sanders: address camera denials
@@ -1,2 +1,66 @@
|
||||
# Shouldn't do this here
|
||||
binder_call(cameraserver, servicemanager);
|
||||
|
||||
allow cameraserver nfc_data_file:dir search;
|
||||
allow cameraserver nfc_data_file:fifo_file write;
|
||||
allow cameraserver nfc_data_file:fifo_file open;
|
||||
|
||||
allow cameraserver sensorservice_service:service_manager { find };
|
||||
allow cameraserver system_file:dir { read open };
|
||||
|
||||
allow cameraserver sdcardfs:dir { read write open getattr add_name remove_name rw_file_perms rmdir search };
|
||||
allow cameraserver sdcardfs:file { create open read write unlink getattr };
|
||||
allow cameraserver storage_file:dir search;
|
||||
|
||||
allow cameraserver persist_file:file { read write open create getattr create_file_perms rw_file_perms };
|
||||
allow cameraserver persist_file:dir { read write open create_file_perms rw_file_perms search add_name create };
|
||||
allow cameraserver fuse:file { read write open create getattr create_file_perms rw_file_perms };
|
||||
allow cameraserver fuse:dir { read write open create_file_perms rw_file_perms search add_name create };
|
||||
allow cameraserver tmpfs:file { read write open create getattr create_file_perms rw_file_perms };
|
||||
allow cameraserver tmpfs:dir { read write open create_file_perms rw_file_perms search add_name create };
|
||||
allow cameraserver storage_file:dir r_dir_perms;
|
||||
allow cameraserver storage_file:lnk_file r_file_perms;
|
||||
allow cameraserver mnt_user_file:dir r_dir_perms;
|
||||
allow cameraserver mnt_user_file:lnk_file r_file_perms;
|
||||
allow cameraserver media_rw_data_file:dir { open read search write add_name };
|
||||
allow cameraserver media_rw_data_file:file { create read write open };
|
||||
|
||||
allow cameraserver sysfs:file { open write };
|
||||
|
||||
allow cameraserver cameraserver:process { execmem };
|
||||
|
||||
allow cameraserver self:netlink_kobject_uevent_socket { read bind create setopt };
|
||||
allow cameraserver default_android_service:service_manager find;
|
||||
allow cameraserver rootfs:lnk_file getattr;
|
||||
allow cameraserver init:unix_dgram_socket { sendto};
|
||||
|
||||
binder_call(cameraserver, hal_perf_default)
|
||||
binder_call(cameraserver, hal_configstore_default)
|
||||
|
||||
####
|
||||
allow cameraserver debug_prop:file { r_file_perms };
|
||||
allow cameraserver debug_prop:property_service set;
|
||||
|
||||
#######
|
||||
#allow cameraserver persist_file:file rw_file_perms;
|
||||
#allow cameraserver persist_file:file setattr;
|
||||
allow cameraserver shell_exec:file { read open execute };
|
||||
allow cameraserver self:socket create;
|
||||
allow cameraserver camera_prop:property_service set;
|
||||
allow cameraserver init:unix_stream_socket connectto;
|
||||
allow cameraserver sensors_persist_file:file { open read };
|
||||
allow cameraserver property_socket:sock_file write;
|
||||
#allow cameraserver cameraserver:socket { { getattr read ioctl lock } { append write lock } };
|
||||
allow cameraserver shell_exec:file { execute getattr };
|
||||
allow cameraserver system_file:file execute;
|
||||
|
||||
allow cameraserver debugfs:dir { read open };
|
||||
|
||||
allow cameraserver nfc_data_file:file { open write };
|
||||
allow cameraserver socket_device:sock_file write;
|
||||
|
||||
allow cameraserver hal_perf_default:binder call;
|
||||
|
||||
allow cameraserver sysfs_battery_supply:dir search;
|
||||
allow cameraserver sysfs_battery_supply:file { getattr open read };
|
||||
|
||||
allow cameraserver camera_bgproc_service:service_manager { add find };
|
||||
|
||||
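Review bot: The rules `allow cameraserver cameraserver:process { execmem };`, `allow cameraserver shell_exec:file { read open execute };`, `allow cameraserver system_file:file execute;` and `allow cameraserver sysfs:file { open write };` let the camera service map writable-executable memory, execute shell binaries and write to arbitrary sysfs nodes, which is far more than a denial fix needs and is the kind of grant the platform's neverallow set is likely to reject at build time; each of those denials is a symptom to label precisely, not to allow broadly. The same applies to the create/write grants on the generic `sdcardfs`, `fuse`, `tmpfs` and `persist_file` types: the audit line names the specific file type the daemon touched, and that is what should be allowed. The manual property triplet `allow cameraserver camera_prop:property_service set;`, `allow cameraserver init:unix_stream_socket connectto;` and `allow cameraserver property_socket:sock_file write;` collapses to the platform macro `set_prop(cameraserver, camera_prop)`, which grants exactly those. The `# Shouldn't do this here` comment on `binder_call(cameraserver, servicemanager);` already flags that rule as misplaced, and the trailing `;` after a macro invocation is inconsistent with the other `binder_call(...)` lines in this file. This hunk has two context lines whose position the rendering does not show, so a couple of the lines above may predate the commit.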
@@ -8,11 +8,15 @@
|
||||
# Binaries
|
||||
/system/bin/adspd u:object_r:adspd_exec:s0
|
||||
/system/bin/charge_only_mode u:object_r:charge_only_exec:s0
|
||||
/system/bin/init\.mmi\.boot\.sh u:object_r:mmi_boot_exec:s0
|
||||
/system/bin/init\.mmi\.laser\.sh u:object_r:mmi_laser_exec:s0
|
||||
/system/bin/wlan_carrier_bin\.sh u:object_r:init_wifi_exec:s0
|
||||
/system/bin/motosh u:object_r:sensor_hub_exec:s0
|
||||
/system/bin/akmd09912 u:object_r:akmd_exec:s0
|
||||
/system/vendor/bin/init\.mmi\.boot\.sh u:object_r:mmi_boot_exec:s0
|
||||
/system/vendor/bin/wlan_carrier_bin\.sh u:object_r:init_wifi_exec:s0
|
||||
/system/vendor/bin/init\.qti\.fm\.sh u:object_r:qti_init_shell_exec:s0
|
||||
/system/vendor/bin/hw/motorola\.hardware\.camera\.provider@2\.4-service u:object_r:hal_camera_default_exec:s0
|
||||
/system/vendor/lib/motorola\.hardware\.camera\.device@1\.0.so u:object_r:hal_camera_default_exec:s0
|
||||
/system/vendor/lib/motorola\.hardware\.camera\.provider@2\.4.so u:object_r:hal_camera_default_exec:s0
|
||||
|
||||
#binder to fix camera daemon
|
||||
/dev/binder(/.*)? u:object_r:binder_device:s0
|
||||
|
||||
# CMActions
|
||||
/sys/homebutton(/.*)? u:object_r:sysfs_homebutton:s0
|
||||
|
||||
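Review bot: The two shared libraries `/system/vendor/lib/motorola\.hardware\.camera\.device@1\.0.so` and `/system/vendor/lib/motorola\.hardware\.camera\.provider@2\.4.so` are labeled `hal_camera_default_exec`, which is the entrypoint type for the HAL's binary rather than for libraries it loads; presumably they should keep the default label the platform gives `/system/vendor`, so those two entries should be dropped (note also that the `.` before `so` is unescaped in both while every other dot in the file is escaped). The `/dev/binder(/.*)? u:object_r:binder_device:s0` entry under `#binder to fix camera daemon` duplicates a label the platform already applies to `/dev/binder`, and since the node is a character device the `(/.*)?` suffix matches nothing; if a binder denial is being chased, the missing piece is a domain rule, not a label. Part of this file precedes the hunk and the rendering does not show which lines are context, so some of the listed entries may be pre-existing.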
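--- a/sepolicy/hal_camera_default.te
+++ b/sepolicy/hal_camera_default.te
@@ -0,0 +1,12 @@
+allow hal_camera_default gpu_device:dir r_dir_perms;
+allow hal_camera_default gpu_device:file r_file_perms;
+allow hal_camera_default hal_configstore_ISurfaceFlingerConfigs:hwservice_manager find;
+allow hal_camera_default hal_configstore_default:binder call;
+allow hal_camera_default unlabeled:file {open getattr read };
+allow hal_camera_default camera_data_file:sock_file write;
+allow hal_camera_default persist_file:file { rw_file_perms setattr };
+allow hal_camera_default hal_graphics_allocator_hwservice:hwservice_manager { find };
+allow hal_camera_default system_server:unix_stream_socket { read write };
+
+binder_call(hal_camera_default, hal_configstore_default)
+binder_call(hal_camera_default, hal_graphics_allocator_default)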
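Review bot: `allow hal_camera_default unlabeled:file {open getattr read };` papers over a labeling gap: `unlabeled` is what a file carries when no file_contexts entry (or no restorecon) covers it, so the denial behind this rule should be fixed by labeling that path in file_contexts rather than by letting the HAL read anything unlabeled on the device. `allow hal_camera_default hal_configstore_default:binder call;` is already covered by the `binder_call(hal_camera_default, hal_configstore_default)` macro below it, so one of the two can go. `allow hal_camera_default persist_file:file { rw_file_perms setattr };` grants read/write/setattr on every file of the generic persist type; if the HAL only touches its own calibration files, a dedicated file type declared in file.te and assigned in file_contexts keeps the grant to those files. The `{open getattr read }` brace spacing also differs from the rest of the file.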
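--- a/sepolicy/hwservice_contexts
+++ b/sepolicy/hwservice_contexts
@@ -0,0 +1,2 @@
+motorola.hardware.camera.provider::ICameraProvider u:object_r:hal_camera_hwservice:s0
+motorola.hardware.mods_camera.provider::ICameraProvider u:object_r:hal_camera_hwservice:s0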
@@ -1,4 +1,33 @@
|
||||
type_transition mm-qcamerad camera_data_file:sock_file camera_socket "cam_socket1";
|
||||
type_transition mm-qcamerad camera_data_file:sock_file camera_socket "cam_socket2";
|
||||
allow mm-qcamerad camera_socket:sock_file { create unlink write };
|
||||
|
||||
binder_call(mm-qcamerad, servicemanager);
|
||||
binder_use(mm-qcamerad);
|
||||
binder_call(mm-qcamerad, binderservicedomain);
|
||||
binder_call(mm-qcamerad, appdomain);
|
||||
binder_call(mm-qcamerad, hal_sensors_default);
|
||||
set_prop(mm-qcamerad, camera_prop);
|
||||
|
||||
allow servicemanager mm-qcamerad:dir { search };
|
||||
allow servicemanager mm-qcamerad:file { read open };
|
||||
allow servicemanager mm-qcamerad:process { getattr };
|
||||
|
||||
allow mm-qcamerad camera_data_file:sock_file { create unlink write };
|
||||
allow mm-qcamerad system_server:unix_stream_socket rw_socket_perms;
|
||||
allow mm-qcamerad sensorservice_service:service_manager find;
|
||||
allow mm-qcamerad vendor_camera_data_file:file rw_file_perms;
|
||||
allow mm-qcamerad permission_service:service_manager find;
|
||||
allow mm-qcamerad debug_prop:property_service set;
|
||||
allow mm-qcamerad persist_file:dir search;
|
||||
allow mm-qcamerad persist_file:file { read getattr open };
|
||||
allow mm-qcamerad system_data_file:dir read;
|
||||
|
||||
allow mm-qcamerad init:unix_stream_socket { read write };
|
||||
allow mm-qcamerad sysfs_graphics:file r_file_perms;
|
||||
|
||||
allow mm-qcamerad hal_sensors_default:unix_stream_socket { read write };
|
||||
|
||||
allow mm-qcamerad hal_configstore_ISurfaceFlingerConfigs:hwservice_manager find;
|
||||
allow mm-qcamerad hal_configstore_default:binder call;
|
||||
|
||||
|
||||
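Review bot: `binder_call(mm-qcamerad, appdomain);` lets every app domain, untrusted ones included, exchange binder calls with the camera daemon, and `binder_call(mm-qcamerad, binderservicedomain);` does the same for every system binder service; the denial behind these most likely names a single client (`cameraserver` being the usual one), and the macro should be scoped to that domain. `allow mm-qcamerad debug_prop:property_service set;` is a bare property grant sitting next to a correct `set_prop(mm-qcamerad, camera_prop);` — the macro form `set_prop(mm-qcamerad, debug_prop)` also covers the property-socket access the raw rule omits. The three `allow servicemanager mm-qcamerad:...` rules belong in the `sepolicy/servicemanager.te` this commit adds, where the equivalent rules for every other domain live. This hunk has four context lines whose position the rendering does not show, so some of the lines above may predate the commit.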
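--- a/sepolicy/servicemanager.te
+++ b/sepolicy/servicemanager.te
@@ -0,0 +1,45 @@
+allow servicemanager init:dir search;
+allow servicemanager init:file { open read };
+allow servicemanager init:process getattr;
+allow servicemanager qseeproxy:dir search;
+allow servicemanager qseeproxy:file { open read };
+allow servicemanager rild:dir search;
+allow servicemanager rild:file { open read };
+allow servicemanager rild:process getattr;
+
+allow servicemanager hal_fingerprint_default:dir search;
+allow servicemanager hal_fingerprint_default:file read;
+allow servicemanager qseeproxy:process getattr;
+
+
+allow servicemanager hal_camera_default:dir search;
+allow servicemanager hal_camera_default:file r_file_perms;
+allow servicemanager hal_camera_default:process getattr;
+
+allow servicemanager hal_fingerprint_default:file open;
+allow servicemanager hal_fingerprint_default:process getattr;
+
+allow servicemanager wcnss_service:dir search;
+allow servicemanager wcnss_service:file { open read };
+
+allow servicemanager esepmdaemon:dir search;
+allow servicemanager esepmdaemon:file { open read };
+allow servicemanager esepmdaemon:process getattr;
+
+allow servicemanager per_mgr:dir search;
+allow servicemanager per_mgr:file { open read };
+allow servicemanager per_mgr:process getattr;
+allow servicemanager wcnss_service:process getattr;
+
+allow servicemanager hal_gnss_qti:dir search;
+allow servicemanager hal_gnss_qti:file { open read };
+allow servicemanager hal_gnss_qti:process getattr;
+
+allow servicemanager hal_sensors_default:dir search;
+allow servicemanager hal_sensors_default:file { open read };
+allow servicemanager hal_sensors_default:process getattr;
+
+allow servicemanager sensors:dir search;
+allow servicemanager sensors:file { open read };
+allow servicemanager sensors:process getattr;
+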
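Review bot: The `init` trio at the top of the file (`allow servicemanager init:dir search;`, `allow servicemanager init:file { open read };`, `allow servicemanager init:process getattr;`) lets servicemanager inspect init's /proc entries, which it only needs for a domain that registers or looks up binder services; init is not a binder client on AOSP, and to my knowledge the platform's own servicemanager.te grants this same trio on `{ domain -init }`, deliberately excluding init. If the base policy carries that `{ domain -init }` rule, every other line in this file is redundant and the init lines are the only ones that add anything — and what they add is the wrong thing, so the whole file can likely be dropped after confirming against the base sepolicy. If the base policy does not carry it, the per-domain rules should at least be grouped, since `allow servicemanager qseeproxy:process getattr;`, `allow servicemanager hal_fingerprint_default:file open;` and `allow servicemanager wcnss_service:process getattr;` are separated from their sibling rules and `hal_camera_default` gets `r_file_perms` where every other domain gets `{ open read }`.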