projects / GitHub / LineageOS / G12 / android_device_amlogic_g12-common.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 9654e73)
g12: sepolicy: update for S
authorTimi Rautamäki <timi.rautamaki@gmail.com>
Wed, 23 Mar 2022 19:33:19 +0000 (19:33 +0000)
committerBruno Martins <bgcngm@gmail.com>
Fri, 25 Mar 2022 14:10:16 +0000 (14:10 +0000)
* vendor_kernel_modules, hal_oemlock_default are defined in
  system/sepolicy
* priv_app doesn't need cgroup_bpf dir access
* audioserver accessing vendor_prop is a neverallow
* ro.rfkilldisabled, init.svc.tee_supplicant, ro.vendor.hdmi.auto_otp
  are unused
* ro.crypto.fuse_sdcard is not labeled in stock
* Update property labels according to
  https://source.android.com/devices/architecture/configuration/add-system-properties#vendor-sepolicies

Change-Id: I9a13c93ccfbb4358b57dd113d27b90416eb0384f

sepolicy/vendor/audioserver.te [deleted file] patch | blob | blame | history
sepolicy/vendor/file.te patch | blob | blame | history
sepolicy/vendor/hal_bluetooth_default.te patch | blob | blame | history
sepolicy/vendor/hal_oemlock_default.te patch | blob | blame | history
sepolicy/vendor/priv_app.te [deleted file] patch | blob | blame | history
sepolicy/vendor/property.te patch | blob | blame | history
sepolicy/vendor/property_contexts patch | blob | blame | history
sepolicy/vendor/system_control.te patch | blob | blame | history
sepolicy/vendor/vendor_init.te patch | blob | blame | history

diff --git a/sepolicy/vendor/audioserver.te b/sepolicy/vendor/audioserver.te
deleted file mode 100644 (file)
index 79cfb9f..0000000
--- a/sepolicy/vendor/audioserver.te
+++ /dev/null
@@ -1 +0,0 @@
-get_prop(audioserver, vendor_default_prop)
diff --git a/sepolicy/vendor/file.te b/sepolicy/vendor/file.te
index a22bcf7b6a17e8ebd50b48635508b1a1d1fba698..ac8a6300219eadd669b0d6212c06c2aadba7178a 100644 (file)
--- a/sepolicy/vendor/file.te
+++ b/sepolicy/vendor/file.te
@@ -17,5 +17,4 @@ type sysfs_xbmc, fs_type, sysfs_type;
 
 type tee_firmload_exec, exec_type, vendor_file_type, file_type;
 
-type vendor_kernel_modules, vendor_file_type, file_type;
 type vendor_mediadrm_vendor_data_file, file_type, data_file_type;
diff --git a/sepolicy/vendor/hal_bluetooth_default.te b/sepolicy/vendor/hal_bluetooth_default.te
index 2c7ec8ec58023531193ff444dd60cd42fb14561c..a1347ff7b85a074740c122b566c5fc86300df571 100644 (file)
--- a/sepolicy/vendor/hal_bluetooth_default.te
+++ b/sepolicy/vendor/hal_bluetooth_default.te
@@ -1,7 +1,5 @@
 allow hal_bluetooth_default hci_attach_dev:file rw_file_perms;
 allow hal_bluetooth_default sysfs_bluetooth_writable:file rw_file_perms;
 
-get_prop(hal_bluetooth_default, vendor_bluetooth_prop)
-
 # This is a neverallow (somehow), but Bluetooth functions all work without it
 dontaudit hal_bluetooth_default self:udp_socket create;
diff --git a/sepolicy/vendor/hal_oemlock_default.te b/sepolicy/vendor/hal_oemlock_default.te
index 1aab031252d6ce59b1003453c2405e20261dcc64..6a454167e46d0f9814add2bdb461dac72be6a5b0 100644 (file)
--- a/sepolicy/vendor/hal_oemlock_default.te
+++ b/sepolicy/vendor/hal_oemlock_default.te
@@ -1,10 +1,2 @@
-type hal_oemlock_default, domain;
-type hal_oemlock_default_exec, exec_type, vendor_file_type, file_type;
-
-hal_server_domain(hal_oemlock_default, hal_oemlock)
-
-init_daemon_domain(hal_oemlock_default)
-
 allow hal_oemlock_default systemcontrol_hwservice:hwservice_manager find;
-
 allow hal_oemlock_default system_control:binder call;
diff --git a/sepolicy/vendor/priv_app.te b/sepolicy/vendor/priv_app.te
deleted file mode 100644 (file)
index a692350..0000000
--- a/sepolicy/vendor/priv_app.te
+++ /dev/null
@@ -1 +0,0 @@
-allow priv_app cgroup_bpf:dir search;
diff --git a/sepolicy/vendor/property.te b/sepolicy/vendor/property.te
index 3d7a51c8a669a5d7e2c22c154040a892840a6cf7..34ad0781ee23d3f714ffad813946e43d3e552096 100644 (file)
--- a/sepolicy/vendor/property.te
+++ b/sepolicy/vendor/property.te
@@ -1,9 +1,7 @@
-type tee_prop, property_type;
+vendor_internal_prop(vendor_bluetooth_prop);
+vendor_internal_prop(vendor_dolby_prop);
+vendor_internal_prop(vendor_boot_prop);
+vendor_internal_prop(vendor_display_prop);
+vendor_internal_prop(vendor_wifi_prop);
 
-type vendor_bluetooth_prop, property_type;
-type vendor_dolby_prop, property_type;
-type vendor_boot_prop, property_type;
-type vendor_display_prop, property_type;
-type vendor_hdmi_prop, property_type;
-type vendor_vold_prop, property_type;
-type vendor_wifi_prop, property_type;
+vendor_public_prop(vendor_hdmi_prop);
diff --git a/sepolicy/vendor/property_contexts b/sepolicy/vendor/property_contexts
index 6aee707c1d10f308418a810e3a6eed41b7b16bc0..ec6792dfa89933d573084d12a4b8c95396071e78 100644 (file)
--- a/sepolicy/vendor/property_contexts
+++ b/sepolicy/vendor/property_contexts
@@ -1,10 +1,4 @@
-init.svc.tee_supplicant u:object_r:tee_prop:s0
-
 ro.boot.oem.locales     u:object_r:vendor_boot_prop:s0
-ro.crypto.fuse_sdcard   u:object_r:vendor_vold_prop:s0
-ro.rfkilldisabled       u:object_r:vendor_bluetooth_prop:s0
-
-ro.vendor.hdmi.auto_otp u:object_r:exported3_default_prop:s0
 
 persist.vendor.sys.cec.logicaladdress u:object_r:vendor_hdmi_prop:s0
 persist.vendor.sys.hdr.state          u:object_r:vendor_hdmi_prop:s0
diff --git a/sepolicy/vendor/system_control.te b/sepolicy/vendor/system_control.te
index 3d4115bae8910e5693c8e318174ae2db96065390..4e01820fcd2e00805e25109f13e15c6031b7c02b 100644 (file)
--- a/sepolicy/vendor/system_control.te
+++ b/sepolicy/vendor/system_control.te
@@ -38,7 +38,6 @@ allow system_control self:capability net_admin;
 allow system_control system_control:netlink_kobject_uevent_socket { bind create read setopt };
 
 get_prop(system_control, hwservicemanager_prop)
-get_prop(system_control, vendor_bluetooth_prop)
 set_prop(system_control, ctl_stop_prop)
 set_prop(system_control, vendor_boot_prop)
 set_prop(system_control, vendor_display_prop)
diff --git a/sepolicy/vendor/vendor_init.te b/sepolicy/vendor/vendor_init.te
index 5b1c82d2729d9d2802515bc2a585a0e4f4d7e2f6..2a86f9bd2d17796d07bd4b6d229d9fd4a9d78d94 100644 (file)
--- a/sepolicy/vendor/vendor_init.te
+++ b/sepolicy/vendor/vendor_init.te
@@ -1,4 +1,3 @@
-allow vendor_init display_device:file setattr;
 allow vendor_init graphics_device:file setattr;
 allow vendor_init proc_vm_writable:file rw_file_perms;
 allow vendor_init sysfs_graphics_device:file setattr;
@@ -6,7 +5,4 @@ allow vendor_init sysfs_graphics_device:file setattr;
 allow vendor_init self:capability sys_module;
 allow vendor_init vendor_file:system module_load;
 
-get_prop(vendor_init, tee_prop)
-set_prop(vendor_init, tee_prop)
-set_prop(vendor_init, vendor_boot_prop) 
-set_prop(vendor_init, vendor_vold_prop)
+set_prop(vendor_init, vendor_boot_prop)