From: Jan Altensen
Date: Fri, 22 Jul 2022 07:18:42 +0000 (+0200)
Subject: universal8895: sepolicy: address denials
X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=a66d5a068283128717d2a9fa86e3c254e18e870b;p=GitHub%2Fexynos8895%2Fandroid_device_samsung_universal8895-common.git
universal8895: sepolicy: address denials
Change-Id: I3f98e21dcfd7c6fcee71263163a6acf37a47414d
---
diff --git a/sepolicy/vendor/bootanim.te b/sepolicy/vendor/bootanim.te
new file mode 100644
index 0000000..7e5c54e
--- /dev/null
+++ b/sepolicy/vendor/bootanim.te
@@ -0,0 +1 @@
+get_prop(bootanim,userspace_reboot_exported_prop)
diff --git a/sepolicy/vendor/device.te b/sepolicy/vendor/device.te
index e7fb8fa..21eb615 100644
--- a/sepolicy/vendor/device.te
+++ b/sepolicy/vendor/device.te
@@ -12,3 +12,6 @@ type m2m1shot_device, dev_type;
 
 # gps
 type gps_device, dev_type;
+
+# partition
+type tombstones_block_device, dev_type;
diff --git a/sepolicy/vendor/file_contexts b/sepolicy/vendor/file_contexts
index aee25b5..56b6de4 100644
--- a/sepolicy/vendor/file_contexts
+++ b/sepolicy/vendor/file_contexts
@@ -33,6 +33,7 @@ /dev/block/platform/11120000\.ufs/by-name/RADIO u:object_r:radio_block_device:s0 /dev/block/platform/11120000\.ufs/by-name/SYSTEM u:object_r:system_block_device:s0 /dev/block/platform/11120000\.ufs/by-name/USERDATA u:object_r:userdata_block_device:s0 +/dev/block/platform/11120000\.ufs/by-name/TOMBSTONES u:object_r:tombstones_block_device:s0 #################################### # efs files
@@ -156,4 +157,5 @@
 /(vendor|system/vendor)/bin/hw/android\.hardware\.usb@[0-9]\.[0-9]-service\.basic u:object_r:hal_usb_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@[0-9]\.[0-9]-service u:object_r:hal_camera_default_exec:s0
 /(vendor|system/vendor)/bin/hw/sec\.android\.hardware\.nfc@[0-9]\.[0-9]-service u:object_r:hal_nfc_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android.hardware.nfc@1.2-service.samsung u:object_r:hal_nfc_default_exec:s0
 /(vendor|system/vendor)/bin/hw/vendor\.samsung\.hardware\.gnss@[0-9]\.[0-9]-service u:object_r:hal_gnss_default_exec:s0
diff --git a/sepolicy/vendor/hal_audio_default.te b/sepolicy/vendor/hal_audio_default.te
index 9eb9415..3b11e5b 100644
--- a/sepolicy/vendor/hal_audio_default.te
+++ b/sepolicy/vendor/hal_audio_default.te
@@ -10,5 +10,6 @@ allow hal_audio_default imei_efs_file:dir search; allow hal_audio_default imei_efs_file:file r_file_perms; get_prop(hal_audio_default, vendor_radio_prop) +set_prop(hal_audio_default, audio_prop) allow hal_audio_default init:unix_stream_socket connectto;
diff --git a/sepolicy/vendor/hal_graphics_composer_default.te b/sepolicy/vendor/hal_graphics_composer_default.te
index d91b790..8be1eab 100644
--- a/sepolicy/vendor/hal_graphics_composer_default.te
+++ b/sepolicy/vendor/hal_graphics_composer_default.te
@@ -34,3 +34,7 @@ allow hal_graphics_composer_default sysfs_ss_writable:file r_file_perms;
 # /sys/kernel/debug/dma_buf/footprint/[0-9]+
 allow hal_graphics_composer_default debugfs_ion_dma:dir r_dir_perms;
 allow hal_graphics_composer_default debugfs_ion_dma:file r_file_perms;
+
+# /data/log/hwc_error_log.txt
+dontaudit hal_graphics_composer_default system_data_file:dir rw_dir_perms;
+dontaudit hal_graphics_composer_default system_data_file:file { rw_file_perms create };
diff --git a/sepolicy/vendor/init.te b/sepolicy/vendor/init.te
index 531b33e..3d07b86 100644
--- a/sepolicy/vendor/init.te
+++ b/sepolicy/vendor/init.te
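Review bot: The added `android.hardware.nfc@1.2-service.samsung` entry leaves its dots unescaped, unlike every neighbouring line (`android\.hardware\.usb@[0-9]\.[0-9]-service\.basic`), so it reads as a literal path but is really a regex in which `.` matches any character; the consistent form is `/(vendor|system/vendor)/bin/hw/android\.hardware\.nfc@1\.2-service\.samsung u:object_r:hal_nfc_default_exec:s0`. This entry is what decides whether init transitions the NFC service into hal_nfc_default, so it is worth confirming on a device that the binary actually carries hal_nfc_default_exec after relabeling, rather than relying on the init.te dontaudits added later in this patch.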
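Review bot: `set_prop(hal_audio_default, audio_prop)` lets a vendor HAL domain write a property type that is not vendor-owned, and the hunk gives no key to judge the scope. The platform's property neverallows generally confine non-coredomain writers to vendor property types, so this line should be checked against the system policy for the target release; if the denial names a single `vendor.`/`ro.vendor.` key, that key's vendor property type is the narrower target. A one-line comment above the rule quoting the audited key, e.g. `# <property key from the denial>`, would make the intent reviewable.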
@@ -10,7 +10,7 @@ allow init hwservicemanager:binder call;
 allow init netd:unix_stream_socket connectto;
 allow init fwmarkd_socket:sock_file write;
 allow init nfc:binder call;
-allow init nfc_device:chr_file ioctl;
+allow init nfc_device:chr_file rw_file_perms;
 allow init efs_file:dir mounton;
 allow init efs_block_device:lnk_file relabelto;
 allow init tmpfs:lnk_file create;
@@ -49,4 +49,10 @@ allow init proc_extra:file setattr;
 allow init proc_reset_reason:file setattr;
 allow init proc_swapiness:file open;
 
+dontaudit init hal_nfc_hwservice:hwservice_manager { add find };
+dontaudit init { system_file vendor_file }:file execute_no_trans;
+
+allow init hidl_base_hwservice:hwservice_manager add;
+allow init hwservicemanager:binder transfer;
+
 unix_socket_connect(init, property, rild)
diff --git a/sepolicy/vendor/kernel.te b/sepolicy/vendor/kernel.te
index a544b68..5092d7c 100644
--- a/sepolicy/vendor/kernel.te
+++ b/sepolicy/vendor/kernel.te
@@ -1,8 +1,13 @@ allow kernel app_efs_file:dir search; -allow kernel app_efs_file:file open; -allow kernel sensor_factoryapp_efs_file:file open; +allow kernel app_efs_file:file rw_file_perms; +allow kernel sensor_factoryapp_efs_file:file rw_file_perms; allow kernel efs_file:dir search; allow kernel device:chr_file { getattr setattr unlink create }; +allow kernel device:blk_file { create setattr }; allow kernel device:dir create_dir_perms; allow kernel self:capability { mknod }; + +allow kernel sysfs_virtual:dir search; +allow kernel sysfs_virtual:file r_file_perms; +dontaudit kernel self:capability { dac_override dac_read_search };
diff --git a/sepolicy/vendor/macloader.te b/sepolicy/vendor/macloader.te
index 9b5f5af..686e39f 100644
--- a/sepolicy/vendor/macloader.te
+++ b/sepolicy/vendor/macloader.te
@@ -1 +1,2 @@
 allow macloader sysfs_virtual:dir search;
+allow macloader self:capability { chown net_raw };
diff --git a/sepolicy/vendor/mediaserver.te b/sepolicy/vendor/mediaserver.te
new file mode 100644
index 0000000..93b5fe3
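Review bot: `allow init nfc_device:chr_file rw_file_perms;` widens init's access to the NFC device node from `ioctl` to full read/write, and together with the second init.te hunk's `dontaudit init hal_nfc_hwservice:hwservice_manager { add find }`, `dontaudit init { system_file vendor_file }:file execute_no_trans` and `allow init hidl_base_hwservice:hwservice_manager add` it looks as though the NFC HAL is being executed from init without a domain transition and the resulting denials are being silenced rather than fixed; nfc.te's `dontaudit nfc init:binder { call transfer }` points the same way. If that is the cause, the fix is the hal_nfc_default_exec label and the init_daemon_domain transition into hal_nfc_default, after which none of these init rules should be needed; `hidl_base_hwservice:hwservice_manager add` and `hwservicemanager:binder transfer` in particular let init itself register hwservices, which is broader than init should ever require. This is inferred from the rules alone, not from a denial log, so the audited denials belong as comments above each added rule. The execute_no_trans dontaudit over all of system_file and vendor_file will also hide any future service that is missing a transition, not just this one.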
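Review bot: `allow kernel app_efs_file:file rw_file_perms;` and the matching `sensor_factoryapp_efs_file` line widen the kernel domain from `open` to read and write (rw_file_perms includes write and append) on EFS files, which is broader than the read-side denial a firmware or calibration load usually produces; if the audited denial lists only read/getattr, `r_file_perms` is the right grant: `allow kernel app_efs_file:file r_file_perms;` and `allow kernel sensor_factoryapp_efs_file:file r_file_perms;`. The `device:blk_file { create setattr }` and sysfs_virtual additions are narrow, but a comment naming the node or path involved, in the style hal_graphics_composer_default.te uses (`# /sys/kernel/debug/dma_buf/footprint/[0-9]+`), would make them reviewable. The new `dontaudit kernel self:capability { dac_override dac_read_search }` is fine provided the EFS rules above it are the real fix and not a second way of papering over the same access.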
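Review bot: `allow macloader self:capability { chown net_raw };` grants two unrelated capabilities in one rule; chown is plausible for a MAC loader fixing ownership of the file it writes, but net_raw permits raw sockets and is a noticeably larger grant for this daemon. Check the denial that motivated it — if it is a capability probe rather than a real need, `dontaudit macloader self:capability net_raw;` is the narrower answer — and record the reason in a comment above the rule.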
--- /dev/null
+++ b/sepolicy/vendor/mediaserver.te
@@ -0,0 +1 @@
+get_prop(mediaserver,exported_camera_prop)
diff --git a/sepolicy/vendor/nfc.te b/sepolicy/vendor/nfc.te
index 6c8e449..315fba5 100644
--- a/sepolicy/vendor/nfc.te
+++ b/sepolicy/vendor/nfc.te
@@ -1 +1,3 @@
 allow nfc sec_efs_file:dir search;
+
+dontaudit nfc init:binder { call transfer };
\ No newline at end of file
diff --git a/sepolicy/vendor/rild.te b/sepolicy/vendor/rild.te
index eef06d8..7b69c58 100644
--- a/sepolicy/vendor/rild.te
+++ b/sepolicy/vendor/rild.te
@@ -25,6 +25,6 @@ allow rild hal_audio_default:dir search; allow rild hal_audio_default:file r_file_perms; # hwservice -allow rild hal_sec_radio_hwservice:hwservice_manager add; -allow rild hal_sec_radio_bridge_hwservice:hwservice_manager add; -allow rild hal_sec_radio_channel_hwservice:hwservice_manager add; +add_hwservice(rild,hal_sec_radio_hwservice) +add_hwservice(rild,hal_sec_radio_bridge_hwservice) +add_hwservice(rild,hal_sec_radio_channel_hwservice) \ No newline at end of file
diff --git a/sepolicy/vendor/secril_config_svc.te b/sepolicy/vendor/secril_config_svc.te
new file mode 100644
index 0000000..453d02a
--- /dev/null
+++ b/sepolicy/vendor/secril_config_svc.te
@@ -0,0 +1,2 @@
+set_prop(secril_config_svc,exported3_radio_prop)
+allow secril_config_svc factoryprop_efs_file:file r_file_perms;
diff --git a/sepolicy/vendor/system_server.te b/sepolicy/vendor/system_server.te
index e771758..67e32a3 100644
--- a/sepolicy/vendor/system_server.te
+++ b/sepolicy/vendor/system_server.te
@@ -10,3 +10,7 @@ allow system_server debugfs_mali_mem:file r_file_perms; allow system_server frp_block_device:blk_file rw_file_perms; get_prop(system_server, vendor_radio_prop) +get_prop(system_server, exported_camera_prop) +get_prop(system_server, userspace_reboot_config_prop) +get_prop(system_server, userspace_reboot_config_prop) +get_prop(system_server, userspace_reboot_exported_prop)
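Review bot: `get_prop(system_server, userspace_reboot_config_prop)` appears twice among the added lines of the system_server.te hunk; drop the second copy. system_server is a platform domain whose access to exported_camera_prop and the userspace_reboot properties is normally granted by the system policy, so these vendor-side rules may be redundant for the target release — a comment naming the audited denial would justify keeping them.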
diff --git a/sepolicy/vendor/vendor_init.te b/sepolicy/vendor/vendor_init.te
new file mode 100644
index 0000000..50d0750
--- /dev/null
+++ b/sepolicy/vendor/vendor_init.te
@@ -0,0 +1,2 @@
+dontaudit vendor_init vendor_toolbox_exec:file entrypoint;
+allow vendor_init mobicore_data_file:dir getattr;
diff --git a/sepolicy/vendor/vold.te b/sepolicy/vendor/vold.te
index 0d68e6f..54b0ca4 100644
--- a/sepolicy/vendor/vold.te
+++ b/sepolicy/vendor/vold.te
@@ -4,3 +4,7 @@ allow vold efs_file:dir r_dir_perms;
 allow vold sysfs_mmc_host_writable:file write;
 allow vold sysfs_scsi_host_writable:file write;
 allow vold sysfs_virtual:file write;
+
+allow vold tombstones_block_device:blk_file rw_file_perms;
+
+dontaudit vold hal_bootctl_hwservice:hwservice_manager find;
diff --git a/sepolicy/vendor/zygote.te b/sepolicy/vendor/zygote.te
new file mode 100644
index 0000000..5df9a78
--- /dev/null
+++ b/sepolicy/vendor/zygote.te
@@ -0,0 +1 @@
+get_prop(zygote, exported_camera_prop)