kitakami-common: sepolicy: Switched back to enforced SELinux mode.

Change-Id: I565f1ea6a77e2b9667ddd039b8dcccf3656e1273

kitakami-common: sepolicy: Switched back to enforced SELinux mode.
Change-Id: I565f1ea6a77e2b9667ddd039b8dcccf3656e1273
7d3996ec · Bernhard Thoben · ee4885be · 7d3996ec · 7d3996ec · 7d3996ec
Commit 7d3996ec authored Nov 05, 2020 by Bernhard Thoben
--- a/BoardConfigCommon.mk
+++ b/BoardConfigCommon.mk
@@ -51,7 +51,6 @@ BUILD_BROKEN_USES_BUILD_COPY_HEADERS := true

 # Boot image/kernel
 BOARD_KERNEL_CMDLINE := androidboot.hardware=qcom user_debug=31 msm_rtb.filter=0x237 ehci-hcd.park=3 lpm_levels.sleep_disabled=1 boot_cpus=0-5 loop.max_part=7 dwc3_msm.hvdcp_max_current=1500 dwc3_msm.prop_chg_detect=Y coherent_pool=2M swiotlb=2048
-BOARD_KERNEL_CMDLINE += androidboot.selinux=permissive
 BOARD_KERNEL_IMAGE_NAME := Image.gz-dtb
 BOARD_KERNEL_PAGESIZE := 4096
 BOARD_KERNEL_BASE := 0x00000000

--- a/sepolicy/vendor/bootanim.te
+++ b/sepolicy/vendor/bootanim.te
 allow bootanim secd_exec:file { getattr read };
+allow bootanim userspace_reboot_exported_prop:file { getattr open read };
--- a/sepolicy/vendor/credstore.te
+++ b/sepolicy/vendor/credstore.te
+allow credstore secd_exec:file { getattr read };
--- a/sepolicy/vendor/hal_drm_clearkey.te
+++ b/sepolicy/vendor/hal_drm_clearkey.te
@@ -4,3 +4,8 @@ vndbinder_use(hal_drm_clearkey)

 type hal_drm_clearkey_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_drm_clearkey)
+
+allow hal_drm_clearkey hal_drm_hwservice:hwservice_manager { add find };
+allow hal_drm_clearkey hidl_base_hwservice:hwservice_manager add;
+allow hal_drm_clearkey hwservicemanager_prop:file { getattr open read };
+allow hal_drm_clearkey secd_exec:file { getattr read };
--- a/sepolicy/vendor/hal_drm_widevine.te
+++ b/sepolicy/vendor/hal_drm_widevine.te
+allow hal_drm_widevine secd_exec:file { getattr read };
--- a/sepolicy/vendor/hal_dumpstate_impl.te
+++ b/sepolicy/vendor/hal_dumpstate_impl.te
@@ -8,3 +8,4 @@ allow hal_dumpstate_impl hwservicemanager:binder { call transfer };
 allow hal_dumpstate_impl hwservicemanager_prop:file { getattr map open read };
 allow hal_dumpstate_impl hidl_base_hwservice:hwservice_manager add;
 allow hal_dumpstate_impl hal_dumpstate_hwservice:hwservice_manager { add find };
+allow hal_dumpstate_impl secd_exec:file read;
--- a/sepolicy/vendor/hal_fingerprint_default.te
+++ b/sepolicy/vendor/hal_fingerprint_default.te
@@ -19,4 +19,5 @@ allow hal_fingerprint_default diag_data_file:dir search;
 allow hal_fingerprint_default fingerprintd_data_file:dir create_dir_perms;
 allow hal_fingerprint_default sysfs_battery_supply:dir create_dir_perms;
 allow hal_fingerprint_default fingerprintd_data_file:file create_file_perms;
-allow hal_fingerprint_default sysfs_battery_supply:file create_file_perms;
\ No newline at end of file
+allow hal_fingerprint_default sysfs_battery_supply:file create_file_perms;
+allow hal_fingerprint_default secd_exec:file { getattr read };
--- a/sepolicy/vendor/hal_health_default.te
+++ b/sepolicy/vendor/hal_health_default.te
-allow hal_health_default sysfs:file { rw_file_perms };
\ No newline at end of file
+allow hal_health_default sysfs:file { rw_file_perms };
+allow hal_health_default secd_exec:file { getattr read };
--- a/sepolicy/vendor/hal_power_stats_default.te
+++ b/sepolicy/vendor/hal_power_stats_default.te
+allow hal_power_stats_default secd_exec:file { getattr read };
--- a/sepolicy/vendor/init.te
+++ b/sepolicy/vendor/init.te
@@ -53,3 +53,4 @@ allow init hal_fingerprint_hwservice:hwservice_manager { add find };
 allow init iorapd_data_file:file rw_file_perms;
 allow init system_file:dir relabelfrom;
 allow init system_file:file { execute_no_trans relabelfrom };
+allow init sysfs_livedisplay_tuneable:file setattr;
--- a/sepolicy/vendor/iorap_prefetcherd.te
+++ b/sepolicy/vendor/iorap_prefetcherd.te
+allow iorap_prefetcherd secd_exec:file { getattr read };
--- a/sepolicy/vendor/iorapd.te
+++ b/sepolicy/vendor/iorapd.te
+allow iorapd secd_exec:file { getattr read };
--- a/sepolicy/vendor/platform_app.te
+++ b/sepolicy/vendor/platform_app.te
 allow platform_app system_app_data_file:dir getattr;
+allow platform_app exported_camera_prop:file read;
--- a/sepolicy/vendor/system_server.te
+++ b/sepolicy/vendor/system_server.te
@@ -15,3 +15,6 @@ allow system_server default_android_service:service_manager find;
 allow system_server init:binder { call transfer };
 allow system_server exfat:dir rw_dir_perms;
 allow system_server vendor_security_patch_level_prop:file { r_file_perms };
+allow system_server userspace_reboot_config_prop:file { getattr open read };
+allow system_server userspace_reboot_exported_prop:file { getattr open read };
+allow system_server exported_camera_prop:file read;
--- a/sepolicy/vendor/vendor_install_recovery.te
+++ b/sepolicy/vendor/vendor_install_recovery.te
+allow vendor_install_recovery block_device:blk_file { open read };
+allow vendor_install_recovery secd_exec:file { getattr read };
--- a/sepolicy/vendor/vold.te
+++ b/sepolicy/vendor/vold.te
@@ -3,3 +3,4 @@ allow vold firmware_file:dir search;
 allow vold firmware_file:file { getattr open read };
 allow vold secd_exec:file { getattr read };
 allow vold tee_prop:file { r_file_perms };
+allow vold sysfs_mmc_host:file write;
--- a/sepolicy/vendor/zygote.te
+++ b/sepolicy/vendor/zygote.te
 allow zygote proc_cmdline:file { getattr open read };
 allow zygote secd_exec:file { getattr read };
 allow zygote device:file rw_file_perms;
+allow zygote exported_camera_prop:file { getattr open read };