| author | Mister Oyster <oysterized@gmail.com> | 2017-04-19 18:44:31 +0200 |
|---|---|---|
| committer | Mister Oyster <oysterized@gmail.com> | 2017-04-19 19:19:13 +0200 |
| commit | 8df4a40dae20f9ec17d1fccdd549d780524dc70d (patch) | |
| tree | 42f65b327991351be653e05ea3ac21edc29f6647 | |
| parent | 38870fe125ecbbd2a5f7a7d768df4d44f5a225bf (diff) | |
sepolicy: fix offline charging and a few denials
| -rwxr-xr-x | rootdir/init.mt6735.rc | 2 | ||||
| -rw-r--r-- | sepolicy/bluetooth.te | 2 | ||||
| -rw-r--r-- | sepolicy/ccci_mdinit.te | 3 | ||||
| -rw-r--r-- | sepolicy/file.te | 3 | ||||
| -rw-r--r-- | sepolicy/file_contexts | 8 | ||||
| -rw-r--r-- | sepolicy/fsck.te | 1 | ||||
| -rw-r--r-- | sepolicy/kpoc_charger.te | 22 | ||||
| -rw-r--r-- | sepolicy/mediaserver.te | 3 | ||||
| -rw-r--r-- | sepolicy/mnld.te | 4 | ||||
| -rw-r--r-- | sepolicy/nvram_daemon.te | 6 | ||||
| -rw-r--r-- | sepolicy/thermal_manager.te | 1 |
11 files changed, 47 insertions, 8 deletions
diff --git a/rootdir/init.mt6735.rc b/rootdir/init.mt6735.rc index 4f3a338..e3b2eb6 100755 --- a/rootdir/init.mt6735.rc +++ b/rootdir/init.mt6735.rc @@ -853,4 +853,4 @@ service conn_launcher /system/bin/6620_launcher -p /system/etc/firmware/ service kpoc_charger /system/bin/kpoc_charger class charger - + seclabel u:r:kpoc_charger:s0 diff --git a/sepolicy/bluetooth.te b/sepolicy/bluetooth.te index 343d33d..dedeb33 100644 --- a/sepolicy/bluetooth.te +++ b/sepolicy/bluetooth.te @@ -10,6 +10,8 @@ allow bluetooth platform_app_tmpfs:file write; allow mediaserver bt_data_file:file read; +allow bluetooth platformblk_device:dir search; + # Mtk fix allow bluetooth nvdata_file:dir search; allow bluetooth nvdata_file:file rw_file_perms; diff --git a/sepolicy/ccci_mdinit.te b/sepolicy/ccci_mdinit.te index 6786199..bef71b1 100644 --- a/sepolicy/ccci_mdinit.te +++ b/sepolicy/ccci_mdinit.te @@ -36,6 +36,8 @@ allow ccci_mdinit nvdata_file:dir rw_dir_perms; allow ccci_mdinit nvdata_file:file create_file_perms; allow ccci_mdinit sysfs_ccci:file rw_file_perms; allow ccci_mdinit sysfs_wake_lock:file rw_file_perms; + +allow ccci_mdinit nvram_device:blk_file { open read write }; allow ccci_mdinit nvram_device:chr_file rw_file_perms; allow ccci_mdinit protect_f_data_file:dir rw_dir_perms; @@ -44,6 +46,7 @@ allow ccci_mdinit protect_f_data_file:file create_file_perms; allow ccci_mdinit protect_s_data_file:dir rw_dir_perms; allow ccci_mdinit protect_s_data_file:file create_file_perms; allow ccci_mdinit platformblk_device:blk_file { read write open }; +allow ccci_mdinit platformblk_device:dir search; allow ccci_mdinit ril_mux_report_case_prop:property_service set; diff --git a/sepolicy/file.te b/sepolicy/file.te index 772fcf5..7b28aa2 100644 --- a/sepolicy/file.te +++ b/sepolicy/file.te 
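Review bot: The added `allow ccci_mdinit nvram_device:blk_file { open read write };` in sepolicy/ccci_mdinit.te gives the modem init daemon raw write access to every block node labelled nvram_device. The same grant is repeated for mnld and nvram_daemon in the mnld.te and nvram_daemon.te hunks, the latter also getting `pro_info_device:blk_file`. Nothing in the commit shows which of these domains writes the partition rather than only reading it. If the logged denials for ccci_mdinit or mnld were reads, `{ open read }` would be enough there and would leave raw write access with nvram_daemon alone. A one-line comment above each rule naming the operation that was denied would let a later reviewer check this.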
@@ -129,5 +129,8 @@ type sysfs_gps_file, fs_type, sysfs_type; # Gestures type gesture_sysfs, sysfs_type, file_type; +# Thermal manager +type thermal_manager_data_file, file_type, data_file_type; + # Thunderquake vibrator type sysfs_vibrator, sysfs_type, file_type; diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts index 9976bc9..46bcda5 100644 --- a/sepolicy/file_contexts +++ b/sepolicy/file_contexts @@ -32,10 +32,12 @@ /data/misc/wpa_supplicant(/.*)? u:object_r:wpa_supplicant_data_file:s0 /data/nvram(/.*)? u:object_r:nvram_data_file:s0 /nvdata(/.*)? u:object_r:nvdata_file:s0 -/data/ipsec(./*)? u:object_r:wod_ipsec_conf_file:s0 -/data/ipsec/wo(./*)? u:object_r:wod_apn_conf_file:s0 +/data/ipsec(/.*)? u:object_r:wod_ipsec_conf_file:s0 +/data/ipsec/wo(/.*)? u:object_r:wod_apn_conf_file:s0 /data/data_tmpfs_log(/.*)? u:object_r:data_tmpfs_log_file:s0 /data/tmp_mnt/data_tmpfs_log(/.*)? u:object_r:data_tmpfs_log_file:s0 +# missing from thermal_manager rules +/data/\.tp\.settings u:object_r:thermal_manager_data_file:s0 ########################## # Devices @@ -304,4 +306,4 @@ /data/system/users/[0-9]+/smartbook_wallpaper u:object_r:wallpaper_file:s0 # Zram -/dev/block/zram0(/.*)? u:object_r:zram0_device:s0 +/dev/block/zram0(/.*)? u:object_r:zram0_device:s0 diff --git a/sepolicy/fsck.te b/sepolicy/fsck.te index 92fe511..161c59f 100644 --- a/sepolicy/fsck.te +++ b/sepolicy/fsck.te @@ -4,3 +4,4 @@ allow fsck nvdata_device:blk_file rw_file_perms; # Mtk fix allow fsck platformblk_device:blk_file { getattr ioctl open read write }; +allow fsck platformblk_device:dir search; diff --git a/sepolicy/kpoc_charger.te b/sepolicy/kpoc_charger.te index e6cc9e2..a3ffcd7 100644 --- a/sepolicy/kpoc_charger.te +++ b/sepolicy/kpoc_charger.te 
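Review bot: The new `/data/\.tp\.settings` entry in sepolicy/file_contexts only changes the label when the file is created or relabelled, so on a device that already has the file the old label may persist and thermal_manager would keep hitting the same denial. The corrected `(/.*)?` patterns for /data/ipsec have the same property for files created while the broken `(./*)?` patterns were in place. Whether init on this tree re-runs a recursive restorecon over /data after a file_contexts change is not visible here; if it does not, an explicit `restorecon /data/.tp.settings` and `restorecon_recursive /data/ipsec` in the init script would be needed, and checking the labels with `ls -Z` after an upgrade boot would confirm it.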
@@ -4,3 +4,25 @@ type kpoc_charger_exec, exec_type, file_type; type kpoc_charger, domain; init_daemon_domain(kpoc_charger) + +allow kpoc_charger block_device:dir search; +allow kpoc_charger platformblk_device:dir search; +allow kpoc_charger graphics_device:dir search; +allow kpoc_charger input_device:dir { open read search }; +allow kpoc_charger input_device:chr_file { open read write ioctl }; +allow kpoc_charger property_socket:sock_file write; +allow kpoc_charger self:capability sys_nice; +allow kpoc_charger self:capability net_admin; +allow kpoc_charger self:capability dac_override; +allow kpoc_charger self:netlink_kobject_uevent_socket { create bind read setopt }; +allow kpoc_charger sysfs:file { open read write }; +allow kpoc_charger graphics_device:chr_file { read write ioctl open }; +allow kpoc_charger kmsg_device:chr_file { write open }; +allow kpoc_charger logo_device:blk_file { read open }; +allow kpoc_charger rtc_device:chr_file { open read write }; +allow kpoc_charger init:unix_stream_socket connectto; +allow healthd self:capability dac_override; +allow healthd app_data_file:file write; +allow healthd device:dir {open read write}; +allow kpoc_charger self:capability sys_boot; +allow kpoc_charger alarm_device:chr_file write; diff --git a/sepolicy/mediaserver.te b/sepolicy/mediaserver.te new file mode 100644 index 0000000..60d62ee --- /dev/null +++ b/sepolicy/mediaserver.te @@ -0,0 +1,3 @@ +allow mediaserver nvdata_file:dir rw_dir_perms; +allow mediaserver nvdata_file:file create_file_perms; +allow mediaserver ccci_device:chr_file rw_file_perms; diff --git a/sepolicy/mnld.te b/sepolicy/mnld.te index 8879fbe..cda37cc 100644 --- a/sepolicy/mnld.te +++ b/sepolicy/mnld.te 
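Review bot: Three of the rules added to sepolicy/kpoc_charger.te are not for kpoc_charger: `allow healthd self:capability dac_override;`, `allow healthd app_data_file:file write;` and `allow healthd device:dir {open read write};` widen healthd, a separate domain that presumably also runs outside charger mode. Write access to app_data_file and dac_override have no obvious link to offline charging and read like unreviewed audit2allow output, so they should move to healthd.te with a justification or be dropped. For kpoc_charger itself, `allow kpoc_charger sysfs:file { open read write };` grants write on every sysfs node that carries the generic label. Giving the nodes the charger actually writes a dedicated type in file_contexts and allowing only that type would be narrower. A `self:capability dac_override` denial is usually better resolved by fixing the owner or mode of the file being opened than by granting the capability.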
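Review bot: The new sepolicy/mediaserver.te grants mediaserver `rw_dir_perms` and `create_file_perms` on nvdata_file and `rw_file_perms` on ccci_device, with no comment saying which feature needs them. mediaserver parses untrusted media, so every rule here extends what a compromised decoder can reach, and creating or rewriting NVRAM data files and opening the modem character device read-write is a large extension. If the denials come from reading calibration data, which is plausible but not shown, `r_dir_perms` and `r_file_perms` on nvdata_file would cover it. Confirm against the logged denials and add a comment naming them.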
@@ -18,8 +18,8 @@ allow mnld nvram_data_file:dir create_dir_perms; allow mnld nvram_data_file:file create_file_perms; allow mnld nvram_data_file:lnk_file read; -allow mnld nvram_device:chr_file{read write}; -allow mnld nvram_device:chr_file { ioctl open }; +allow mnld nvram_device:blk_file { open read write }; +allow mnld nvram_device:chr_file{ ioctl open read write}; allow mnld nvdata_file:dir create_dir_perms; allow mnld nvdata_file:file create_file_perms; diff --git a/sepolicy/nvram_daemon.te b/sepolicy/nvram_daemon.te index 3269cac..2e413c0 100644 --- a/sepolicy/nvram_daemon.te +++ b/sepolicy/nvram_daemon.te @@ -33,8 +33,10 @@ allow nvram_daemon self:capability { fowner chown dac_override dac_read_search f allow nvram_daemon system_data_file:dir {create write add_name}; -allow nvram_daemon nvram_device:chr_file {read write open ioctl}; -allow nvram_daemon pro_info_device:chr_file {read write open ioctl}; +allow nvram_daemon nvram_device:blk_file { open read write }; +allow nvram_daemon nvram_device:chr_file { read write open ioctl}; +allow nvram_daemon pro_info_device:chr_file { read write open ioctl}; +allow nvram_daemon pro_info_device:blk_file { open read write }; allow nvram_daemon block_device:dir search; diff --git a/sepolicy/thermal_manager.te b/sepolicy/thermal_manager.te index 715a83c..44bb2df 100644 --- a/sepolicy/thermal_manager.te +++ b/sepolicy/thermal_manager.te @@ -4,6 +4,7 @@ type thermal_manager_exec, exec_type, file_type; type thermal_manager, domain; init_daemon_domain(thermal_manager) +file_type_auto_trans(thermal_manager, system_data_file, thermal_manager_data_file) allow thermal_manager proc_mtkcooler:dir search; allow thermal_manager proc_mtktz:dir search; |
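Review bot: `file_type_auto_trans(thermal_manager, system_data_file, thermal_manager_data_file)` in sepolicy/thermal_manager.te is wider than the single file it is meant for. As defined in AOSP's te_macros, it also lets thermal_manager add entries to every system_data_file directory and relabels anything it creates there, directories included. The file_contexts hunk in this commit labels only `/data/.tp.settings`. A name-qualified transition such as `type_transition thermal_manager system_data_file:file thermal_manager_data_file ".tp.settings";`, plus explicit `allow` rules for that type, would keep the grant to the one file, assuming the policy version on this tree supports named transitions. The hunk shows only the top of the file, so rules further down may already cover part of this.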
