Merge "Adding context and allows to handle boot denials"

2026-02-01 07:50:47 +00:00 · 2017-03-24 16:12:17 +00:00
parent b6eac2ab5d 0ef2f5d6b6
commit 3608be21ba
24 changed files with 114 additions and 25 deletions
--- a/sepolicy/adsprpcd.te
+++ b/sepolicy/adsprpcd.te
@@ -3,6 +3,11 @@ type adsprpcd_exec, exec_type, file_type;

 init_daemon_domain(adsprpcd)

+allow adsprpcd ion_device:chr_file r_file_perms;
+allow adsprpcd qdsp_device:chr_file r_file_perms;
+
+allow adsprpcd system_file:dir r_dir_perms;
+
 userdebug_or_eng(`
 permissive adsprpcd;
 ')
--- a/sepolicy/cnd.te
+++ b/sepolicy/cnd.te
@@ -3,6 +3,12 @@ type cnd_exec, exec_type, file_type;

 file_type_auto_trans(cnd, socket_device, cnd_socket);

+allow cnd self:capability { setgid setuid };
+
+allow cnd proc_meminfo:file r_file_perms;
+
+r_dir_file(cnd, sysfs_msm_subsys)
+
 allow cnd self:socket create_socket_perms;
 allowxperm cnd self:socket ioctl IPC_ROUTER_IOCTL_LOOKUP_SERVER;

--- a/sepolicy/device.te
+++ b/sepolicy/device.te
@@ -1,6 +1,6 @@
 type at_device, dev_type;
-type bt_device, dev_type;
 type avtimer_device, dev_type;
+type bt_device, dev_type;
 type diag_device, dev_type, mlstrustedobject;
 type dsp_device, dev_type;
 type hbtp_device, dev_type;
--- a/sepolicy/file.te
+++ b/sepolicy/file.te
@@ -1,6 +1,7 @@
 type sysfs_camera, sysfs_type, fs_type;
 type sysfs_fingerprint, sysfs_type, fs_type;
 type sysfs_graphics, sysfs_type, fs_type;
+type sysfs_mdss_mdp_caps, sysfs_type, fs_type;
 type sysfs_msm_subsys, sysfs_type, fs_type;
 type sysfs_msm_subsys_restart, sysfs_type, fs_type;
 type sysfs_net, sysfs_type, fs_type;
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -51,14 +51,21 @@
 # dev block nodes
 /dev/block/sdd[0-9]+                            u:object_r:sdd_block_device:s0
 /dev/block/sdf[0-9]+                            u:object_r:sdf_block_device:s0
-/dev/block/sda[0-9]+                            u:object_r:sda_block_device:s0
+/dev/block/sda[0-9]*                            u:object_r:sda_block_device:s0

 # files in sysfs
 /sys/class/uio(/.*)?                                                u:object_r:sysfs_uio:s0
+/sys/devices/soc/a1800000\.qcom,rmtfs_rtel_sharedmem(/.*)?          u:object_r:sysfs_rmtfs:s0
+/sys/devices/soc/800f000\.qcom,spmi(/.*)?                           u:object_r:sysfs_msm_subsys:s0
+/sys/devices/soc/4080000\.qcom,mss(/.*)?                            u:object_r:sysfs_msm_subsys:s0
+/sys/devices/soc/17300000\.qcom,lpass(/.*)?                         u:object_r:sysfs_msm_subsys:s0
 /sys/devices/soc/1d0101c\.qcom,spss(/.*)?                           u:object_r:sysfs_msm_subsys:s0
 /sys/devices/soc/5c00000\.qcom,ssc(/.*)?                            u:object_r:sysfs_msm_subsys:s0
+/sys/devices/soc/c900000\.qcom,mdss_rotator(/.*)?                   u:object_r:sysfs_msm_subsys:s0
+/sys/devices/soc/c900000\.qcom,mdss_mdp/caps                        u:object_r:sysfs_mdss_mdp_caps:s0
 /sys/devices/soc/c900000\.qcom,mdss_mdp/c900000\.qcom,mdss_mdp:qcom,mdss_fb_primary/leds(/.*)? u:object_r:sysfs_leds:s0
 /sys/devices/soc/800f000\.qcom,spmi/spmi-0/spmi0-03/800f000\.qcom,spmi:qcom,pmi8998@3:qcom,leds@d000/leds(/.*)? u:object_r:sysfs_leds:s0
+/sys/devices/soc/5000000\.qcom,kgsl-3d0(/.*)?                       u:object_r:sysfs_msm_subsys:s0
 /sys/devices/soc/soc:qcom,kgsl-hyp(/.*)?                            u:object_r:sysfs_msm_subsys:s0
 /sys/devices/soc/soc:qcom,ipa_fws@1e08000(/.*)?                     u:object_r:sysfs_msm_subsys:s0
 /sys/devices/soc/cce0000\.qcom,venus(/.*)?                          u:object_r:sysfs_msm_subsys:s0
--- a/sepolicy/hal_bluetooth_default.te
+++ b/sepolicy/hal_bluetooth_default.te
@@ -1,3 +1,2 @@
-get_prop(hal_bluetooth_default, wc_prop)
-
 allow hal_bluetooth_default bt_device:chr_file rw_file_perms;
+set_prop(hal_bluetooth_default, wc_prop)
--- a/sepolicy/hal_bootctl_default.te
+++ b/sepolicy/hal_bootctl_default.te
@@ -0,0 +1 @@
+allow hal_bootctl_default sda_block_device:blk_file rw_file_perms;
--- a/sepolicy/hal_fingerprint.te
+++ b/sepolicy/hal_fingerprint.te
@@ -1,8 +1,9 @@
 binder_use(hal_fingerprint)

-allow hal_fingerprint sysfs_fingerprint:file rw_file_perms;
 allow hal_fingerprint sysfs_fingerprint:dir r_dir_perms;
+allow hal_fingerprint sysfs_fingerprint:file rw_file_perms;
 allow hal_fingerprint sysfs_msm_subsys:dir search;
+allow hal_fingerprint sysfs_msm_subsys:file r_file_perms;
 allow hal_fingerprint tee_device:file rw_file_perms;
 allow hal_fingerprint tee_device:chr_file rw_file_perms;
 allow hal_fingerprint uhid_device:chr_file w_file_perms;
--- a/sepolicy/hal_graphics_composer_default.te
+++ b/sepolicy/hal_graphics_composer_default.te
@@ -4,5 +4,16 @@ binder_service(hal_graphics_composer_default)
 binder_use(hal_graphics_composer_default)
 allow hal_graphics_composer_default surfaceflinger_service:service_manager { add find };

+allow hal_graphics_composer_default sysfs_camera:dir search;
+allow hal_graphics_composer_default sysfs_camera:file r_file_perms;
+allow hal_graphics_composer_default sysfs_msm_subsys:dir search;
+allow hal_graphics_composer_default sysfs_msm_subsys:file r_file_perms;
+allow hal_graphics_composer_default sysfs_mdss_mdp_caps:file r_file_perms;
+
+r_dir_file(hal_graphics_composer_default, sysfs_leds)
+
 # HWC_UeventThread
 allow hal_graphics_composer_default self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+
+# Access /sys/devices/virtual/graphics/fb0
+r_dir_file(hal_graphics_composer_default, sysfs_type)
--- a/sepolicy/ims.te
+++ b/sepolicy/ims.te
@@ -4,10 +4,13 @@ type ims_exec, exec_type, file_type;
 init_daemon_domain(ims)
 net_domain(ims)

+allow ims sysfs_soc:dir search;
+allow ims sysfs_soc:file r_file_perms;
+
 allow ims self:socket create_socket_perms;
 allow ims self:netlink_generic_socket create_socket_perms_no_ioctl;
 allow ims netmgrd_socket:sock_file w_file_perms;
 allowxperm ims self:socket ioctl msm_sock_ipc_ioctls;
 allowxperm ims self:udp_socket ioctl RMNET_IOCTL_EXTENDED;

-r_dir_file(ims, sysfs_msm_subsys);
+r_dir_file(ims, sysfs_msm_subsys)
--- a/sepolicy/init.te
+++ b/sepolicy/init.te
@@ -1,5 +1,6 @@
 # symlink /sdcard to backing block
 allow init tmpfs:lnk_file create;
+allow init configfs:lnk_file create;

 allow init configfs:lnk_file create;

@@ -7,6 +8,8 @@ allow init self:capability sys_module;
 allow init system_file:system module_load;
 allow init firmware_file:dir mounton;
 allow init configfs:file w_file_perms;
+
 allow init tty_device:chr_file rw_file_perms;
+allow init ipa_dev:chr_file w_file_perms;

 allow init persist_file:dir mounton;
--- a/sepolicy/init_radio.te
+++ b/sepolicy/init_radio.te
@@ -4,7 +4,9 @@ type init_radio_exec, exec_type, file_type;

 init_daemon_domain(init_radio)

+allow init_radio shell_exec:file r_file_perms;
 allow init_radio toolbox_exec:file rx_file_perms;
+
 allow init_radio radio_data_file:dir create_dir_perms;
 allow init_radio radio_data_file:file create_file_perms;

--- a/sepolicy/location.te
+++ b/sepolicy/location.te
@@ -18,8 +18,8 @@ allow location location_data_file:dir w_dir_perms;
 allow location location_data_file:sock_file create_file_perms;

 allow location self:netlink_route_socket create_socket_perms_no_ioctl;
-allow location self:netlink_generic_socket rw_socket_perms_no_ioctl;
-allow location self:netlink_socket read;
+allow location self:netlink_generic_socket create_socket_perms_no_ioctl;
+allow location self:netlink_socket create_socket_perms_no_ioctl;
 allow location self:socket create_socket_perms;
 allow location self:udp_socket create_socket_perms;
 allowxperm location self:socket ioctl IPC_ROUTER_IOCTL_LOOKUP_SERVER;
--- a/sepolicy/netmgrd.te
+++ b/sepolicy/netmgrd.te
@@ -13,6 +13,7 @@ allow netmgrd netmgrd_socket:dir w_dir_perms;
 allow netmgrd netmgrd_socket:sock_file { create setattr };
 allow netmgrd self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_write };
 allow netmgrd self:netlink_generic_socket create_socket_perms_no_ioctl;
+allow netmgrd self:netlink_route_socket nlmsg_write;
 allow netmgrd self:netlink_socket create_socket_perms_no_ioctl;
 allow netmgrd self:socket create_socket_perms;
 allowxperm netmgrd self:socket ioctl msm_sock_ipc_ioctls;
@@ -24,12 +25,18 @@ allow netmgrd sysfs_soc:file r_file_perms;
 allow netmgrd sysfs_msm_subsys:dir r_dir_perms;
 allow netmgrd sysfs_msm_subsys:file r_file_perms;

+r_dir_file(netmgrd, sysfs_msm_subsys)
+
+wakelock_use(netmgrd)
+
 allow netmgrd proc_net:file rw_file_perms;
 allow netmgrd net_data_file:dir r_dir_perms;
-allow netmgrd netmgr_data_file:file rw_file_perms;
+allow netmgrd net_data_file:file r_file_perms;
+allow netmgrd netmgr_data_file:dir rw_dir_perms;
+allow netmgrd netmgr_data_file:file create_file_perms;
 allow netmgrd system_file:file execute_no_trans;

-allow netmgrd self:capability { net_admin net_raw setuid };
+allow netmgrd self:capability { net_admin net_raw setgid setpcap setuid };

 allow netmgrd toolbox_exec:file rx_file_perms;

--- a/sepolicy/pd_services.te
+++ b/sepolicy/pd_services.te
@@ -3,7 +3,15 @@ type pd_mapper, domain;
 type pd_mapper_exec, exec_type, file_type;
 init_daemon_domain(pd_mapper);

-allow pd_mapper self:socket rw_socket_perms_no_ioctl;
+allow pd_mapper self:capability { setgid setpcap setuid net_bind_service };
+
+allow pd_mapper firmware_file:dir r_dir_perms;
+allow pd_mapper firmware_file:file r_file_perms;
+
+allow pd_mapper self:socket create_socket_perms;
+allowxperm pd_mapper self:socket ioctl IPC_ROUTER_IOCTL_BIND_CONTROL_PORT;
+
+r_dir_file(pd_mapper, sysfs_msm_subsys)

 userdebug_or_eng(`
 permissive pd_mapper;
--- a/sepolicy/per_mgr.te
+++ b/sepolicy/per_mgr.te
@@ -13,13 +13,12 @@ allow per_mgr self:capability net_bind_service;

 allow per_mgr firmware_file:file r_file_perms;
 allow per_mgr firmware_file:dir search;
-allow per_mgr sysfs_msm_subsys:lnk_file r_file_perms;
-allow per_mgr sysfs_msm_subsys:dir r_dir_perms;

 allow per_mgr self:socket create_socket_perms;
 allowxperm per_mgr self:socket ioctl msm_sock_ipc_ioctls;
 allow per_mgr ssr_device:chr_file { open read };

+r_dir_file(per_mgr, sysfs_msm_subsys)
 r_dir_file(per_mgr, sysfs)

 userdebug_or_eng(`
--- a/sepolicy/qti.te
+++ b/sepolicy/qti.te
@@ -4,9 +4,16 @@ type qti_exec, exec_type, file_type;
 init_daemon_domain(qti)
 net_domain(qti)

+allow qti sysfs_soc:dir search;
+allow qti sysfs_soc:file r_file_perms;
+
+allow qti rmnet_device:chr_file rw_file_perms;
+
 allow qti self:socket create_socket_perms;
 allowxperm qti self:socket ioctl msm_sock_ipc_ioctls;

+r_dir_file(qti, sysfs_msm_subsys)
+
 userdebug_or_eng(`
 permissive qti;
 ')
--- a/sepolicy/ramdump.te
+++ b/sepolicy/ramdump.te
@@ -7,8 +7,9 @@ userdebug_or_eng(`
  allow ramdump self:capability sys_rawio;

  allow ramdump sda_block_device:blk_file rw_file_perms;
-  allow ramdump ramdump_data_file:file rw_file_perms;
+  allow ramdump sdd_block_device:blk_file rw_file_perms;
  allow ramdump ramdump_data_file:dir w_dir_perms;
+  allow ramdump ramdump_data_file:file create_file_perms;

  # read from /fstab.taimen
  allow ramdump rootfs:file r_file_perms;
--- a/sepolicy/rfs_access.te
+++ b/sepolicy/rfs_access.te
@@ -4,9 +4,9 @@ type rfs_access_exec, exec_type, file_type;
 init_daemon_domain(rfs_access)

 #For tftp server
-allow rfs_access self:capability { setgid setuid };
+allow rfs_access self:capability { chown setgid setpcap setuid net_bind_service };

-allow rfs_access sysfs_wake_lock:file w_file_perms;
+wakelock_use(rfs_access)

 # For tftp server file access
 allow rfs_access firmware_file:file r_file_perms;
@@ -14,9 +14,6 @@ allow rfs_access firmware_file:dir search;
 allow rfs_access persist_file:file create_file_perms;
 allow rfs_access persist_file:dir rw_dir_perms;

-allow rfs_access self:capability { chown setpcap };
-allow rfs_access self:capability2 { block_suspend };
-
 allow rfs_access self:socket create_socket_perms_no_ioctl;

 userdebug_or_eng(`
--- a/sepolicy/rmt_storage.te
+++ b/sepolicy/rmt_storage.te
@@ -13,12 +13,16 @@ allow rmt_storage uio_device:chr_file rw_file_perms;

 allow rmt_storage sysfs_uio:dir r_dir_perms;
 allow rmt_storage sysfs_uio:lnk_file r_file_perms;
+
+allow rmt_storage sysfs_rmtfs:dir search;
 allow rmt_storage sysfs_rmtfs:file r_file_perms;
 allow rmt_storage sysfs_rmtfs:dir search;

+allow rmt_storage debugfs_rmt_storage:dir search;
 allow rmt_storage debugfs_rmt_storage:file w_file_perms;

-allow rmt_storage self:socket create_socket_perms_no_ioctl;
+allow rmt_storage self:socket create_socket_perms;
+allowxperm rmt_storage self:socket ioctl IPC_ROUTER_IOCTL_BIND_CONTROL_PORT;

 userdebug_or_eng(`
 permissive rmt_storage;
--- a/sepolicy/sensors.te
+++ b/sepolicy/sensors.te
@@ -4,13 +4,19 @@ type sensors_exec, exec_type, file_type;

 init_daemon_domain(sensors)

-allow sensors self:socket create_socket_perms;
-allowxperm sensors self:socket ioctl IPC_ROUTER_IOCTL_BIND_CONTROL_PORT;
+allow sensors self:capability { setgid setuid };

+allow sensors self:socket create_socket_perms;
+allowxperm sensors self:socket ioctl msm_sock_ipc_ioctls;
+
+allow sensors persist_sensors_file:dir r_dir_perms;
 allow sensors persist_sensors_file:file rw_file_perms;
 allow sensors persist_sensors_file:dir r_dir_perms;
 allow sensors persist_file:dir getattr;

+allow sensors system_file:dir r_dir_perms;
+allow sensors sensors_device:chr_file r_file_perms;
+
 r_dir_file(sensors, sysfs_msm_subsys)

 userdebug_or_eng(`
--- a/sepolicy/thermal-engine.te
+++ b/sepolicy/thermal-engine.te
@@ -8,13 +8,20 @@ allow thermal-engine self:capability2 block_suspend;
 # to read /sys/devices
 allow thermal-engine sysfs:dir r_dir_perms;

+allow thermal-engine sysfs_msm_subsys:file r_file_perms;
+allow thermal-engine sysfs_msm_subsys:file rw_file_perms;
+allow thermal-engine sysfs_soc:dir search;
+allow thermal-engine sysfs_soc:file r_file_perms;
 allow thermal-engine sysfs_thermal:dir r_dir_perms;
 allow thermal-engine sysfs_thermal:file rw_file_perms;

 allow thermal-engine sysfs_rmtfs:file r_file_perms;

-r_dir_file(thermal-engine, sysfs_uio)
+allow thermal-engine audio_device:chr_file rw_file_perms;
+
+r_dir_file(thermal-engine, sysfs_leds)
 r_dir_file(thermal-engine, sysfs_msm_subsys)
+r_dir_file(thermal-engine, sysfs_uio)

 allow thermal-engine self:socket create_socket_perms;
 allowxperm thermal-engine self:socket ioctl msm_sock_ipc_ioctls;
--- a/sepolicy/update_verifier.te
+++ b/sepolicy/update_verifier.te
@@ -0,0 +1,2 @@
+allow update_verifier block_device:dir r_dir_perms;
+allow update_verifier sda_block_device:blk_file rw_file_perms;
--- a/sepolicy/wcnss_service.te
+++ b/sepolicy/wcnss_service.te
@@ -4,14 +4,26 @@ type wcnss_service_exec, exec_type, file_type;
 init_daemon_domain(wcnss_service)
 net_domain(wcnss_service)

+binder_use(wcnss_service)
+binder_call(wcnss_service, per_mgr)
+
 allow wcnss_service shell_exec:file rx_file_perms;
 allow wcnss_service toolbox_exec:file rx_file_perms;

 allow wcnss_service proc_net:file w_file_perms;

 allow wcnss_service self:socket create_socket_perms;
-allowxperm wcnss_service self:socket ioctl IPC_ROUTER_IOCTL_LOOKUP_SERVER;
-allow wcnss_service self:netlink_socket read;
+allowxperm wcnss_service self:socket ioctl msm_sock_ipc_ioctls;
+allow wcnss_service self:netlink_generic_socket create_socket_perms_no_ioctl;
+allow wcnss_service self:netlink_socket create_socket_perms_no_ioctl;
+
+allow wcnss_service wifi_data_file:dir rw_dir_perms;
+allow wcnss_service wifi_data_file:file create_file_perms;
+
+r_dir_file(wcnss_service, sysfs_msm_subsys)
+
+allow wcnss_service sysfs_soc:dir search;
+allow wcnss_service sysfs_soc:file r_file_perms;

 userdebug_or_eng(`
 permissive wcnss_service;
				`@@ -0,0 +1 @@`
				`allow hal_bootctl_default sda_block_device:blk_file rw_file_perms;`