diff --git a/sepolicy/hal_fingerprint.te b/sepolicy/hal_fingerprint.te
index 7bf9e10..ba42783 100644
--- a/sepolicy/hal_fingerprint.te
+++ b/sepolicy/hal_fingerprint.te
@@ -1,2 +1,4 @@
 allow hal_fingerprint sysfs_fingerprint:file rw_file_perms;
 allow hal_fingerprint tee_device:file rw_file_perms;
+allow hal_fingerprint tee_device:chr_file rw_file_perms;
+allow hal_fingerprint sysfs_fingerprint:dir r_dir_perms;
diff --git a/sepolicy/init.te b/sepolicy/init.te
index 7871abf..f21fc16 100644
--- a/sepolicy/init.te
+++ b/sepolicy/init.te
@@ -1,3 +1,6 @@
+# symlink /sdcard to backing block
+allow init tmpfs:lnk_file create;
+
 allow init self:capability sys_module;
 allow init system_file:system module_load;
diff --git a/sepolicy/location.te b/sepolicy/location.te
index c442c86..6478e1b 100644
--- a/sepolicy/location.te
+++ b/sepolicy/location.te
@@ -14,6 +14,7 @@ allow location self:capability { setgid setuid };
 allow location proc_net:file r_file_perms;
 allow location location_data_file:file w_file_perms;
+allow location location_data_file:sock_file w_file_perms;
 allow location self:netlink_route_socket create_socket_perms_no_ioctl;
 allow location self:udp_socket create_socket_perms;
diff --git a/sepolicy/netmgrd.te b/sepolicy/netmgrd.te
index 6941494..977b22b 100644
--- a/sepolicy/netmgrd.te
+++ b/sepolicy/netmgrd.te
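Review bot: The new `tee_device:chr_file rw_file_perms` line sits directly under the pre-existing `allow hal_fingerprint tee_device:file rw_file_perms;`, which presumably never matched because the TEE node is a character device; if that is the case the `:file` line is now dead and should be dropped in the same change rather than left beside its replacement. A short comment naming the device node the rule serves would tell the next reader which of the two is load-bearing.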
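Review bot: `w_file_perms` on `location_data_file:sock_file` only covers writing to a socket file that already exists; if the location daemon itself binds the Unix socket under that directory it will also need `create` (and `unlink` on teardown), so the denial will just move to the next permission. If instead it only connects to a socket created by another process, `write` alone suffices and the usual idiom is the `unix_socket_connect` macro already used for netmgrd in this repository. A comment naming the socket path above the new line would make the intent checkable.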
@@ -11,16 +11,18 @@ unix_socket_connect(netmgrd, netd, netd)
 allow netmgrd self:socket create_socket_perms_no_ioctl;
 allow netmgrd netmgrd_socket:dir w_dir_perms;
+allow netmgrd netmgrd_socket:sock_file { create setattr };
+allow netmgrd self:netlink_socket create_socket_perms_no_ioctl;
 allowxperm netmgrd self:udp_socket ioctl priv_sock_ioctls;
-allow netmgrd sysfs_net:file w_file_perms;
+allow netmgrd sysfs_net:file rw_file_perms;
 allow netmgrd sysfs_net:dir r_dir_perms;
-allow netmgrd proc_net:file w_file_perms;
+allow netmgrd proc_net:file rw_file_perms;
 allow netmgrd net_data_file:dir r_dir_perms;
 allow netmgrd netmgr_data_file:file rw_file_perms;
 allow netmgrd system_file:file execute_no_trans;
-allow netmgrd self:capability { net_admin setuid };
+allow netmgrd self:capability { net_admin net_raw setuid };
 allow netmgrd toolbox_exec:file rx_file_perms;
diff --git a/sepolicy/property.te b/sepolicy/property.te
index aadf876..6a207b0 100644
--- a/sepolicy/property.te
+++ b/sepolicy/property.te
@@ -1,3 +1,5 @@
 type wc_prop, property_type;
 type camera_prop, property_type;
 type ssr_prop, property_type;
+type tee_listener_prop, property_type;
+type keymaster_prop, property_type;
diff --git a/sepolicy/property_contexts b/sepolicy/property_contexts
index 56227d2..f321d54 100644
--- a/sepolicy/property_contexts
+++ b/sepolicy/property_contexts
@@ -1,2 +1,5 @@
 wc_transport. u:object_r:wc_prop:s0
 persist.camera. u:object_r:camera_prop:s0
+persist.net.doxlat u:object_r:net_radio_prop:s0
+sys.listeners.registered u:object_r:tee_listener_prop:s0
+sys.keymaster.loaded u:object_r:keymaster_prop:s0
diff --git a/sepolicy/qti.te b/sepolicy/qti.te
index fb0ef5f..d8f2e98 100644
--- a/sepolicy/qti.te
+++ b/sepolicy/qti.te
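Review bot: Moving `proc_net:file` and `sysfs_net:file` from `w_file_perms` to `rw_file_perms` grants read on every file carrying those labels, not just the tunables netmgrd writes, and together with the new `net_raw` capability and the generic `self:netlink_socket` rule this is a noticeable widening of a daemon that already holds `net_admin`. Each of the five additions should be traceable to a logged denial; if only a few `/proc/net` or `/sys/class/net` entries are actually read, a dedicated label for those entries would keep the rest of both trees unreadable. A one-line comment above each new rule naming the path that triggered it, as `init.te` does in this commit, would make that review possible later.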
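Review bot: `persist.net.doxlat` is labelled with the existing `net_radio_prop` type, which is writable by any domain that already has `set_prop` on it, while no setter for this specific property is added here; if a single daemon owns the property, a dedicated type (as done for `tee_listener_prop` and `keymaster_prop` on the next two lines) would keep the write set narrow. The two `sys.*` properties receive setters in `tee.te` in this commit, but nothing shows their readers — if a HAL polls `sys.keymaster.loaded`, confirm it is granted `get_prop` on the new type rather than relying on a broader read rule.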
@@ -4,8 +4,8 @@ type qti_exec, exec_type, file_type;
 init_daemon_domain(qti)
 net_domain(qti)
-allow qti self:socket { ioctl read };
-allowxperm qti self:socket ioctl IPC_ROUTER_IOCTL_BIND_CONTROL_PORT;
+allow qti self:socket create_socket_perms;
+allowxperm qti self:socket ioctl msm_sock_ipc_ioctls;
 userdebug_or_eng(`
 permissive qti;
diff --git a/sepolicy/tee.te b/sepolicy/tee.te
index acdc142..78365bc 100644
--- a/sepolicy/tee.te
+++ b/sepolicy/tee.te
@@ -2,6 +2,9 @@ allow tee self:capability { chown setgid setuid sys_admin sys_rawio };
 allow tee device:dir r_dir_perms;
+set_prop(tee, tee_listener_prop)
+set_prop(tee, keymaster_prop)
+
 allow tee block_device:dir { getattr search };
 allow tee sdd_block_device:blk_file rw_file_perms;
 allow tee sg_device:chr_file { rw_file_perms setattr };
diff --git a/sepolicy/ueventd.te b/sepolicy/ueventd.te
index 276b749..6775b8f 100644
--- a/sepolicy/ueventd.te
+++ b/sepolicy/ueventd.te
@@ -1,3 +1,7 @@
 allow ueventd sysfs_thermal:file w_file_perms;
 allow ueventd sysfs_leds:file w_file_perms;
 allow ueventd sysfs_camera:file w_file_perms;
+allow ueventd sysfs_fingerprint:file w_file_perms;
+allow ueventd sysfs_rmtfs:file w_file_perms;
+allow ueventd sysfs_soc:file w_file_perms;
+allow ueventd sysfs_net:file w_file_perms;
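Review bot: The rewrite widens `qti self:socket` from `{ ioctl read }` with a single ioctl to `create_socket_perms` bounded only by the `msm_sock_ipc_ioctls` set, so the allowxperm line is now the sole thing limiting the ioctl surface; a comment stating which IPC-router operations the daemon actually issues would let a later reviewer shrink it again. Note that the `permissive qti;` inside `userdebug_or_eng` two lines below (its closing `')` lies outside the hunk) means denials for this domain are logged but not enforced on debug builds, so the new rule set only bites on user builds — worth checking a debug-build log for `permissive=1` events from qti before treating this as complete.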
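Review bot: The two `set_prop` macros let `tee` publish `sys.listeners.registered` and `sys.keymaster.loaded` (labelled in `property_contexts` in this commit), but nothing in the hunk says who consumes them or why they need their own types; a comment above the pair, e.g. `# readiness flags published by the TEE listener daemon, read by <CONSUMER DOMAIN>`, would tie this rule to the property_contexts change. Also confirm the consumers can read the new types, since a property carrying a fresh type is readable only by domains granted `get_prop` on it where the platform's property read rules are per-type.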
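Review bot: Four more sysfs labels receive `w_file_perms` for ueventd; chown/chmod entries in ueventd.rc need only `setattr`, so these rules imply ueventd actually writes to nodes under `sysfs_fingerprint`, `sysfs_rmtfs`, `sysfs_soc` and `sysfs_net`. If the writes are firmware-loader control nodes that happen to live under those labels, say so in a comment above the block; if they come from something else, write access to everything labelled `sysfs_net` is broader than a hotplug path usually needs and the specific node should be given its own label instead.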