Commit 973e9db1 authored by Bernhard Thoben's avatar Bernhard Thoben
Browse files

kitakami-common: sepolicy: Labeled some more HALs and addressed them. General clean up.

Change-Id: I2bc5d3a4e90fcb4be3ae6374663be296368b3dfc
parent e14474c4
allow system_app time_data_file:dir search;
allow system_app timekeep_data_file:file { getattr open write };
allow system_app timekeep_prop:file { getattr open };
allow system_app timekeep_prop:property_service set;
allow system_app timekeep_prop:file read;
allow system_app sysfs_rtc:dir search;
allow system_app time_data_file:file { getattr open write };
allow system_app vendor_default_prop:property_service set;
allow system_app apex_service:service_manager find;
allow system_app proc_pagetypeinfo:file read;
allow system_app sysfs_rtc:dir search;
allow system_app sysfs_zram:dir search;
allow system_app system_suspend_control_service:service_manager find;
allow system_app time_data_file:dir search;
allow system_app time_data_file:file rw_file_perms;
allow system_app timekeep_data_file:file rw_file_perms;
allow system_app timekeep_prop:file r_file_perms;
allow system_app timekeep_prop:property_service set;
allow system_app vendor_default_prop:property_service set;
allow system_server default_android_service:service_manager find;
allow system_server exfat:dir rw_dir_perms;
allow system_server init:binder { call transfer };
allow system_server perfd:unix_stream_socket connectto;
allow system_server persist_file:dir rw_file_perms;
allow system_server ppd:unix_stream_socket connectto;
allow system_server pps_socket:sock_file write;
allow system_server self:capability sys_module;
allow system_server sensors_device:chr_file getattr;
allow system_server sensors_socket:sock_file write;
allow system_server sensors:unix_stream_socket connectto;
allow system_server socket_device:sock_file write;
allow system_server system_app_data_file:dir r_dir_perms;
allow system_server ta_data_file:dir search;
allow system_server ta_data_file:file r_file_perms;
allow system_server persist_file:dir rw_file_perms;
allow system_server perfd:unix_stream_socket connectto;
allow system_server socket_device:sock_file write;
allow system_server sensors:unix_stream_socket connectto;
allow system_server sensors_device:chr_file getattr;
allow system_server sensors_socket:sock_file write;
allow system_server unlabeled:file unlink;
allow system_server default_android_service:service_manager find;
allow system_server init:binder { call transfer };
allow system_server exfat:dir rw_dir_perms;
......@@ -13,12 +13,10 @@ allow ta_qmi_service self:capability { net_raw setgid setuid };
# Allow ta_qmi_service to create self:socket
allow ta_qmi_service self:socket create_socket_perms;
allow ta_qmi_service self:socket { create read write };
allowxperm ta_qmi_service self:socket ioctl msm_sock_ipc_ioctls;
allow ta_qmi_service self:capability2 block_suspend;
allow ta_qmi_service socket_device:sock_file write;
allow ta_qmi_service sysfs_wake_lock:file { append open };
allow ta_qmi_service sysfs_wake_lock:file w_file_perms;
allow ta_qmi_service tad:unix_stream_socket connectto;
allow ta_qmi_service tad_socket:sock_file write;
allow ta_qmi_service secd_exec:file { getattr read };
......@@ -9,6 +9,6 @@ init_daemon_domain(tad)
allow tad proc:file r_file_perms;
# Allow tad to work it's magic
allow tad trim_area_partition_device:blk_file { ioctl rw_file_perms };
allow tad block_device:dir search;
allow tad tmpfs:file rw_file_perms;
allow tad trim_area_partition_device:blk_file rw_file_perms;
......@@ -5,11 +5,10 @@ type taimport_exec, exec_type, file_type;
# Started by init
init_daemon_domain(taimport)
allow taimport tad_socket:sock_file { write };
allow taimport ta_data_file:dir { read search write add_name create remove_name };
allow taimport ta_data_file:file { read write create getattr open unlink};
allow taimport init:unix_stream_socket connectto;
allow taimport self:capability { dac_override setgid };
allow taimport socket_device:sock_file write;
allow taimport system_data_file:dir { add_name remove_name write };
allow taimport init:unix_stream_socket connectto;
allow taimport secd_exec:file { getattr read };
allow taimport system_data_file:dir w_dir_perms;
allow taimport ta_data_file:dir create_dir_perms;
allow taimport ta_data_file:file create_file_perms;
allow taimport tad_socket:sock_file write;
......@@ -23,6 +23,5 @@ allow tee rpmb_device:blk_file rw_file_perms;
allow tee ssd_device:blk_file rw_file_perms;
allow tee system_data_file:dir r_dir_perms;
allow tee vfat:file { getattr open read };
allow tee vfat:dir search;
allow tee secd_exec:file { getattr read };
allow tee vfat:file r_file_perms;
allow thermal-engine ta_data_file:dir search;
allow thermal-engine ta_data_file:file r_file_perms;
allow thermal-engine diag_partition_device:dir search;
allow thermal-engine diag_data_file:dir search;
allow thermal-engine diag_data_file:sock_file write;
allow thermal-engine socket_device:sock_file { create setattr };
allow thermal-engine init:unix_dgram_socket sendto;
allow thermal-engine diag_partition_device:dir search;
allow thermal-engine iddd:unix_dgram_socket sendto;
allow thermal-engine secd_exec:file { getattr read };
allow thermal-engine init:unix_dgram_socket sendto;
allow thermal-engine socket_device:sock_file create_file_perms;
allow thermal-engine ta_data_file:dir search;
allow thermal-engine ta_data_file:file r_file_perms;
......@@ -17,9 +17,8 @@ allow timekeep self:capability {
dac_read_search
};
allow timekeep timekeep_data_file:file create_file_perms;
allow timekeep timekeep_data_file:dir { create_dir_perms search };
allow timekeep time_data_file:dir { create_dir_perms search };
allow timekeep time_data_file:file { write open getattr setattr };
allow timekeep sysfs:file {read open };
allow timekeep timekeep_data_file:dir create_dir_perms;
allow timekeep time_data_file:dir create_dir_perms;
allow timekeep time_data_file:file create_file_perms;
allow timekeep sysfs:file r_file_perms;
allow timekeep sysfs_rtc:dir search;
allow timekeep secd_exec:file { getattr read };
allow tombstoned secd_exec:file { getattr read };
allow toolbox diag_data_file:dir { getattr open read remove_name rmdir write };
allow toolbox diag_data_file:dir create_dir_perms;
allow toolbox firmware_file:dir create_dir_perms;
allow toolbox self:capability dac_override;
allow toolbox diag_data_file:dir search;
allow toolbox firmware_file:dir { open read rmdir write };
allow toolbox firmware_file:dir search;
allow toolbox secd_exec:file { getattr read };
allow tzdatacheck secd_exec:file { getattr read };
......@@ -2,8 +2,7 @@
r_dir_file(ueventd, firmware_file)
allow ueventd device:file relabelfrom;
allow ueventd sysfs_camera_torch:file { open write };
allow ueventd vfat:dir search;
allow ueventd vfat:file { getattr open read };
allow ueventd self:capability sys_nice;
allow ueventd secd_exec:file { getattr read };
allow ueventd sysfs_camera_torch:file rw_file_perms;
allow ueventd vfat:dir search;
allow ueventd vfat:file r_file_perms;
......@@ -9,6 +9,5 @@ unix_socket_connect(taimport, tad, tad)
allow updatemiscta socket_device:sock_file write;
allow updatemiscta tad:unix_stream_socket connectto;
allow updatemiscta ta_prop:file { getattr open read };
allow updatemiscta tad_socket:sock_file write;
allow updatemiscta secd_exec:file { getattr read };
allow updatemiscta ta_prop:file r_file_perms;
allow usbd secd_exec:file { getattr read };
allow vdc secd_exec:file { getattr read };
allow vendor_init secd_exec:file { getattr read };
allow vndservicemanager secd_exec:file { getattr read };
allow vold diag_data_file:dir { read open ioctl };
allow vold diag_data_file:dir r_dir_perms;
allow vold firmware_file:dir search;
allow vold firmware_file:file { getattr open read };
allow vold secd_exec:file { getattr read };
allow vold tee_prop:file { r_file_perms };
allow vold firmware_file:file r_file_perms;
allow vold tee_prop:file r_file_perms;
allow vold_prepare_subdirs secd_exec:file { getattr read };
allow wificond secd_exec:file { getattr read };
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment