Merge "Adding contexts and rules to address denials."

sepolicy/device.te

@@ -1,17 +1,18 @@
-type diag_device, dev_type, mlstrustedobject;
-type smd_device, dev_type;
-type ipa_dev, dev_type;
-type rmnet_device, dev_type;
 type at_device, dev_type;
-type qsee_ipc_irq_spss_device, dev_type;
-type seemplog_device, dev_type;
-type spcom_device, dev_type;
-type qdsp_device, dev_type, mlstrustedobject;
-type dsp_device, dev_type;
 type avtimer_device, dev_type;
-type ssr_device, dev_type;
-type ramdump_device, dev_type;
+type diag_device, dev_type, mlstrustedobject;
+type dsp_device, dev_type;
 type hbtp_device, dev_type;
-type sg_device, dev_type;
+type ipa_dev, dev_type;
+type qsee_ipc_irq_spss_device, dev_type;
+type qdsp_device, dev_type, mlstrustedobject;
+type ramdump_device, dev_type;
+type rmnet_device, dev_type;
+type sda_block_device, dev_type;
 type sdd_block_device, dev_type;
 type sdf_block_device, dev_type;
+type seemplog_device, dev_type;
+type sg_device, dev_type;
+type smd_device, dev_type;
+type spcom_device, dev_type;
+type ssr_device, dev_type;

sepolicy/file.te

@@ -1,12 +1,11 @@
-type sysfs_graphics, sysfs_type, fs_type;
 type sysfs_camera, sysfs_type, fs_type;
-type sysfs_soc, sysfs_type, fs_type;
-type sysfs_rmtfs, sysfs_type, fs_type;
-type sysfs_net, sysfs_type, fs_type;
 type sysfs_fingerprint, sysfs_type, fs_type;
+type sysfs_graphics, sysfs_type, fs_type;
 type sysfs_msm_subsys, sysfs_type, fs_type;
 type sysfs_msm_subsys_restart, sysfs_type, fs_type;
-
+type sysfs_net, sysfs_type, fs_type;
+type sysfs_rmtfs, sysfs_type, fs_type;
+type sysfs_soc, sysfs_type, fs_type;
 type debugfs_rmt_storage, debugfs_type, fs_type;
 
 # /proc

sepolicy/file_contexts

@@ -50,11 +50,13 @@
 # dev block nodes
 /dev/block/sdd[0-9]+                            u:object_r:sdd_block_device:s0
 /dev/block/sdf[0-9]+                            u:object_r:sdf_block_device:s0
+/dev/block/sda[0-9]+                            u:object_r:sda_block_device:s0
 
 # files in sysfs
 /sys/class/uio(/.*)?                                                u:object_r:sysfs_uio:s0
-/sys/devices/soc/c900000.qcom,mdss_mdp/c900000.qcom,mdss_mdp:qcom,mdss_fb_primary/leds(/.*)? u:object_r:sysfs_leds:s0
-/sys/devices/soc/800f000.qcom,spmi/spmi-0/spmi0-03/800f000.qcom,spmi:qcom,pmi8998@3:qcom,leds@d000/leds(/.*)? u:object_r:sysfs_leds:s0
+/sys/devices/soc/1d0101c\.qcom,spss(/.*)?                           u:object_r:sysfs_msm_subsys:s0
+/sys/devices/soc/c900000\.qcom,mdss_mdp/c900000\.qcom,mdss_mdp:qcom,mdss_fb_primary/leds(/.*)? u:object_r:sysfs_leds:s0
+/sys/devices/soc/800f000\.qcom,spmi/spmi-0/spmi0-03/800f000\.qcom,spmi:qcom,pmi8998@3:qcom,leds@d000/leds(/.*)? u:object_r:sysfs_leds:s0
 /sys/devices/soc/soc:qcom,ipa_fws@1e08000(/.*)?                     u:object_r:sysfs_msm_subsys:s0
 /sys/devices/soc/cce0000\.qcom,venus(/.*)?                          u:object_r:sysfs_msm_subsys:s0
 /sys/devices/soc/0\.qcom,rmtfs_sharedmem(/.*)?                      u:object_r:sysfs_rmtfs:s0

sepolicy/fsck.te

@@ -0,0 +1 @@
+allow fsck sda_block_device:blk_file rw_file_perms;

sepolicy/sensors.te

@@ -6,6 +6,8 @@ init_daemon_domain(sensors)
 
 allow sensors self:socket rw_socket_perms_no_ioctl;
 
+allow sensors persist_sensors_file:file rw_file_perms;
+
 r_dir_file(sensors, sysfs_msm_subsys)
 
 userdebug_or_eng(`

sepolicy/thermal-engine.te

@@ -5,11 +5,16 @@ init_daemon_domain(thermal-engine)
 
 allow thermal-engine self:capability2 block_suspend;
 
+# to read /sys/devices
+allow thermal-engine sysfs:dir r_dir_perms;
+
 allow thermal-engine sysfs_thermal:dir r_dir_perms;
 allow thermal-engine sysfs_thermal:file rw_file_perms;
+
 allow thermal-engine sysfs_rmtfs:file r_file_perms;
-allow thermal-engine sysfs_uio:lnk_file r_file_perms;
-allow thermal-engine sysfs_uio:dir r_dir_perms;
+
+r_dir_file(thermal-engine, sysfs_uio)
+r_dir_file(thermal-engine, sysfs_msm_subsys)
 
 allow thermal-engine self:socket create_socket_perms;
 allowxperm thermal-engine self:socket ioctl msm_sock_ipc_ioctls;