Commit c768f04e authored by Bernhard Thoben's avatar Bernhard Thoben

kitakami-common: sepolicy: Changed a few properties; finetuning.

Change-Id: Ib7f84c0507b68e09cdbb709fbb2643eb1fa41ff1
parent 8958eac2
allow bootanim userspace_reboot_exported_prop:file { getattr open read };
allow bootanim userspace_reboot_exported_prop:file r_file_perms;
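Review bot: The hand-written property read rule on the second line is exactly what the AOSP `get_prop()` macro from te_macros expands to (`allow $1 $2:file r_file_perms`), so `get_prop(bootanim, userspace_reboot_exported_prop)` is the idiomatic spelling and makes property access uniform with the rest of the platform policy. The same applies to the ctl_fuse_prop and system_jvmti_agent_prop lines in flags_health_check.te, the hwservicemanager_prop lines in hal_drm_clearkey.te and hal_dumpstate_impl.te, and the camera_prop line in qcamerasvr.te. In hal_dumpstate_impl.te the `{ map r_file_perms }` form is redundant on policy versions whose r_file_perms already includes map; worth checking against this tree's global_macros. Old and new sides are not marked on this rendering, so this assumes the r_file_perms lines are the new ones.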
......@@ -69,7 +69,6 @@
/system/bin/iddd u:object_r:iddd_exec:s0
/system/bin/init\.qcom\.power\.sh u:object_r:init-power-sh_exec:s0
/system/bin/irsc_util u:object_r:irsc_util_exec:s0
/system/bin/loc_launcher u:object_r:loc_launcher_exec:s0
/system/bin/mlog_qmi_service u:object_r:mlog_qmi_service_exec:s0
/system/bin/mm-qcamera-daemon u:object_r:qcamerasvr_exec:s0
/system/bin/msm_irqbalance u:object_r:msm_irqbalance_exec:s0
......
......@@ -30,7 +30,7 @@ allow flags_health_check ctl_bugreport_prop:file { getattr open };
allow flags_health_check ctl_console_prop:file { getattr open };
allow flags_health_check ctl_default_prop:file { getattr open };
allow flags_health_check ctl_dumpstate_prop:file { getattr open };
allow flags_health_check ctl_fuse_prop:file { getattr open read };
allow flags_health_check ctl_fuse_prop:file r_file_perms;
allow flags_health_check ctl_gsid_prop:file { getattr open };
allow flags_health_check ctl_hbtp_prop:file { getattr open };
allow flags_health_check ctl_interface_restart_prop:file { getattr open };
......@@ -121,7 +121,7 @@ allow flags_health_check sys_usb_controller_prop:file { getattr open };
allow flags_health_check sys_usb_tethering_prop:file { getattr open };
allow flags_health_check system_adbd_prop:file { getattr open };
allow flags_health_check system_boot_reason_prop:file { getattr open };
allow flags_health_check system_jvmti_agent_prop:file { getattr open read };
allow flags_health_check system_jvmti_agent_prop:file r_file_perms;
allow flags_health_check system_lmk_prop:file { getattr open };
allow flags_health_check system_trace_prop:file { getattr open };
allow flags_health_check test_boot_reason_prop:file { getattr open };
......
allow fsck block_device:blk_file { read write };
allow fsck block_device:blk_file rw_file_perms;
allow fsck diag_partition_device:blk_file rw_file_perms;
allow hal_bluetooth_default firmware_file:dir search;
allow hal_bluetooth_default firmware_file:file { open read };
allow hal_bluetooth_default firmware_file:file r_file_perms;
allow hal_bluetooth_default sysfs:file write;
allow hal_bluetooth_default system_data_file:file { open read };
allow hal_bluetooth_default system_data_file:file r_file_perms;
allow hal_bluetooth_default ta_data_file:dir { read search };
allow hal_bluetooth_default ta_data_file:file { open read };
allow hal_bluetooth_default ta_data_file:file r_file_perms;
......@@ -7,4 +7,4 @@ init_daemon_domain(hal_drm_clearkey)
allow hal_drm_clearkey hal_drm_hwservice:hwservice_manager { add find };
allow hal_drm_clearkey hidl_base_hwservice:hwservice_manager add;
allow hal_drm_clearkey hwservicemanager:binder { call transfer };
allow hal_drm_clearkey hwservicemanager_prop:file { getattr open read };
allow hal_drm_clearkey hwservicemanager_prop:file r_file_perms;
......@@ -5,6 +5,6 @@ init_daemon_domain(hal_dumpstate_impl)
allow hal_dumpstate_impl hal_dumpstate_impl_exec:file execute_no_trans;
allow hal_dumpstate_impl hwservicemanager:binder { call transfer };
allow hal_dumpstate_impl hwservicemanager_prop:file { getattr map open read };
allow hal_dumpstate_impl hwservicemanager_prop:file { map r_file_perms };
allow hal_dumpstate_impl hidl_base_hwservice:hwservice_manager add;
allow hal_dumpstate_impl hal_dumpstate_hwservice:hwservice_manager { add find };
allow hal_fingerprint_default diag_data_file:dir search;
allow hal_fingerprint_default fingerprintd_data_file:dir { add_name remove_name search write };
allow hal_fingerprint_default fingerprintd_data_file:file { create getattr open read rename unlink write };
allow hal_fingerprint_default fingerprintd_data_file:dir create_dir_perms;
allow hal_fingerprint_default fingerprintd_data_file:file create_file_perms;
allow hal_fingerprint_default firmware_file:dir search;
allow hal_fingerprint_default firmware_file:file { getattr open read };
allow hal_fingerprint_default firmware_file:file r_file_perms;
allow hal_fingerprint_default firmware_file:lnk_file read;
allow hal_fingerprint_default fpc_data_file:dir { add_name remove_name search write };
allow hal_fingerprint_default fpc_data_file:sock_file { create unlink };
allow hal_fingerprint_default input_device:chr_file { ioctl open read };
allow hal_fingerprint_default input_device:dir { open read search };
allow hal_fingerprint_default fpc_data_file:dir create_dir_perms;
allow hal_fingerprint_default fpc_data_file:sock_file create_file_perms;
allow hal_fingerprint_default input_device:chr_file r_file_perms;
allow hal_fingerprint_default input_device:dir r_dir_perms;
allow hal_fingerprint_default sysfs:file write;
allow hal_fingerprint_default sysfs_battery_supply:dir search;
allow hal_fingerprint_default sysfs_battery_supply:file { getattr open read };
allow hal_fingerprint_default system_data_file:dir { add_name remove_name write };
allow hal_fingerprint_default system_data_file:sock_file { create unlink };
allow hal_fingerprint_default tee_device:chr_file { ioctl open read write };
allow hal_fingerprint_default sysfs_battery_supply:file r_file_perms;
allow hal_fingerprint_default system_data_file:dir create_dir_perms;
allow hal_fingerprint_default system_data_file:sock_file create_file_perms;
allow hal_fingerprint_default tee_device:chr_file rw_file_perms;
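Review bot: `create_dir_perms` on `system_data_file:dir` and `create_file_perms` on `system_data_file:sock_file` near the end of the section widen a vendor HAL's access to the core data directory well beyond the `{ add_name remove_name write }` / `{ create unlink }` they replace, adding read, search, rename, rmdir and setattr on the directory and read, write, rename and setattr on socket nodes. `allow hal_fingerprint_default system_data_file:dir w_dir_perms;` together with the original `allow hal_fingerprint_default system_data_file:sock_file { create unlink };` keeps the macro cleanup without the extra rights; the fpc_data_file and fingerprintd_data_file lines are the right place for the create_* macros. Since a vendor domain touching system_data_file is the kind of rule AOSP's vendor/core split restricts, confirm the result against the build's neverallow pass. The file header is outside this view, so old/new sides are inferred from the print order.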
allow hal_health_default sysfs:file { getattr open read };
allow hal_health_default sysfs:file rw_file_perms;
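Review bot: `rw_file_perms` here turns a read-only grant (`{ getattr open read }`) into read-write on every file carrying the generic `sysfs` label, which is not narrowed by path, so the health HAL gains write access it did not have before. If a write is actually needed for one node, label that node with its own sysfs_* type and grant `w_file_perms` on it; otherwise keep `allow hal_health_default sysfs:file r_file_perms;`. The neighbouring hal_light_default and hal_power_default lines already carried write, so they are not widened in the same way.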
allow hal_light_default sysfs:file { open read write };
allow hal_light_default sysfs:file rw_file_perms;
allow hal_power_default sysfs:file { open write };
allow hal_power_default sysfs:file rw_file_perms;
allow hal_wifi_default firmware_file:dir search;
allow hal_wifi_default firmware_file:file { open read };
allow hal_wifi_default firmware_file:file r_file_perms;
allow hal_wifi_default sysfs:file write;
allow hal_wifi_default system_data_file:file { open read };
allow hal_wifi_default ta_data_file:dir { read search };
allow hal_wifi_default ta_data_file:file { open read };
allow hal_wifi_default system_data_file:file r_file_perms;
allow hal_wifi_default ta_data_file:dir r_dir_perms;
allow hal_wifi_default ta_data_file:file r_file_perms;
allow hwservicemanager hal_drm_clearkey:dir search;
allow hwservicemanager hal_drm_clearkey:file { open read };
allow hwservicemanager hal_drm_clearkey:file r_file_perms;
allow hwservicemanager hal_drm_clearkey:process getattr;
allow hwservicemanager hal_dumpstate_impl:dir rw_dir_perms;
allow hwservicemanager hal_dumpstate_impl:file rw_file_perms;
allow hwservicemanager hal_dumpstate_impl:binder { call transfer };
allow hwservicemanager hal_dumpstate_impl:process getattr;
allow hwservicemanager init:dir search;
allow hwservicemanager init:file { open read };
allow hwservicemanager init:file r_file_perms;
allow hwservicemanager init:process getattr;
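Review bot: The `hal_dumpstate_impl:dir rw_dir_perms` / `hal_dumpstate_impl:file rw_file_perms` pair is out of step with the rest of this file, where hwservicemanager only gets `dir search`, `file r_file_perms` and `process getattr` on a client domain (presumably the /proc/<pid> lookup behind its context checks). Whether these two lines are new or pre-existing is not recoverable from this rendering, but hwservicemanager has no reason to write to another domain's process files; `allow hwservicemanager hal_dumpstate_impl:dir search;` and `allow hwservicemanager hal_dumpstate_impl:file r_file_perms;` would match the clearkey and init entries.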
......@@ -15,7 +15,7 @@ allow init-power-sh sysfs_cpu_boost:file rw_file_perms;
allow init-power-sh sysfs_devices_system_cpu:file w_file_perms;
allow init-power-sh sysfs_kgsl:file rw_file_perms;
allow init-power-sh sysfs_msm_perf:dir search;
allow init-power-sh sysfs_msm_perf:file { open write };
allow init-power-sh sysfs_msm_perf:file rw_file_perms;
allow init-power-sh sysfs_performance:dir r_dir_perms;
allow init-power-sh sysfs_performance:file w_file_perms;
allow init-power-sh sysfs_thermal:dir r_dir_perms;
......
allow init binder_per_mgr_service:service_manager find;
allow init block_device:blk_file { ioctl setattr write };
allow init block_device:blk_file create_file_perms;
allow init cameraserver:fd use;
allow init diag_data_file:dir mounton;
allow init diag_partition_device:blk_file r_file_perms;
......@@ -7,30 +7,30 @@ allow init hal_drm_hwservice:hwservice_manager { add find };
allow init hal_dumpstate_hwservice:hwservice_manager { add find };
allow init hidl_base_hwservice:hwservice_manager add;
allow init hwservicemanager:binder { call transfer };
allow init ion_device:chr_file { ioctl open read };
allow init ion_device:chr_file r_file_perms;
allow init iorapd_data_file:file getattr;
allow init per_mgr:binder { call transfer };
allow init proc:file write;
allow init proc_dirty_ratio:file write;
allow init proc_interrupts:file { getattr open read };
allow init proc_interrupts:file r_file_perms;
allow init self:capability2 block_suspend;
allow init self:socket { bind create ioctl read write };
allow init self:socket create_socket_perms;
allow init servicemanager:binder call;
allow init socket_device:sock_file { create setattr unlink write };
allow init sysfs:file { open read setattr write };
allow init socket_device:sock_file create_file_perms;
allow init sysfs:file create_file_perms;
allow init sysfs_camera_torch:lnk_file read;
allow init sysfs_cpu_boost:file { open write };
allow init sysfs_devices_system_cpu:file write;
allow init sysfs_graphics:file { open read };
allow init sysfs_kgsl:file { open write };
allow init sysfs_cpu_boost:file rw_file_perms;
allow init sysfs_devices_system_cpu:file rw_file_perms;
allow init sysfs_graphics:file r_file_perms;
allow init sysfs_kgsl:file rw_file_perms;
allow init sysfs_livedisplay_tuneable:file setattr;
allow init sysfs_msm_perf:file { open write };
allow init sysfs_msm_perf:file rw_file_perms;
allow init sysfs_thermal:file write;
allow init sysfs_wake_lock:file { append open };
allow init system_data_file:file { ioctl lock };
allow init sysfs_wake_lock:file ra_file_perms;
allow init system_data_file:file r_file_perms;
allow init system_file:dir relabelfrom;
allow init system_file:file execute_no_trans;
allow init tee_device:chr_file { ioctl open read write };
allow init tee_device:chr_file rw_file_perms;
allow init trim_area_partition_device:blk_file setattr;
allow init vendor_file:file execute_no_trans;
allow init video_device:chr_file { ioctl open read write };
allow init video_device:chr_file rw_file_perms;
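Review bot: `create_file_perms` on `init block_device:blk_file` and on `init sysfs:file` in the middle of the hunk replaces `{ ioctl setattr write }` and `{ open read setattr write }` with create, rename and unlink rights that init did not have before; on block device nodes that is the right to create and remove device nodes, and on sysfs the extra bits are meaningless but still widen the policy. `allow init block_device:blk_file { rw_file_perms setattr };` and `allow init sysfs:file { rw_file_perms setattr };` keep the setattr the old rules needed while leaving the change a macro cleanup. The `socket_device:sock_file create_file_perms` line deserves the same look, since the old set lacked read and rename. The hunk is a 30-line slice of init.te, so the file continues on both sides of it.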
type loc_launcher, domain;
type loc_launcher_exec, exec_type, file_type;
# Started by init
init_daemon_domain(loc_launcher)
allow loc_launcher location_data_file:dir { add_name remove_name search write };
allow loc_launcher location_data_file:sock_file { create setattr unlink };
allow loc_launcher self:capability setuid;
......@@ -5,4 +5,4 @@ type mlog_qmi_service_exec, exec_type, file_type;
init_daemon_domain(mlog_qmi_service)
allow mlog_qmi_service self:capability net_raw;
allow mlog_qmi_service self:socket { bind create ioctl read write };
allow mlog_qmi_service self:socket create_socket_perms;
......@@ -4,8 +4,8 @@ type msm_irqbalance_exec, exec_type, file_type;
# Started by init
init_daemon_domain(msm_irqbalance)
allow msm_irqbalance proc:file { getattr open read write };
allow msm_irqbalance proc_interrupts:file { getattr open read };
allow msm_irqbalance proc_stat:file { getattr open read };
allow msm_irqbalance proc:file rw_file_perms;
allow msm_irqbalance proc_interrupts:file r_file_perms;
allow msm_irqbalance proc_stat:file r_file_perms;
allow msm_irqbalance self:capability { dac_override setgid setuid };
allow msm_irqbalance sysfs_devices_system_cpu:file write;
......@@ -5,14 +5,14 @@ type qcamerasvr_exec, exec_type, file_type;
# Started by init
init_daemon_domain(qcamerasvr)
allow qcamerasvr camera_data_file:dir { add_name remove_name search write };
allow qcamerasvr camera_data_file:dir w_dir_perms;
allow qcamerasvr camera_data_file:sock_file { create unlink };
allow qcamerasvr camera_prop:file { getattr open read };
allow qcamerasvr camera_prop:file r_file_perms;
allow qcamerasvr camera_socket:sock_file unlink;
allow qcamerasvr cameraserver:fd use;
allow qcamerasvr hal_graphics_allocator_default:fd use;
allow qcamerasvr ion_device:chr_file r_file_perms;
allow qcamerasvr sysfs:file rw_file_perms;
allow qcamerasvr sysfs_graphics:file { open read };
allow qcamerasvr sysfs_graphics:file r_file_perms;
allow qcamerasvr ta_data_file:dir search;
allow qcamerasvr video_device:chr_file { ioctl open read write };
allow qcamerasvr video_device:chr_file rw_file_perms;
......@@ -2,10 +2,10 @@
unix_socket_connect(rild, tad, tad)
# Misc
allow rild cache_file:dir { rw_file_perms remove_name search };
allow rild cache_file:dir create_dir_perms;
allow rild firmware_file:dir search;
allow rild firmware_file:file { getattr open read };
allow rild ion_device:chr_file { ioctl open read };
allow rild firmware_file:file r_file_perms;
allow rild ion_device:chr_file r_file_perms;
allow rild self:capability { dac_override sys_module };
allow rild socket_device:sock_file write;
allow rild tee_device:chr_file { ioctl open read write };
allow rild tee_device:chr_file rw_file_perms;
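Review bot: `create_dir_perms` on `rild cache_file:dir` adds create, rmdir, rename and setattr on the cache directory, whereas the rule it replaces (which mixed file permissions into a dir class) amounted to read, write, remove_name and search. `allow rild cache_file:dir rw_dir_perms;` expresses that intent with the correct dir-class macro and adds only add_name; keep create_dir_perms only if rild is known to create or remove subdirectories there. The section shows a 10-line slice of the file, so surrounding rules are outside this view.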