mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2024-12-12 09:24:26 -05:00
194 lines
7.9 KiB
Diff
194 lines
7.9 KiB
Diff
From f882d4f46b119d05ed02bfb35d03507abe65df94 Mon Sep 17 00:00:00 2001
|
|
From: Tad <tad@spotco.us>
|
|
Date: Sat, 28 Sep 2019 10:57:48 -0400
|
|
Subject: [PATCH] audit2allow sepolicy
|
|
|
|
Change-Id: Ia1e82d78c0f6a59216ce62274ec678258a807ed7
|
|
---
|
|
sepolicy/hal-nfc_default.te | 2 ++
|
|
sepolicy/hal_bluetooth_default.te | 1 +
|
|
sepolicy/hal_keymaster_default.te | 1 +
|
|
sepolicy/healthd.te | 1 +
|
|
sepolicy/init-power-sh.te | 5 +++++
|
|
sepolicy/init.te | 13 +++++++++++++
|
|
sepolicy/mm-qcamerad.te | 4 ++++
|
|
sepolicy/qtelephony.te | 2 ++
|
|
sepolicy/rild.te | 4 ++++
|
|
sepolicy/rmt_storage.te | 1 +
|
|
sepolicy/sensors.te | 1 +
|
|
sepolicy/servicemanager.te | 3 +++
|
|
sepolicy/system_app.te | 3 +++
|
|
sepolicy/system_server.te | 3 +++
|
|
sepolicy/toolbox.te | 1 +
|
|
sepolicy/ueventd.te | 1 +
|
|
16 files changed, 46 insertions(+)
|
|
create mode 100644 sepolicy/hal-nfc_default.te
|
|
create mode 100644 sepolicy/hal_bluetooth_default.te
|
|
create mode 100644 sepolicy/hal_keymaster_default.te
|
|
create mode 100644 sepolicy/qtelephony.te
|
|
create mode 100644 sepolicy/servicemanager.te
|
|
|
|
diff --git a/sepolicy/hal-nfc_default.te b/sepolicy/hal-nfc_default.te
|
|
new file mode 100644
|
|
index 0000000..f4d0b78
|
|
--- /dev/null
|
|
+++ b/sepolicy/hal-nfc_default.te
|
|
@@ -0,0 +1,2 @@
|
|
+allow hal_nfc_default nfc_data_file:dir { add_name write };
|
|
+allow hal_nfc_default nfc_data_file:file { create open read write };
|
|
diff --git a/sepolicy/hal_bluetooth_default.te b/sepolicy/hal_bluetooth_default.te
|
|
new file mode 100644
|
|
index 0000000..ec949d1
|
|
--- /dev/null
|
|
+++ b/sepolicy/hal_bluetooth_default.te
|
|
@@ -0,0 +1 @@
|
|
+allow hal_bluetooth_default mnt_vendor_file:file { open read };
|
|
diff --git a/sepolicy/hal_keymaster_default.te b/sepolicy/hal_keymaster_default.te
|
|
new file mode 100644
|
|
index 0000000..3aad282
|
|
--- /dev/null
|
|
+++ b/sepolicy/hal_keymaster_default.te
|
|
@@ -0,0 +1 @@
|
|
+allow hal_keymaster_default unlabeled:file { getattr open read };
|
|
diff --git a/sepolicy/healthd.te b/sepolicy/healthd.te
|
|
index 114e7b7..74a252e 100644
|
|
--- a/sepolicy/healthd.te
|
|
+++ b/sepolicy/healthd.te
|
|
@@ -1,3 +1,4 @@
|
|
allow healthd sysfs_thermal:dir search;
|
|
allow healthd sysfs_thermal:file { open read };
|
|
allow healthd device:dir r_dir_perms;
|
|
+allow healthd sysfs:file { getattr open read };
|
|
diff --git a/sepolicy/init-power-sh.te b/sepolicy/init-power-sh.te
|
|
index c24dd3c..ba3cd05 100644
|
|
--- a/sepolicy/init-power-sh.te
|
|
+++ b/sepolicy/init-power-sh.te
|
|
@@ -31,3 +31,8 @@ allow init-power-sh rootfs:file { getattr open read };
|
|
allow init-power-sh sysfs:dir { open read };
|
|
allow init-power-sh sysfs:file getattr;
|
|
allow init-power-sh sysfs:lnk_file getattr;
|
|
+
|
|
+allow init-power-sh file_contexts_file:file read;
|
|
+allow init-power-sh sysfs_cpu_boost:dir search;
|
|
+allow init-power-sh sysfs_cpu_boost:file { open write };
|
|
+allow init-power-sh sysfs_net:dir search;
|
|
diff --git a/sepolicy/init.te b/sepolicy/init.te
|
|
index 5ea8334..8424ed2 100644
|
|
--- a/sepolicy/init.te
|
|
+++ b/sepolicy/init.te
|
|
@@ -14,3 +14,16 @@ allow init sysfs_lowmemorykiller:file getattr;
|
|
allow init sysfs_light:file setattr;
|
|
allow init sysfs_power:file setattr;
|
|
allow init system_data_file:file { rename append };
|
|
+allow init atfwd_service:service_manager find;
|
|
+allow init debugfs_rmt:dir relabelfrom;
|
|
+allow init debugfs_rmt:file relabelfrom;
|
|
+allow init hal_drm_hwservice:hwservice_manager add;
|
|
+allow init hal_light_hwservice:hwservice_manager add;
|
|
+allow init hidl_base_hwservice:hwservice_manager add;
|
|
+allow init mnt_vendor_file:dir mounton;
|
|
+allow init qmuxd:unix_stream_socket connectto;
|
|
+allow init qmuxd_socket:sock_file write;
|
|
+allow init servicemanager:binder call;
|
|
+allow init sysfs:file { open setattr write };
|
|
+allow init sysfs_devices_system_cpu:file write;
|
|
+allow init sysfs_graphics:file { open write };
|
|
diff --git a/sepolicy/mm-qcamerad.te b/sepolicy/mm-qcamerad.te
|
|
index 79059bb..990fb2c 100644
|
|
--- a/sepolicy/mm-qcamerad.te
|
|
+++ b/sepolicy/mm-qcamerad.te
|
|
@@ -3,3 +3,7 @@ allow mm-qcamerad init:unix_stream_socket connectto;
|
|
allow mm-qcamerad persist_file:dir { getattr open read search };
|
|
allow mm-qcamerad persist_file:file { read open getattr };
|
|
allow mm-qcamerad property_socket:sock_file write;
|
|
+allow mm-qcamerad mnt_vendor_file:dir search;
|
|
+allow mm-qcamerad mnt_vendor_file:file { getattr open read };
|
|
+allow mm-qcamerad vendor_data_file:dir { add_name remove_name write };
|
|
+allow mm-qcamerad vendor_data_file:sock_file { create unlink };
|
|
diff --git a/sepolicy/qtelephony.te b/sepolicy/qtelephony.te
|
|
new file mode 100644
|
|
index 0000000..c9d5a74
|
|
--- /dev/null
|
|
+++ b/sepolicy/qtelephony.te
|
|
@@ -0,0 +1,2 @@
|
|
+allow qtelephony atfwd_service:service_manager add;
|
|
+allow qtelephony radio_service:service_manager find;
|
|
diff --git a/sepolicy/rild.te b/sepolicy/rild.te
|
|
index 732d94c..9970af5 100644
|
|
--- a/sepolicy/rild.te
|
|
+++ b/sepolicy/rild.te
|
|
@@ -10,3 +10,7 @@ allow rild rmt_storage_prop:file { getattr open read };
|
|
allow rild sensors_device:chr_file { ioctl open read write };
|
|
allow rild system_data_file:dir { write remove_name add_name };
|
|
allow rild system_data_file:sock_file { create setattr unlink };
|
|
+allow rild proc:file read;
|
|
+allow rild system_data_file:dir { open read };
|
|
+allow rild system_file:file execute_no_trans;
|
|
+allow rild unlabeled:dir getattr;
|
|
diff --git a/sepolicy/rmt_storage.te b/sepolicy/rmt_storage.te
|
|
index cf637ca..67cec68 100644
|
|
--- a/sepolicy/rmt_storage.te
|
|
+++ b/sepolicy/rmt_storage.te
|
|
@@ -10,3 +10,4 @@ allow rmt_storage fsg_file:file r_file_perms;
|
|
allow rmt_storage init:unix_stream_socket connectto;
|
|
allow rmt_storage property_socket:sock_file write;
|
|
allow rmt_storage rmt_storage_prop:property_service set;
|
|
+allow rmt_storage unlabeled:file { open read };
|
|
diff --git a/sepolicy/sensors.te b/sepolicy/sensors.te
|
|
index a07201b..196ed1a 100644
|
|
--- a/sepolicy/sensors.te
|
|
+++ b/sepolicy/sensors.te
|
|
@@ -1,3 +1,4 @@
|
|
allow sensors init:unix_stream_socket connectto;
|
|
allow sensors property_socket:sock_file write;
|
|
allow sensors sensors_prop:property_service set;
|
|
+allow sensors firmware_file:file { getattr open read };
|
|
diff --git a/sepolicy/servicemanager.te b/sepolicy/servicemanager.te
|
|
new file mode 100644
|
|
index 0000000..8ef184e
|
|
--- /dev/null
|
|
+++ b/sepolicy/servicemanager.te
|
|
@@ -0,0 +1,3 @@
|
|
+allow servicemanager init:dir search;
|
|
+allow servicemanager init:file { open read };
|
|
+allow servicemanager init:process getattr;
|
|
diff --git a/sepolicy/system_app.te b/sepolicy/system_app.te
|
|
index d0dbdfa..92d225c 100644
|
|
--- a/sepolicy/system_app.te
|
|
+++ b/sepolicy/system_app.te
|
|
@@ -1 +1,4 @@
|
|
allow system_app sensors_device:chr_file { read write open ioctl };
|
|
+allow system_app proc_pagetypeinfo:file { getattr open read };
|
|
+allow system_app sysfs_zram:dir search;
|
|
+allow system_app sysfs_zram:file { getattr open read };
|
|
diff --git a/sepolicy/system_server.te b/sepolicy/system_server.te
|
|
index c082b93..8f81c08 100644
|
|
--- a/sepolicy/system_server.te
|
|
+++ b/sepolicy/system_server.te
|
|
@@ -5,3 +5,6 @@ allow system_server sysfs_dt2w:file rw_file_perms;
|
|
allow system_server sysfs_light:file rw_file_perms;
|
|
allow system_server sysfs_power:file rw_file_perms;
|
|
allow system_server user_profile_data_file:dir r_dir_perms;
|
|
+allow system_server block_device:blk_file { getattr ioctl open read write };
|
|
+allow system_server init:binder call;
|
|
+allow system_server sensors_device:chr_file ioctl;
|
|
diff --git a/sepolicy/toolbox.te b/sepolicy/toolbox.te
|
|
index 0e64d66..7c57640 100644
|
|
--- a/sepolicy/toolbox.te
|
|
+++ b/sepolicy/toolbox.te
|
|
@@ -3,3 +3,4 @@ allow toolbox hwrev_data_file:file { write unlink getattr setattr };
|
|
allow toolbox init:fifo_file { write read getattr };
|
|
allow toolbox self:capability chown;
|
|
allow toolbox sysfs:file setattr;
|
|
+allow toolbox sysfs:file { getattr open read };
|
|
diff --git a/sepolicy/ueventd.te b/sepolicy/ueventd.te
|
|
index d069fda..65a66b8 100644
|
|
--- a/sepolicy/ueventd.te
|
|
+++ b/sepolicy/ueventd.te
|
|
@@ -1 +1,2 @@
|
|
allow ueventd radio_data_file:chr_file { create setattr };
|
|
+allow ueventd unlabeled:file { getattr open read };
|
|
--
|
|
2.21.0
|
|
|