default sysfs_fpc:file rw_file_perms;
+allow hal_fingerprint_default sysfs_fpc:dir r_dir_perms;
+allow hal_fingerprint_default fpc_data_file:dir rw_dir_perms;
+allow hal_fingerprint_default tee_device:chr_file rw_file_perms;
+allow hal_fingerprint_default firmware_file:dir search;
+allow hal_fingerprint_default firmware_file:file r_file_perms;
+allow hal_fingerprint_default fpc_data_file:sock_file { create unlink rw_file_perms };
+allow hal_fingerprint_default sysfs_graphics:dir r_dir_perms;
+allow hal_fingerprint_default sysfs_graphics:file r_file_perms;
+allow hal_fingerprint_default sysfs_leds:dir r_dir_perms;
+allow hal_fingerprint_default sysfs_leds:file r_file_perms;
+allow hal_fingerprint_default fingerprintd_data_file:sock_file { create unlink };
+allow hal_fingerprint_default uhid_device:chr_file rw_file_perms;
+allow hal_fingerprint_default fpc_socket:sock_file unlink;
diff --git a/sepolicy/hal_power_default.te b/sepolicy/hal_power_default.te
new file mode 100644
index 0000000..57c3941
--- /dev/null
+++ b/sepolicy/hal_power_default.te
@@ -0,0 +1 @@
+allow hal_power_default sysfs:file write;
diff --git a/sepolicy/hal_sensors_default.te b/sepolicy/hal_sensors_default.te
new file mode 100644
index 0000000..fba3de5
--- /dev/null
+++ b/sepolicy/hal_sensors_default.te
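Review bot: sepolicy/hal_fingerprint_default.te grants `uhid_device:chr_file rw_file_perms`, which allows the fingerprint HAL to register virtual HID devices and therefore to generate input events, and nothing in the file says why. If this exists for sensor navigation gestures (an assumption on my part), state it above the rule, e.g. `# uhid: fingerprint gestures are reported as HID events`; otherwise drop the rule. The socket grants on `fpc_data_file`, `fingerprintd_data_file` and `fpc_socket` appear to cover several locations for the same socket; keeping only the one the current HAL uses, with a comment, would shrink the domain.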
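Review bot: `allow hal_power_default sysfs:file write;` in sepolicy/hal_power_default.te targets the generic `sysfs` type, so the power HAL may write any sysfs node that has no more specific label. This tree already labels individual nodes in file_contexts (for example `sysfs_homebutton`); labelling the nodes the HAL actually touches and granting write on that type only keeps the rule scoped. The same applies to `allow hal_sensors_default sysfs:file { open read write };` in hal_sensors_default.te.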
@@ -0,0 +1,20 @@
+binder_call(hal_sensors_default, hwservicemanager)
+binder_call(hal_sensors_default, servicemanager)
+
+binder_call(hal_sensors_default, mm-qcamerad)
+binder_call(hal_sensors_default, system_server)
+
+binder_call(hal_sensors_default, system_app)
+binder_call(hal_sensors_default, priv_app)
+binder_call(hal_sensors_default, platform_app)
+
+allow hal_sensors_default self:capability { dac_override };
+allow hal_sensors_default sensors_device:chr_file { ioctl open read };
+allow hal_sensors_default sysfs:file { open read write };
+allow hal_sensors_default system_data_file:file { getattr open read };
+
+allow hal_sensors_default proc_net:file { getattr open read };
+allow hal_sensors_default sysfs_capsense:dir search;
+allow hal_sensors_default sysfs_capsense:file { open write };
+
+
diff --git a/sepolicy/init.te b/sepolicy/init.te
index 2c2ff33..8531e47 100644
--- a/sepolicy/init.te
+++ b/sepolicy/init.te
@@ -35,12 +35,6 @@ allow init self:netlink_socket { read write getattr connect };
 allow init debugfs:file write;
 allow init persist_file:filesystem { getattr mount relabelfrom relabelto };
-# binder_call(batterystats_service, servicemanager);
-# allow init batterystats_service:service_manager find;
-
-# binder_call(hal_sensors_hwservice, servicemanager);
-# allow init hal_sensors_hwservice:service_manager find;
-
 allow init self:capability sys_nice;
 allow init bt_firmware_file:filesystem { associate };
@@ -56,3 +50,7 @@ allow init self:capability2 { block_suspend };
 allow init hal_sensors_hwservice:hwservice_manager find;
 allow init { domain -lmkd -crash_dump }:process noatsecure;
+
+allow init hal_perf_hwservice:hwservice_manager find;
+allow init hidl_base_hwservice:hwservice_manager add;
+
diff --git a/sepolicy/init_wifi.te b/sepolicy/init_wifi.te
index 211f86e..794acb9 100644
--- a/sepolicy/init_wifi.te
+++ b/sepolicy/init_wifi.te
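Review bot: `allow hal_sensors_default self:capability { dac_override };` in sepolicy/hal_sensors_default.te lets the sensors HAL bypass Unix (DAC) file permission checks; a `dac_override` denial usually means a file the daemon needs has the wrong owner or mode, and fixing that in the init rc avoids granting the capability. The `system_data_file:file { getattr open read }` rule is similarly wide, because that type is the default for files under /data that have no label of their own. Both rules deserve either a narrower replacement or a comment naming the file that triggered them, e.g. `# FIXME: <path> is root-owned; chown in init rc and drop dac_override`.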
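Review bot: `allow init hidl_base_hwservice:hwservice_manager add;` in the second init.te hunk suggests that some process registering a HIDL service is still running in the init domain, most likely a vendor daemon whose executable has no label that triggers a domain transition. Granting the permission to init hides that; the daemon should get its own `_exec` label and domain so it does not run with init's privileges. If this is a bring-up workaround, mark it in the file, e.g. `# FIXME: <service> runs as init until its binary is labelled`.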
@@ -2,9 +2,14 @@ type init_wifi, domain;
 type init_wifi_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(init_wifi)
+binder_use(init_wifi)
+binder_service(init_wifi)
+binder_call(init_wifi, system_server)
+
 # shell scripts need to execute /system/bin/sh
-allow init_wifi shell_exec:file rx_file_perms;
-allow init_wifi toolbox_exec:file rx_file_perms;
+allow init_wifi vendor_shell_exec:file rx_file_perms;
+allow init_wifi vendor_toolbox_exec:file rx_file_perms;
+allow init_wifi vendor_shell_exec:file entrypoint;
 allow init_wifi sysfs_wcnsscore:file rw_file_perms;
 allow init_wifi sysfs_wcnsscore:dir rw_dir_perms;
diff --git a/sepolicy/mm-qcamerad.te b/sepolicy/mm-qcamerad.te
index 91d9023..b9d4d0d 100644
--- a/sepolicy/mm-qcamerad.te
+++ b/sepolicy/mm-qcamerad.te
@@ -2,6 +2,7 @@ binder_call(mm-qcamerad, servicemanager);
 binder_use(mm-qcamerad);
 binder_call(mm-qcamerad, binderservicedomain);
 binder_call(mm-qcamerad, appdomain);
+binder_call(mm-qcamerad, hal_sensors_default);
 allow servicemanager mm-qcamerad:dir { search };
 allow servicemanager mm-qcamerad:file { read open };
@@ -19,3 +20,5 @@ allow mm-qcamerad system_data_file:dir read;
 allow mm-qcamerad init:unix_stream_socket { read write };
 allow mm-qcamerad sysfs_graphics:file { open read };
+
+allow mm-qcamerad hal_sensors_default:unix_stream_socket { read write };
diff --git a/sepolicy/mmi_boot.te b/sepolicy/mmi_boot.te
index e3f56ac..420fdca 100644
--- a/sepolicy/mmi_boot.te
+++ b/sepolicy/mmi_boot.te
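Review bot: In sepolicy/init_wifi.te the domain of a shell script (`wlan_carrier_bin.sh` according to file_contexts) now receives `binder_use`, `binder_service` and `binder_call(init_wifi, system_server)`; a boot-time script is unlikely to register a binder service, and mmi_boot.te gains the same three lines. If a denial prompted this, allow only what the denial names and leave `binder_service` out unless the script really publishes a service. The context comment `# shell scripts need to execute /system/bin/sh` is also stale now that the rules below it reference `vendor_shell_exec`; it should read `# shell scripts need to execute /vendor/bin/sh`, in both files.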
@@ -2,9 +2,14 @@ type mmi_boot, domain;
 type mmi_boot_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(mmi_boot)
+binder_use(mmi_boot)
+binder_service(mmi_boot)
+binder_call(mmi_boot, system_server)
+
 # shell scripts need to execute /system/bin/sh
-allow mmi_boot shell_exec:file rx_file_perms;
-allow mmi_boot toolbox_exec:file rx_file_perms;
+allow mmi_boot vendor_shell_exec:file rx_file_perms;
+allow mmi_boot vendor_toolbox_exec:file rx_file_perms;
+allow mmi_boot vendor_shell_exec:file entrypoint;
 allow mmi_boot radio_data_file:dir { add_name search write };
 allow mmi_boot radio_data_file:file { create setattr };
diff --git a/sepolicy/platform_app.te b/sepolicy/platform_app.te
index c20cff3..a608963 100644
--- a/sepolicy/platform_app.te
+++ b/sepolicy/platform_app.te
@@ -1,9 +1,8 @@
-typeattribute platform_app mlstrustedsubject;
-
-# binder_call(platform_app, init);
+binder_call(platform_app, hal_sensors_default);
 allow platform_app isdbt_device:chr_file rw_file_perms;
 allow platform_app rootfs:dir getattr;
 allow platform_app init:unix_stream_socket { read write };
+allow platform_app hal_sensors_default:unix_stream_socket { read write };
diff --git a/sepolicy/qti_init_shell.te b/sepolicy/qti_init_shell.te
index 1edaa28..de98e7e 100644
--- a/sepolicy/qti_init_shell.te
+++ b/sepolicy/qti_init_shell.te
@@ -1,3 +1,6 @@
 allow qti_init_shell apk_data_file:dir { write add_name create };
 allow qti_init_shell apk_data_file:file { create write setattr };
 allow qti_init_shell hci_attach_dev:chr_file { read write open ioctl };
+
+allow qti_init_shell kmsg_device:chr_file write;
+allow qti_init_shell sysfs_wcnsscore:file write;
diff --git a/sepolicy/rild.te b/sepolicy/rild.te
index f998213..9aa1e43 100644
--- a/sepolicy/rild.te
+++ b/sepolicy/rild.te
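Review bot: `binder_call(platform_app, hal_sensors_default);` in sepolicy/platform_app.te gives every platform-signed app a direct binder channel to the sensors HAL, whereas apps normally reach sensors through system_server. The added `unix_stream_socket { read write }` rule has no `connectto`, which usually indicates an inherited descriptor rather than a deliberate connection, so the denial behind it may be harmless. Either name the app and the reason in a comment, e.g. `# <app> talks to the sensors HAL directly for <feature>`, or leave the access denied.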
@@ -1,6 +1,6 @@
 binder_call(rild, servicemanager);
 binder_call(rild, audioserver_service);
-binder_call(rild, per_mgr_service_old);
+binder_call(rild, system_server);
 allow rild per_mgr_service_old:service_manager find;
 set_prop(rild, diag_prop);
 allow rild nv_data_file:dir rw_dir_perms;
@@ -12,3 +12,5 @@ allow rild fsg_file:file { getattr open read };
 allow rild cutback_data_file:dir { add_name remove_name write };
 allow rild cutback_data_file:sock_file { create unlink write };
+allow rild rild_exec:file execute_no_trans;
+allow rild cutback_data_file:dir search;
diff --git a/sepolicy/rmt_storage.te b/sepolicy/rmt_storage.te
index d4aa68b..11bff13 100644
--- a/sepolicy/rmt_storage.te
+++ b/sepolicy/rmt_storage.te
@@ -1,3 +1,5 @@
 allow rmt_storage fsg_file:dir search;
 allow rmt_storage fsg_file:file { read open };
 allow rmt_storage self:capability dac_override;
+
+allow rmt_storage fsg_file:dir search;
diff --git a/sepolicy/sensor_hub.te b/sepolicy/sensor_hub.te
index a0f0a5d..6d984cd 100644
--- a/sepolicy/sensor_hub.te
+++ b/sepolicy/sensor_hub.te
@@ -5,8 +5,12 @@ init_daemon_domain(sensor_hub)
 binder_use(sensor_hub)
 binder_service(sensor_hub)
+allow sensor_hub vendor_shell_exec:file entrypoint;
+
 allow sensor_hub sensors_device:chr_file rw_file_perms;
 set_prop(sensor_hub, motosh_prop)
 allow sensor_hub firmware_file:file { getattr open read };
 allow sensor_hub vendor_file:file rx_file_perms;
+
+allow sensor_hub firmware_file:dir search;
diff --git a/sepolicy/servicemanager.te b/sepolicy/servicemanager.te
index e1ce98f..260daf1 100644
--- a/sepolicy/servicemanager.te
+++ b/sepolicy/servicemanager.te
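Review bot: The rule added in sepolicy/rmt_storage.te, `allow rmt_storage fsg_file:dir search;`, is identical to the first context line of the same hunk, so the addition changes nothing. Drop the two added lines; if a denial prompted the change, it was for a different type or permission and that is the rule to add instead.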
@@ -35,3 +35,11 @@ allow servicemanager hal_gnss_qti:dir search;
 allow servicemanager hal_gnss_qti:file { open read };
 allow servicemanager hal_gnss_qti:process getattr;
+allow servicemanager hal_sensors_default:dir search;
+allow servicemanager hal_sensors_default:file { open read };
+allow servicemanager hal_sensors_default:process getattr;
+
+allow servicemanager sensors:dir search;
+allow servicemanager sensors:file { open read };
+allow servicemanager sensors:process getattr;
+
diff --git a/sepolicy/surfaceflinger.te b/sepolicy/surfaceflinger.te
index 9d58727..9706b1e 100644
--- a/sepolicy/surfaceflinger.te
+++ b/sepolicy/surfaceflinger.te
@@ -3,3 +3,5 @@ allow surfaceflinger perfd_data_file:sock_file write;
 allow surfaceflinger perfd_data_file:dir search;
 allow surfaceflinger perfd:unix_stream_socket connectto;
+binder_call(surfaceflinger, hwservicemanager)
+
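Review bot: `binder_call(surfaceflinger, hwservicemanager)` in sepolicy/surfaceflinger.te uses the generic binder macro for an hwbinder peer; the platform macro intended for talking to hwservicemanager is `hwbinder_use(surfaceflinger)`, and the platform policy may already grant it to surfaceflinger, in which case this line is redundant. hal_sensors_default.te in this patch has the same pattern with `binder_call(hal_sensors_default, hwservicemanager)`. If the line stays, a comment with the denial that motivated it would help the next reviewer decide whether it can be removed.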