Commit 973e9db1 authored by Bernhard Thoben's avatar Bernhard Thoben
Browse files

kitakami-common: sepolicy: Labeled some more HALs and addressed them. General clean up.

Change-Id: I2bc5d3a4e90fcb4be3ae6374663be296368b3dfc
parent e14474c4
allow per_mgr per_mgr_service:service_manager add;
allow per_mgr subsys_modem_device:chr_file r_file_perms;
allow per_mgr per_proxy:binder call;
allow per_mgr self:capability net_raw;
allow per_mgr self:socket create_socket_perms;
allow per_mgr subsys_modem_device:chr_file r_file_perms;
allowxperm per_mgr self:socket ioctl msm_sock_ipc_ioctls;
allow per_mgr per_proxy:binder call;
allow per_mgr secd_exec:file { getattr read };
......@@ -5,10 +5,8 @@ type per_proxy_exec, exec_type, file_type;
# Started by init
init_daemon_domain(per_proxy)
allow per_proxy binder_per_mgr_service:service_manager find;
allow per_proxy default_android_service:service_manager find;
allow per_proxy per_mgr:binder call;
allow per_proxy per_mgr:binder { call transfer };
allow per_proxy servicemanager:binder call;
allow per_proxy sysfs:file { open read };
allow per_proxy per_mgr:binder transfer;
allow per_proxy binder_per_mgr_service:service_manager find;
allow per_proxy secd_exec:file { getattr read };
allow per_proxy sysfs:file r_file_perms;
allow perfd sysfs_memory:dir search;
allow perfd sysfs_memory:file { open read write };
allow perfd secd_exec:file { getattr read };
allow perfd sysfs_memory:file rw_file_perms;
......@@ -5,19 +5,18 @@ type ppd_exec, exec_type, file_type;
# Started by init
init_daemon_domain(ppd)
allow ppd ion_device:chr_file write;
set_prop(ppd, display_prop);
allow ppd system_prop:property_service set;
allow ppd diag_device:chr_file { ioctl open read write };
allow ppd graphics_device:chr_file { ioctl open read write };
allow ppd ion_device:chr_file { open read };
allow ppd diag_device:chr_file rw_file_perms;
allow ppd display_vendor_data_file:dir search;
allow ppd graphics_device:chr_file rw_file_perms;
allow ppd graphics_device:dir search;
allow ppd ion_device:chr_file rw_file_perms;
allow ppd persist_display_file:dir search;
allow ppd postprocessing_prop:file { getattr open read };
allow ppd persist_file:dir search;
allow ppd postprocessing_prop:file r_file_perms;
allow ppd postprocessing_prop:property_service set;
allow ppd sysfs_graphics:dir search;
allow ppd sysfs_graphics:file { getattr open read write };
allow ppd sysfs_graphics:file rw_file_perms;
allow ppd sysfs_leds:dir search;
allow ppd graphics_device:dir search;
allow ppd persist_file:dir search;
allow ppd display_vendor_data_file:dir search;
allow ppd secd_exec:file { getattr read };
allow ppd system_prop:property_service set;
allow priv_app alarm_boot_prop:file r_file_perms;
allow priv_app alarm_handled_prop:file r_file_perms;
allow priv_app alarm_instance_prop:file r_file_perms;
allow priv_app apexd_prop:file r_file_perms;
allow priv_app bg_boot_complete_prop:file open;
allow priv_app device:dir open;
allow priv_app proc_interrupts:file open;
allow priv_app alarm_boot_prop:file open;
allow priv_app alarm_instance_prop:file getattr;
allow priv_app hal_memtrack_default:binder call;
allow priv_app hal_memtrack_hwservice:hwservice_manager find;
allow priv_app kgsl_debugfs:file read;
allow priv_app proc:file open;
allow priv_app proc_interrupts:file open;
allow priv_app sysfs_android_usb:file open;
allow priv_app secd_exec:file { getattr read };
allow priv_app sysfs:file open;
type timekeep_prop, property_type;
type tee_prop, property_type;
type ta_prop, property_type;
type display_prop, property_type;
type ta_prop, property_type;
type tee_prop, property_type;
type timekeep_prop, property_type;
sys.keymaster.loaded u:object_r:tee_prop:s0
sys.listeners.registered u:object_r:tee_prop:s0
persist.sys.timeadjust u:object_r:timekeep_prop:s0
persist.service.bdroid.bdaddr u:object_r:bluetooth_prop:s0
persist.sys.timeadjust u:object_r:timekeep_prop:s0
persist.tareset.notfirstboot u:object_r:ta_prop:s0
sys.keymaster.loaded u:object_r:tee_prop:s0
sys.listeners.registered u:object_r:tee_prop:s0
......@@ -5,20 +5,18 @@ type qcamerasvr_exec, exec_type, file_type;
# Started by init
init_daemon_domain(qcamerasvr)
allow qcamerasvr camera_data_file:dir { add_name remove_name write };
allow qcamerasvr camera_data_file:sock_file { create unlink };
allow qcamerasvr hal_camera_default:fd use;
allow qcamerasvr ion_device:chr_file { open read ioctl };
allow qcamerasvr mediaserver:fd use;
allow qcamerasvr sysfs:file { open read write };
allow qcamerasvr video_device:chr_file { ioctl open read write };
allow qcamerasvr camera_prop:file { getattr open read };
allow qcamerasvr camera_data_file:dir rw_dir_perms;
allow qcamerasvr camera_data_file:sock_file create_file_perms;
allow qcamerasvr camera_prop:file r_file_perms;
allow qcamerasvr cameraserver:fd use;
allow qcamerasvr camera_data_file:dir search;
allow qcamerasvr camera_socket:sock_file unlink;
allow qcamerasvr sysfs_graphics:file { open read };
allow qcamerasvr ta_data_file:dir search;
allow qcamerasvr secd_exec:file { getattr read };
allow qcamerasvr vendor_camera_data_file:dir { add_name remove_name write };
allow qcamerasvr vendor_camera_data_file:sock_file { create unlink };
allow qcamerasvr hal_camera_default:fd use;
allow qcamerasvr hal_graphics_allocator_default:fd use;
allow qcamerasvr ion_device:chr_file r_file_perms;
allow qcamerasvr mediaserver:fd use;
allow qcamerasvr sysfs:file rw_file_perms;
allow qcamerasvr sysfs_graphics:file r_file_perms;
allow qcamerasvr ta_data_file:dir search;
allow qcamerasvr vendor_camera_data_file:dir rw_dir_perms;
allow qcamerasvr vendor_camera_data_file:sock_file create_file_perms;
allow qcamerasvr video_device:chr_file rw_file_perms;
allow qmuxd diag_device:chr_file { ioctl open read write };
allow qmuxd diag_device:chr_file rw_file_perms;
allow qmuxd sysfs:file read;
allow qmuxd secd_exec:file { getattr read };
allow recovery_persist secd_exec:file { getattr read };
allow rild cache_file:dir { rw_file_perms remove_name };
allow rild audioserver_service:service_manager find;
allow rild cache_file:dir rw_dir_perms;
allow rild cache_file:file { r_file_perms unlink };
allow rild tad_socket:sock_file write;
allow rild tee_device:chr_file { read write open ioctl};
allow rild radio_data_file:file { getattr lock open read write };
allow rild default_android_service:service_manager find;
allow rild radio_data_file:dir { add_name getattr open read remove_name write };
allow rild radio_data_file:file { create ioctl setattr unlink };
allow rild device:file rw_file_perms;
allow rild firmware_file:dir search;
allow rild firmware_file:file r_file_perms;
allow rild ion_device:chr_file r_file_perms;
allow rild radio_data_file:dir rw_dir_perms;
allow rild radio_data_file:file create_file_perms;
allow rild self:capability chown;
allow rild self:capability dac_override;
allow rild servicemanager:binder call;
allow rild tee_device:chr_file { open read write };
allow rild firmware_file:file { getattr open read };
allow rild ion_device:chr_file { ioctl open read };
allow rild self:capability sys_module;
allow rild servicemanager:binder call;
allow rild socket_device:sock_file write;
allow rild tad_socket:sock_file write;
allow rild tad:unix_stream_socket connectto;
allow rild tee_device:chr_file ioctl;
allow rild audioserver_service:service_manager find;
allow rild self:capability chown;
allow rild radio_data_file:dir search;
allow rild tee_device:chr_file rw_file_perms;
allow rild vendor_file:file ioctl;
allow rild tad:unix_stream_socket connectto;
allow rild cache_file:dir search;
allow rild firmware_file:dir search;
allow rild device:file { open write };
allow rild secd_exec:file { getattr read };
allow rmt_storage secd_exec:file { getattr read };
......@@ -10,6 +10,4 @@ allow sct_service self:capability net_raw;
# Allow sct_service to create self:socket
allow sct_service self:socket create_socket_perms;
allow sct_service self:socket { create read write };
allowxperm sct_service self:socket ioctl msm_sock_ipc_ioctls;
allow sct_service secd_exec:file { getattr read };
allow sdcardd secd_exec:file { getattr read };
......@@ -5,18 +5,16 @@ type secd_exec, exec_type, file_type;
# Started by init
init_daemon_domain(secd)
allow secd tad:unix_stream_socket connectto;
allow secd tad_socket:sock_file write;
allow secd tee_device:chr_file { ioctl open read write };
allow secd secd_data_file:file { lock open write create getattr read setattr unlink };
allow secd secd_data_file:dir { rw_file_perms add_name remove_name search };
allow secd diag_partition_device:dir search;
allow secd diag_data_file:dir search;
allow secd diag_data_file:sock_file write;
allow secd diag_partition_device:dir search;
allow secd firmware_file:dir search;
allow secd firmware_file:file { getattr open read };
allow secd firmware_file:file r_file_perms;
allow secd iddd:unix_dgram_socket sendto;
allow secd ion_device:chr_file { ioctl open read };
allow secd ion_device:chr_file r_file_perms;
allow secd secd_data_file:dir rw_dir_perms;
allow secd secd_data_file:file create_file_perms;
allow secd socket_device:sock_file write;
allow secd tee_device:chr_file { ioctl open read write };
allow secd secd_data_file:file ioctl;
allow secd tad_socket:sock_file write;
allow secd tad:unix_stream_socket connectto;
allow secd tee_device:chr_file rw_file_perms;
allow sensors device:dir { write add_name };
allow sensors device:dir w_dir_perms;
allow sensors input_device:chr_file { relabelfrom getattr link };
allow sensors input_device:dir search;
allow sensors tmpfs:file rw_file_perms;
allow sensors sysfs:file r_file_perms;
allow sensors tad_socket:sock_file { write };
allow sensors sysfs:file { open read };
allow sensors secd_exec:file { getattr read };
allow sensors tmpfs:file rw_file_perms;
allow servicemanager init:dir search;
allow servicemanager init:file { open read };
allow servicemanager init:file r_file_perms;
allow servicemanager init:process getattr;
allow servicemanager per_proxy:dir search;
allow servicemanager per_proxy:file { open read };
allow servicemanager per_proxy:process getattr;
allow servicemanager mediaswcodec:dir search;
allow servicemanager mediaswcodec:file { open read };
allow servicemanager mediaswcodec:file r_file_perms;
allow servicemanager mediaswcodec:process getattr;
allow servicemanager secd_exec:file { getattr read };
allow servicemanager per_proxy:dir search;
allow servicemanager per_proxy:file r_file_perms;
allow servicemanager per_proxy:process getattr;
allow shell alarm_boot_prop:file { getattr open };
allow shell alarm_handled_prop:file { getattr open };
allow shell alarm_instance_prop:file { getattr open };
allow shell apexd_prop:file { getattr open };
allow shell bg_boot_complete_prop:file { getattr open };
allow shell bg_daemon_prop:file { getattr open };
allow shell bluetooth_prop:file { getattr open };
allow shell boot_animation_prop:file { getattr open };
allow shell boot_mode_prop:file { getattr open };
allow shell boottime_prop:file { getattr open };
allow shell bpf_progs_loaded_prop:file { getattr open };
allow shell coresight_prop:file { getattr open };
allow shell crash_prop:file { getattr open };
allow shell ctl_LKCore_prop:file { getattr open };
allow shell ctl_adbd_prop:file { getattr open };
allow shell ctl_bootanim_prop:file { getattr open read };
allow shell ctl_console_prop:file { getattr open };
allow shell ctl_default_prop:file { getattr open };
allow shell ctl_fuse_prop:file { getattr open };
allow shell ctl_hbtp_prop:file { getattr open };
allow shell ctl_interface_restart_prop:file { getattr open };
allow shell ctl_interface_start_prop:file { getattr open };
allow shell ctl_interface_stop_prop:file { getattr open };
allow shell ctl_mdnsd_prop:file { getattr open };
allow shell ctl_netmgrd_prop:file { getattr open };
allow shell ctl_port-bridge_prop:file { getattr open };
allow shell ctl_qmuxd_prop:file { getattr open };
allow shell ctl_restart_prop:file { getattr open };
allow shell ctl_rildaemon_prop:file { getattr open };
allow shell ctl_sigstop_prop:file { getattr open };
allow shell ctl_start_prop:file { getattr open };
allow shell ctl_stop_prop:file { getattr open };
allow shell ctl_vendor_imsrcsservice_prop:file { getattr open };
allow shell ctl_vendor_wigigsvc_prop:file { getattr open };
allow shell device_config_activity_manager_native_boot_prop:file { getattr open };
allow shell device_config_boot_count_prop:file { getattr open };
allow shell device_config_input_native_boot_prop:file { getattr open };
allow shell device_config_media_native_prop:file { getattr open };
allow shell device_config_netd_native_prop:file { getattr open };
allow shell device_config_reset_performed_prop:file { getattr open };
allow shell device_config_runtime_native_boot_prop:file { getattr open };
allow shell device_config_runtime_native_prop:file { getattr open };
allow shell diag_mdlog_prop:file { getattr open };
allow shell dolby_prop:file { getattr open };
allow shell dumpstate_options_prop:file { getattr open };
allow shell firstboot_prop:file { getattr open };
allow shell fm_prop:file { getattr open };
allow shell freq_prop:file { getattr open };
allow shell fst_prop:file { getattr open };
allow shell gamed_prop:file { getattr open };
allow shell gsid_prop:file { getattr open };
allow shell ipacm-diag_prop:file { getattr open };
allow shell ipacm_prop:file { getattr open };
allow shell llkd_prop:file { getattr open };
allow shell location_prop:file { getattr open };
allow shell lowpan_prop:file { getattr open };
allow shell mdm_helper_prop:file { getattr open };
allow shell mmc_prop:file { getattr open };
allow shell mmi_prop:file { getattr open };
allow shell mpdecision_prop:file { getattr open };
allow shell msm_irqbalance_prop:file { getattr open };
allow shell msm_irqbl_sdm630_prop:file { getattr open };
allow shell net_dns_prop:file { getattr open };
allow shell netd_prop:file { getattr open };
allow shell netd_stable_secret_prop:file { getattr open };
allow shell nfc_nq_prop:file { getattr open };
allow shell opengles_prop:file { getattr open };
allow shell overlay_prop:file { getattr open };
allow shell per_mgr_state_prop:file { getattr open };
allow shell perfd_prop:file { getattr open };
allow shell persistent_properties_ready_prop:file { getattr open };
allow shell postprocessing_prop:file { getattr open };
allow shell ppd_prop:file { getattr open };
allow shell qcom_ims_prop:file { getattr open };
allow shell qdma_prop:file { getattr open };
allow shell qemu_gles_prop:file { getattr open };
allow shell qti_prop:file { getattr open };
allow shell rmnet_mux_prop:file { getattr open };
allow shell safemode_prop:file { getattr open };
allow shell scr_enabled_prop:file { getattr open };
allow shell sdm_idle_time_prop:file { getattr open };
allow shell secd_exec:file { getattr read };
allow shell sensors_prop:file { getattr open };
allow shell spcomlib_prop:file { getattr open };
allow shell sys_usb_configfs_prop:file { getattr open };
allow shell sys_usb_controller_prop:file { getattr open };
allow shell sys_usb_tethering_prop:file { getattr open };
allow shell system_lmk_prop:file { getattr open };
allow shell system_trace_prop:file { getattr open };
allow shell ta_prop:file { getattr open };
allow shell tee_prop:file { getattr open };
allow shell test_boot_reason_prop:file { getattr open };
allow shell theme_prop:file { getattr open };
allow shell time_prop:file { getattr open };
allow shell timekeep_prop:file { getattr open };
allow shell traced_lazy_prop:file { getattr open };
allow shell uicc_prop:file { getattr open };
allow shell usf_prop:file { getattr open };
allow shell vendor_mpctl_prop:file { getattr open };
allow shell vendor_rild_libpath_prop:file { getattr open };
allow shell vendor_system_prop:file { getattr open };
allow shell vendor_wifi_prop:file { getattr open };
allow shell vendor_wifi_version:file { getattr open };
allow shell vm_bms_prop:file { getattr open };
allow shell wifi_prop:file { getattr open };
allow shell wififtmd_prop:file { getattr open };
allow shell wigig_prop:file { getattr open };
allow shell xlat_prop:file { getattr open };
allow shell secd_exec:file { getattr read };
allow shell alarm_boot_prop:file r_file_perms;
allow shell alarm_handled_prop:file r_file_perms;
allow shell alarm_instance_prop:file r_file_perms;
allow shell apexd_prop:file r_file_perms;
allow shell bg_boot_complete_prop:file r_file_perms;
allow shell bg_daemon_prop:file r_file_perms;
allow shell bluetooth_prop:file r_file_perms;
allow shell boot_animation_prop:file r_file_perms;
allow shell boot_mode_prop:file r_file_perms;
allow shell boottime_prop:file r_file_perms;
allow shell bpf_progs_loaded_prop:file r_file_perms;
allow shell coresight_prop:file r_file_perms;
allow shell crash_prop:file r_file_perms;
allow shell ctl_LKCore_prop:file r_file_perms;
allow shell ctl_adbd_prop:file r_file_perms;
allow shell ctl_bootanim_prop:file r_file_perms;
allow shell ctl_console_prop:file r_file_perms;
allow shell ctl_default_prop:file r_file_perms;
allow shell ctl_fuse_prop:file r_file_perms;
allow shell ctl_hbtp_prop:file r_file_perms;
allow shell ctl_interface_restart_prop:file r_file_perms;
allow shell ctl_interface_start_prop:file r_file_perms;
allow shell ctl_interface_stop_prop:file r_file_perms;
allow shell ctl_mdnsd_prop:file r_file_perms;
allow shell ctl_netmgrd_prop:file r_file_perms;
allow shell ctl_port-bridge_prop:file r_file_perms;
allow shell ctl_qmuxd_prop:file r_file_perms;
allow shell ctl_restart_prop:file r_file_perms;
allow shell ctl_rildaemon_prop:file r_file_perms;
allow shell ctl_sigstop_prop:file r_file_perms;
allow shell ctl_start_prop:file r_file_perms;
allow shell ctl_stop_prop:file r_file_perms;
allow shell ctl_vendor_imsrcsservice_prop:file r_file_perms;
allow shell ctl_vendor_wigigsvc_prop:file r_file_perms;
allow shell device_config_activity_manager_native_boot_prop:file r_file_perms;
allow shell device_config_boot_count_prop:file r_file_perms;
allow shell device_config_input_native_boot_prop:file r_file_perms;
allow shell device_config_media_native_prop:file r_file_perms;
allow shell device_config_netd_native_prop:file r_file_perms;
allow shell device_config_reset_performed_prop:file r_file_perms;
allow shell device_config_runtime_native_boot_prop:file r_file_perms;
allow shell device_config_runtime_native_prop:file r_file_perms;
allow shell diag_mdlog_prop:file r_file_perms;
allow shell dolby_prop:file r_file_perms;
allow shell dumpstate_options_prop:file r_file_perms;
allow shell firstboot_prop:file r_file_perms;
allow shell fm_prop:file r_file_perms;
allow shell freq_prop:file r_file_perms;
allow shell fst_prop:file r_file_perms;
allow shell gamed_prop:file r_file_perms;
allow shell gsid_prop:file r_file_perms;
allow shell ipacm-diag_prop:file r_file_perms;
allow shell ipacm_prop:file r_file_perms;
allow shell llkd_prop:file r_file_perms;
allow shell location_prop:file r_file_perms;
allow shell lowpan_prop:file r_file_perms;
allow shell mdm_helper_prop:file r_file_perms;
allow shell mmc_prop:file r_file_perms;
allow shell mmi_prop:file r_file_perms;
allow shell mpdecision_prop:file r_file_perms;
allow shell msm_irqbalance_prop:file r_file_perms;
allow shell msm_irqbl_sdm630_prop:file r_file_perms;
allow shell net_dns_prop:file r_file_perms;
allow shell netd_prop:file r_file_perms;
allow shell netd_stable_secret_prop:file r_file_perms;
allow shell nfc_nq_prop:file r_file_perms;
allow shell opengles_prop:file r_file_perms;
allow shell overlay_prop:file r_file_perms;
allow shell per_mgr_state_prop:file r_file_perms;
allow shell perfd_prop:file r_file_perms;
allow shell persistent_properties_ready_prop:file r_file_perms;
allow shell postprocessing_prop:file r_file_perms;
allow shell ppd_prop:file r_file_perms;
allow shell qcom_ims_prop:file r_file_perms;
allow shell qdma_prop:file r_file_perms;
allow shell qemu_gles_prop:file r_file_perms;
allow shell qti_prop:file r_file_perms;
allow shell rmnet_mux_prop:file r_file_perms;
allow shell safemode_prop:file r_file_perms;
allow shell scr_enabled_prop:file r_file_perms;
allow shell sdm_idle_time_prop:file r_file_perms;
allow shell sensors_prop:file r_file_perms;
allow shell spcomlib_prop:file r_file_perms;
allow shell sys_usb_configfs_prop:file r_file_perms;
allow shell sys_usb_controller_prop:file r_file_perms;
allow shell sys_usb_tethering_prop:file r_file_perms;
allow shell system_lmk_prop:file r_file_perms;
allow shell system_trace_prop:file r_file_perms;
allow shell ta_prop:file r_file_perms;
allow shell tee_prop:file r_file_perms;
allow shell test_boot_reason_prop:file r_file_perms;
allow shell theme_prop:file r_file_perms;
allow shell time_prop:file r_file_perms;
allow shell timekeep_prop:file r_file_perms;
allow shell traced_lazy_prop:file r_file_perms;
allow shell uicc_prop:file r_file_perms;
allow shell usf_prop:file r_file_perms;
allow shell vendor_mpctl_prop:file r_file_perms;
allow shell vendor_rild_libpath_prop:file r_file_perms;
allow shell vendor_system_prop:file r_file_perms;
allow shell vendor_wifi_prop:file r_file_perms;
allow shell vendor_wifi_version:file r_file_perms;
allow shell vm_bms_prop:file r_file_perms;
allow shell wifi_prop:file r_file_perms;
allow shell wififtmd_prop:file r_file_perms;
allow shell wigig_prop:file r_file_perms;
allow shell xlat_prop:file r_file_perms;
allow statsd secd_exec:file { getattr read };
allow surfaceflinger default_android_service:service_manager { add find };
allow surfaceflinger perfd:unix_stream_socket connectto;
allow surfaceflinger socket_device:sock_file write;
allow surfaceflinger default_android_service:service_manager { add find };
allow surfaceflinger secd_exec:file { getattr read };
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment