Evolution-x-devices/device_google_wahoo
2
0
Fork 0
mirror of https://github.com/Evolution-X-Devices/device_google_wahoo synced 2026-02-01 07:50:47 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
4e79aefebc57869df0c9476bdb8d77f072c3db75
device_google_wahoo/sepolicy
History
Max Bires 2d76a6ac61 Adding vndbinder_use statements to support the new qualcomm patches 
Leaving in the binder call until I can independently verify that none of
these domains are running anything through binder, and if they are then
file bug reports on it.

Some of these domains don't seem to use the transfer/call permissions,
so refraining from adding the full vndbinder_use statement until those
are apparent

Denials:

denied { getattr } for pid=556 comm="vndservicemanag"
scontext=u:r:vndservicemanager:s0 tcontext=u:r:hal_gnss_qti:s0
tclass=process

denied { open } for pid=556 comm="vndservicemanag"
path="/proc/744/attr/current" dev="proc" ino=25957
scontext=u:r:vndservicemanager:s0 tcontext=u:r:hal_gnss_qti:s0
tclass=file

denied { read } for pid=556 comm="vndservicemanag" name="current"
dev="proc" ino=25957 scontext=u:r:vndservicemanager:s0
tcontext=u:r:hal_gnss_qti:s0 tclass=file

denied { call } for pid=744 comm="Loc_hal" scontext=u:r:hal_gnss_qti:s0
tcontext=u:r:vndservicemanager:s0 tclass=binder

denied { ioctl open read write } for pid=744 comm="Loc_hal"
path="/dev/vndbinder" dev="tmpfs" ino=19167 ioctlcmd=6209
scontext=u:r:hal_gnss_qti:s0 tcontext=u:object_r:vndbinder_device:s0
tclass=chr_file

denied { ioctl } for pid=770 comm="Binder:770_2" path="/dev/vndbinder"
dev="tmpfs" ino=19167 ioctlcmd=6201 scontext=u:r:per_mgr:s0
tcontext=u:object_r:vndbinder_device:s0 tclass=chr_file

denied { getattr } for pid=556 comm="vndservicemanag"
scontext=u:r:vndservicemanager:s0 tcontext=u:r:per_mgr:s0 tclass=process

denied { open } for pid=556 comm="vndservicemanag"
path="/proc/770/attr/current" dev="proc" ino=24336
scontext=u:r:vndservicemanager:s0 tcontext=u:r:per_mgr:s0 tclass=file

denied { read } for pid=556 comm="vndservicemanag" name="current"
dev="proc" ino=24336 scontext=u:r:vndservicemanager:s0
tcontext=u:r:per_mgr:s0 tclass=file

denied { search } for pid=556 comm="vndservicemanag" name="770"
dev="proc" ino=8315 scontext=u:r:vndservicemanager:s0
tcontext=u:r:per_mgr:s0 tclass=dir

denied { transfer } for pid=770 comm="pm-service"
scontext=u:r:per_mgr:s0 tcontext=u:r:vndservicemanager:s0 tclass=binder

denied { call } for pid=770 comm="pm-service" scontext=u:r:per_mgr:s0
tcontext=u:r:vndservicemanager:s0 tclass=binder

denied { ioctl open read write } for pid=770 comm="pm-service"
path="/dev/vndbinder" dev="tmpfs" ino=19167 ioctlcmd=6209
scontext=u:r:per_mgr:s0 tcontext=u:object_r:vndbinder_device:s0
tclass=chr_file

denied { read write } for pid=886 comm="cnss-daemon" name="vndbinder"
dev="tmpfs" ino=19167 scontext=u:r:wcnss_service:s0
tcontext=u:object_r:vndbinder_device:s0 tclass=chr_file

denied { ioctl } for pid=886 comm="cnss-daemon" path="/dev/vndbinder"
dev="tmpfs" ino=19167 ioctlcmd=6201 scontext=u:r:wcnss_service:s0
tcontext=u:object_r:vndbinder_device:s0 tclass=chr_file

denied { ioctl } for pid=875 comm="rild" path="/dev/vndbinder"
dev="tmpfs" ino=19167 ioctlcmd=6201 scontext=u:r:rild:s0
tcontext=u:object_r:vndbinder_device:s0 tclass=chr_file

denied { ioctl open read write } for pid=853 comm="pm-proxy"
name="vndbinder" dev="tmpfs" ino=19167 scontext=u:r:per_proxy:s0
tcontext=u:object_r:vndbinder_device:s0 tclass=chr_file

denied { call } for pid=853 comm="pm-proxy" scontext=u:r:per_proxy:s0
tcontext=u:r:vndservicemanager:s0 tclass=binder

denied { search } for pid=556 comm="vndservicemanag" name="853"
dev="proc" ino=28401 scontext=u:r:vndservicemanager:s0
tcontext=u:r:per_proxy:s0 tclass=dir

denied { read } for pid=556 comm="vndservicemanag" name="current"
dev="proc" ino=28421 scontext=u:r:vndservicemanager:s0
tcontext=u:r:per_proxy:s0 tclass=file

denied { open } for pid=556 comm="vndservicemanag"
path="/proc/853/attr/current" dev="proc" ino=28421
scontext=u:r:vndservicemanager:s0 tcontext=u:r:per_proxy:s0 tclass=file

denied { getattr } for pid=556 comm="vndservicemanag"
scontext=u:r:vndservicemanager:s0 tcontext=u:r:per_proxy:s0
tclass=process

denied  { add } for interface=vendor.qti.qcril.am::IQcRilAudio pid=875
scontext=u:r:rild:s0 tcontext=u:object_r:default_android_hwservice:s0
tclass=hwservice_manager

denied  { find } for service=vendor.qcom.PeripheralManager pid=774
uid=1001 scontext=u:r:rild:s0
tcontext=u:object_r:default_android_vndservice:s0 tclass=service_manager

denied { call } for pid=792 comm="cnss-daemon"
scontext=u:r:wcnss_service:s0 tcontext=u:r:vndservicemanager:s0
tclass=binder

denied { read write } for pid=1197 comm="rild" name="vndbinder"
dev="tmpfs" ino=19957 scontext=u:r:rild:s0
tcontext=u:object_r:vndbinder_device:s0 tclass=chr_file

denied { call } for pid=773 comm="rild" scontext=u:r:rild:s0
tcontext=u:r:vndservicemanager:s0 tclass=binder

Bug: 34784662
Test: vndbinder functionality for these domains is working
Change-Id: Ife7d4b4734ab4aca1d314b1b6cbac3203b216adc
2017-05-21 19:32:35 -07:00
..
adsprpcd.te
Removing adsprpcd from permissive mode
2017-04-24 22:14:06 -07:00
audioserver.te
Bring up binderized Audio and Soundtrigger services on new Pixels
2017-03-30 11:19:37 -07:00
bluetooth.te
Import common file from device specific directory
2017-03-04 23:34:45 -08:00
bootanim.te
Import common file from device specific directory
2017-03-04 23:34:45 -08:00
cameraserver.te
Adding allows and file_contexts to handle the following camera denials
2017-04-26 03:28:38 +00:00
chre.te
make all vendor exec_types part of vendor_file_type
2017-04-15 19:23:59 -07:00
cnd.te
Fixing load of following denials
2017-05-11 17:07:15 +00:00
dataservice_app.te
security permissions for CNE and UCE service
2017-05-05 16:58:31 -07:00
device.te
Merge "Add eSE daemon."
2017-04-12 12:38:03 +00:00
domain.te
Fixing the following denials
2017-04-11 01:26:29 -07:00
dumpstate.te
Adding allows and context for dumpstate
2017-05-19 11:22:19 -07:00
esed.te
sepolicy: add ese_load and ese data dirs
2017-05-15 15:48:38 -05:00
file_contexts
Merge "Adding allows and context for dumpstate"
2017-05-22 01:52:35 +00:00
file.te
Merge "Adding allows and context for dumpstate"
2017-05-22 01:52:35 +00:00
folio_daemon.te
Putting folio_daemon into enforcing mode.
2017-05-10 19:04:26 -07:00
gatekeeperd.te
Import common file from device specific directory
2017-03-04 23:34:45 -08:00
genfs_contexts
Revert "power hal: Add power HAL API 1.1 impl for Wahoo"
2017-05-17 15:21:36 -07:00
hal_audio_default.te
Remove unnecessary sepolicy attributes
2017-04-12 18:52:16 -07:00
hal_bluetooth_default.te
allow wcnss_filter CAP_SYS_NICE, Bluetooth HAL binder to system_server
2017-05-01 15:36:10 -07:00
hal_bootctl.te
Fixing Taimen OTAs for enforcing before turning it on globally
2017-05-09 13:17:44 -07:00
hal_camera_default.te
Fixing the following permissions for userdebug/eng builds
2017-05-08 13:18:39 -07:00
hal_camera.te
Add Hexagon permission to hal_camera
2017-05-17 10:50:54 -07:00
hal_contexthub.te
Add binderized context hub HAL
2017-04-03 11:49:09 -07:00
hal_drm_default.te
Adding file_contexts and allows that stopped boot in enforcing.
2017-04-19 15:35:38 -07:00
hal_dumpstate_impl.te
Adding allows and context for dumpstate
2017-05-19 11:22:19 -07:00
hal_fingerprint_default.te
Annotate violators of "no Binder in vendor" rule
2017-03-24 08:40:00 -07:00
hal_fingerprint.te
Adding allows to handle the following denials
2017-04-10 15:39:09 -07:00
hal_gatekeeper_qti.te
Fixing load of following denials
2017-05-11 17:07:15 +00:00
hal_gatekeeper.te
Import common file from device specific directory
2017-03-04 23:34:45 -08:00
hal_gnss_qti.te
Adding vndbinder_use statements to support the new qualcomm patches
2017-05-21 19:32:35 -07:00
hal_graphics_composer_default.te
Fixing load of following denials
2017-05-11 17:07:15 +00:00
hal_keymaster_qti.te
Fixing load of following denials
2017-05-11 17:07:15 +00:00
hal_light_default.te
Fixing the following denials
2017-05-09 13:19:13 -07:00
hal_light.te
whaoo: enable low persist_mode for VR
2017-05-09 16:14:08 +00:00
hal_memtrack_default.te
Fixing the following run and boot time denials
2017-04-02 19:07:17 -07:00
hal_nfc_default.te
nfc: sepolicy: creates data/vendor/nfc/ for HAL specific data
2017-03-31 12:02:03 -07:00
hal_power_default.te
Revert "power hal: Add power HAL API 1.1 impl for Wahoo"
2017-05-17 15:21:36 -07:00
hal_rcsservice.te
Fixing the following startup denials
2017-05-08 10:18:50 -07:00
hal_sensors_default.te
Add sensor qdsp access
2017-05-03 17:53:14 -07:00
hal_thermal_default.te
Enable binderized Thermal HAL.
2017-04-06 16:23:51 +02:00
hal_usb_default.te
Fix selinux denial for usb hal
2017-05-19 10:28:10 -07:00
hal_vibrator_default.te
Fixing the following denials
2017-04-11 01:26:29 -07:00
hal_vr.te
VR hal to choose thermal config
2017-04-21 11:21:57 -07:00
hal_wifi_default.te
Revert "power hal: Add power HAL API 1.1 impl for Wahoo"
2017-05-17 15:21:36 -07:00
hwservice_contexts
Adding vndbinder_use statements to support the new qualcomm patches
2017-05-21 19:32:35 -07:00
hwservice.te
Grant device-specific hwservicemanager access
2017-04-21 13:06:23 -07:00
ims.te
Fixing load of following denials
2017-05-11 17:07:15 +00:00
init_power.te
Removing init_power from individual permissive domain.
2017-04-24 22:06:10 -07:00
init_radio.te
Update init.radio.sh path in file_contexts
2017-05-17 17:06:56 -07:00
init-devstart-sh.te
tag all vendor domains that rely on system executables
2017-04-15 19:30:07 -07:00
init-insmod-sh.te
tag all vendor domains that rely on system executables
2017-04-15 19:30:07 -07:00
init-ipastart-sh.te
tag all vendor domains that rely on system executables
2017-04-15 19:30:07 -07:00
init.te
Fixing the following denials
2017-05-09 13:19:13 -07:00
ioctl_defines
Adding ism service allow rules and according ioctl_define
2017-03-16 22:10:52 +00:00
ioctl_macros
Import common file from device specific directory
2017-03-04 23:34:45 -08:00
irsc_util.te
Removing irsc_util from permissive and into enforcing mode
2017-05-10 19:53:21 -07:00
kernel.te
Revert "power hal: Add power HAL API 1.1 impl for Wahoo"
2017-05-17 15:21:36 -07:00
keystore.te
declare keystore and vold as passthrough HAL clients of keymaster
2017-04-19 15:03:10 -07:00
location.te
Removing location from permissive mode and into enforcing
2017-05-10 19:49:19 -07:00
logger_app.te
Adding init script and SELinux support for qlogd
2017-05-10 09:27:57 -07:00
mediacodec.te
Fixing load of following denials
2017-05-11 17:07:15 +00:00
mediaextractor.te
Fixing load of following denials
2017-05-11 17:07:15 +00:00
netd.te
Fixing load of following denials
2017-05-11 17:07:15 +00:00
netmgrd.te
Merge "Removing netmgrd from permissive mode and into enforcing"
2017-05-20 23:15:46 +00:00
pd_services.te
Removing permissive mode on pd_mapper domain.
2017-04-24 22:07:39 -07:00
per_mgr.te
Adding vndbinder_use statements to support the new qualcomm patches
2017-05-21 19:32:35 -07:00
per_proxy.te
Adding vndbinder_use statements to support the new qualcomm patches
2017-05-21 19:32:35 -07:00
perfd.te
perfd: Add rule to allow hal_power_default signull denial
2017-05-18 04:16:08 +00:00
platform_app.te
Move logging folder from data to data/vendor
2017-04-10 17:25:14 -07:00
port-bridge.te
Removing port-bridge from permissive mode and into enforcing
2017-05-10 19:11:38 -07:00
property_contexts
Merge "Grant system_app write access to tel_mon_prop"
2017-05-19 20:29:10 +00:00
property.te
Grant system_app write access to tel_mon_prop
2017-05-18 17:57:33 -07:00
qlogd.te
Adding init script and SELinux support for qlogd
2017-05-10 09:27:57 -07:00
qmuxd.te
make all vendor exec_types part of vendor_file_type
2017-04-15 19:23:59 -07:00
qti.te
Fixing a qti denial
2017-05-19 17:04:08 +00:00
radio.te
security permissions for CNE and UCE service
2017-05-05 16:58:31 -07:00
ramdump_app.te
sepolicy: Allow ramdump_app to access surfaceflinger_service
2017-04-11 15:23:34 -07:00
ramdump.te
make all vendor exec_types part of vendor_file_type
2017-04-15 19:23:59 -07:00
rfs_access.te
make all vendor exec_types part of vendor_file_type
2017-04-15 19:23:59 -07:00
rild.te
Adding vndbinder_use statements to support the new qualcomm patches
2017-05-21 19:32:35 -07:00
rmt_storage.te
Fixed boot issue selinux policy.
2017-04-27 15:39:52 -07:00
seapp_contexts
security permissions for CNE and UCE service
2017-05-05 16:58:31 -07:00
sensors.te
Fixed boot issue selinux policy.
2017-04-27 15:39:52 -07:00
service_contexts
Adding vndbinder_use statements to support the new qualcomm patches
2017-05-21 19:32:35 -07:00
service.te
Adding vndbinder_use statements to support the new qualcomm patches
2017-05-21 19:32:35 -07:00
shell.te
Fixing denials that prevented power supply detail access.
2017-05-02 13:20:40 -07:00
smlog_dump.te
Adding allows for smlog and dumpstate
2017-04-25 13:55:49 -07:00
ssr_detector.te
Allow non-ramdump perms on user build
2017-05-05 15:35:47 -07:00
ssr_diag.te
make all vendor exec_types part of vendor_file_type
2017-04-15 19:23:59 -07:00
ssr_setup.te
Removing ssr_setup from permissive mode
2017-04-24 22:30:57 -07:00
subsystem_ramdump.te
make all vendor exec_types part of vendor_file_type
2017-04-15 19:23:59 -07:00
surfaceflinger.te
Adding allow rules and contexts to handle the following denials
2017-04-07 19:57:13 +00:00
system_app.te
Grant system_app write access to tel_mon_prop
2017-05-18 17:57:33 -07:00
system_server.te
Adding vndbinder_use statements to support the new qualcomm patches
2017-05-21 19:32:35 -07:00
tee.te
Fixing load of following denials
2017-05-11 17:07:15 +00:00
thermal-engine.te
Removing thermal-engine from permissive mode
2017-04-24 22:25:44 -07:00
time_daemon.te
make all vendor exec_types part of vendor_file_type
2017-04-15 19:23:59 -07:00
ueventd.te
Fixing denials for easel pmic sysfs
2017-05-05 07:35:46 -07:00
untrusted_app.te
Fixing camera app not launching
2017-04-24 19:56:38 -07:00
update_engine_common.te
Fixing Taimen OTAs for enforcing before turning it on globally
2017-05-09 13:17:44 -07:00
update_verifier.te
Refactoring block device labeling and adding allows.
2017-04-07 16:11:19 -07:00
vndservice_contexts
Adding vndbinder_use statements to support the new qualcomm patches
2017-05-21 19:32:35 -07:00
vndservice.te
Adding vndbinder_use statements to support the new qualcomm patches
2017-05-21 19:32:35 -07:00
vold.te
Fixing boot blocking selinux policy.
2017-04-24 21:54:01 +00:00
wcnss_filter.te
Removing wcnss_filter from permissive mode and into enforcing
2017-05-16 13:07:21 -07:00
wcnss_service.te
Adding vndbinder_use statements to support the new qualcomm patches
2017-05-21 19:32:35 -07:00