sepolicy: qti: Fix many denials

avc: denied { sys_admin } for capability=21 scontext=u:r:hal_bootctl_default:s0 tcontext=u:r:hal_bootctl_default:s0 tclass=capability permissive=0 avc: denied { sys_admin } for capability=21 scontext=u:r:fsverity_init:s0 tcontext=u:r:fsverity_init:s0 tclass=capability permissive=0 avc: denied { sys_admin } for capability=21 scontext=u:r:vendor_modprobe:s0 tcontext=u:r:vendor_modprobe:s0 tclass=capability permissive=0 avc: denied { sys_admin } for capability=21 scontext=u:r:vendor_boringssl_self_test:s0 tcontext=u:r:vendor_boringssl_self_test:s0 tclass=capability permissive=0 avc: denied { sys_admin } for capability=21 scontext=u:r:netutils_wrapper:s0 tcontext=u:r:netutils_wrapper:s0 tclass=capability permissive=0 avc: denied { sys_admin } for capability=21 scontext=u:r:vendor_msm_irqbalanced:s0 tcontext=u:r:vendor_msm_irqbalanced:s0 tclass=capability permissive=0 avc: denied { sys_admin } for capability=21 scontext=u:r:vold_prepare_subdirs:s0 tcontext=u:r:vold_prepare_subdirs:s0 tclass=capability permissive=0 avc: denied { sys_admin } for capability=21 scontext=u:r:art_boot:s0 tcontext=u:r:art_boot:s0 tclass=capability permissive=0 avc: denied { sys_admin } for capability=21 scontext=u:r:otapreopt_slot:s0 tcontext=u:r:otapreopt_slot:s0 tclass=capability permissive=0 avc: denied { sys_admin } for capability=21 scontext=u:r:remount:s0 tcontext=u:r:remount:s0 tclass=capability permissive=0 avc: denied { sys_admin } for capability=21 scontext=u:r:update_verifier:s0 tcontext=u:r:update_verifier:s0 tclass=capability permissive=0 avc: denied { sys_admin } for capability=21 scontext=u:r:vendor_rfs_access:s0 tcontext=u:r:vendor_rfs_access:s0 tclass=capability avc: denied { sys_admin } for capability=21 scontext=u:r:vendor_hal_usb_qti:s0 tcontext=u:r:vendor_hal_usb_qti:s0 tclass=capability permissive=0 avc: denied { sys_admin } for capability=21 scontext=u:r:vendor_irsc_util:s0 tcontext=u:r:vendor_irsc_util:s0 tclass=capability permissive=0 avc: denied { sys_admin } for capability=21 scontext=u:r:vendor_hal_perf_default:s0 tcontext=u:r:vendor_hal_perf_default:s0 tclass=capability permissive=0 avc: denied { sys_admin } for capability=21 scontext=u:r:vendor_rmt_storage:s0 tcontext=u:r:vendor_rmt_storage:s0 tclass=capability permissive=0 avc: denied { sys_admin } for capability=21 scontext=u:r:profcollectd:s0 tcontext=u:r:profcollectd:s0 tclass=capability permissive=0 avc: denied { sys_admin } for capability=21 scontext=u:r:adbd:s0 tcontext=u:r:adbd:s0 tclass=capability permissive=0 avc: denied { sys_admin } for capability=21 scontext=u:r:vendor_netmgrd:s0 tcontext=u:r:vendor_netmgrd:s0 tclass=capability permissive=0 avc: denied { sys_admin } for capability=21 scontext=u:r:vendor_dpmd:s0 tcontext=u:r:vendor_dpmd:s0 tclass=capability permissive=0
2023-10-27 19:07:45 +05:30
parent 4ea2fd9b13
commit 2983479930
20 changed files with 22 additions and 0 deletions
--- a/sepolicy/qti/private/art_boot.te
+++ b/sepolicy/qti/private/art_boot.te
@@ -0,0 +1 @@
+allow art_boot self:capability sys_admin;
--- a/sepolicy/qti/private/fsverity_init.te
+++ b/sepolicy/qti/private/fsverity_init.te
@@ -0,0 +1 @@
+allow fsverity_init self:capability sys_admin;
--- a/sepolicy/qti/private/otapreopt_slot.te
+++ b/sepolicy/qti/private/otapreopt_slot.te
@@ -0,0 +1 @@
+allow otapreopt_slot self:capability sys_admin;
--- a/sepolicy/qti/private/profcollectd.te
+++ b/sepolicy/qti/private/profcollectd.te
@@ -0,0 +1 @@
+allow profcollectd self:capability sys_admin;
--- a/sepolicy/qti/private/remount.te
+++ b/sepolicy/qti/private/remount.te
@@ -0,0 +1 @@
+allow remount self:capability sys_admin;
--- a/sepolicy/qti/private/update_verifier.te
+++ b/sepolicy/qti/private/update_verifier.te
@@ -0,0 +1 @@
+allow update_verifier self:capability sys_admin;
--- a/sepolicy/qti/private/vendor_boringssl_self_test.te
+++ b/sepolicy/qti/private/vendor_boringssl_self_test.te
@@ -0,0 +1 @@
+allow vendor_boringssl_self_test self:capability sys_admin;
--- a/sepolicy/qti/public/adbd.te
+++ b/sepolicy/qti/public/adbd.te
@@ -0,0 +1 @@
+allow adbd self:capability sys_admin;
--- a/sepolicy/qti/public/netutils_wrapper.te
+++ b/sepolicy/qti/public/netutils_wrapper.te
@@ -0,0 +1 @@
+dontaudit netutils_wrapper self:capability sys_admin;
--- a/sepolicy/qti/public/vendor_dpmd.te
+++ b/sepolicy/qti/public/vendor_dpmd.te
@@ -0,0 +1 @@
+allow vendor_dpmd self:capability sys_admin;
--- a/sepolicy/qti/public/vold_prepare_subdirs.te
+++ b/sepolicy/qti/public/vold_prepare_subdirs.te
@@ -0,0 +1 @@
+allow vold_prepare_subdirs self:capability sys_admin;
--- a/sepolicy/qti/vendor/hal_bootctl_default.te
+++ b/sepolicy/qti/vendor/hal_bootctl_default.te
@@ -0,0 +1 @@
+allow hal_bootctl_default self:capability sys_admin;
--- a/sepolicy/qti/vendor/vendor_hal_perf_default.te
+++ b/sepolicy/qti/vendor/vendor_hal_perf_default.te
@@ -1 +1,3 @@
+allow vendor_hal_perf_default self:capability sys_admin;
+
 r_dir_file(vendor_hal_perf_default, vendor_sysfs_usb_supply)
--- a/sepolicy/qti/vendor/vendor_hal_usb_qti.te
+++ b/sepolicy/qti/vendor/vendor_hal_usb_qti.te
@@ -0,0 +1 @@
+allow vendor_hal_usb_qti self:capability sys_admin;
--- a/sepolicy/qti/vendor/vendor_irsc_util.te
+++ b/sepolicy/qti/vendor/vendor_irsc_util.te
@@ -0,0 +1 @@
+allow vendor_irsc_util self:capability sys_admin;
--- a/sepolicy/qti/vendor/vendor_modprobe.te
+++ b/sepolicy/qti/vendor/vendor_modprobe.te
@@ -0,0 +1 @@
+allow vendor_modprobe self:capability sys_admin;
--- a/sepolicy/qti/vendor/vendor_msm_irqbalanced.te
+++ b/sepolicy/qti/vendor/vendor_msm_irqbalanced.te
@@ -0,0 +1 @@
+allow vendor_msm_irqbalanced self:capability sys_admin;
--- a/sepolicy/qti/vendor/vendor_netmgrd.te
+++ b/sepolicy/qti/vendor/vendor_netmgrd.te
@@ -0,0 +1 @@
+allow vendor_netmgrd self:capability sys_admin;
--- a/sepolicy/qti/vendor/vendor_rfs_access.te
+++ b/sepolicy/qti/vendor/vendor_rfs_access.te
@@ -0,0 +1 @@
+allow vendor_rfs_access self:capability sys_admin;
--- a/sepolicy/qti/vendor/vendor_rmt_storage.te
+++ b/sepolicy/qti/vendor/vendor_rmt_storage.te
@@ -2,6 +2,8 @@ allow vendor_rmt_storage vendor_reserve_partition:blk_file rw_file_perms;

 allow vendor_rmt_storage sysfs:file read;

+allow vendor_rmt_storage self:capability sys_admin;
+
 get_prop(vendor_rmt_storage, vendor_radio_prop)

 rw_dir_file(vendor_rmt_storage, vendor_proc_engineer)
				`@@ -0,0 +1 @@`
				`allow fsverity_init self:capability sys_admin;`
				`@@ -0,0 +1 @@`
				`allow otapreopt_slot self:capability sys_admin;`
				`@@ -0,0 +1 @@`
				`allow profcollectd self:capability sys_admin;`
				`@@ -0,0 +1 @@`
				`allow update_verifier self:capability sys_admin;`
				`@@ -0,0 +1 @@`
				`allow vendor_boringssl_self_test self:capability sys_admin;`
				`@@ -0,0 +1 @@`
				`dontaudit netutils_wrapper self:capability sys_admin;`
				`@@ -0,0 +1 @@`
				`allow vendor_dpmd self:capability sys_admin;`
				`@@ -0,0 +1 @@`
				`allow vold_prepare_subdirs self:capability sys_admin;`
				`@@ -0,0 +1 @@`
				`allow hal_bootctl_default self:capability sys_admin;`
				`@@ -0,0 +1 @@`
				`allow vendor_hal_usb_qti self:capability sys_admin;`