universal7870: selinux: massive policies update

Signed-off-by: steadfasterX <steadfasterX@gmail.com>

universal7870: selinux: massive policies update
Signed-off-by: steadfasterX <steadfasterX@gmail.com>
c3ba8ea6 · steadfasterX · c4004667 · c3ba8ea6 · c3ba8ea6 · c3ba8ea6
Verified Commit c3ba8ea6 authored Dec 28, 2020 by steadfasterX 😁
--- a/sepolicy/cpboot-daemon.te
+++ b/sepolicy/cpboot-daemon.te
@@ -49,3 +49,12 @@ allow cpboot-daemon proc_dt_firmware:file { open read };
 set_prop(cpboot-daemon, cpboot-daemon_prop)
 set_prop(cpboot-daemon, radio_prop)
 set_prop(cpboot-daemon, system_prop)
+
+allow cpboot-daemon log_vendor_data_file:dir search;
+allow cpboot-daemon mediaserver_exec:file { getattr read };
+allow cpboot-daemon mnt_vendor_file:dir search;
+allow cpboot-daemon sysfs:file { open read };
+allow cpboot-daemon vendor_default_prop:property_service set;
+
+# required as cbd internally uses /vendor/bin/sh
+allow cpboot-daemon vendor_shell_exec:file execute_no_trans;
--- a/sepolicy/file.te
+++ b/sepolicy/file.te
@@ -63,5 +63,6 @@ type mediadrm_vendor_data_file, file_type, data_file_type;
 type radio_vendor_data_file, file_type, data_file_type;
 type sswap_vendor_data_file, file_type, data_file_type;
 type wifi_vendor_data_file, file_type, data_file_type;
+
 # sfX debug
 type boot_log_file, file_type, data_file_type, core_data_file_type;
--- a/sepolicy/fsck.te
+++ b/sepolicy/fsck.te
 # /dev/block/mmcblk0p[0-9]*
-allow fsck emmcblk_device:blk_file rw_file_perms;
+allow fsck emmcblk_device:blk_file { rw_file_perms ioctl };
 allowxperm fsck emmcblk_device:blk_file ioctl { BLKDISCARDZEROES BLKROGET };
--- a/sepolicy/hal_bluetooth_default.te
+++ b/sepolicy/hal_bluetooth_default.te
@@ -4,3 +4,5 @@ allow hal_bluetooth_default bluetooth_device:chr_file rw_file_perms;
 # /efs
 allow hal_bluetooth_default efs_file:dir search;
 r_dir_file(hal_bluetooth_default, bluetooth_efs_file)
+
+allow hal_bluetooth_default sysfs:file write;
--- a/sepolicy/hal_camera_default.te
+++ b/sepolicy/hal_camera_default.te
@@ -4,3 +4,5 @@ allow hal_camera_default sysfs_camera:file rw_file_perms;
 allow hal_camera_default hal_graphics_mapper_hwservice:hwservice_manager find;

 vndbinder_use(hal_camera_default)
+
+allow hal_camera_default sysfs:file { getattr open read write };
--- a/sepolicy/hal_fingerprint_default.te
+++ b/sepolicy/hal_fingerprint_default.te
 allow hal_fingerprint_default sysfs_input:dir search;
 allow hal_fingerprint_default sysfs_input:file rw_file_perms;
+
+allow hal_fingerprint_default fingerprintd_data_file:dir write;
+allow hal_fingerprint_default vendor_data_file:dir { add_name open read remove_name rmdir write };
+allow hal_fingerprint_default vendor_data_file:file { getattr open read rename unlink };
+
+allow hal_fingerprint_default biometrics_vendor_data_file:dir { add_name create open read remove_name rmdir search write };
+allow hal_fingerprint_default biometrics_vendor_data_file:file { create getattr open read rename unlink write };
+
--- a/sepolicy/hal_gnss_default.te
+++ b/sepolicy/hal_gnss_default.te
@@ -10,3 +10,7 @@ allow hal_gnss_default gps_vendor_data_file:fifo_file create_file_perms;

 # /mnt/vendor
 allow hal_gnss_default mnt_vendor_file:dir search;
+
+#allow hal_gnss_default default_android_hwservice:hwservice_manager { add find };
+allow hal_gnss_default fwk_sensor_hwservice:hwservice_manager find;
+allow hal_gnss_default init:unix_stream_socket connectto;
--- a/sepolicy/hal_graphics_composer_default.te
+++ b/sepolicy/hal_graphics_composer_default.te
+allow hal_graphics_composer_default secmem_device:chr_file { open read write };
+allow hal_graphics_composer_default video_device:chr_file { ioctl open read write };
+allow hal_graphics_composer_default vndbinder_device:chr_file { ioctl read open write };
+#allow hal_graphics_composer_default default_android_vndservice:service_manager { add find };
+allow hal_graphics_composer_default vndservicemanager:binder { call transfer };
--- a/sepolicy/hal_health_default.te
+++ b/sepolicy/hal_health_default.te
 r_dir_file(hal_health_default, sysfs_usb_supply)
 allow hal_health_default sysfs_usb_supply:file rw_file_perms;
+allow hal_health_default sysfs:file { getattr open read };
--- a/sepolicy/hal_lineage_touch_default.te
+++ b/sepolicy/hal_lineage_touch_default.te
 allow hal_lineage_touch_default sysfs_input:dir search;
 allow hal_lineage_touch_default sysfs_input:file rw_file_perms;
+allow hal_lineage_touch_default sysfs:file { getattr open write };
--- a/sepolicy/hal_memtrack_default.te
+++ b/sepolicy/hal_memtrack_default.te
+allow hal_memtrack_default debugfs:dir { open read };
+#allow hal_memtrack_default debugfs:file { getattr open read };
--- a/sepolicy/hal_nfc_default.te
+++ b/sepolicy/hal_nfc_default.te
+#allow hal_nfc_default default_android_hwservice:hwservice_manager add;
+allow hal_nfc_default vendor_default_prop:property_service set;
--- a/sepolicy/hal_power_default.te
+++ b/sepolicy/hal_power_default.te
@@ -17,3 +17,5 @@ allow hal_power_default sysfs_light:file rw_file_perms;
 # Graphics
 allow hal_power_default sysfs_graphics:dir search;
 allow hal_power_default sysfs_graphics:file rw_file_perms;
+
+allow hal_power_default sysfs:file write;
--- a/sepolicy/hal_sensors_default.te
+++ b/sepolicy/hal_sensors_default.te
@@ -2,3 +2,12 @@

 # cgroup tasks
 allow hal_sensors_default cgroup:file getattr;
+
+allow hal_sensors_default app_efs_file:dir search;
+allow hal_sensors_default efs_file:dir search;
+allow hal_sensors_default mediaserver_exec:file { getattr read };
+allow hal_sensors_default sensor_efs_file:file { open read };
+allow hal_sensors_default sysfs_input:dir { open read search };
+allow hal_sensors_default sysfs_input:file { open read write };
+allow hal_sensors_default sysfs_sensors:dir search;
+allow hal_sensors_default sysfs_sensors:file { getattr open read };
--- a/sepolicy/hal_thermal_default.te
+++ b/sepolicy/hal_thermal_default.te
+allow hal_thermal_default sysfs:dir { read open };
+allow hal_thermal_default sysfs:file { getattr open read };
+allow hal_thermal_default self:netlink_kobject_uevent_socket { read bind create getopt setopt };
--- a/sepolicy/hal_wifi_supplicant_default.te
+++ b/sepolicy/hal_wifi_supplicant_default.te
+allow hal_wifi_supplicant_default wifi_vendor_data_file:dir search;
--- a/sepolicy/init.te
+++ b/sepolicy/init.te
@@ -93,7 +93,25 @@ allow init proc_sec:file { rw_file_perms setattr };

 # Sockets
 allow init socket_device:sock_file { read write getattr setattr create unlink };
-
-# allow init hal_drm_hwservice:hwservice_manager add;
+allow init fwmarkd_socket:sock_file write;
+allow init self:tcp_socket getopt;
+
+#allow init hal_drm_hwservice:hwservice_manager add;
+#allow init device:chr_file { open read write };
+#allow init vendor_file:file execute_no_trans;
+#allow init device:chr_file { read write open };
+
+allow init dnsproxyd_socket:sock_file write;
+allow init hwservicemanager:binder call;
+allow init netd:unix_stream_socket connectto;
+#allow init system_suspend:binder call;
+
+allow init system_suspend_hwservice:hwservice_manager find;
+allow init device:chr_file { ioctl };
+allow init gps_vendor_data_file:file lock;
+allow init kernel:system module_request;
+allow init self:tcp_socket create;
+allow init sysfs:file setattr;
+allow init sysfs_wake_lock:file { write open };

 allow init boot_debug:process { noatsecure rlimitinh siginh transition };
--- a/sepolicy/installd.te
+++ b/sepolicy/installd.te
+allow installd device:file { open write };
--- a/sepolicy/kernel.te
+++ b/sepolicy/kernel.te
@@ -20,3 +20,5 @@ allow kernel wifi_data_file:file rw_file_perms;
 allow kernel tmpfs:dir search;

 allow kernel self:capability sys_module;
+allow kernel sysfs_input:dir search;
+allow kernel sysfs_input:file { open read };
--- a/sepolicy/logpersist.te
+++ b/sepolicy/logpersist.te
+#allow logpersist self:capability dac_override;
+#allow logpersist system_data_file:dir { add_name open read write };
+#allow logpersist system_data_file:file { append create getattr open };