diff --git a/sepolicy/cnd.te b/sepolicy/cnd.te
index bbd50a64..e3764223 100644
--- a/sepolicy/cnd.te
+++ b/sepolicy/cnd.te
@@ -3,14 +3,23 @@ type cnd_exec, exec_type, file_type;
 file_type_auto_trans(cnd, socket_device, cnd_socket);
-allow cnd self:capability { setgid setuid };
+allow cnd self:capability { chown fsetid setgid setuid };
+
+allow cnd self:udp_socket create_socket_perms;
+allowxperm cnd self:udp_socket ioctl SIOCGIFMTU;
+
+allow cnd wpa_socket:dir w_dir_perms;
+allow cnd wpa_socket:sock_file create_file_perms;
+
+allow cnd sysfs_soc:dir search;
+allow cnd sysfs_soc:file r_file_perms;
 allow cnd proc_meminfo:file r_file_perms;
 r_dir_file(cnd, sysfs_msm_subsys)
 allow cnd self:socket create_socket_perms;
-allowxperm cnd self:socket ioctl IPC_ROUTER_IOCTL_LOOKUP_SERVER;
+allowxperm cnd self:socket ioctl msm_sock_ipc_ioctls;
 init_daemon_domain(cnd)
diff --git a/sepolicy/hal_camera.te b/sepolicy/hal_camera.te
index a3354c91..34fb7190 100644
--- a/sepolicy/hal_camera.te
+++ b/sepolicy/hal_camera.te
@@ -12,6 +12,8 @@ allow hal_camera self:capability sys_nice;
 allow hal_camera gpu_device:chr_file rw_file_perms;
+allow hal_camera perfd_socket:sock_file w_file_perms;
+
 # access to /dev/input/event{5,10}
 allow hal_camera input_device:dir r_dir_perms;
 allow hal_camera input_device:chr_file r_file_perms;
diff --git a/sepolicy/ims.te b/sepolicy/ims.te
index 56140ff9..4b1da667 100644
--- a/sepolicy/ims.te
+++ b/sepolicy/ims.te
@@ -4,6 +4,8 @@ type ims_exec, exec_type, file_type;
 init_daemon_domain(ims)
 net_domain(ims)
+set_prop(ims, ims_prop)
+
 allow ims sysfs_soc:dir search;
 allow ims sysfs_soc:file r_file_perms;
diff --git a/sepolicy/location.te b/sepolicy/location.te
index 1f58f1a9..e5958559 100644
--- a/sepolicy/location.te
+++ b/sepolicy/location.te
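Review bot: The widened line `allow cnd self:capability { chown fsetid setgid setuid };` and the new `allow cnd wpa_socket:sock_file create_file_perms;` come with no comment saying which cnd operation needs them, and CAP_CHOWN plus fsetid is a process-wide capability rather than something scoped to the wpa socket directory, so a later audit cannot tell whether the grant can be narrowed. If the only need is re-owning a control socket that cnd itself creates under the wpa_socket directory, that should be recorded above the rules, e.g. `# cnd creates and re-owns its own control socket in the wpa_socket dir`, and `create_file_perms` (which also covers unlink, rename and setattr on wpa_supplicant's own socket files) reduced to the permissions that actually appeared in the denials. The replacement of the single `IPC_ROUTER_IOCTL_LOOKUP_SERVER` with the whole `msm_sock_ipc_ioctls` set deserves the same one-line justification naming the additional ioctl that prompted it.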
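Review bot: `allow hal_camera perfd_socket:sock_file w_file_perms;` grants only the filesystem half of a Unix-socket connect; for a stream socket the kernel additionally checks `unix_stream_socket connectto` against the domain that owns the socket, so unless that rule already exists outside this hunk the connect() will still be denied. The conventional Android form grants both halves with just `write` on the socket file, `unix_socket_connect(hal_camera, perfd, perfd)`, assuming the serving domain is named `perfd` in this tree (if it is a datagram socket, the missing half is `unix_dgram_socket sendto` instead). A short comment naming what the camera HAL requests from perfd would also help, since `w_file_perms` on a socket file reads as a generic write grant rather than a client connection.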
@@ -22,7 +22,9 @@ allow location self:netlink_generic_socket create_socket_perms_no_ioctl;
 allow location self:netlink_socket create_socket_perms_no_ioctl;
 allow location self:socket create_socket_perms;
 allow location self:udp_socket create_socket_perms;
-allowxperm location self:socket ioctl IPC_ROUTER_IOCTL_LOOKUP_SERVER;
+allow location self:udp_socket create_socket_perms;
+allowxperm location self:udp_socket ioctl { SIOCGIFHWADDR SIOCIWFIRSTPRIV_05 };
+allowxperm location self:socket ioctl msm_sock_ipc_ioctls;
 # files in /sys
 r_dir_file(location, sysfs_type)
diff --git a/sepolicy/netmgrd.te b/sepolicy/netmgrd.te
index e6c16a6f..76940e4c 100644
--- a/sepolicy/netmgrd.te
+++ b/sepolicy/netmgrd.te
@@ -19,8 +19,9 @@ allow netmgrd self:socket create_socket_perms;
 allowxperm netmgrd self:socket ioctl msm_sock_ipc_ioctls;
 allowxperm netmgrd self:udp_socket ioctl priv_sock_ioctls;
-allow netmgrd sysfs_net:file rw_file_perms;
 allow netmgrd sysfs_net:dir r_dir_perms;
+allow netmgrd sysfs_net:file rw_file_perms;
+allow netmgrd sysfs_soc:dir search;
 allow netmgrd sysfs_soc:file r_file_perms;
 allow netmgrd sysfs_msm_subsys:dir r_dir_perms;
 allow netmgrd sysfs_msm_subsys:file r_file_perms;
diff --git a/sepolicy/property.te b/sepolicy/property.te
index 6a207b09..d79f2ff0 100644
--- a/sepolicy/property.te
+++ b/sepolicy/property.te
@@ -1,5 +1,7 @@
-type wc_prop, property_type;
 type camera_prop, property_type;
+type ims_prop, property_type;
+type keymaster_prop, property_type;
+type ramdump_prop, property_type;
 type ssr_prop, property_type;
 type tee_listener_prop, property_type;
-type keymaster_prop, property_type;
+type wc_prop, property_type;
diff --git a/sepolicy/property_contexts b/sepolicy/property_contexts
index 183dc5b3..4dce86b5 100644
--- a/sepolicy/property_contexts
+++ b/sepolicy/property_contexts
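Review bot: The added `allow location self:udp_socket create_socket_perms;` is a verbatim duplicate of the context line two lines above it, so it should be dropped from the hunk. `SIOCIWFIRSTPRIV_05` appears to be a driver-private wireless-extensions ioctl whose meaning is defined by the Wi-Fi driver rather than by the kernel ABI, so a comment recording what location uses it for, e.g. `# SIOCIWFIRSTPRIV_05: <driver op>, needed for <feature>`, lets the next reviewer confirm it still applies after a driver update. The same goes for replacing the single `IPC_ROUTER_IOCTL_LOOKUP_SERVER` with the full `msm_sock_ipc_ioctls` set: note which additional ioctl prompted the widening.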
@@ -1,6 +1,8 @@
-wc_transport. u:object_r:wc_prop:s0
 persist.camera. u:object_r:camera_prop:s0
-persist.net.doxlat u:object_r:net_radio_prop:s0
-sys.listeners.registered u:object_r:tee_listener_prop:s0
+sys.ims. u:object_r:ims_prop:s0
 sys.keymaster.loaded u:object_r:keymaster_prop:s0
+persist.net.doxlat u:object_r:net_radio_prop:s0
+debug.htc.hrdump u:object_r:ramdump_prop:s0
 debug.ssrdump u:object_r:ssr_prop:s0
+sys.listeners.registered u:object_r:tee_listener_prop:s0
+wc_transport. u:object_r:wc_prop:s0
diff --git a/sepolicy/radio.te b/sepolicy/radio.te
index 324a65da..f45adcb7 100644
--- a/sepolicy/radio.te
+++ b/sepolicy/radio.te
@@ -1 +1,3 @@
+get_prop(radio, ims_prop)
+
 r_dir_file(radio, sysfs_msm_subsys)
diff --git a/sepolicy/ramdump.te b/sepolicy/ramdump.te
index 62a98b82..09515b84 100644
--- a/sepolicy/ramdump.te
+++ b/sepolicy/ramdump.te
@@ -4,6 +4,8 @@ userdebug_or_eng(`
 type ramdump, domain;
 init_daemon_domain(ramdump)
+ set_prop(ramdump, ramdump_prop)
+
 allow ramdump self:capability sys_rawio;
 allow ramdump sda_block_device:blk_file rw_file_perms;
diff --git a/sepolicy/rfs_access.te b/sepolicy/rfs_access.te
index 389775c2..362416f7 100644
--- a/sepolicy/rfs_access.te
+++ b/sepolicy/rfs_access.te
@@ -9,10 +9,10 @@ allow rfs_access self:capability { chown setgid setpcap setuid net_bind_service
 wakelock_use(rfs_access)
 # For tftp server file access
-allow rfs_access firmware_file:file r_file_perms;
 allow rfs_access firmware_file:dir search;
+allow rfs_access firmware_file:file r_file_perms;
+allow rfs_access persist_file:dir { rw_dir_perms setattr };
 allow rfs_access persist_file:file create_file_perms;
-allow rfs_access persist_file:dir rw_dir_perms;
 allow rfs_access self:socket create_socket_perms_no_ioctl;
diff --git a/sepolicy/thermal-engine.te b/sepolicy/thermal-engine.te
index 7e7df228..43a5b41b 100644
--- a/sepolicy/thermal-engine.te
+++ b/sepolicy/thermal-engine.te
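Review bot: `sys.ims. u:object_r:ims_prop:s0` is a prefix entry, so every current and future property under `sys.ims.` becomes settable by the `ims` domain and readable by `radio` through the new label added elsewhere in this diff; if the daemon writes a known, small set of properties, one exact-match line per property keeps the grant to what is actually used. The `debug.htc.hrdump` entry is labelled `ramdump_prop`, whose only setter in this diff sits inside `userdebug_or_eng`, so on user builds the property has no writer at all — that is presumably the intent, but a comment such as `# debug.htc.hrdump: set by ramdump, userdebug/eng builds only` would keep the unconditional label from reading as dead policy.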
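Review bot: The `setattr` added in `allow rfs_access persist_file:dir { rw_dir_perms setattr };` lets rfs_access change the ownership, mode and timestamps of every directory labelled `persist_file`, and the hunk's header line shows this domain already holds the `chown` capability, so together they amount to re-owning arbitrary directories on the persist partition rather than the "tftp server file access" the comment above describes. If the denial came from one subtree that the daemon serves (presumably to the modem), giving that subtree its own type would keep the rest of the partition out of reach; at minimum the rule needs a comment stating the path and reason, e.g. `# setattr: rfs_access fixes up ownership of <dir>`. The capability line is only visible here as truncated hunk-header context, so confirm it is unchanged in the current file before relying on this reading.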
@@ -8,13 +8,13 @@ allow thermal-engine self:capability2 block_suspend;
 # to read /sys/devices
 allow thermal-engine sysfs:dir r_dir_perms;
-allow thermal-engine sysfs_msm_subsys:file r_file_perms;
+allow thermal-engine sysfs_msm_subsys:dir r_dir_perms;
 allow thermal-engine sysfs_msm_subsys:file rw_file_perms;
 allow thermal-engine sysfs_soc:dir search;
 allow thermal-engine sysfs_soc:file r_file_perms;
 allow thermal-engine sysfs_thermal:dir r_dir_perms;
 allow thermal-engine sysfs_thermal:file rw_file_perms;
-
+allow thermal-engine sysfs_rmtfs:dir search;
 allow thermal-engine sysfs_rmtfs:file r_file_perms;
 allow thermal-engine audio_device:chr_file rw_file_perms;