update sepolicy
parent
39f8af0a05
commit
08200f33a8
@ -1,3 +0,0 @@
|
||||
allow bluetooth bluetooth_device:chr_file rw_file_perms;
|
||||
allow bluetooth proc_bluetooth_writable:dir search;
|
||||
allow bluetooth wifi_data_file:file r_file_perms;
|
@ -1,7 +0,0 @@
|
||||
allow cameraserver camera_socket:sock_file write;
|
||||
allow cameraserver init:unix_stream_socket connectto;
|
||||
allow cameraserver property_socket:sock_file write;
|
||||
allow cameraserver sysfs_camera:dir search;
|
||||
allow cameraserver sysfs_camera:file { open read };
|
||||
allow cameraserver system_file:file execmod;
|
||||
|
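--- /dev/null
+++ b/sepolicy/common/device.te
@@ -0,0 +1,2 @@
+# Fingerprint
+type vfsspi_device, dev_type;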
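--- /dev/null
+++ b/sepolicy/common/file.te
@@ -0,0 +1 @@
+type vfsspi_data_file, file_type, data_file_type;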
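Review bot: The new type declaration carries no section comment, while its counterpart in device.te from the same commit is introduced under `# Fingerprint`; a reader grepping for the label has no way to tell what the data is. Add `# Fingerprint (vfsspi) data, labeled on /data/validity by file_contexts` above the `type` line, which matches the only use of the label visible in this commit. The `data_file_type` attribute is appropriate here since the path lives under /data.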
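--- /dev/null
+++ b/sepolicy/common/file_contexts
@@ -0,0 +1,9 @@
+# data files
+/data/validity(/.*)? u:object_r:vfsspi_data_file:s0
+
+# device nodes
+/dev/ttyHS3 u:object_r:audio_device:s0
+/dev/vfsspi u:object_r:vfsspi_device:s0
+
+# sysfs
+/sys/devices(/.*)?/input/input[1-2]/enabled u:object_r:sysfs_hal_pwr:s0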
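Review bot: The sysfs entry `/sys/devices(/.*)?/input/input[1-2]/enabled u:object_r:sysfs_hal_pwr:s0` only takes effect if something runs restorecon on those nodes, because sysfs is labeled by the kernel through genfscon at mount time and file_contexts is consulted only on relabel; nothing in this commit does that, so confirm an init .rc `restorecon` covers these paths or the nodes will keep their default sysfs label. The `sysfs_hal_pwr` type is not declared in any file added here, so it presumably comes from a shared policy tree — worth a comment naming where, e.g. `# sysfs_hal_pwr is declared in the shared platform policy`. Separately, labeling /dev/ttyHS3 as the generic `audio_device` is what forces the broad kernel rule in kernel.te; a dedicated type for the es705 UART would keep that grant narrow.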
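--- /dev/null
+++ b/sepolicy/common/hal_fingerprint_default.te
@@ -0,0 +1,6 @@
+r_dir_file(hal_fingerprint_default, firmware_file)
+
+allow hal_fingerprint_default tee_device:chr_file rw_file_perms;
+allow hal_fingerprint_default vfsspi_data_file:dir rw_dir_perms;
+allow hal_fingerprint_default vfsspi_data_file:file create_file_perms;
+allow hal_fingerprint_default vfsspi_device:chr_file rw_file_perms;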
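Review bot: None of the six rules says why the fingerprint HAL needs the TEE device node, firmware blobs and a writable /data/validity, whereas kernel.te and device.te in the same commit do explain their grants; a header such as `# Fingerprint HAL (vfsspi sensor): SPI device node, TEE device, firmware files and data under /data/validity` plus a one-line reason on the `tee_device` rule would make the policy reviewable. Note that `rw_file_perms` on `tee_device` and `vfsspi_device` includes ioctl, which is where most of the attack surface of a chr_file lives; if audit logs show only read/write are exercised, narrow the set. `vfsspi_data_file` is also writable by the `tee` domain (tee.te), so two domains share this directory — if the HAL only consumes what tee produces, `r_dir_file(hal_fingerprint_default, vfsspi_data_file)` would be the narrower grant; confirm from denials before changing it.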
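--- /dev/null
+++ b/sepolicy/common/kernel.te
@@ -0,0 +1,4 @@
+# Samsung literally vfs_write()s to the es705 UART at /dev/ttyHS3 to
+# load the firmware. Without crafting a userspace helper or re-doing
+# the whole path, there is no way around this.
+allow kernel audio_device:chr_file rw_file_perms;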
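Review bot: `allow kernel audio_device:chr_file rw_file_perms;` grants the kernel domain the full read/write set (read, ioctl, lock, append and more) on every node labeled `audio_device`, not just the es705 UART, because file_contexts in this commit labels /dev/ttyHS3 with the generic audio label. The comment itself says the only requirement is a vfs_write() of firmware, so the rule can be narrowed to what that path exercises, presumably `{ open write }`, with anything further added only from an actual denial; `allow kernel audio_device:chr_file { open write };` is the starting point. Giving /dev/ttyHS3 its own device type (e.g. declared in device.te alongside vfsspi_device) would keep the kernel's access off the other audio nodes entirely. The old kernel.te also carried `allow kernel efs_file:dir search;`, which this commit drops without comment — confirm it is no longer needed or now comes from a shared policy.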
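--- /dev/null
+++ b/sepolicy/common/tee.te
@@ -0,0 +1,2 @@
+allow tee vfsspi_data_file:dir create_dir_perms;
+allow tee vfsspi_data_file:file create_file_perms;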
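Review bot: tee may create directories and files of type `vfsspi_data_file`, but nothing in this commit ensures a directory tee creates under /data actually receives that label: a child created under `system_data_file` inherits the parent's type unless a `type_transition` or a relabel applies, in which case these two rules never match and the real denials appear against `system_data_file`. Either rely on an init .rc `mkdir /data/validity` (which applies the file_contexts entry) and say so in a comment, or add `type_transition tee system_data_file:dir vfsspi_data_file "validity";` together with the `system_data_file:dir { add_name write }` grant that creation needs. A short header like `# TEE writes fingerprint (vfsspi) data under /data/validity` would also help, as the file has no comment at all.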
@ -1 +0,0 @@
|
||||
type bluetooth_device, dev_type;
|
@ -1,8 +0,0 @@
|
||||
type sensors_efs_file, file_type;
|
||||
type sysfs_camera, fs_type, sysfs_type;
|
||||
type sysfs_display, fs_type, sysfs_type;
|
||||
type sysfs_sec, fs_type, sysfs_type;
|
||||
type sysfs_vibeamp, fs_type, sysfs_type;
|
||||
type sysfs_wifi_nv_path, fs_type, sysfs_type;
|
||||
type vcs_data_file, file_type, data_file_type;
|
||||
type wifi_efs_file, file_type;
|
@ -1,53 +0,0 @@
|
||||
# Audience
|
||||
/dev/ttyHS3 u:object_r:audio_device:s0
|
||||
|
||||
# Bluetooth
|
||||
/dev/btlock u:object_r:bluetooth_device:s0
|
||||
/dev/rfkill u:object_r:bluetooth_device:s0
|
||||
/efs/bluetooth(/.*)? u:object_r:bluetooth_efs_file:s0
|
||||
|
||||
# Camera
|
||||
/data/cam_socket.* u:object_r:camera_socket:s0
|
||||
/sys/devices/virtual/camera(/.*)? u:object_r:sysfs_camera:s0
|
||||
|
||||
# CMHW
|
||||
/sys/devices/virtual/timed_output/vibrator(/.*)? u:object_r:sysfs_vibeamp:s0
|
||||
|
||||
# Display
|
||||
/sys/devices/virtual/lcd/panel/power_reduce u:object_r:sysfs_display:s0
|
||||
|
||||
# EFS
|
||||
/dev/block/platform/msm_sdcc.1/by-name/efs u:object_r:modem_efs_partition_device:s0
|
||||
|
||||
# Macloader
|
||||
/system/bin/macloader u:object_r:macloader_exec:s0
|
||||
|
||||
# RIL
|
||||
/data/data/com.android.providers.telephony/databases(/.*)? u:object_r:radio_data_file:s0
|
||||
/data/data/com.android.providers.telephony/shared_prefs(/.*)? u:object_r:radio_data_file:s0
|
||||
|
||||
# RIL - Variant Blobs
|
||||
/system/blobs/(.*)/bin/ks u:object_r:mdm_helper_exec:s0
|
||||
/system/blobs/(.*)/bin/qmuxd u:object_r:qmuxd_exec:s0
|
||||
/system/blobs/(.*)/bin/rfs_access u:object_r:rfs_access_exec:s0
|
||||
/system/blobs/(.*)/bin/rild u:object_r:rild_exec:s0
|
||||
/system/blobs/(.*)/bin/rmt_storage u:object_r:rmt_storage_exec:s0
|
||||
|
||||
# SEC
|
||||
/sys/devices/virtual/sec/sec_key/hall_irq_ctrl u:object_r:sysfs_sec:s0
|
||||
/sys/devices/virtual/sec/tsp(/.*)? u:object_r:sysfs_sec:s0
|
||||
|
||||
# Sensors
|
||||
/dev/batch_io u:object_r:sensors_device:s0
|
||||
/efs/FactoryApp/baro_delta u:object_r:sensors_efs_file:s0
|
||||
/efs/gyro_cal_data u:object_r:sensors_efs_file:s0
|
||||
/efs/prox_cal u:object_r:sensors_efs_file:s0
|
||||
|
||||
# Uncrypt
|
||||
/dev/block/platform/msm_sdcc.1/by-name/fota u:object_r:misc_block_device:s0
|
||||
|
||||
# WiFi
|
||||
/data/.cid.info u:object_r:wifi_data_file:s0
|
||||
/data/.wifiver.info u:object_r:wifi_data_file:s0
|
||||
/efs/wifi(/.*)? u:object_r:wifi_efs_file:s0
|
||||
/sys/module/dhd/parameters/nvram_path u:object_r:sysfs_wifi_nv_path:s0
|
@ -1 +0,0 @@
|
||||
allow fsck modem_efs_partition_device:blk_file rw_file_perms;
|
@ -1 +0,0 @@
|
||||
genfscon proc /bluetooth/sleep u:object_r:proc_bluetooth_writable:s0
|
@ -1,2 +0,0 @@
|
||||
allow healthd device:dir r_dir_perms;
|
||||
allow healthd rtc_device:chr_file rw_file_perms;
|
@ -1 +0,0 @@
|
||||
allow hostapd bluetooth_device:chr_file { open read };
|
@ -1,3 +0,0 @@
|
||||
allow init sysfs_sec:lnk_file r_file_perms;
|
||||
allow init debugfs:file write;
|
||||
allow init socket_device:sock_file { create write setattr };
|
@ -1,2 +0,0 @@
|
||||
allow kernel audio_device:chr_file rw_file_perms;
|
||||
allow kernel efs_file:dir search;
|
@ -1,13 +0,0 @@
|
||||
type macloader, domain;
|
||||
type macloader_exec, exec_type, file_type;
|
||||
init_daemon_domain(macloader)
|
||||
|
||||
type_transition macloader system_data_file:file wifi_data_file;
|
||||
|
||||
allow macloader efs_file:dir search;
|
||||
allow macloader self:capability { chown dac_override fowner fsetid };
|
||||
allow macloader sysfs_wifi_nv_path:file { open write };
|
||||
allow macloader system_data_file:dir { add_name search write };
|
||||
allow macloader wifi_data_file:file { create_file_perms getattr setattr };
|
||||
allow macloader wifi_efs_file:dir search;
|
||||
allow macloader wifi_efs_file:file r_file_perms;
|
@ -1,6 +0,0 @@
|
||||
allow mediaserver cameraproxy_service:service_manager find;
|
||||
allow mediaserver sensorservice_service:service_manager find;
|
||||
allow mediaserver sysfs_camera:dir search;
|
||||
allow mediaserver sysfs_camera:file { getattr open read };
|
||||
allow mediaserver system_file:file execmod; # for libmmjpeg
|
||||
allow mediaserver system_prop:property_service set;
|
@ -1,6 +0,0 @@
|
||||
allow mm-qcamerad media_rw_data_file:dir search;
|
||||
allow mm-qcamerad sysfs_camera:dir search;
|
||||
allow mm-qcamerad sysfs_camera:file rw_file_perms;
|
||||
allow mm-qcamerad system_data_file:dir w_dir_perms;
|
||||
allow mm-qcamerad system_file:file execmod; # for libmmcamera_faceproc
|
||||
type_transition mm-qcamerad system_data_file:sock_file camera_socket "cam_socket3";
|
@ -1,2 +0,0 @@
|
||||
allow mpdecision system_data_file:dir { add_name remove_name write };
|
||||
allow mpdecision system_data_file:sock_file write;
|
@ -1,4 +0,0 @@
|
||||
allow platform_app exfat:dir create_dir_perms;
|
||||
allow platform_app exfat:file create_file_perms;
|
||||
allow platform_app fuseblk:dir create_dir_perms;
|
||||
allow platform_app fuseblk:file create_file_perms;
|
@ -1,5 +0,0 @@
|
||||
allow priv_app device:dir { open read };
|
||||
allow priv_app exfat:dir create_dir_perms;
|
||||
allow priv_app exfat:file create_file_perms;
|
||||
allow priv_app fuseblk:dir create_dir_perms;
|
||||
allow priv_app fuseblk:file create_file_perms;
|
@ -1,10 +0,0 @@
|
||||
##########################
|
||||
# property service keys
|
||||
#
|
||||
#
|
||||
persist.ril.radiocapa.tdscdma u:object_r:radio_prop:s0
|
||||
persist.ril.modem.board u:object_r:radio_prop:s0
|
||||
persist.ril.ims.eutranParam u:object_r:radio_prop:s0
|
||||
persist.ril.ims.utranParam u:object_r:radio_prop:s0
|
||||
persist.ril.xcap.pdnFailCause u:object_r:radio_prop:s0
|
||||
persist.ril.ims.pdnFailCause u:object_r:radio_prop:s0
|
@ -1,5 +0,0 @@
|
||||
allow rild proc_net:file rw_file_perms;
|
||||
allow rild self:capability dac_override;
|
||||
allow rild sysfs_sec:file rw_file_perms;
|
||||
allow rild radio_data_file:lnk_file read;
|
||||
allow rild radio_prop:property_service set;
|
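--- /dev/null
+++ b/sepolicy/sepolicy.mk
@@ -0,0 +1,19 @@
+#
+# Copyright (C) 2018 The LineageOS Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+# Board specific SELinux policy variable definitions
+BOARD_SEPOLICY_DIRS += \
+device/samsung/klte-common/sepolicy/common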
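Review bot: The makefile puts only `device/samsung/klte-common/sepolicy/common` on `BOARD_SEPOLICY_DIRS`, while this commit deletes the device rules and type declarations for macloader (including the `macloader` domain and `macloader_exec` type), rild, mm-qcamerad, mediaserver, ueventd, wpa, system_server and others without re-adding them in any file introduced here. If those rules now live in a shared platform tree, that tree's sepolicy directory must also be reachable through `BOARD_SEPOLICY_DIRS`, possibly via an inherited mk outside this diff; otherwise those daemons will hit denials on an enforcing build. A comment on the `BOARD_SEPOLICY_DIRS` line naming where the removed policy moved would make the dependency explicit.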
@ -1,4 +0,0 @@
|
||||
allow shell exfat:dir create_dir_perms;
|
||||
allow shell exfat:file create_file_perms;
|
||||
allow shell fuseblk:dir create_dir_perms;
|
||||
allow shell fuseblk:file create_file_perms;
|
@ -1,10 +0,0 @@
|
||||
allow system_server efs_file:dir search;
|
||||
allow system_server sensors_efs_file:file r_file_perms;
|
||||
allow system_server sysfs_display:file rw_file_perms;
|
||||
allow system_server sysfs_sec:dir search;
|
||||
allow system_server sysfs_sec:file rw_file_perms;
|
||||
allow system_server sysfs_vibeamp:dir search;
|
||||
allow system_server sysfs_vibeamp:file rw_file_perms;
|
||||
allow system_server wifi_efs_file:dir search;
|
||||
allow system_server wifi_efs_file:file r_file_perms;
|
||||
allow system_server app_data_file:file rename;
|
@ -1,2 +0,0 @@
|
||||
allow tee vcs_data_file:dir create_dir_perms;
|
||||
allow tee vcs_data_file:file create_file_perms;
|
@ -1 +0,0 @@
|
||||
allow thermal-engine self:capability chown;
|
@ -1,6 +0,0 @@
|
||||
allow ueventd sysfs_camera:file rw_file_perms;
|
||||
allow ueventd sysfs_sec:file rw_file_perms;
|
||||
allow ueventd sysfs_vibeamp:file rw_file_perms;
|
||||
allow ueventd vcs_device:chr_file create_file_perms;
|
||||
allow ueventd vfat:dir search;
|
||||
allow ueventd vfat:file { getattr open read };
|
@ -1,5 +0,0 @@
|
||||
# These are safe for an untrusted_app -- they are the external SD card
|
||||
allow untrusted_app exfat:dir create_dir_perms;
|
||||
allow untrusted_app exfat:file create_file_perms;
|
||||
allow untrusted_app fuseblk:dir create_dir_perms;
|
||||
allow untrusted_app fuseblk:file create_file_perms;
|
@ -1 +0,0 @@
|
||||
allow vold efs_file:dir r_file_perms;
|
@ -1,4 +0,0 @@
|
||||
allow wpa bluetooth_device:chr_file rw_file_perms;
|
||||
allow wpa efs_file:dir search;
|
||||
allow wpa wifi_efs_file:dir search;
|
||||
allow wpa wifi_efs_file:file r_file_perms;
|