Commit 973e9db1 authored by Bernhard Thoben's avatar Bernhard Thoben

kitakami-common: sepolicy: Labeled some more HALs and addressed them. General clean up.

Change-Id: I2bc5d3a4e90fcb4be3ae6374663be296368b3dfc
parent e14474c4
allow incidentd secd_exec:file { getattr read };
......@@ -4,35 +4,25 @@ type init-power-sh_exec, exec_type, file_type;
# Started by init
init_daemon_domain(init-power-sh)
allow init-power-sh file_contexts_file:file r_file_perms;
allow init-power-sh proc:file rw_file_perms;
allow init-power-sh proc_kernel_sched:file w_file_perms;
allow init-power-sh shell_exec:file r_file_perms;
allow init-power-sh sysfs_cpu_boost:dir search;
allow init-power-sh sysfs_cpu_boost:file rw_file_perms;
allow init-power-sh sysfs_devices_system_cpu:{ dir file lnk_file } relabelto;
allow init-power-sh sysfs_devices_system_cpu:file w_file_perms;
allow init-power-sh sysfs:{ dir file lnk_file } relabelfrom;
allow init-power-sh sysfs:dir { open read };
allow init-power-sh sysfs:file rw_file_perms;
allow init-power-sh sysfs_kgsl:file rw_file_perms;
allow init-power-sh sysfs_msm_perf:dir search;
allow init-power-sh sysfs_msm_perf:file rw_file_perms;
allow init-power-sh sysfs_performance:dir r_dir_perms;
allow init-power-sh sysfs_performance:file w_file_perms;
allow init-power-sh sysfs_rqstats:dir r_dir_perms;
allow init-power-sh sysfs_rqstats:file r_file_perms;
allow init-power-sh sysfs_thermal:dir r_dir_perms;
allow init-power-sh sysfs_thermal:file rw_file_perms;
allow init-power-sh proc_kernel_sched:file w_file_perms;
allow init-power-sh sysfs_rqstats:dir read;
allow init-power-sh proc:file write;
allow init-power-sh sysfs_rqstats:dir {r_dir_perms open};
allow init-power-sh sysfs_rqstats:file r_file_perms;
# allow labeling of interactive /sys files created post-initial restorecon
allow init-power-sh sysfs:{ dir file lnk_file } relabelfrom;
allow init-power-sh sysfs_devices_system_cpu:{ dir file lnk_file } relabelto;
# allow writes to sysfs files that have not yet been labeled
allow init-power-sh sysfs:file rw_file_perms;
allow init-power-sh sysfs_usb:file w_file_perms;
# execute toybox/toolbox
allow init-power-sh toolbox_exec:file rx_file_perms;
allow init-power-sh sysfs:dir { open read };
allow init-power-sh sysfs_kgsl:file { open write };
allow init-power-sh file_contexts_file:file { getattr open read };
allow init-power-sh sysfs_msm_perf:dir search;
allow init-power-sh sysfs_msm_perf:file { open write };
allow init-power-sh proc:file open;
allow init-power-sh sysfs_cpu_boost:dir search;
allow init-power-sh sysfs_cpu_boost:file { open write };
allow init-power-sh secd_exec:file { getattr read };
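Review bot: The macro forms in this section grant more than the explicit sets they appear to replace, assuming the `rw_file_perms` lines are the new side (the rendered page has lost its +/- markers). `proc:file` goes from `write` plus `open` to `rw_file_perms`, and the `sysfs_kgsl`, `sysfs_msm_perf` and `sysfs_cpu_boost` files go from `{ open write }` to `rw_file_perms`, which adds read, getattr and ioctl on nodes the script previously only wrote to. `w_file_perms` is the closer equivalent, e.g. `allow init-power-sh sysfs_kgsl:file w_file_perms;`, and the generic `proc:file` grant would be tighter against a dedicated proc type like the `proc_kernel_sched` already used here. The `device:file rw_file_perms` rules for installd and netd further down the page widen `{ open write }` in the same way.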
#For sdcard
allow init tmpfs:lnk_file create_file_perms;
allow init proc_kernel_sched:file write;
allow init proc_dirty_ratio:file write;
allow init persist_file:dir mounton;
allow init debugfs:file w_file_perms;
#TAD
allow init tad_socket:sock_file create;
#Torch
allow init sysfs_camera_torch:lnk_file read;
allow init trim_area_partition_device:blk_file { write setattr };
allow init block_device:blk_file setattr;
allow init socket_device:sock_file { create setattr };
allow init socket_device:sock_file unlink;
allow init cameraserver:fd use;
allow init debugfs:file w_file_perms;
allow init diag_data_file:dir mounton;
allow init diag_data_file:file { lock rename };
allow init diag_data_file:sock_file write;
allow init ion_device:chr_file ioctl;
allow init property_socket:sock_file write;
allow init rpmb_device:blk_file write;
allow init self:capability2 block_suspend;
allow init self:socket { read write };
allow init ssd_device:blk_file write;
allow init tad_socket:sock_file write;
allow init tee_device:chr_file { ioctl write };
allow init video_device:chr_file { ioctl write };
allow init secd_data_file:file { ioctl lock };
allow init servicemanager:binder call;
allow init vfat:file { getattr open read };
allow init proc_interrupts:file getattr;
allow init diag_data_file:dir mounton;
allow init fingerprintd_data_file:file rename;
allow init hal_drm_hwservice:hwservice_manager add;
allow init hal_fingerprint_hwservice:hwservice_manager add;
allow init hal_light_hwservice:hwservice_manager add;
allow init hidl_base_hwservice:hwservice_manager add;
allow init hwservicemanager:binder { call transfer };
allow init iddd:unix_dgram_socket sendto;
allow init ion_device:chr_file { open read };
allow init ion_device:chr_file r_file_perms;
allow init persist_file:dir mounton;
allow init proc_dirty_ratio:file write;
allow init proc:file write;
allow init sysfs:file { open read setattr write };
allow init sysfs_battery_supply:file { open read };
allow init sysfs_graphics:file { open read write };
allow init tee_device:chr_file { open read };
allow init vendor_file:file execute_no_trans;
allow init vndbinder_device:chr_file { ioctl open read write };
allow init fingerprintd_data_file:file rename;
allow init system_server:binder call;
allow init proc_interrupts:file getattr;
allow init proc_kernel_sched:file write;
allow init property_socket:sock_file write;
allow init rpmb_device:blk_file write;
allow init secd_data_file:file r_file_perms;
allow init self:capability2 block_suspend;
allow init self:socket create_socket_perms;
allow init servicemanager:binder call;
allow init socket_device:sock_file create_file_perms;
allow init ssd_device:blk_file write;
allow init sysfs_battery_supply:file r_file_perms;
allow init sysfs_camera_torch:lnk_file read;
allow init sysfs:file create_file_perms;
allow init sysfs_graphics:file rw_file_perms;
allow init sysfs_livedisplay_tuneable:file setattr;
allow init system_server:binder call;
allow init tad_socket:sock_file rw_file_perms;
allow init tee_device:chr_file rw_file_perms;
allow init tmpfs:lnk_file create_file_perms;
allow init trim_area_partition_device:blk_file create_file_perms;
allow init vendor_file:file execute_no_trans;
allow init vfat:file r_file_perms;
allow init video_device:chr_file rw_file_perms;
allow init vndbinder_device:chr_file rw_file_perms;
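Review bot: `allow init trim_area_partition_device:blk_file create_file_perms;` and `allow init sysfs:file create_file_perms;` give init create, rename and unlink plus full read/write where the explicit rules listed only `{ write setattr }` and `{ open read setattr write }`; this reads the macro lines as the new side, which the rendered page no longer marks. If the old sets were what the denials required, keep them explicit (`{ write setattr }` on the partition) rather than rounding up to the create macro on a raw block device and on the generic sysfs label. `self:socket create_socket_perms` widens `{ read write }` in the same way. In the other direction, `tad_socket:sock_file rw_file_perms` does not include `create`, which the old `allow init tad_socket:sock_file create;` granted, so confirm the socket is still created by a domain that is allowed to.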
allow installd device:file { open write };
allow installd secd_exec:file { getattr read };
allow installd device:file rw_file_perms;
allow irsc_util secd_exec:file { getattr read };
allow kernel block_device:blk_file rw_file_perms;
allow kernel device:dir create_dir_perms;
allow kernel tmpfs:file create_file_perms;
allow kernel self:socket create;
allow kernel tmpfs:dir create_dir_perms;
allow kernel block_device:blk_file rw_file_perms;
allow kernel tmpfs:file create_file_perms;
allow kernel touchfusion_exec:file relabelto;
allow kernel self:socket create;
allow keystore tee_prop:file { getattr open read };
allow keystore secd_exec:file { getattr read };
allow keystore tee_prop:file r_file_perms;
allow lmkd secd_exec:file { getattr read };
......@@ -4,12 +4,9 @@ type loc_launcher_exec, exec_type, file_type;
init_daemon_domain(loc_launcher)
allow loc_launcher self:capability setuid;
allow loc_launcher system_data_file:dir { add_name remove_name write };
allow loc_launcher system_data_file:sock_file { create setattr unlink };
allow loc_launcher location_data_file:dir { add_name remove_name write };
allow loc_launcher location_data_file:sock_file { create setattr };
allow loc_launcher location_data_file:dir rw_dir_perms;
allow loc_launcher location_data_file:sock_file create_file_perms;
allow loc_launcher location_socket:sock_file unlink;
allow loc_launcher location_data_file:sock_file unlink;
allow loc_launcher location_data_file:dir search;
allow loc_launcher secd_exec:file { getattr read };
allow loc_launcher self:capability setuid;
allow loc_launcher system_data_file:dir rw_dir_perms;
allow loc_launcher system_data_file:sock_file create_file_perms;
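Review bot: `allow loc_launcher system_data_file:dir rw_dir_perms;` and `allow loc_launcher system_data_file:sock_file create_file_perms;` keep loc_launcher creating sockets under the generic `system_data_file` label, and the macros add read, open and rename beyond the old `{ add_name remove_name write }` and `{ create setattr unlink }` (assuming the macro lines are the new side). The section already carries `location_data_file` rules for the same dir and sock_file classes, so labelling the socket directory as `location_data_file` in file_contexts would let the two `system_data_file` rules be dropped instead of widened. Whether that directory is already labelled cannot be seen from this page.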
allow logd secd_exec:file { getattr read };
allow mediacodec mpctl_socket:dir search;
allow mediacodec perfd:unix_stream_socket connectto;
allow mediacodec socket_device:sock_file write;
allow mediacodec secd_exec:file { getattr read };
allow mediadrmserver secd_exec:file { getattr read };
allow mediaextractor secd_exec:file { getattr read };
allow mediametrics secd_exec:file { getattr read };
allow mediaserver hal_configstore_ISurfaceFlingerConfigs:hwservice_manager find;
allow mediaserver sensorservice_service:service_manager find;
allow mediaserver sysfs_graphics:file { getattr open read };
allow mediaserver sysfs_graphics:file r_file_perms;
allow mediaserver system_server:unix_stream_socket read;
allow mediaserver secd_exec:file { getattr read };
allow mediaswcodec servicemanager:binder call;
allow mediaswcodec secd_exec:file { getattr read };
......@@ -12,4 +12,3 @@ allowxperm mlog_qmi_service self:socket ioctl msm_sock_ipc_ioctls;
# Allow mlog_qmi_service to use net_raw capability
allow mlog_qmi_service self:capability net_raw;
allow mlog_qmi_service secd_exec:file { getattr read };
......@@ -5,10 +5,8 @@ type msm_irqbalance_exec, exec_type, file_type;
# Started by init
init_daemon_domain(msm_irqbalance)
allow msm_irqbalance proc:file { getattr open read write };
allow msm_irqbalance self:capability dac_override;
allow msm_irqbalance proc:file rw_file_perms;
allow msm_irqbalance proc_interrupts:file r_file_perms;
allow msm_irqbalance proc_stat:file r_file_perms;
allow msm_irqbalance self:capability { dac_override setgid setuid };
allow msm_irqbalance sysfs_devices_system_cpu:file write;
allow msm_irqbalance self:capability { setgid setuid };
allow msm_irqbalance proc_interrupts:file { getattr open read };
allow msm_irqbalance proc_stat:file { getattr open read };
allow msm_irqbalance secd_exec:file { getattr read };
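Review bot: `allow msm_irqbalance self:capability { dac_override setgid setuid };` folds `dac_override` into the merged rule without recording why the daemon needs it. A `dac_override` denial usually means the service's uid/gid does not match the ownership of the files it opens, so the narrower fix is to set the user/group or node ownership in the init rc and drop the capability. If it has to stay, add a comment above the rule, e.g. `# dac_override: <reason>`. netmgrd's `self:capability dac_override` at the end of the page is in the same position.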
allow netd device:file { open write };
allow netd secd_exec:file { getattr read };
allow netd device:file rw_file_perms;
allow netmgrd self:capability dac_override;
allow netmgrd toolbox_exec:file { execute execute_no_trans getattr open read };
allow netmgrd net_data_file:dir read;
allow netmgrd secd_exec:file { getattr read };
allow netmgrd self:capability dac_override;
allow netmgrd toolbox_exec:file rx_file_perms;