address some selinux denials

author Stricted <info@stricted.net>

Sat, 28 Apr 2018 18:18:44 +0000 (20:18 +0200)

committer Stricted <info@stricted.net>

Sat, 28 Apr 2018 19:22:25 +0000 (21:22 +0200)
author Stricted <info@stricted.net>
Sat, 28 Apr 2018 18:18:44 +0000 (20:18 +0200)
committer Stricted <info@stricted.net>
Sat, 28 Apr 2018 19:22:25 +0000 (21:22 +0200)
diff --git a/sepolicy/audioserver.te b/sepolicy/audioserver.te

index 2dd472f05a1c8e6c21779aa1cc1b467f88abd20c..25924b197ce2b1deee4b522eab876c766ec0f449 100644 (file)
--- a/sepolicy/audioserver.te
+++ b/sepolicy/audioserver.te
@@ -13,3 +13,6 @@ allow audioserver sysfs_devinfo:file { open read write };
  allow audioserver sysfs_ccci:file r_file_perms;
  allow audioserver sysfs_ccci:dir search;
  allow audioserver audiohal_prop:property_service set;
+
+allow audioserver sysfs_boot_mode:file { read open };
+#allow audioserver device:chr_file { read write open };
diff --git a/sepolicy/bluetooth.te b/sepolicy/bluetooth.te

index 9671019725fe8f0aa2c597cbbc6b4c21dc4e3c7b..a47886b9e529edb28fcf77e1acfe318532ea3469 100644 (file)
--- a/sepolicy/bluetooth.te
+++ b/sepolicy/bluetooth.te
@@ -7,3 +7,5 @@ allow bluetooth nvdata_file:file rw_file_perms;
  allow bluetooth nvdata_file:lnk_file r_file_perms;
  
  allow bluetooth block_device:dir search;
+
+allow bluetooth sysfs_boot_mode:file { read open };
diff --git a/sepolicy/init.te b/sepolicy/init.te

index cb35bcd573057ad6bc2c2c111e91732749bb74d1..5d58a33e025baface5f6f795a6d1174c83435519 100644 (file)
--- a/sepolicy/init.te
+++ b/sepolicy/init.te
@@ -7,3 +7,12 @@ allow init protect1_device:blk_file write;
  allow init protect2_device:blk_file write;
  
  allow init socket_device:sock_file { create setattr unlink };
+
+
+allow init tmpfs:lnk_file { create };
+allow init mnt_media_rw_file:dir { mounton };
+allow init asec_apk_file:dir { mounton };
+allow init perf_control_sysfs:file { getattr };
+allow init servicemanager:binder { call transfer };
+allow init sdcardd_exec:file r_file_perms;
+allow init wmtWifi_device:chr_file { write };
diff --git a/sepolicy/kernel.te b/sepolicy/kernel.te

index d87c6e7d917929cc3010846a6a4df1371f6eca10..9c3b64fb1e37ba163d0f0b885a6ae6fa87ef3df4 100644 (file)
--- a/sepolicy/kernel.te
+++ b/sepolicy/kernel.te
@@ -4,3 +4,8 @@ allow kernel self:capability dac_override;
  allow kernel wifi_data_file:dir search;
  allow kernel wifi_data_file:file r_file_perms;
  
+# for /cache/gtp_(clk|ref).bin
+allow kernel cache_file:file { write open };
+
+#allow mediaserver device:chr_file { read open ioctl };
+#allow mediaserver default_prop:property_service { set };
diff --git a/sepolicy/mediaserver.te b/sepolicy/mediaserver.te

index ada062aacf224c635bbe982ce9a1ef9412fec4fd..ad2fe02d364817f77f56684d1f3f9d9c293fd428 100644 (file)
--- a/sepolicy/mediaserver.te
+++ b/sepolicy/mediaserver.te
@@ -7,3 +7,7 @@ allow mediaserver ccci_device:chr_file rw_file_perms;
  allow mediaserver pq_service:service_manager find;
  
  allow mediaserver sysfs_devinfo:file r_file_perms;
+
+allow mediaserver camera_device:chr_file { read write open ioctl };
+allow mediaserver sysfs_boot_mode:file { read open };
+allow mediaserver sysfs_ddr_type:file { read open };
diff --git a/sepolicy/nvram_daemon.te b/sepolicy/nvram_daemon.te

index 18af42fc3a20bcaef8272e9f1e7742b22037db03..dbc31e8e89bf65f001541de318efe1aa5c745753 100644 (file)
--- a/sepolicy/nvram_daemon.te
+++ b/sepolicy/nvram_daemon.te
@@ -24,3 +24,7 @@ allow nvram_daemon wmt_prop:property_service set;
  allow nvram_daemon block_device:dir search;
  
  unix_socket_connect(nvram_daemon, property, init)
+
+allow nvram_daemon sysfs_boot_mode:file { read open };
+allow nvram_daemon sysfs:file { write };
+allow nvram_daemon system_prop:property_service { set };
diff --git a/sepolicy/priv_app.te b/sepolicy/priv_app.te

index 7874778e4838596beabfdffbcd7351fb51cb7510..c049c93756d551299f6f5565daee8e47ec54831e 100644 (file)
--- a/sepolicy/priv_app.te
+++ b/sepolicy/priv_app.te
@@ -3,3 +3,5 @@ allow priv_app guiext-server_service:service_manager find;
  
  # PQ
  allow priv_app pq_service:service_manager find;
+
+allow priv_app device:dir { read open };
+\ No newline at end of file
diff --git a/sepolicy/servicemanager.te b/sepolicy/servicemanager.te

new file mode 100644 (file)

index 0000000..c781a2e
--- /dev/null
+++ b/sepolicy/servicemanager.te
@@ -0,0 +1,3 @@
+allow servicemanager init:dir { search };
+allow servicemanager init:file { read open };
+allow servicemanager init:process { getattr };
diff --git a/sepolicy/system_app.te b/sepolicy/system_app.te

index 95fdd9ec97c76db44e9f27c312198fb1d219d53f..8a847fa93634fe45c50af90d87e910b6ecf7db85 100644 (file)
--- a/sepolicy/system_app.te
+++ b/sepolicy/system_app.te
@@ -5,4 +5,6 @@ allow system_app fast_charge_sysfs:file rw_file_perms;
  allow system_app smartwake_sysfs:file rw_file_perms;
  allow system_app perf_control_sysfs:file rw_file_perms;
  
-allow system_app em_svr:unix_stream_socket connectto;
-\ No newline at end of file
+allow system_app em_svr:unix_stream_socket connectto;
+
+allow system_app radio_data_file:dir { getattr };
diff --git a/sepolicy/system_server.te b/sepolicy/system_server.te

index a99f314f641bb743686732ad3489041967991448..8bdc4b98438ae4925fb589b1ca5dc4babb773f0a 100644 (file)
--- a/sepolicy/system_server.te
+++ b/sepolicy/system_server.te
@@ -30,3 +30,5 @@ allow system_server storage_stub_file:dir { getattr };
  
  # Guiext
  allow system_server guiext-server_service:service_manager find;
+
+allow system_server unlabeled:file { unlink };
diff --git a/sepolicy/untrusted_app.te b/sepolicy/untrusted_app.te

index 3eccfac997d98b4509d2c4283be00e8df9867966..fd5677f27a7d3f954823138671dbed57e11e7a65 100644 (file)
--- a/sepolicy/untrusted_app.te
+++ b/sepolicy/untrusted_app.te
@@ -1,2 +1,6 @@
  # PQ
  allow untrusted_app pq_service:service_manager find;
+
+# These are safe for an untrusted_app -- they are the external SD card
+allow untrusted_app fuseblk:dir search;
+allow untrusted_app fuseblk:file { getattr read };
diff --git a/sepolicy/wmt_loader.te b/sepolicy/wmt_loader.te

index 33da9264421adfe8d32b0434bc9bebed085a0661..2be55ccb51723136f18f2fd7f93b3977663e1516 100644 (file)
--- a/sepolicy/wmt_loader.te
+++ b/sepolicy/wmt_loader.te
@@ -9,3 +9,5 @@ allow wmt_loader proc_wmt:file setattr;
  allow wmt_loader wmt_prop:property_service set;
  
  unix_socket_connect(wmt_loader, property, init)
+
+allow wmt_loader stpwmt_device:chr_file { read write open ioctl };
author	Stricted <info@stricted.net>
	Sat, 28 Apr 2018 18:18:44 +0000 (20:18 +0200)
committer	Stricted <info@stricted.net>
	Sat, 28 Apr 2018 19:22:25 +0000 (21:22 +0200)
sepolicy/audioserver.te		patch \| blob \| blame \| history
sepolicy/bluetooth.te		patch \| blob \| blame \| history
sepolicy/init.te		patch \| blob \| blame \| history
sepolicy/kernel.te		patch \| blob \| blame \| history
sepolicy/mediaserver.te		patch \| blob \| blame \| history
sepolicy/nvram_daemon.te		patch \| blob \| blame \| history
sepolicy/priv_app.te		patch \| blob \| blame \| history
sepolicy/servicemanager.te	[new file with mode: 0644]	patch \| blob
sepolicy/system_app.te		patch \| blob \| blame \| history
sepolicy/system_server.te		patch \| blob \| blame \| history
sepolicy/untrusted_app.te		patch \| blob \| blame \| history
sepolicy/wmt_loader.te		patch \| blob \| blame \| history