Commit 973e9db1 authored by Bernhard Thoben's avatar Bernhard Thoben

kitakami-common: sepolicy: Labeled some more HALs and addressed them. General clean up.

Change-Id: I2bc5d3a4e90fcb4be3ae6374663be296368b3dfc
parent e14474c4
allow adbd secd_exec:file { getattr read };
allow adsprpcd secd_exec:file { getattr read };
allow apexd secd_exec:file { getattr read };
allow ashmemd secd_exec:file { getattr read };
allow audioserver tad_socket:sock_file write;
allow audioserver perfd:unix_stream_socket connectto;
allow audioserver socket_device:sock_file write;
allow audioserver secd_exec:file { getattr read };
allow audioserver tad_socket:sock_file write;
allow bootanim secd_exec:file { getattr read };
allow bootstat secd_exec:file { getattr read };
allow cameraserver camera_data_file:sock_file write;
allow cameraserver gpu_device:chr_file rw_file_perms;
allow cameraserver perfd:unix_stream_socket connectto;
allow cameraserver rootfs:lnk_file getattr;
allow cameraserver sysfs_camera_torch:file rw_file_perms;
allow cameraserver sysfs_camera_torch:dir search;
allow cameraserver sysfs_camera_torch:lnk_file read;
allow cameraserver ta_data_file:dir search;
allow cameraserver secd_socket:sock_file write;
allow cameraserver hal_configstore_ISurfaceFlingerConfigs:hwservice_manager find;
allow cameraserver hal_configstore_default:binder call;
allow cameraserver socket_device:sock_file write;
allow cameraserver sysfs_graphics:file { getattr open read };
allow cameraserver hal_configstore_ISurfaceFlingerConfigs:hwservice_manager find;
allow cameraserver init:unix_dgram_socket sendto;
allow cameraserver perfd:unix_stream_socket connectto;
allow cameraserver qcamerasvr:unix_dgram_socket sendto;
allow cameraserver qcamerasvr:unix_stream_socket connectto;
allow cameraserver rootfs:lnk_file getattr;
allow cameraserver secd_socket:sock_file write;
allow cameraserver secd:unix_stream_socket connectto;
allow cameraserver secd_exec:file { getattr read };
allow cameraserver socket_device:sock_file write;
allow cameraserver sysfs_battery_supply:dir search;
allow cameraserver sysfs_battery_supply:file { getattr open read };
allow cameraserver sysfs_battery_supply:file r_file_perms;
allow cameraserver sysfs_camera_torch:dir search;
allow cameraserver sysfs_camera_torch:file rw_file_perms;
allow cameraserver sysfs_camera_torch:lnk_file read;
allow cameraserver sysfs_graphics:file r_file_perms;
allow cameraserver ta_data_file:dir search;
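Review bot: `allow cameraserver socket_device:sock_file write;` and `allow cameraserver init:unix_dgram_socket sendto;` both grant access through generic labels, which usually means the socket being reached has no file_contexts entry or its owning daemon still runs as `init`. A write on `socket_device` covers every unlabeled socket under /dev/socket, not only the one the camera stack needs. Giving that socket its own type in file_contexts and granting write on that type keeps the rule scoped. The same `socket_device:sock_file write` rule appears for audioserver and hal_camera_default. Which lines are on the new side is inferred here, because the rendered page has lost its +/- markers.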
allow charger device:dir r_dir_perms;
allow charger self:capability { dac_override dac_read_search };
allow charger sysfs_battery_supply:file r_file_perms;
allow charger sysfs:file { open read getattr };
allow charger sysfs_usb_supply:file { open read getattr };
allow charger sysfs_battery_supply:file { open read getattr };
allow charger device:dir { open read };
allow charger sysfs_usb_supply:file r_file_perms;
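Review bot: `allow charger self:capability { dac_override dac_read_search };` appears to survive this clean-up unchanged, and the fsck section carries the same rule. `dac_override` lets the domain ignore file ownership and mode bits entirely, so it normally hides a wrong owner or mode on the node being opened rather than reflecting a real need. Fixing the ownership of the supply nodes (init.rc or ueventd rules) and dropping the capability would be the tighter outcome. The neighbouring `allow charger sysfs:file { open read getattr };` also targets the generic sysfs label; the labelled `sysfs_battery_supply` and `sysfs_usb_supply` rules may already cover what charger reads.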
type trim_area_partition_device, dev_type;
type diag_partition_device, dev_type;
type subsys_modem_device, dev_type;
type trim_area_partition_device, dev_type;
allow drmserver secd_exec:file { getattr read };
# TAD
type tad_socket, file_type;
type ta_data_file, file_type;
type secd_socket, file_type;
type fpc_data_file, file_type;
type proc_kernel_sched, fs_type;
type secd_data_file, file_type;
# Timekeep
type timekeep_data_file, file_type, data_file_type;
type sysfs_timekeep, fs_type, sysfs_type;
# Macaddr
type secd_socket, file_type;
type sysfs_addrsetup, fs_type, sysfs_type;
type proc_kernel_sched, fs_type;
type sysfs_camera, sysfs_type, fs_type;
type sysfs_camera_torch, sysfs_type, file_type;
type sysfs_performance, sysfs_type, fs_type;
type sysfs_msm_subsys, sysfs_type, fs_type;
# Fingerprint
type fpc_data_file, file_type;
# Camera
type sysfs_camera, sysfs_type, fs_type;
type sysfs_performance, sysfs_type, fs_type;
type sysfs_timekeep, fs_type, sysfs_type;
type ta_data_file, file_type;
type tad_socket, file_type;
type timekeep_data_file, file_type, data_file_type;
......@@ -19,6 +19,10 @@
/sys/devices/platform/bcmdhd_wlan/macaddr u:object_r:sysfs_addrsetup:s0
/sys/devices(/soc\.0)?/bcmdhd_wlan.83/macaddr u:object_r:sysfs_addrsetup:s0
# DRM
/(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.2-service.clearkey u:object_r:hal_drm_clearkey_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.1-service.widevine u:object_r:hal_drm_widevine_exec:s0
# Camera
/sys/devices(/soc\.0)?/pmi8994-flash-27(/.*)? u:object_r:sysfs_camera_torch:s0
......@@ -36,6 +40,9 @@
/data/fpc(/.*)? u:object_r:fpc_data_file:s0
/data/fpcd(/.*)? u:object_r:fpc_data_file:s0
# Fingerprint
/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service.kitakami u:object_r:hal_fingerprint_default_exec:s0
# TA
/dev/socket/tad u:object_r:tad_socket:s0
/dev/socket/secd_credmgr_sock u:object_r:secd_socket:s0
......
allow flags_health_check alarm_boot_prop:file { getattr open };
allow flags_health_check alarm_handled_prop:file { getattr open };
allow flags_health_check crash_prop:file { getattr open };
allow flags_health_check ctl_LKCore_prop:file { getattr open };
allow flags_health_check ctl_adbd_prop:file { getattr open };
allow flags_health_check ctl_interface_start_prop:file { getattr open };
allow flags_health_check alarm_boot_prop:file r_file_perms;
allow flags_health_check alarm_handled_prop:file r_file_perms;
allow flags_health_check alarm_instance_prop:file r_file_perms;
allow flags_health_check apexd_prop:file r_file_perms;
allow flags_health_check bg_boot_complete_prop:file r_file_perms;
allow flags_health_check crash_prop:file r_file_perms;
allow flags_health_check ctl_adbd_prop:file r_file_perms;
allow flags_health_check ctl_interface_start_prop:file r_file_perms;
allow flags_health_check ctl_interface_stop_prop:file open;
allow flags_health_check ctl_LKCore_prop:file r_file_perms;
allow flags_health_check ctl_vendor_wigigsvc_prop:file open;
allow flags_health_check qemu_gles_prop:file getattr;
allow flags_health_check qti_prop:file open;
allow flags_health_check scr_enabled_prop:file getattr;
allow flags_health_check sdm_idle_time_prop:file { getattr open };
allow flags_health_check sensors_prop:file { getattr open };
allow flags_health_check serialno_prop:file { getattr open };
allow flags_health_check spcomlib_prop:file { getattr open };
allow flags_health_check sys_usb_configfs_prop:file { getattr open };
allow flags_health_check sys_usb_controller_prop:file { getattr open };
allow flags_health_check sys_usb_tethering_prop:file { getattr open };
allow flags_health_check system_boot_reason_prop:file { getattr open };
allow flags_health_check system_lmk_prop:file { getattr open };
allow flags_health_check test_boot_reason_prop:file { getattr open };
allow flags_health_check alarm_instance_prop:file { getattr open };
allow flags_health_check apexd_prop:file { getattr open };
allow flags_health_check bg_boot_complete_prop:file { getattr open };
allow flags_health_check secd_exec:file { getattr read };
allow flags_health_check sdm_idle_time_prop:file r_file_perms;
allow flags_health_check sensors_prop:file r_file_perms;
allow flags_health_check serialno_prop:file r_file_perms;
allow flags_health_check spcomlib_prop:file r_file_perms;
allow flags_health_check system_boot_reason_prop:file r_file_perms;
allow flags_health_check system_lmk_prop:file r_file_perms;
allow flags_health_check sys_usb_configfs_prop:file r_file_perms;
allow flags_health_check sys_usb_controller_prop:file r_file_perms;
allow flags_health_check sys_usb_tethering_prop:file r_file_perms;
allow flags_health_check test_boot_reason_prop:file r_file_perms;
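Review bot: The macro conversion in the flags_health_check rules is not behaviour-neutral: entries that granted only `{ getattr open }` now grant `r_file_perms`, which adds `read` (plus ioctl and lock). The domain can therefore read the contents of `serialno_prop`, `ctl_adbd_prop` and the other listed property files, where before it could only stat and open them. The old/new assignment is inferred from the rendered page, where the +/- markers are lost. If the denials come from the process merely enumerating properties, keeping the narrow set or using `dontaudit` is tighter; where a read is really needed, `get_prop(flags_health_check, <prop_type>)` is the usual form. `serialno_prop` holds a device identifier, so confirm the build's neverallow checks still pass with this rule.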
allow fsck diag_partition_device:blk_file { read write };
allow fsck diag_partition_device:blk_file rw_file_perms;
allow fsck persist_file:dir getattr;
allow fsck self:capability { dac_override dac_read_search };
allow fsck secd_exec:file { getattr read };
allow fsck tmpfs:blk_file getattr;
allow fsck persist_file:dir getattr;
allow gatekeeperd tee_prop:file { getattr open read };
allow gatekeeperd secd_exec:file { getattr read };
allow gatekeeperd tee_prop:file r_file_perms;
allow gpuservice secd_exec:file { getattr read };
allow hal_audio_default tad_socket:sock_file { create_file_perms write };
allow hal_audio_default secd_exec:file { getattr read };
allow hal_audio_default tad_socket:sock_file create_file_perms;
allow hal_audio_default tad:unix_stream_socket connectto;
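Review bot: `allow hal_audio_default tad_socket:sock_file create_file_perms;` grants create, rename, setattr and unlink on the trim-area daemon's socket node, yet the only other rule here is `connectto`, so the HAL looks like a plain client. A client needs only `write` on the sock_file, so as written the audio HAL could replace or remove the socket other services connect to. Consider `unix_socket_connect(hal_audio_default, tad, tad)`, which expands to exactly the sock_file `write` plus the stream `connectto`.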
allow hal_bluetooth_default firmware_file:file { open read };
allow hal_bluetooth_default sysfs:file write;
allow hal_bluetooth_default system_data_file:file { open read };
allow hal_bluetooth_default firmware_file:dir search;
allow hal_bluetooth_default firmware_file:file r_file_perms;
allow hal_bluetooth_default sysfs:file write;
allow hal_bluetooth_default system_data_file:file r_file_perms;
allow hal_bluetooth_default ta_data_file:dir search;
allow hal_bluetooth_default ta_data_file:file { open read };
allow hal_bluetooth_default secd_exec:file { getattr read };
allow hal_bluetooth_default ta_data_file:file r_file_perms;
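Review bot: `allow hal_bluetooth_default sysfs:file write;` and `allow hal_bluetooth_default system_data_file:file r_file_perms;` both target catch-all labels. The first lets the Bluetooth HAL write any sysfs node that has no specific type, and the second lets it read any file under /data that still carries the default label. The HAL presumably needs one power or rfkill node and one address or config file; giving those paths their own types in file_contexts and granting on those types would scope the access. A vendor HAL touching `system_data_file` may also conflict with the platform's core/vendor data-separation neverallows; that is worth checking against the target sepolicy.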
allow hal_camera_default camera_data_file:sock_file write;
allow hal_camera_default hal_configstore_ISurfaceFlingerConfigs:hwservice_manager find;
allow hal_camera_default hal_configstore_default:binder call;
allow hal_camera_default hal_configstore_ISurfaceFlingerConfigs:hwservice_manager find;
allow hal_camera_default socket_device:sock_file write;