From 8cba3a9b67e69650ce8b53b72da2e209e867aad6 Mon Sep 17 00:00:00 2001
From: fire855
Date: Sun, 2 Jul 2017 13:09:49 +0200
Subject: [PATCH] changes for N1 probably needs a cleanup..
---
 sepolicy/audioserver.te | 1 +
 sepolicy/bluetooth.te | 3 ++-
 sepolicy/cameraserver.te | 1 +
 sepolicy/ccci_fsd.te | 3 ++-
 sepolicy/ccci_mdinit.te | 1 +
 sepolicy/device.te | 1 +
 sepolicy/file.te | 1 +
 sepolicy/file_contexts | 46 +++++++++++++++++++------------------
 sepolicy/ged_srv.te | 13 +++++++++++
 sepolicy/init.te | 2 ++
 sepolicy/mediacodec.te | 8 +++++--
 sepolicy/mnld.te | 1 +
 sepolicy/mtkmal.te | 10 ++++++++
 sepolicy/netd.te | 2 ++
 sepolicy/nvram_daemon.te | 1 +
 sepolicy/platform_app.te | 6 +++++
 sepolicy/priv_app.te | 5 ++++
 sepolicy/ril-daemon-mtk.te | 5 ++++
 sepolicy/service.te | 3 ++-
 sepolicy/service_contexts | 3 ++-
 sepolicy/surfaceflinger.te | 2 ++
 sepolicy/system_server.te | 3 +++
 sepolicy/thermal.te | 10 ++++++++
 sepolicy/thermald.te | 7 ++++++
 sepolicy/thermalloadalgo.te | 6 +++++
 sepolicy/untrusted_app.te | 2 ++
 26 files changed, 118 insertions(+), 28 deletions(-)
 create mode 100644 sepolicy/ged_srv.te
 create mode 100644 sepolicy/mtkmal.te
 create mode 100644 sepolicy/priv_app.te
 create mode 100644 sepolicy/thermal.te
 create mode 100644 sepolicy/thermald.te
 create mode 100644 sepolicy/thermalloadalgo.te
 create mode 100644 sepolicy/untrusted_app.te
diff --git a/sepolicy/audioserver.te b/sepolicy/audioserver.te
index 677d3e2..a71badd 100644
--- a/sepolicy/audioserver.te
+++ b/sepolicy/audioserver.te
@@ -1,6 +1,7 @@
 # nvram
 allow audioserver nvdata_file:dir rw_dir_perms;
 allow audioserver nvdata_file:file create_file_perms;
+allow audioserver nvdata_file:lnk_file r_file_perms;
 allow audioserver ccci_device:chr_file rw_file_perms;
 
 # Audio
diff --git a/sepolicy/bluetooth.te b/sepolicy/bluetooth.te
index a31e960..9671019 100644
--- a/sepolicy/bluetooth.te
+++ b/sepolicy/bluetooth.te
@@ -4,5 +4,6 @@ allow bluetooth stpbt_device:chr_file rw_file_perms;
 # Allow nvram access
 allow bluetooth nvdata_file:dir search;
 allow bluetooth nvdata_file:file rw_file_perms;
+allow bluetooth nvdata_file:lnk_file r_file_perms;
-allow bluetooth block_device:dir search;
\ No newline at end of file
+allow bluetooth block_device:dir search;
diff --git a/sepolicy/cameraserver.te b/sepolicy/cameraserver.te
index 7c89eeb..1075e49 100644
--- a/sepolicy/cameraserver.te
+++ b/sepolicy/cameraserver.te
@@ -15,6 +15,7 @@ allow cameraserver proc:file { read ioctl open };
 allow cameraserver devmap_device:chr_file { ioctl r_file_perms };
 allow cameraserver sysfs_devinfo:file rw_file_perms;
 allow cameraserver sysfs_membw:file rw_file_perms;
+allow cameraserver proc_meminfo:file { open read getattr };
 # PQ
 allow cameraserver pq_service:service_manager find;
diff --git a/sepolicy/ccci_fsd.te b/sepolicy/ccci_fsd.te
index 74cfe91..1f77080 100644
--- a/sepolicy/ccci_fsd.te
+++ b/sepolicy/ccci_fsd.te
@@ -8,10 +8,11 @@ allow ccci_fsd ccci_cfg_file:dir create_dir_perms;
 allow ccci_fsd ccci_cfg_file:file create_file_perms;
 allow ccci_fsd nvdata_file:dir create_dir_perms;
 allow ccci_fsd nvdata_file:file create_file_perms;
+allow ccci_fsd nvdata_file:lnk_file r_file_perms;
 allow ccci_fsd protect_f_data_file:dir create_dir_perms;
 allow ccci_fsd protect_f_data_file:file create_file_perms;
 allow ccci_fsd protect_s_data_file:dir create_dir_perms;
 allow ccci_fsd protect_s_data_file:file create_file_perms;
 allow ccci_fsd sysfs_ccci:file rw_file_perms;
 allow ccci_fsd sysfs_ccci:dir search;
-allow ccci_fsd sysfs_wake_lock:file rw_file_perms;
\ No newline at end of file
+allow ccci_fsd sysfs_wake_lock:file rw_file_perms;
diff --git a/sepolicy/ccci_mdinit.te b/sepolicy/ccci_mdinit.te
index a156341..4b3e615 100644
--- a/sepolicy/ccci_mdinit.te
+++ b/sepolicy/ccci_mdinit.te
@@ -8,6 +8,7 @@ allow ccci_mdinit ccci_cfg_file:dir create_dir_perms;
 allow ccci_mdinit ccci_cfg_file:file create_file_perms;
 allow ccci_mdinit nvdata_file:dir rw_dir_perms;
 allow ccci_mdinit nvdata_file:file create_file_perms;
+allow ccci_mdinit nvdata_file:lnk_file r_file_perms;
 allow ccci_mdinit sysfs_ccci:dir search;
 allow ccci_mdinit sysfs_ccci:file rw_file_perms;
 allow ccci_mdinit sysfs_wake_lock:file rw_file_perms;
diff --git a/sepolicy/device.te b/sepolicy/device.te
index 5be36b7..0b9f58d 100644
--- a/sepolicy/device.te
+++ b/sepolicy/device.te
@@ -31,4 +31,5 @@ type nvdata_device, dev_type;
 type protect1_device, dev_type;
 type protect2_device, dev_type;
 type logo_block_device, dev_type;
+type para_block_device, dev_type;
 type mmc_device, dev_type;
diff --git a/sepolicy/file.te b/sepolicy/file.te
index 945bf68..ee8b41e 100644
--- a/sepolicy/file.te
+++ b/sepolicy/file.te
@@ -29,6 +29,7 @@ type proc_wmt, fs_type;
 type agpsd_socket, file_type;
 type mnld_socket, file_type;
+type mal_mfi_socket, file_type;
 # akmd
 type akmd_access_file1, file_type,data_file_type;
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index c940f96..abd9f4e 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -1,31 +1,31 @@
 # Services
 /system/bin/6620_launcher u:object_r:conn_launcher_exec:s0
-/system/bin/ccci_fsd u:object_r:ccci_fsd_exec:s0
-/system/bin/ccci_mdinit u:object_r:ccci_mdinit_exec:s0
-/system/bin/md_ctrl u:object_r:md_ctrl_exec:s0
-/system/bin/fuelgauged u:object_r:fuelgauged_exec:s0
-/system/bin/gsm0710muxd u:object_r:gsm0710muxd_exec:s0
-/system/xbin/mnld u:object_r:mnld_exec:s0
-/system/bin/muxreport u:object_r:muxreport_exec:s0
-/system/bin/msensord u:object_r:msensord_exec:s0
-/system/bin/akmd09911 u:object_r:akmd09911_exec:s0
-/system/bin/mtk_agpsd u:object_r:mtk_agpsd_exec:s0
-/system/bin/nvram_daemon u:object_r:nvram_daemon_exec:s0
-/system/bin/pq u:object_r:pq_exec:s0
-/system/bin/terservice u:object_r:terservice_exec:s0
-/system/bin/thermal_manager u:object_r:thermal_manager_exec:s0
-/system/bin/mtkrild u:object_r:ril-daemon-mtk_exec:s0
-/system/bin/wifi2agps u:object_r:wifi2agps_exec:s0
-/system/bin/wmt_loader u:object_r:wmt_loader_exec:s0
-/system/bin/em_svr u:object_r:em_svr_exec:s0
-/system/bin/kpoc_charger u:object_r:kpoc_charger_exec:s0
+/(system|system\/vendor|vendor)bin/ccci_fsd u:object_r:ccci_fsd_exec:s0
+/(system|system\/vendor|vendor)bin/ccci_mdinit u:object_r:ccci_mdinit_exec:s0
+/(system|system\/vendor|vendor)bin/md_ctrl u:object_r:md_ctrl_exec:s0
+/(system|system\/vendor|vendor)bin/fuelgauged u:object_r:fuelgauged_exec:s0
+/(system|system\/vendor|vendor)bin/gsm0710muxd u:object_r:gsm0710muxd_exec:s0
+/(system|system\/vendor|vendor)xbin/mnld u:object_r:mnld_exec:s0
+/(system|system\/vendor|vendor)bin/muxreport u:object_r:muxreport_exec:s0
+/(system|system\/vendor|vendor)bin/msensord u:object_r:msensord_exec:s0
+/(system|system\/vendor|vendor)bin/akmd09911 u:object_r:akmd09911_exec:s0
+/(system|system\/vendor|vendor)bin/mtk_agpsd u:object_r:mtk_agpsd_exec:s0
+/(system|system\/vendor|vendor)bin/nvram_daemon u:object_r:nvram_daemon_exec:s0
+/(system|system\/vendor|vendor)bin/pq u:object_r:pq_exec:s0
+/(system|system\/vendor|vendor)bin/terservice u:object_r:terservice_exec:s0
+/(system|system\/vendor|vendor)bin/thermal_manager u:object_r:thermal_manager_exec:s0
+/(system|system\/vendor|vendor)bin/mtkrild u:object_r:ril-daemon-mtk_exec:s0
+/(system|system\/vendor|vendor)bin/wifi2agps u:object_r:wifi2agps_exec:s0
+/(system|system\/vendor|vendor)bin/wmt_loader u:object_r:wmt_loader_exec:s0
+/(system|system\/vendor|vendor)bin/em_svr u:object_r:em_svr_exec:s0
+/(system|system\/vendor|vendor)bin/kpoc_charger u:object_r:kpoc_charger_exec:s0
 
 # Meizupshelper
-/system/bin/meizupshelper u:object_r:meizupshelper_exec:s0
+/(system|system\/vendor|vendor)bin/meizupshelper u:object_r:meizupshelper_exec:s0
 
 # Meta mode
-/system/bin/meta_tst u:object_r:meta_tst_exec:s0
-/system/bin/factory u:object_r:factory_exec:s0
+/(system|system\/vendor|vendor)bin/meta_tst u:object_r:meta_tst_exec:s0
+/(system|system\/vendor|vendor)bin/factory u:object_r:factory_exec:s0
 
 # Files from firmware/nv partitions
 /protect_f(/.*)? u:object_r:protect_f_data_file:s0
@@ -80,6 +80,7 @@
 /dev/socket/rild-mtk-ut u:object_r:rild_socket:s0
 /dev/socket/rild-mtk-ut-2 u:object_r:rild_socket:s0
 /dev/socket/rild-oem u:object_r:rild_socket:s0
+/dev/socket/mal-mfi u:object_r:mal_mfi_socket:s0
 /dev/socket/agpsd u:object_r:agpsd_socket:s0
 /dev/socket/agpsd[2-3] u:object_r:agpsd_socket:s0
 /dev/socket/mnld u:object_r:mnld_socket:s0
@@ -100,6 +101,7 @@
 /dev/block/platform/mtk-msdc\.0/[0-9]+\.(msdc|MSDC)0/by-name/recovery u:object_r:recovery_block_device:s0
 /dev/block/platform/mtk-msdc\.0/[0-9]+\.(msdc|MSDC)0/by-name/frp u:object_r:frp_block_device:s0
 /dev/block/platform/mtk-msdc\.0/[0-9]+\.(msdc|MSDC)0/by-name/metadata u:object_r:metadata_block_device:s0
+/dev/block/platform/mtk-msdc\.0/[0-9]+\.(msdc|MSDC)0/by-name/para u:object_r:para_block_device:s0
 /dev/block/mmcblk1 u:object_r:mmc_device:s0
 /dev/block/zram0 u:object_r:swap_block_device:s0
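Review bot: Every rewritten executable pattern in this hunk is missing the `/` between the alternation and the directory, so `+/(system|system\/vendor|vendor)bin/ccci_fsd` matches `/systembin/ccci_fsd` and never `/system/bin/ccci_fsd`; the same slip is on the `xbin/mnld`, `meizupshelper`, `meta_tst` and `factory` lines. With no matching entry these binaries keep their partition's default label, so the `init_daemon_domain` transitions defined for them will not fire and each daemon will either be refused by init or start in the wrong domain, depending on what the base policy allows for unlabeled executables. Change the prefix on every `+` line to `/(system|system\/vendor|vendor)/bin/` (and `/(system|system\/vendor|vendor)/xbin/mnld` for mnld), and check the result with `ls -Z` on the installed binaries before enabling enforcing mode.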
diff --git a/sepolicy/ged_srv.te b/sepolicy/ged_srv.te
new file mode 100644
index 0000000..ea66320
--- /dev/null
+++ b/sepolicy/ged_srv.te
@@ -0,0 +1,13 @@
+type ged_srv, domain, domain_deprecated;
+type ged_srv_exec, exec_type, file_type;
+
+init_daemon_domain(ged_srv)
+
+binder_use(ged_srv)
+binder_service(ged_srv)
+binder_call(ged_srv, system_server)
+
+allow ged_srv servicemanager:binder call;
+allow ged_srv surfaceflinger:binder call;
+allow ged_srv surfaceflinger_service:service_manager find;
+allow ged_srv self:netlink_kobject_uevent_socket { bind create setopt read};
diff --git a/sepolicy/init.te b/sepolicy/init.te
index 3c9abc6..3afeef5 100644
--- a/sepolicy/init.te
+++ b/sepolicy/init.te
@@ -6,6 +6,8 @@ allow init nvdata_device:blk_file write;
 allow init protect1_device:blk_file write;
 allow init protect2_device:blk_file write;
+allow init socket_device:sock_file { create setattr unlink };
+
 allow init perf_control_sysfs:file getattr;
 allow init tmpfs:lnk_file { create unlink };
diff --git a/sepolicy/mediacodec.te b/sepolicy/mediacodec.te
index 81de934..18d9fe0 100644
--- a/sepolicy/mediacodec.te
+++ b/sepolicy/mediacodec.te
@@ -11,9 +11,13 @@ allow mediacodec proc:file { ioctl getattr open read };
 allow mediacodec sysfs:file { open read write };
 allow mediacodec sysfs_devinfo:file { open read write };
-
-# proc/meminfo
 allow mediacodec proc_meminfo:file { getattr open read };
+allow mediacodec property_socket:sock_file write;
+allow mediacodec init:unix_stream_socket connectto;
+
 # M4U
 allow mediacodec M4U_device_device:chr_file rw_file_perms;
+
+# PQ
+allow mediacodec pq_service:service_manager find;
diff --git a/sepolicy/mnld.te b/sepolicy/mnld.te
index 8bbb401..8e86efc 100644
--- a/sepolicy/mnld.te
+++ b/sepolicy/mnld.te
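Review bot: The new `ged_srv` domain is declared with `domain_deprecated`, which pulls in the broad legacy rule set that attribute exists to phase out, so a freshly written domain inherits far more than the handful of binder and netlink rules listed under it; with the commit message already calling for a cleanup, it would be better to start from `type ged_srv, domain;` and add only what audit shows is needed. `allow ged_srv servicemanager:binder call;` is redundant with `binder_use(ged_srv)` three lines above, and `allow ged_srv surfaceflinger:binder call;` would read more consistently as `binder_call(ged_srv, surfaceflinger)` next to the existing system_server one. The last line also has uneven spacing in `{ bind create setopt read}`.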
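Review bot: `allow init socket_device:sock_file { create setattr unlink };` lets init create sockets that keep the generic `socket_device` label, which is what anything under /dev/socket gets when no `file_contexts` entry matches it; a socket left with that label is not tied to one daemon, and any domain later granted `socket_device` can reach it. The denial this rule silences most likely means an rc `socket` declaration has no matching `file_contexts` line (this commit adds one for `/dev/socket/mal-mfi` as `mal_mfi_socket`, so the culprit may be a different socket), and the fix is a dedicated type plus context entry for that socket rather than a generic create right for init. The enclosing init.te continues outside the hunk.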
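Review bot: The pair `allow mediacodec property_socket:sock_file write;` and `allow mediacodec init:unix_stream_socket connectto;` is the expansion of `unix_socket_connect(mediacodec, property, init)`, but no matching `set_prop(mediacodec, <property type placeholder>)` is added, so unless a `property_service set` rule already exists elsewhere in mediacodec.te the property_service check still denies every set and these two lines do nothing on their own. If mediacodec really needs to set a property, use the macro and name the single property type it writes; mediacodec decodes untrusted media, so the set of properties it may write should stay minimal. The same connect-only pair appears in the new `mtkmal.te` in this commit. The enclosing mediacodec.te continues outside the hunk.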
@@ -20,6 +20,7 @@ allow mnld mnld_data_file:file create_file_perms;
 allow mnld nvdata_file:dir rw_dir_perms;
 allow mnld nvdata_file:file create_file_perms;
+allow mnld nvdata_file:lnk_file r_file_perms;
 allow mnld nvram_device:blk_file rw_file_perms;
 allow mnld sysfs_gps_file:dir search;
diff --git a/sepolicy/mtkmal.te b/sepolicy/mtkmal.te
new file mode 100644
index 0000000..15fd834
--- /dev/null
+++ b/sepolicy/mtkmal.te
@@ -0,0 +1,10 @@
+type mtkmal_exec, exec_type, file_type;
+type mtkmal, domain, domain_deprecated;
+
+init_daemon_domain(mtkmal)
+
+allow mtkmal init:unix_stream_socket connectto;
+allow mtkmal property_socket:sock_file write;
+allow mtkmal mal_mfi_socket:sock_file write;
+
+allow mtkmal self:capability { setuid setgid };
diff --git a/sepolicy/netd.te b/sepolicy/netd.te
index c5f1b9a..e70363e 100644
--- a/sepolicy/netd.te
+++ b/sepolicy/netd.te
@@ -1,2 +1,4 @@
 # Wifi
 allow netd wmtWifi_device:chr_file w_file_perms;
+
+allow netd self:capability sys_module;
diff --git a/sepolicy/nvram_daemon.te b/sepolicy/nvram_daemon.te
index 0fc8115..e6a679e 100644
--- a/sepolicy/nvram_daemon.te
+++ b/sepolicy/nvram_daemon.te
@@ -8,6 +8,7 @@ allow nvram_daemon nvram_device:blk_file rw_file_perms;
 allow nvram_daemon nvdata_device:blk_file rw_file_perms;
 allow nvram_daemon nvdata_file:dir create_dir_perms;
 allow nvram_daemon nvdata_file:file create_file_perms;
+allow nvram_daemon nvdata_file:lnk_file r_file_perms;
 allow nvram_daemon shell_exec:file { read execute open execute_no_trans getattr };
 allow nvram_daemon als_ps_device:chr_file r_file_perms;
 allow nvram_daemon mtk-adc-cali_device:chr_file rw_file_perms;
diff --git a/sepolicy/platform_app.te b/sepolicy/platform_app.te
index 1c687f8..821c8fc 100644
--- a/sepolicy/platform_app.te
+++ b/sepolicy/platform_app.te
@@ -1 +1,7 @@
 allow platform_app sysfs_devinfo:file { open read };
+
+# Guiext
+allow platform_app guiext-server_service:service_manager find;
+
+# PQ
+allow platform_app pq_service:service_manager find;
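Review bot: `allow mtkmal self:capability { setuid setgid };` together with `domain_deprecated` gives a brand-new vendor domain both the broad legacy permission set and the ability to change its own credentials; if the daemon only drops privileges at startup, that belongs in the `user`/`group` fields of its rc service so init switches uid before exec and no capability is needed at all. If it genuinely must switch uid at runtime, a comment on the rule saying to which uid and why would make it reviewable, and `domain_deprecated` should still be dropped in favour of explicit rules. `allow mtkmal mal_mfi_socket:sock_file write;` is also worth a second look: `write` on a sock_file is what a connecting client needs, yet the ril-daemon-mtk hunk in this commit treats mtkmal as the server side of mal-mfi, so one of the two rules is probably unnecessary.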
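Review bot: `allow netd self:capability sys_module;` lets netd load and unload kernel modules, a capability normally kept away from a daemon that processes network-facing input because a compromised netd could then load arbitrary kernel code. If a module is needed for the wmtWifi path, load it from the rc file at boot under init (which already has the access) or build it in, and leave netd without `sys_module`; a comment naming the module would also explain why the rule exists if it has to stay. Newer base policies restrict `sys_module` to a short list of domains with neverallow rules, so this is also likely to stop compiling when the policy base is updated.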
diff --git a/sepolicy/priv_app.te b/sepolicy/priv_app.te
new file mode 100644
index 0000000..7874778
--- /dev/null
+++ b/sepolicy/priv_app.te
@@ -0,0 +1,5 @@
+# Guiext
+allow priv_app guiext-server_service:service_manager find;
+
+# PQ
+allow priv_app pq_service:service_manager find;
diff --git a/sepolicy/ril-daemon-mtk.te b/sepolicy/ril-daemon-mtk.te
index b58f322..8c996ad 100644
--- a/sepolicy/ril-daemon-mtk.te
+++ b/sepolicy/ril-daemon-mtk.te
@@ -10,10 +10,15 @@ allow ril-daemon-mtk self:capability setuid;
 allow ril-daemon-mtk sysfs_wake_lock:file rw_file_perms;
 allow ril-daemon-mtk sysfs_ccci:dir search;
 allow ril-daemon-mtk sysfs_ccci:file r_file_perms;
+allow ril-daemon-mtk block_device:dir search;
+allow ril-daemon-mtk para_block_device:blk_file rw_file_perms;
 allow ril-daemon-mtk self:udp_socket create_socket_perms;
 allow ril-daemon-mtk self:capability { setuid net_admin net_raw };
+allow ril-daemon-mtk mal_mfi_socket:sock_file { w_file_perms };
+allow ril-daemon-mtk mtkmal:unix_stream_socket connectto;
+
 allow ril-daemon-mtk radio_device:dir search;
 allow ril-daemon-mtk radio_prop:property_service set;
diff --git a/sepolicy/service.te b/sepolicy/service.te
index 8c104e4..b9db590 100644
--- a/sepolicy/service.te
+++ b/sepolicy/service.te
@@ -1,2 +1,3 @@
 type pq_service, service_manager_type;
-type nvram_agent_service, service_manager_type;
\ No newline at end of file
+type guiext-server_service, service_manager_type;
+type nvram_agent_service, service_manager_type;
diff --git a/sepolicy/service_contexts b/sepolicy/service_contexts
index 381ac9e..21ae35d 100644
--- a/sepolicy/service_contexts
+++ b/sepolicy/service_contexts
@@ -1,2 +1,3 @@
 PQ u:object_r:pq_service:s0
-NvRAMAgent u:object_r:nvram_agent_service:s0
\ No newline at end of file
+GuiExtService u:object_r:guiext-server_service:s0
+NvRAMAgent u:object_r:nvram_agent_service:s0
diff --git a/sepolicy/surfaceflinger.te b/sepolicy/surfaceflinger.te
index 1b6a859..bb60a10 100644
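Review bot: `allow ril-daemon-mtk para_block_device:blk_file rw_file_perms;` gives the RIL, which parses input from the modem and the network, raw read-write access to the `para` partition; if rild only reads parameters from it, narrow this to `allow ril-daemon-mtk para_block_device:blk_file r_file_perms;`, and if it must write, a comment stating what it writes would make the scope reviewable. The braces in `mal_mfi_socket:sock_file { w_file_perms };` are not needed around a single macro and differ from the style of the neighbouring lines. The enclosing ril-daemon-mtk.te continues outside the hunk.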
--- a/sepolicy/surfaceflinger.te
+++ b/sepolicy/surfaceflinger.te
@@ -1,5 +1,7 @@
 allow surfaceflinger pq_service:service_manager find;
+allow surfaceflinger guiext-server_service:service_manager { find add };
+
 allow surfaceflinger debug_prop:property_service set;
 allow surfaceflinger mtk_smi_device:chr_file { read write open ioctl };
diff --git a/sepolicy/system_server.te b/sepolicy/system_server.te
index ced5e60..a9448b1 100644
--- a/sepolicy/system_server.te
+++ b/sepolicy/system_server.te
@@ -20,3 +20,6 @@ allow system_server sysfs_devinfo:file { open read };
 # Debugfs
 allow system_server debugfs:dir r_file_perms;
+
+# Guiext
+allow system_server guiext-server_service:service_manager find;
diff --git a/sepolicy/thermal.te b/sepolicy/thermal.te
new file mode 100644
index 0000000..3a53730
--- /dev/null
+++ b/sepolicy/thermal.te
@@ -0,0 +1,10 @@
+type thermal_exec, exec_type, file_type;
+type thermal, domain, domain_deprecated;
+
+init_daemon_domain(thermal)
+
+allow thermal proc_thermal:dir search;
+allow thermal proc_thermal:file rw_file_perms;
+allow thermal rild_socket:sock_file w_file_perms;
+
+allow thermal ril-daemon-mtk:unix_stream_socket connectto;
diff --git a/sepolicy/thermald.te b/sepolicy/thermald.te
new file mode 100644
index 0000000..a4b53b1
--- /dev/null
+++ b/sepolicy/thermald.te
@@ -0,0 +1,7 @@
+type thermald_exec, exec_type, file_type;
+type thermald, domain, domain_deprecated;
+
+init_daemon_domain(thermald)
+
+allow thermald proc_thermal:dir search;
+allow thermald proc_thermal:file rw_file_perms;
diff --git a/sepolicy/thermalloadalgo.te b/sepolicy/thermalloadalgo.te
new file mode 100644
index 0000000..27a3dbd
--- /dev/null
+++ b/sepolicy/thermalloadalgo.te
@@ -0,0 +1,6 @@
+type thermalloadalgo_exec, exec_type, file_type;
+type thermalloadalgo, domain, domain_deprecated;
+
+init_daemon_domain(thermalloadalgo)
+
+allow thermalloadalgo thermalloadalgo:netlink_socket { create bind write read };
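Review bot: The three new thermal domains (`thermal` here, plus `thermald` and `thermalloadalgo` in the next two hunks) are all declared with `domain_deprecated`, which grants the broad legacy permission set a freshly written domain should not need; since the commit says a cleanup is pending, it would be cleaner to start each from `type thermal, domain;` and keep only the `proc_thermal`, socket and netlink rules listed. In `thermalloadalgo.te` the rule `allow thermalloadalgo thermalloadalgo:netlink_socket { create bind write read };` is conventionally written with `self` as the target, and because `netlink_socket` is the generic class a comment naming the netlink protocol the daemon uses would help a later reviewer. `thermal` is also given `rild_socket:sock_file w_file_perms` and `connectto` on `ril-daemon-mtk`, which makes a thermal daemon a client of the RIL; a one-line comment on what it sends there would make that grant reviewable.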
diff --git a/sepolicy/untrusted_app.te b/sepolicy/untrusted_app.te
new file mode 100644
index 0000000..3eccfac
--- /dev/null
+++ b/sepolicy/untrusted_app.te
@@ -0,0 +1,2 @@
+# PQ
+allow untrusted_app pq_service:service_manager find;
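Review bot: `allow untrusted_app pq_service:service_manager find;` exposes the vendor PQ binder service to every third-party app, so its whole interface becomes attack surface reachable from the untrusted sandbox; the `platform_app` and `priv_app` grants elsewhere in this commit already cover the privileged callers. Keep this only if a non-system app genuinely needs the service, and in that case confirm that the PQ service performs its own caller check (uid or permission) on each call, because this `find` rule is the only gate on the path. A comment naming which app feature needs it would let the rule be dropped later when that need goes away.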