Merge "Adding allow rules and file contexts to handle denials."

2026-01-27 15:51:28 +00:00 · 2017-03-04 23:37:53 +00:00
parent 75646ac8e5 07eb4303e8
commit d949806cd4
12 changed files with 24 additions and 5 deletions
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -49,6 +49,8 @@
 /sys/class/uio(/.*)?                                                u:object_r:sysfs_uio:s0
 /sys/devices/soc/c900000.qcom,mdss_mdp/c900000.qcom,mdss_mdp:qcom,mdss_fb_primary/leds(/.*)? u:object_r:sysfs_leds:s0
 /sys/devices/soc/800f000.qcom,spmi/spmi-0/spmi0-03/800f000.qcom,spmi:qcom,pmi8998@3:qcom,leds@d000/leds(/.*)? u:object_r:sysfs_leds:s0
+/sys/devices/soc/soc:qcom,ipa_fws@1e08000(/.*)?                     u:object_r:sysfs_msm_subsys:s0
+/sys/devices/soc/cce0000\.qcom,venus(/.*)?                          u:object_r:sysfs_msm_subsys:s0
 /sys/devices/soc/0\.qcom,rmtfs_sharedmem(/.*)?                      u:object_r:sysfs_rmtfs:s0
 /sys/devices/soc/soc:fp_fpc1020(/.*)?                               u:object_r:sysfs_fingerprint:s0
 /sys/devices/virtual/thermal(/.*)?                                  u:object_r:sysfs_thermal:s0
--- a/sepolicy/gatekeeperd.te
+++ b/sepolicy/gatekeeperd.te
@@ -0,0 +1 @@
+set_prop(gatekeeperd, keymaster_prop)
--- a/sepolicy/hal_gatekeeper.te
+++ b/sepolicy/hal_gatekeeper.te
@@ -0,0 +1 @@
+set_prop(hal_gatekeeper, keymaster_prop)
--- a/sepolicy/init.te
+++ b/sepolicy/init.te
@@ -3,7 +3,7 @@ allow init tmpfs:lnk_file create;

 allow init self:capability sys_module;
 allow init system_file:system module_load;
-
+allow init firmware_file:dir mounton;
 allow init configfs:file w_file_perms;
 allow init tty_device:chr_file rw_file_perms;

--- a/sepolicy/location.te
+++ b/sepolicy/location.te
@@ -14,7 +14,8 @@ allow location self:capability { setgid setuid };

 allow location proc_net:file r_file_perms;
 allow location location_data_file:file w_file_perms;
-allow location location_data_file:sock_file w_file_perms;
+allow location location_data_file:dir w_dir_perms;
+allow location location_data_file:sock_file create_file_perms;

 allow location self:netlink_route_socket create_socket_perms_no_ioctl;
 allow location self:udp_socket create_socket_perms;
--- a/sepolicy/netmgrd.te
+++ b/sepolicy/netmgrd.te
@@ -11,6 +11,7 @@ unix_socket_connect(netmgrd, netd, netd)

 allow netmgrd netmgrd_socket:dir w_dir_perms;
 allow netmgrd netmgrd_socket:sock_file { create setattr };
+allow netmgrd self:netlink_generic_socket create_socket_perms_no_ioctl;
 allow netmgrd self:netlink_socket create_socket_perms_no_ioctl;
 allow netmgrd self:socket create_socket_perms;
 allowxperm netmgrd self:socket ioctl msm_sock_ipc_ioctls;
@@ -18,11 +19,11 @@ allowxperm netmgrd self:udp_socket ioctl priv_sock_ioctls;

 allow netmgrd sysfs_net:file rw_file_perms;
 allow netmgrd sysfs_net:dir r_dir_perms;
-allow netmgrd proc_net:file rw_file_perms;
 allow netmgrd sysfs_soc:file r_file_perms;
 allow netmgrd sysfs_msm_subsys:dir r_dir_perms;
+allow netmgrd sysfs_msm_subsys:file r_file_perms;

-allow netmgrd proc_net:file w_file_perms;
+allow netmgrd proc_net:file rw_file_perms;
 allow netmgrd net_data_file:dir r_dir_perms;
 allow netmgrd netmgr_data_file:file rw_file_perms;
 allow netmgrd system_file:file execute_no_trans;
--- a/sepolicy/per_mgr.te
+++ b/sepolicy/per_mgr.te
@@ -9,6 +9,13 @@ add_service(per_mgr, per_mgr_service)
 binder_use(per_mgr)
 binder_call(per_mgr, per_proxy)

+allow per_mgr self:capability net_bind_service;
+
+allow per_mgr firmware_file:file r_file_perms;
+allow per_mgr firmware_file:dir search;
+allow per_mgr sysfs_msm_subsys:lnk_file r_file_perms;
+allow per_mgr sysfs_msm_subsys:dir r_dir_perms;
+
 allow per_mgr self:socket create_socket_perms;
 allowxperm per_mgr self:socket ioctl msm_sock_ipc_ioctls;
 allow per_mgr ssr_device:chr_file { open read };
--- a/sepolicy/port-bridge.te
+++ b/sepolicy/port-bridge.te
@@ -3,6 +3,8 @@ type port-bridge_exec, exec_type, file_type;

 init_daemon_domain(port-bridge)

+allowxperm port-bridge at_device:chr_file ioctl IPC_ROUTER_IOCTL_GET_VERSION;
+
 userdebug_or_eng(`
 permissive port-bridge;
 ')
--- a/sepolicy/rfs_access.te
+++ b/sepolicy/rfs_access.te
@@ -6,7 +6,7 @@ init_daemon_domain(rfs_access)
 allow rfs_access persist_file:file rw_file_perms;
 allow rfs_access persist_file:dir { getattr setattr remove_name add_name search };

-allow rfs_access self:capability { chown };
+allow rfs_access self:capability { chown setpcap };
 allow rfs_access self:capability2 { block_suspend };

 allow rfs_access self:socket create_socket_perms_no_ioctl;
--- a/sepolicy/sensors.te
+++ b/sepolicy/sensors.te
@@ -6,6 +6,8 @@ init_daemon_domain(sensors)

 allow sensors self:socket rw_socket_perms_no_ioctl;

+r_dir_file(sensors, sysfs_msm_subsys)
+
 userdebug_or_eng(`
 permissive sensors;
 ')
--- a/sepolicy/thermal-engine.te
+++ b/sepolicy/thermal-engine.te
@@ -9,6 +9,7 @@ allow thermal-engine sysfs_thermal:dir r_dir_perms;
 allow thermal-engine sysfs_thermal:file rw_file_perms;
 allow thermal-engine sysfs_rmtfs:file r_file_perms;
 allow thermal-engine sysfs_uio:lnk_file r_file_perms;
+allow thermal-engine sysfs_uio:dir r_dir_perms;

 allow thermal-engine self:socket create_socket_perms;
 allowxperm thermal-engine self:socket ioctl msm_sock_ipc_ioctls;
--- a/sepolicy/ueventd.te
+++ b/sepolicy/ueventd.te
@@ -5,3 +5,4 @@ allow ueventd sysfs_fingerprint:file w_file_perms;
 allow ueventd sysfs_rmtfs:file w_file_perms;
 allow ueventd sysfs_soc:file w_file_perms;
 allow ueventd sysfs_net:file w_file_perms;
+allow ueventd sysfs_msm_subsys:file w_file_perms;