From: Timi Rautamäki
Date: Wed, 11 May 2022 11:45:04 +0000 (+0000)
Subject: g12: sepolicy: Address misc denials
X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=5c06248e86a2ef2eacbbae8d504ff8cd89e7fb0f;p=GitHub%2FLineageOS%2FG12%2Fandroid_device_amlogic_g12-common.git
g12: sepolicy: Address misc denials
Change-Id: I611b6a78b1c29c318a0f3a856ccf250610ba73f5
---
diff --git a/sepolicy/private/file_contexts b/sepolicy/private/file_contexts
index 062f139..dc7e95b 100644
--- a/sepolicy/private/file_contexts
+++ b/sepolicy/private/file_contexts
@@ -1,2 +1,5 @@
 # Blur
 /(system_ext|system/system_ext)/bin/blur_sysprop_notifier u:object_r:blur_sysprop_notifier_exec:s0
+
+# Media
+/sys/class/codec_mm/fastplay_enable u:object_r:sysfs_media:s0
diff --git a/sepolicy/vendor/file.te b/sepolicy/vendor/file.te
index e2ac09a..907370d 100644
--- a/sepolicy/vendor/file.te
+++ b/sepolicy/vendor/file.te
@@ -1,5 +1,6 @@
 type hidraw_audio_device, dev_type;
 type media_device, dev_type;
+type amstream_device, dev_type;
 type param_tv_file, file_type;
diff --git a/sepolicy/vendor/file_contexts b/sepolicy/vendor/file_contexts
index e6162c2..406ace2 100644
--- a/sepolicy/vendor/file_contexts
+++ b/sepolicy/vendor/file_contexts
@@ -56,9 +56,6 @@
 /sys/devices/platform/meson-fb/graphics/fb0/free_scale_switch u:object_r:sysfs_graphics_device:s0
 /sys/module/amdolby_vision/parameters/dolby_vision_enable u:object_r:sysfs_graphics_device:s0
 /sys/module/amdolby_vision/parameters/dolby_vision_ll_policy u:object_r:sysfs_graphics_device:s0
-/sys/module/amvdec_av1/parameters/frame_height u:object_r:sysfs_graphics_device:s0
-/sys/module/amvdec_vp9/parameters/frame_height u:object_r:sysfs_graphics_device:s0
-/sys/module/amvdec_avs2/parameters/frame_height u:object_r:sysfs_graphics_device:s0
 /sys/module/di/parameters(/.*)? u:object_r:sysfs_graphics_device:s0
 /sys/module/fb/parameters/osd_logo_index u:object_r:sysfs_graphics_device:s0
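Review bot: In sepolicy/private/file_contexts the new `/sys/class/codec_mm/fastplay_enable` entry is labelled `sysfs_media`, while the sibling node `/sys/class/codec_mm/tvp_enable` gets the same type in the `# Media` block of sepolicy/vendor/file_contexts. Unless the private placement is deliberate (nothing in the commit says so), moving the line `/sys/class/codec_mm/fastplay_enable u:object_r:sysfs_media:s0` next to `tvp_enable` keeps both codec_mm labels in one file. It also keeps the private policy from referring to a type that may only be declared on the vendor side; where `sysfs_media` is declared is not visible in this diff. A one-line comment naming the domain whose denial this entry answers would make the label reviewable, since the commit message quotes no denial.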
@@ -106,13 +103,17 @@
 # Media
 /dev/amresource_mgr u:object_r:video_device:s0
+/dev/amstream_hevc_frame u:object_r:amstream_device:s0
+/dev/amstream_vframe u:object_r:amstream_device:s0
 /dev/amvecm u:object_r:amvecm_device:s0
 /dev/amvenc_avc u:object_r:media_device:s0
 /dev/HevcEnc u:object_r:media_device:s0
+/dev/ionvideo u:object_r:video_device:s0
+/dev/v4lvideo u:object_r:video_device:s0
 /sys/class/codec_mm/tvp_enable u:object_r:sysfs_media:s0
 /sys/module/am_vecm/parameters(/.*)? u:object_r:sysfs_media:s0
-/sys/module/amvdec_(.*)/parameters/double_write_mode u:object_r:sysfs_media:s0
+/sys/module/amvdec_(.*)/parameters(/.*)? u:object_r:sysfs_media:s0
 # Param
 /mnt/vendor/param(/.*)? u:object_r:param_tv_file:s0
@@ -170,6 +171,7 @@
 # XBMC
 /dev/ttyS[1-2] u:object_r:hci_attach_dev:s0
+/sys/class/tsync/enable u:object_r:sysfs_xbmc:s0
 /sys/class/tsync/firstapts u:object_r:sysfs_xbmc:s0
 /sys/class/tsync/pts_audio u:object_r:sysfs_xbmc:s0
 /sys/class/tsync/pts_pcrscr u:object_r:sysfs_xbmc:s0
diff --git a/sepolicy/vendor/hal_graphics_composer_default.te b/sepolicy/vendor/hal_graphics_composer_default.te
index c3cf209..fb5f06b 100644
--- a/sepolicy/vendor/hal_graphics_composer_default.te
+++ b/sepolicy/vendor/hal_graphics_composer_default.te
@@ -4,6 +4,7 @@ allow hal_graphics_composer_default video_device:chr_file rw_file_perms;
 allow hal_graphics_composer_default sysfs_amhdmitx:dir search;
 allow hal_graphics_composer_default sysfs_amhdmitx:file rw_file_perms;
+allow hal_graphics_composer_default sysfs_graphics_device:dir search;
 allow hal_graphics_composer_default sysfs_graphics_device:file rw_file_perms;
 allow hal_graphics_composer_default sysfs_media:dir search;
 allow hal_graphics_composer_default sysfs_media:file rw_file_perms;
diff --git a/sepolicy/vendor/hal_memtrack_default.te b/sepolicy/vendor/hal_memtrack_default.te
index f3d2fa4..45cc459 100644
--- a/sepolicy/vendor/hal_memtrack_default.te
+++ b/sepolicy/vendor/hal_memtrack_default.te
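Review bot: In the `# Media` block of sepolicy/vendor/file_contexts, the replacement entry `/sys/module/amvdec_(.*)/parameters(/.*)?` labels every parameter of every amvdec_* module as `sysfs_media`, where the old line covered only `double_write_mode`. Together with the mediacodec.te hunk of this commit, which raises `sysfs_media:file` to `rw_file_perms`, the codec process gains write access to all decoder module parameters rather than only the ones that were denied. Listing the needed parameters is tighter, and `[^/]+` keeps the module-name match to a single path component, e.g. `/sys/module/amvdec_[^/]+/parameters/double_write_mode u:object_r:sysfs_media:s0` plus one line per further parameter. The wider entry also takes over the three `frame_height` nodes dropped from `sysfs_graphics_device` in the earlier hunk, so any domain that reached them through that type now needs `sysfs_media` access; whether such a domain exists cannot be seen from this diff.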
@@ -22,6 +22,7 @@ allow hal_memtrack_default hal_thermal_default:file r_file_perms;
 allow hal_memtrack_default hal_tv_cec_default:dir search;
 allow hal_memtrack_default hal_tv_cec_default:file r_file_perms;
+allow hal_memtrack_default sysfs_mali:dir { r_dir_perms };
 allow hal_memtrack_default sysfs_mali:file { r_file_perms };
 allow hal_memtrack_default system_app:file r_file_perms;
diff --git a/sepolicy/vendor/mediacodec.te b/sepolicy/vendor/mediacodec.te
index 8c27530..d16e6c0 100644
--- a/sepolicy/vendor/mediacodec.te
+++ b/sepolicy/vendor/mediacodec.te
@@ -1,14 +1,17 @@
 allow mediacodec display_device:file r_file_perms;
+allow mediacodec amstream_device:{ file chr_file } rw_file_perms;
 allow mediacodec sysfs_graphics_device:dir r_dir_perms;
 allow mediacodec sysfs_graphics_device:file r_file_perms;
-allow mediacodec sysfs_media:file r_file_perms;
+allow mediacodec sysfs_media:file rw_file_perms;
 allow mediacodec sysfs_media:dir r_dir_perms;
+allow mediacodec sysfs_xbmc:file rw_file_perms;
 allow mediacodec media_device:chr_file rw_file_perms;
 allow mediacodec media_device:file rw_file_perms;
 allow mediacodec tee_device:chr_file rw_file_perms;
 allow mediacodec tee_device:file rw_file_perms;
 allow mediacodec video_device:file rw_file_perms;
+allow mediacodec video_device:chr_file rw_file_perms;
 allow mediacodec hal_graphics_allocator_default_tmpfs:file rw_file_perms;
diff --git a/sepolicy/vendor/mediashell_app.te b/sepolicy/vendor/mediashell_app.te
new file mode 100644
index 0000000..e1e20e4
--- /dev/null
+++ b/sepolicy/vendor/mediashell_app.te
@@ -0,0 +1 @@
+get_prop(system_control, vendor_netflix_prop)
diff --git a/sepolicy/vendor/property.te b/sepolicy/vendor/property.te
index 65f43fe..d5f1700 100644
--- a/sepolicy/vendor/property.te
+++ b/sepolicy/vendor/property.te
@@ -6,3 +6,4 @@ vendor_internal_prop(vendor_media_prop);
 vendor_internal_prop(vendor_wifi_prop);
 vendor_public_prop(vendor_hdmi_prop);
+vendor_public_prop(vendor_netflix_prop);
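Review bot: In mediacodec.te, `allow mediacodec amstream_device:{ file chr_file } rw_file_perms;` grants the `file` class although the only paths given that type in this commit are two `/dev` nodes, presumably character devices, so `allow mediacodec amstream_device:chr_file rw_file_perms;` should be enough. The change of `sysfs_media:file` from `r_file_perms` to `rw_file_perms` and the new `sysfs_xbmc:file rw_file_perms` give a process that parses untrusted media write access to every node carrying those labels. If the logged denials named specific nodes, a narrower type on just those nodes would keep the grant to what was denied. The commit message quotes no denials, so the needed scope cannot be confirmed from the diff.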
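Review bot: The only rule in the new mediashell_app.te names `system_control` as the source domain rather than the domain the file is named after: `get_prop(system_control, vendor_netflix_prop)`. system_control.te in this same commit adds `set_prop(system_control, vendor_netflix_prop)`, and AOSP's `set_prop` macro already includes `get_prop`, so the line looks redundant. If the intent was to let the app domain read the property, the rule would be `get_prop(mediashell_app, vendor_netflix_prop)`; whether a `mediashell_app` type is declared anywhere is not visible in this diff.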
diff --git a/sepolicy/vendor/property_contexts b/sepolicy/vendor/property_contexts
index 3bc84dc..9962f84 100644
--- a/sepolicy/vendor/property_contexts
+++ b/sepolicy/vendor/property_contexts
@@ -6,10 +6,10 @@ persist.vendor.sys.sdr.state u:object_r:vendor_hdmi_prop:s0
 vendor.allm.support u:object_r:vendor_boot_prop:s0
 vendor.contenttype_game.support u:object_r:vendor_hdmi_prop:s0
-vendor.display-size u:object_r:vendor_display_prop:s0
 vendor.sys.frc_policy u:object_r:vendor_display_prop:s0
 vendor.sys.hwc.booted u:object_r:vendor_boot_prop:s0
 vendor.system.support.dolbyvision u:object_r:vendor_dolby_prop:s0
 vendor.wlan.driver.version u:object_r:vendor_wifi_prop:s0
 vendor.media. u:object_r:vendor_media_prop:s0
+vendor.display-size u:object_r:vendor_netflix_prop:s0
diff --git a/sepolicy/vendor/system_control.te b/sepolicy/vendor/system_control.te
index 2057516..f67f759 100644
--- a/sepolicy/vendor/system_control.te
+++ b/sepolicy/vendor/system_control.te
@@ -45,3 +45,5 @@ set_prop(system_control, vendor_boot_prop)
 set_prop(system_control, vendor_display_prop)
 set_prop(system_control, vendor_hdmi_prop)
 set_prop(system_control, vendor_dolby_prop)
+set_prop(system_control, vendor_media_prop)
+set_prop(system_control, vendor_netflix_prop)
diff --git a/sepolicy/vendor/untrusted_app.te b/sepolicy/vendor/untrusted_app.te
index 315ed9e..6787d85 100644
--- a/sepolicy/vendor/untrusted_app.te
+++ b/sepolicy/vendor/untrusted_app.te
@@ -1 +1,4 @@
 allow untrusted_app hal_graphics_allocator_default_tmpfs:file rw_file_perms;
+allow untrusted_app debugfs_mali:dir r_dir_perms;
+
+get_prop(untrusted_app, vendor_netflix_prop);
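Review bot: In property_contexts, moving `vendor.display-size` from `vendor_display_prop` to `vendor_netflix_prop` takes the property away from every domain that reached it through the old type. This commit grants the new type only to `system_control` and `untrusted_app`, so any other reader or writer outside this diff would now be denied. A comment above the moved entry would record why it has its own public type, for example `# vendor.display-size is readable by untrusted_app, so it gets its own public type`.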
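Review bot: In untrusted_app.te, `allow untrusted_app debugfs_mali:dir r_dir_perms;` lets every app running in the `untrusted_app` domain list the Mali debugfs directory, which is a wider grant than silencing a logged denial requires. If the GPU userspace driver only probes that path and works without it, suppressing the log is the safer choice: `dontaudit untrusted_app debugfs_mali:dir r_dir_perms;`. The new `get_prop(untrusted_app, vendor_netflix_prop);` is written against `untrusted_app` alone, so apps placed in the other untrusted_app_* domains do not receive it. If that is intended, a comment should say so.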