kitakami-common: sepolicy: Labeled some more HALs and addressed them. General clean up.

Change-Id: I2bc5d3a4e90fcb4be3ae6374663be296368b3dfc

kitakami-common: sepolicy: Labeled some more HALs and addressed them. General clean up.
Change-Id: I2bc5d3a4e90fcb4be3ae6374663be296368b3dfc
973e9db1 · Bernhard Thoben · e14474c4 · e14474c4 · e14474c4 · 973e9db1
Commit 973e9db1 authored Nov 21, 2020 by Bernhard Thoben
--- a/sepolicy/vendor/hal_cas_default.te
+++ b/sepolicy/vendor/hal_cas_default.te
-allow hal_cas_default secd_exec:file { getattr read };
--- a/sepolicy/vendor/hal_configstore_default.te
+++ b/sepolicy/vendor/hal_configstore_default.te
-allow hal_configstore_default secd_exec:file { getattr read };
--- a/sepolicy/vendor/hal_drm_clearkey.te
+++ b/sepolicy/vendor/hal_drm_clearkey.te
+type hal_drm_clearkey, domain;
+type hal_drm_clearkey_exec, exec_type, file_type;
+
+# Started by init
+init_daemon_domain(hal_drm_clearkey)
+
+allow hal_drm_clearkey hal_drm_hwservice:hwservice_manager { add find };
+allow hal_drm_clearkey hidl_base_hwservice:hwservice_manager add;
+allow hal_drm_clearkey hwservicemanager:binder { call transfer };
+allow hal_drm_clearkey hwservicemanager_prop:file r_file_perms;
--- a/sepolicy/vendor/hal_drm_default.te
+++ b/sepolicy/vendor/hal_drm_default.te
-allow hal_drm_default secd_exec:file { getattr read };
--- a/sepolicy/vendor/hal_fingerprint_default.te
+++ b/sepolicy/vendor/hal_fingerprint_default.te
-allow hal_fingerprint_default tee_device:chr_file ioctl;
-allow hal_fingerprint_default firmware_file:dir search;
-allow hal_fingerprint_default sysfs:file write;
-allow hal_fingerprint_default tee_device:chr_file { open read write };
-allow hal_fingerprint_default firmware_file:file { getattr open read };
-allow hal_fingerprint_default input_device:chr_file { ioctl open read };
-allow hal_fingerprint_default input_device:dir { open read };
-allow hal_fingerprint_default system_data_file:dir { add_name remove_name write };
-allow hal_fingerprint_default system_data_file:sock_file { create unlink };
+allow hal_fingerprint_default diag_data_file:dir search;
 allow hal_fingerprint_default diag_data_file:sock_file write;
-allow hal_fingerprint_default fpc_data_file:dir { add_name remove_name write };
-allow hal_fingerprint_default fpc_data_file:sock_file { create unlink };
-allow hal_fingerprint_default init:unix_dgram_socket sendto;
-allow hal_fingerprint_default iddd:unix_dgram_socket sendto;
+allow hal_fingerprint_default fingerprintd_data_file:dir create_dir_perms;
+allow hal_fingerprint_default fingerprintd_data_file:file create_file_perms;
+allow hal_fingerprint_default firmware_file:dir search;
+allow hal_fingerprint_default firmware_file:file r_file_perms;
 allow hal_fingerprint_default firmware_file:lnk_file read;
-allow hal_fingerprint_default fpc_data_file:dir search;
-allow hal_fingerprint_default input_device:dir search;
-allow hal_fingerprint_default diag_data_file:dir search;
+allow hal_fingerprint_default fpc_data_file:dir create_dir_perms;
+allow hal_fingerprint_default fpc_data_file:sock_file create_file_perms;
+allow hal_fingerprint_default iddd:unix_dgram_socket sendto;
+allow hal_fingerprint_default init:unix_dgram_socket sendto;
+allow hal_fingerprint_default input_device:chr_file r_file_perms;
+allow hal_fingerprint_default input_device:dir r_dir_perms;
+allow hal_fingerprint_default sysfs:file write;
+allow hal_fingerprint_default sysfs_battery_supply:dir search;
+allow hal_fingerprint_default sysfs_battery_supply:file r_file_perms;
+allow hal_fingerprint_default system_data_file:dir create_dir_perms;
+allow hal_fingerprint_default system_data_file:sock_file create_file_perms;
+allow hal_fingerprint_default tee_device:chr_file ioctl;
+allow hal_fingerprint_default tee_device:chr_file rw_file_perms;
--- a/sepolicy/vendor/hal_graphics_allocator_default.te
+++ b/sepolicy/vendor/hal_graphics_allocator_default.te
-allow hal_graphics_allocator_default sysfs_graphics:file { getattr open read };
-allow hal_graphics_allocator_default secd_exec:file { getattr read };
+allow hal_graphics_allocator_default sysfs_graphics:file r_file_perms;
--- a/sepolicy/vendor/hal_keymaster_qti.te
+++ b/sepolicy/vendor/hal_keymaster_qti.te
-allow hal_keymaster_qti secd_exec:file { getattr read };
--- a/sepolicy/vendor/hal_light_default.te
+++ b/sepolicy/vendor/hal_light_default.te
-allow hal_light_default secd_exec:file { getattr read };
-allow hal_light_default sysfs:file { open read write };
+allow hal_light_default sysfs:file rw_file_perms;
--- a/sepolicy/vendor/hal_lineage_livedisplay_qti.te
+++ b/sepolicy/vendor/hal_lineage_livedisplay_qti.te
 allow hal_lineage_livedisplay_qti ppd:unix_stream_socket connectto;
-allow hal_lineage_livedisplay_qti secd_exec:file { getattr read };
--- a/sepolicy/vendor/hal_lineage_livedisplay_sysfs.te
+++ b/sepolicy/vendor/hal_lineage_livedisplay_sysfs.te
 allow hal_lineage_livedisplay_sysfs ppd:unix_stream_socket connectto;
-allow hal_lineage_livedisplay_sysfs secd_exec:file { getattr read };
--- a/sepolicy/vendor/hal_lineage_trust_default.te
+++ b/sepolicy/vendor/hal_lineage_trust_default.te
-allow hal_lineage_trust_default secd_exec:file { getattr read };
--- a/sepolicy/vendor/hal_memtrack_default.te
+++ b/sepolicy/vendor/hal_memtrack_default.te
-allow hal_memtrack_default secd_exec:file { getattr read };
--- a/sepolicy/vendor/hal_power_default.te
+++ b/sepolicy/vendor/hal_power_default.te
-allow hal_power_default sysfs:file { open write };
-allow hal_power_default secd_exec:file { getattr read };
+allow hal_power_default sysfs:file rw_file_perms;
--- a/sepolicy/vendor/hal_usb_default.te
+++ b/sepolicy/vendor/hal_usb_default.te
-allow hal_usb_default secd_exec:file { getattr read };
--- a/sepolicy/vendor/hal_wifi_default.te
+++ b/sepolicy/vendor/hal_wifi_default.te
-allow hal_wifi_default firmware_file:file { open read };
+allow hal_wifi_default firmware_file:dir search;
+allow hal_wifi_default firmware_file:file r_file_perms;
 allow hal_wifi_default sysfs:file write;
-allow hal_wifi_default system_data_file:file { open read };
+allow hal_wifi_default system_data_file:file r_file_perms;
 allow hal_wifi_default ta_data_file:dir search;
-allow hal_wifi_default ta_data_file:file { open read };
-allow hal_wifi_default firmware_file:dir search;
-allow hal_wifi_default secd_exec:file { getattr read };
+allow hal_wifi_default ta_data_file:file r_file_perms;
--- a/sepolicy/vendor/hal_wifi_supplicant_default.te
+++ b/sepolicy/vendor/hal_wifi_supplicant_default.te
-allow hal_wifi_supplicant_default secd_exec:file { getattr read };
--- a/sepolicy/vendor/healthd.te
+++ b/sepolicy/vendor/healthd.te
-allow healthd sysfs:file { getattr open read };
-allow healthd secd_exec:file { getattr read };
+allow healthd sysfs:file r_file_perms;
--- a/sepolicy/vendor/hwservicemanager.te
+++ b/sepolicy/vendor/hwservicemanager.te
+allow hwservicemanager hal_drm_clearkey:dir search;
+allow hwservicemanager hal_drm_clearkey:file r_file_perms;
+allow hwservicemanager hal_drm_clearkey:process getattr;
 allow hwservicemanager init:dir search;
-allow hwservicemanager init:file { open read };
+allow hwservicemanager init:file r_file_perms;
 allow hwservicemanager init:process getattr;
-allow hwservicemanager secd_exec:file { getattr read };
--- a/sepolicy/vendor/iddd.te
+++ b/sepolicy/vendor/iddd.te
@@ -5,16 +5,10 @@ type iddd_exec, exec_type, file_type;
 # Started by init
 init_daemon_domain(iddd)

-allow iddd diag_data_file:dir { add_name search write };
-allow iddd diag_data_file:file { create lock open read write };
-allow iddd diag_data_file:dir { getattr open read remove_name };
-allow iddd diag_data_file:file { getattr rename unlink };
-allow iddd diag_data_file:sock_file { create setattr };
+allow iddd diag_data_file:dir create_dir_perms;
+allow iddd diag_data_file:file create_file_perms;
+allow iddd diag_data_file:sock_file create_file_perms;
+allow iddd firmware_file:dir search;
 allow iddd socket_device:sock_file write;
-allow iddd diag_data_file:sock_file unlink;
 allow iddd tad:unix_stream_socket connectto;
 allow iddd tad_socket:sock_file write;
-allow iddd diag_data_file:dir { create rmdir };
-allow iddd diag_data_file:sock_file write;
-allow iddd firmware_file:dir search;
-allow iddd secd_exec:file { getattr read };
--- a/sepolicy/vendor/idmap.te
+++ b/sepolicy/vendor/idmap.te
-allow idmap secd_exec:file { getattr read };