kitakami-common: sepolicy: Labeled some more HALs and addressed them. General clean up.

Change-Id: I2bc5d3a4e90fcb4be3ae6374663be296368b3dfc

kitakami-common: sepolicy: Labeled some more HALs and addressed them. General clean up.
Change-Id: I2bc5d3a4e90fcb4be3ae6374663be296368b3dfc
973e9db1 · Bernhard Thoben · e14474c4 · e14474c4 · 973e9db1 · 973e9db1
Commit 973e9db1 authored Nov 21, 2020 by Bernhard Thoben
--- a/sepolicy/vendor/incidentd.te
+++ b/sepolicy/vendor/incidentd.te
-allow incidentd secd_exec:file { getattr read };
--- a/sepolicy/vendor/init-power-sh.te
+++ b/sepolicy/vendor/init-power-sh.te
@@ -4,35 +4,25 @@ type init-power-sh_exec, exec_type, file_type;
 # Started by init
 init_daemon_domain(init-power-sh)

+allow init-power-sh file_contexts_file:file r_file_perms;
+allow init-power-sh proc:file rw_file_perms;
+allow init-power-sh proc_kernel_sched:file w_file_perms;
 allow init-power-sh shell_exec:file r_file_perms;
+allow init-power-sh sysfs_cpu_boost:dir search;
+allow init-power-sh sysfs_cpu_boost:file rw_file_perms;
+allow init-power-sh sysfs_devices_system_cpu:{ dir file lnk_file } relabelto;
 allow init-power-sh sysfs_devices_system_cpu:file w_file_perms;
+allow init-power-sh sysfs:{ dir file lnk_file } relabelfrom;
+allow init-power-sh sysfs:dir { open read };
+allow init-power-sh sysfs:file rw_file_perms;
+allow init-power-sh sysfs_kgsl:file rw_file_perms;
+allow init-power-sh sysfs_msm_perf:dir search;
+allow init-power-sh sysfs_msm_perf:file rw_file_perms;
 allow init-power-sh sysfs_performance:dir r_dir_perms;
 allow init-power-sh sysfs_performance:file w_file_perms;
+allow init-power-sh sysfs_rqstats:dir r_dir_perms;
+allow init-power-sh sysfs_rqstats:file r_file_perms;
 allow init-power-sh sysfs_thermal:dir r_dir_perms;
 allow init-power-sh sysfs_thermal:file rw_file_perms;
-allow init-power-sh proc_kernel_sched:file w_file_perms;
-allow init-power-sh sysfs_rqstats:dir read;
-allow init-power-sh proc:file write;
-allow init-power-sh sysfs_rqstats:dir {r_dir_perms open};
-allow init-power-sh sysfs_rqstats:file r_file_perms;
-
-# allow labeling of interactive /sys files created post-initial restorecon
-allow init-power-sh sysfs:{ dir file lnk_file } relabelfrom;
-allow init-power-sh sysfs_devices_system_cpu:{ dir file lnk_file } relabelto;
-
-# allow writes to sysfs files that have not yet been labeled
-allow init-power-sh sysfs:file rw_file_perms;
 allow init-power-sh sysfs_usb:file w_file_perms;
-
-# execute toybox/toolbox
 allow init-power-sh toolbox_exec:file rx_file_perms;
-
-allow init-power-sh sysfs:dir { open read };
-allow init-power-sh sysfs_kgsl:file { open write };
-allow init-power-sh file_contexts_file:file { getattr open read };
-allow init-power-sh sysfs_msm_perf:dir search;
-allow init-power-sh sysfs_msm_perf:file { open write };
-allow init-power-sh proc:file open;
-allow init-power-sh sysfs_cpu_boost:dir search;
-allow init-power-sh sysfs_cpu_boost:file { open write };
-allow init-power-sh secd_exec:file { getattr read };
--- a/sepolicy/vendor/init.te
+++ b/sepolicy/vendor/init.te
-#For sdcard
-allow init tmpfs:lnk_file create_file_perms;
-allow init proc_kernel_sched:file write;
-allow init proc_dirty_ratio:file write;
-allow init persist_file:dir mounton;
-allow init debugfs:file w_file_perms;
-
-#TAD
-allow init tad_socket:sock_file create;
-
-#Torch
-allow init sysfs_camera_torch:lnk_file read;
-
-allow init trim_area_partition_device:blk_file { write setattr };
 allow init block_device:blk_file setattr;
-allow init socket_device:sock_file { create setattr };
-allow init socket_device:sock_file unlink;
 allow init cameraserver:fd use;
+allow init debugfs:file w_file_perms;
+allow init diag_data_file:dir mounton;
 allow init diag_data_file:file { lock rename };
 allow init diag_data_file:sock_file write;
-allow init ion_device:chr_file ioctl;
-allow init property_socket:sock_file write;
-allow init rpmb_device:blk_file write;
-allow init self:capability2 block_suspend;
-allow init self:socket { read write };
-allow init ssd_device:blk_file write;
-allow init tad_socket:sock_file write;
-allow init tee_device:chr_file { ioctl write };
-allow init video_device:chr_file { ioctl write };
-allow init secd_data_file:file { ioctl lock };
-allow init servicemanager:binder call;
-allow init vfat:file { getattr open read };
-allow init proc_interrupts:file getattr;
-allow init diag_data_file:dir mounton;
+allow init fingerprintd_data_file:file rename;
 allow init hal_drm_hwservice:hwservice_manager add;
 allow init hal_fingerprint_hwservice:hwservice_manager add;
 allow init hal_light_hwservice:hwservice_manager add;
 allow init hidl_base_hwservice:hwservice_manager add;
 allow init hwservicemanager:binder { call transfer };
 allow init iddd:unix_dgram_socket sendto;
-allow init ion_device:chr_file { open read };
+allow init ion_device:chr_file r_file_perms;
+allow init persist_file:dir mounton;
+allow init proc_dirty_ratio:file write;
 allow init proc:file write;
-allow init sysfs:file { open read setattr write };
-allow init sysfs_battery_supply:file { open read };
-allow init sysfs_graphics:file { open read write };
-allow init tee_device:chr_file { open read };
-allow init vendor_file:file execute_no_trans;
-allow init vndbinder_device:chr_file { ioctl open read write };
-allow init fingerprintd_data_file:file rename;
-allow init system_server:binder call;
+allow init proc_interrupts:file getattr;
+allow init proc_kernel_sched:file write;
+allow init property_socket:sock_file write;
+allow init rpmb_device:blk_file write;
+allow init secd_data_file:file r_file_perms;
+allow init self:capability2 block_suspend;
+allow init self:socket create_socket_perms;
+allow init servicemanager:binder call;
+allow init socket_device:sock_file create_file_perms;
+allow init ssd_device:blk_file write;
+allow init sysfs_battery_supply:file r_file_perms;
+allow init sysfs_camera_torch:lnk_file read;
+allow init sysfs:file create_file_perms;
+allow init sysfs_graphics:file rw_file_perms;
 allow init sysfs_livedisplay_tuneable:file setattr;
+allow init system_server:binder call;
+allow init tad_socket:sock_file rw_file_perms;
+allow init tee_device:chr_file rw_file_perms;
+allow init tmpfs:lnk_file create_file_perms;
+allow init trim_area_partition_device:blk_file create_file_perms;
+allow init vendor_file:file execute_no_trans;
+allow init vfat:file r_file_perms;
+allow init video_device:chr_file rw_file_perms;
+allow init vndbinder_device:chr_file rw_file_perms;
--- a/sepolicy/vendor/installd.te
+++ b/sepolicy/vendor/installd.te
-allow installd device:file { open write };
-allow installd secd_exec:file { getattr read };
+allow installd device:file rw_file_perms;
--- a/sepolicy/vendor/irsc_util.te
+++ b/sepolicy/vendor/irsc_util.te
-allow irsc_util secd_exec:file { getattr read };
--- a/sepolicy/vendor/kernel.te
+++ b/sepolicy/vendor/kernel.te
+allow kernel block_device:blk_file rw_file_perms;
 allow kernel device:dir create_dir_perms;
-allow kernel tmpfs:file create_file_perms;
+allow kernel self:socket create;
 allow kernel tmpfs:dir create_dir_perms;
-allow kernel block_device:blk_file rw_file_perms;
+allow kernel tmpfs:file create_file_perms;
 allow kernel touchfusion_exec:file relabelto;
-allow kernel self:socket create;
--- a/sepolicy/vendor/keystore.te
+++ b/sepolicy/vendor/keystore.te
-allow keystore tee_prop:file { getattr open read };
-allow keystore secd_exec:file { getattr read };
+allow keystore tee_prop:file r_file_perms;
--- a/sepolicy/vendor/lmkd.te
+++ b/sepolicy/vendor/lmkd.te
-allow lmkd secd_exec:file { getattr read };
--- a/sepolicy/vendor/loc_launcher.te
+++ b/sepolicy/vendor/loc_launcher.te
@@ -4,12 +4,9 @@ type loc_launcher_exec, exec_type, file_type;

 init_daemon_domain(loc_launcher)

-allow loc_launcher self:capability setuid;
-allow loc_launcher system_data_file:dir { add_name remove_name write };
-allow loc_launcher system_data_file:sock_file { create setattr unlink };
-allow loc_launcher location_data_file:dir { add_name remove_name write };
-allow loc_launcher location_data_file:sock_file { create setattr };
+allow loc_launcher location_data_file:dir rw_dir_perms;
+allow loc_launcher location_data_file:sock_file create_file_perms;
 allow loc_launcher location_socket:sock_file unlink;
-allow loc_launcher location_data_file:sock_file unlink;
-allow loc_launcher location_data_file:dir search;
-allow loc_launcher secd_exec:file { getattr read };
+allow loc_launcher self:capability setuid;
+allow loc_launcher system_data_file:dir rw_dir_perms;
+allow loc_launcher system_data_file:sock_file create_file_perms;
--- a/sepolicy/vendor/logd.te
+++ b/sepolicy/vendor/logd.te
-allow logd secd_exec:file { getattr read };
--- a/sepolicy/vendor/mediacodec.te
+++ b/sepolicy/vendor/mediacodec.te
 allow mediacodec mpctl_socket:dir search;
 allow mediacodec perfd:unix_stream_socket connectto;
 allow mediacodec socket_device:sock_file write;
-allow mediacodec secd_exec:file { getattr read };
--- a/sepolicy/vendor/mediadrmserver.te
+++ b/sepolicy/vendor/mediadrmserver.te
-allow mediadrmserver secd_exec:file { getattr read };
--- a/sepolicy/vendor/mediaextractor.te
+++ b/sepolicy/vendor/mediaextractor.te
-allow mediaextractor secd_exec:file { getattr read };
--- a/sepolicy/vendor/mediametrics.te
+++ b/sepolicy/vendor/mediametrics.te
-allow mediametrics secd_exec:file { getattr read };
--- a/sepolicy/vendor/mediaserver.te
+++ b/sepolicy/vendor/mediaserver.te
 allow mediaserver hal_configstore_ISurfaceFlingerConfigs:hwservice_manager find;
 allow mediaserver sensorservice_service:service_manager find;
-allow mediaserver sysfs_graphics:file { getattr open read };
+allow mediaserver sysfs_graphics:file r_file_perms;
 allow mediaserver system_server:unix_stream_socket read;
-allow mediaserver secd_exec:file { getattr read };
--- a/sepolicy/vendor/mediaswcodec.te
+++ b/sepolicy/vendor/mediaswcodec.te
 allow mediaswcodec servicemanager:binder call;
-allow mediaswcodec secd_exec:file { getattr read };
--- a/sepolicy/vendor/mlog_qmi_service.te
+++ b/sepolicy/vendor/mlog_qmi_service.te
@@ -12,4 +12,3 @@ allowxperm mlog_qmi_service self:socket ioctl msm_sock_ipc_ioctls;

 # Allow mlog_qmi_service to use net_raw capability
 allow mlog_qmi_service self:capability net_raw;
-allow mlog_qmi_service secd_exec:file { getattr read };
--- a/sepolicy/vendor/msm_irqbalance.te
+++ b/sepolicy/vendor/msm_irqbalance.te
@@ -5,10 +5,8 @@ type msm_irqbalance_exec, exec_type, file_type;
 # Started by init
 init_daemon_domain(msm_irqbalance)

-allow msm_irqbalance proc:file { getattr open read write };
-allow msm_irqbalance self:capability dac_override;
+allow msm_irqbalance proc:file rw_file_perms;
+allow msm_irqbalance proc_interrupts:file r_file_perms;
+allow msm_irqbalance proc_stat:file r_file_perms;
+allow msm_irqbalance self:capability { dac_override setgid setuid };
 allow msm_irqbalance sysfs_devices_system_cpu:file write;
-allow msm_irqbalance self:capability { setgid setuid };
-allow msm_irqbalance proc_interrupts:file { getattr open read };
-allow msm_irqbalance proc_stat:file { getattr open read };
-allow msm_irqbalance secd_exec:file { getattr read };
--- a/sepolicy/vendor/netd.te
+++ b/sepolicy/vendor/netd.te
-allow netd device:file { open write };
-allow netd secd_exec:file { getattr read };
+allow netd device:file rw_file_perms;
--- a/sepolicy/vendor/netmgrd.te
+++ b/sepolicy/vendor/netmgrd.te
-allow netmgrd self:capability dac_override;
-allow netmgrd toolbox_exec:file { execute execute_no_trans getattr open read };
 allow netmgrd net_data_file:dir read;
-allow netmgrd secd_exec:file { getattr read };
+allow netmgrd self:capability dac_override;
+allow netmgrd toolbox_exec:file rx_file_perms;