Verified Commit c3ba8ea6 authored by steadfasterX's avatar steadfasterX 😁
Browse files

universal7870: selinux: massive policies update


Signed-off-by: steadfasterX's avatarsteadfasterX <steadfasterX@gmail.com>
parent c4004667
......@@ -49,3 +49,12 @@ allow cpboot-daemon proc_dt_firmware:file { open read };
set_prop(cpboot-daemon, cpboot-daemon_prop)
set_prop(cpboot-daemon, radio_prop)
set_prop(cpboot-daemon, system_prop)
allow cpboot-daemon log_vendor_data_file:dir search;
allow cpboot-daemon mediaserver_exec:file { getattr read };
allow cpboot-daemon mnt_vendor_file:dir search;
allow cpboot-daemon sysfs:file { open read };
allow cpboot-daemon vendor_default_prop:property_service set;
# required as cbd internally uses /vendor/bin/sh
allow cpboot-daemon vendor_shell_exec:file execute_no_trans;
......@@ -63,5 +63,6 @@ type mediadrm_vendor_data_file, file_type, data_file_type;
type radio_vendor_data_file, file_type, data_file_type;
type sswap_vendor_data_file, file_type, data_file_type;
type wifi_vendor_data_file, file_type, data_file_type;
# sfX debug
type boot_log_file, file_type, data_file_type, core_data_file_type;
# /dev/block/mmcblk0p[0-9]*
allow fsck emmcblk_device:blk_file rw_file_perms;
allow fsck emmcblk_device:blk_file { rw_file_perms ioctl };
allowxperm fsck emmcblk_device:blk_file ioctl { BLKDISCARDZEROES BLKROGET };
......@@ -4,3 +4,5 @@ allow hal_bluetooth_default bluetooth_device:chr_file rw_file_perms;
# /efs
allow hal_bluetooth_default efs_file:dir search;
r_dir_file(hal_bluetooth_default, bluetooth_efs_file)
allow hal_bluetooth_default sysfs:file write;
......@@ -4,3 +4,5 @@ allow hal_camera_default sysfs_camera:file rw_file_perms;
allow hal_camera_default hal_graphics_mapper_hwservice:hwservice_manager find;
vndbinder_use(hal_camera_default)
allow hal_camera_default sysfs:file { getattr open read write };
allow hal_fingerprint_default sysfs_input:dir search;
allow hal_fingerprint_default sysfs_input:file rw_file_perms;
allow hal_fingerprint_default fingerprintd_data_file:dir write;
allow hal_fingerprint_default vendor_data_file:dir { add_name open read remove_name rmdir write };
allow hal_fingerprint_default vendor_data_file:file { getattr open read rename unlink };
allow hal_fingerprint_default biometrics_vendor_data_file:dir { add_name create open read remove_name rmdir search write };
allow hal_fingerprint_default biometrics_vendor_data_file:file { create getattr open read rename unlink write };
......@@ -10,3 +10,7 @@ allow hal_gnss_default gps_vendor_data_file:fifo_file create_file_perms;
# /mnt/vendor
allow hal_gnss_default mnt_vendor_file:dir search;
#allow hal_gnss_default default_android_hwservice:hwservice_manager { add find };
allow hal_gnss_default fwk_sensor_hwservice:hwservice_manager find;
allow hal_gnss_default init:unix_stream_socket connectto;
allow hal_graphics_composer_default secmem_device:chr_file { open read write };
allow hal_graphics_composer_default video_device:chr_file { ioctl open read write };
allow hal_graphics_composer_default vndbinder_device:chr_file { ioctl read open write };
#allow hal_graphics_composer_default default_android_vndservice:service_manager { add find };
allow hal_graphics_composer_default vndservicemanager:binder { call transfer };
r_dir_file(hal_health_default, sysfs_usb_supply)
allow hal_health_default sysfs_usb_supply:file rw_file_perms;
allow hal_health_default sysfs:file { getattr open read };
allow hal_lineage_touch_default sysfs_input:dir search;
allow hal_lineage_touch_default sysfs_input:file rw_file_perms;
allow hal_lineage_touch_default sysfs:file { getattr open write };
allow hal_memtrack_default debugfs:dir { open read };
#allow hal_memtrack_default debugfs:file { getattr open read };
#allow hal_nfc_default default_android_hwservice:hwservice_manager add;
allow hal_nfc_default vendor_default_prop:property_service set;
......@@ -17,3 +17,5 @@ allow hal_power_default sysfs_light:file rw_file_perms;
# Graphics
allow hal_power_default sysfs_graphics:dir search;
allow hal_power_default sysfs_graphics:file rw_file_perms;
allow hal_power_default sysfs:file write;
......@@ -2,3 +2,12 @@
# cgroup tasks
allow hal_sensors_default cgroup:file getattr;
allow hal_sensors_default app_efs_file:dir search;
allow hal_sensors_default efs_file:dir search;
allow hal_sensors_default mediaserver_exec:file { getattr read };
allow hal_sensors_default sensor_efs_file:file { open read };
allow hal_sensors_default sysfs_input:dir { open read search };
allow hal_sensors_default sysfs_input:file { open read write };
allow hal_sensors_default sysfs_sensors:dir search;
allow hal_sensors_default sysfs_sensors:file { getattr open read };
allow hal_thermal_default sysfs:dir { read open };
allow hal_thermal_default sysfs:file { getattr open read };
allow hal_thermal_default self:netlink_kobject_uevent_socket { read bind create getopt setopt };
allow hal_wifi_supplicant_default wifi_vendor_data_file:dir search;
......@@ -93,7 +93,25 @@ allow init proc_sec:file { rw_file_perms setattr };
# Sockets
allow init socket_device:sock_file { read write getattr setattr create unlink };
# allow init hal_drm_hwservice:hwservice_manager add;
allow init fwmarkd_socket:sock_file write;
allow init self:tcp_socket getopt;
#allow init hal_drm_hwservice:hwservice_manager add;
#allow init device:chr_file { open read write };
#allow init vendor_file:file execute_no_trans;
#allow init device:chr_file { read write open };
allow init dnsproxyd_socket:sock_file write;
allow init hwservicemanager:binder call;
allow init netd:unix_stream_socket connectto;
#allow init system_suspend:binder call;
allow init system_suspend_hwservice:hwservice_manager find;
allow init device:chr_file { ioctl };
allow init gps_vendor_data_file:file lock;
allow init kernel:system module_request;
allow init self:tcp_socket create;
allow init sysfs:file setattr;
allow init sysfs_wake_lock:file { write open };
allow init boot_debug:process { noatsecure rlimitinh siginh transition };
allow installd device:file { open write };
......@@ -20,3 +20,5 @@ allow kernel wifi_data_file:file rw_file_perms;
allow kernel tmpfs:dir search;
allow kernel self:capability sys_module;
allow kernel sysfs_input:dir search;
allow kernel sysfs_input:file { open read };
#allow logpersist self:capability dac_override;
#allow logpersist system_data_file:dir { add_name open read write };
#allow logpersist system_data_file:file { append create getattr open };
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment