kitakami-common: sepolicy: Address Dumpstate HAL denials

* Also address vendor SPL props denial. Change-Id: I1a0875a06a7a5f26f30270fc0902e236293b666e

kitakami-common: sepolicy: Address Dumpstate HAL denials
* Also address vendor SPL props denial. Change-Id: I1a0875a06a7a5f26f30270fc0902e236293b666e
599cddda · TARKZiM · Bernhard Thoben · 60a17a8a · 599cddda · 599cddda
Commit 599cddda authored Oct 29, 2020 by TARKZiM Committed by Bernhard Thoben Nov 13, 2020
--- a/sepolicy/vendor/hal_dumpstate_impl.te
+++ b/sepolicy/vendor/hal_dumpstate_impl.te
+type hal_dumpstate_impl, domain;
+type hal_dumpstate_impl_exec, exec_type, file_type, vendor_file_type;
+
+init_daemon_domain(hal_dumpstate_impl)
+
+allow hal_dumpstate_impl hal_dumpstate_impl_exec:file execute_no_trans;
+allow hal_dumpstate_impl hwservicemanager:binder { call transfer };
+allow hal_dumpstate_impl hwservicemanager_prop:file { getattr map open read };
+allow hal_dumpstate_impl hidl_base_hwservice:hwservice_manager add;
+allow hal_dumpstate_impl hal_dumpstate_hwservice:hwservice_manager { add find };
--- a/sepolicy/vendor/hwservicemanager.te
+++ b/sepolicy/vendor/hwservicemanager.te
 allow hwservicemanager hal_drm_clearkey:dir search;
 allow hwservicemanager hal_drm_clearkey:file { open read };
 allow hwservicemanager hal_drm_clearkey:process getattr;
+allow hwservicemanager hal_dumpstate_impl:dir rw_dir_perms;
+allow hwservicemanager hal_dumpstate_impl:file rw_file_perms;
+allow hwservicemanager hal_dumpstate_impl:binder { call transfer };
+allow hwservicemanager hal_dumpstate_impl:process getattr;
 allow hwservicemanager init:dir search;
 allow hwservicemanager init:file { open read };
 allow hwservicemanager init:process getattr;
--- a/sepolicy/vendor/system_app.te
+++ b/sepolicy/vendor/system_app.te
 allow system_app default_android_service:service_manager find;
 allow system_app hal_power_default:binder call;
+allow system_app hal_dumpstate_impl:binder call;
 allow system_app init:binder call;
 allow system_app installd:binder call;
 allow system_app iorapd:binder call;

--- a/sepolicy/vendor/system_server.te
+++ b/sepolicy/vendor/system_server.te
@@ -2,4 +2,4 @@ allow system_server exported_camera_prop:file { getattr open read };
 allow system_server hal_light_default:process signal;
 allow system_server userspace_reboot_config_prop:file { getattr open read };
 allow system_server userspace_reboot_exported_prop:file { getattr open read };
-allow system_server vendor_security_patch_level_prop:file { getattr open read };
+allow system_server vendor_security_patch_level_prop:file r_file_perms;