From: Timi Rautamäki Date: Wed, 23 Mar 2022 19:33:19 +0000 (+0000) Subject: g12: sepolicy: update for S X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=faedbe6bb13bbee91b0433c70e8fb160cd93020b;p=GitHub%2FLineageOS%2FG12%2Fandroid_device_amlogic_g12-common.git g12: sepolicy: update for S * vendor_kernel_modules, hal_oemlock_default are defined in system/sepolicy * priv_app doesn't need cgroup_bpf dir access * audioserver accessing vendor_prop is a neverallow * ro.rfkilldisabled, init.svc.tee_supplicant, ro.vendor.hdmi.auto_otp are unused * ro.crypto.fuse_sdcard is not labeled in stock * Update property labels according to https://source.android.com/devices/architecture/configuration/add-system-properties#vendor-sepolicies Change-Id: I9a13c93ccfbb4358b57dd113d27b90416eb0384f
---
diff --git a/sepolicy/vendor/audioserver.te b/sepolicy/vendor/audioserver.te
deleted file mode 100644
index 79cfb9f..0000000
--- a/sepolicy/vendor/audioserver.te
+++ /dev/null
@@ -1 +0,0 @@
-get_prop(audioserver, vendor_default_prop)
diff --git a/sepolicy/vendor/file.te b/sepolicy/vendor/file.te
index a22bcf7..ac8a630 100644
--- a/sepolicy/vendor/file.te
+++ b/sepolicy/vendor/file.te
@@ -17,5 +17,4 @@ type sysfs_xbmc, fs_type, sysfs_type;
 type tee_firmload_exec, exec_type, vendor_file_type, file_type;
-type vendor_kernel_modules, vendor_file_type, file_type;
 type vendor_mediadrm_vendor_data_file, file_type, data_file_type;
diff --git a/sepolicy/vendor/hal_bluetooth_default.te b/sepolicy/vendor/hal_bluetooth_default.te
index 2c7ec8e..a1347ff 100644
--- a/sepolicy/vendor/hal_bluetooth_default.te
+++ b/sepolicy/vendor/hal_bluetooth_default.te
@@ -1,7 +1,5 @@
 allow hal_bluetooth_default hci_attach_dev:file rw_file_perms;
 allow hal_bluetooth_default sysfs_bluetooth_writable:file rw_file_perms;
-get_prop(hal_bluetooth_default, vendor_bluetooth_prop)
-
 # This is a neverallow (somehow), but Bluetooth functions all work without it
 dontaudit hal_bluetooth_default self:udp_socket create;
diff --git a/sepolicy/vendor/hal_oemlock_default.te b/sepolicy/vendor/hal_oemlock_default.te
index 1aab031..6a45416 100644
--- a/sepolicy/vendor/hal_oemlock_default.te
+++ b/sepolicy/vendor/hal_oemlock_default.te
@@ -1,10 +1,2 @@
-type hal_oemlock_default, domain;
-type hal_oemlock_default_exec, exec_type, vendor_file_type, file_type;
-
-hal_server_domain(hal_oemlock_default, hal_oemlock)
-
-init_daemon_domain(hal_oemlock_default)
-
 allow hal_oemlock_default systemcontrol_hwservice:hwservice_manager find;
-
 allow hal_oemlock_default system_control:binder call;
diff --git a/sepolicy/vendor/priv_app.te b/sepolicy/vendor/priv_app.te
deleted file mode 100644
index a692350..0000000
--- a/sepolicy/vendor/priv_app.te
+++ /dev/null
@@ -1 +0,0 @@
-allow priv_app cgroup_bpf:dir search;
diff --git a/sepolicy/vendor/property.te b/sepolicy/vendor/property.te
index 3d7a51c..34ad078 100644
--- a/sepolicy/vendor/property.te
+++ b/sepolicy/vendor/property.te
@@ -1,9 +1,7 @@
-type tee_prop, property_type;
+vendor_internal_prop(vendor_bluetooth_prop);
+vendor_internal_prop(vendor_dolby_prop);
+vendor_internal_prop(vendor_boot_prop);
+vendor_internal_prop(vendor_display_prop);
+vendor_internal_prop(vendor_wifi_prop);
-type vendor_bluetooth_prop, property_type;
-type vendor_dolby_prop, property_type;
-type vendor_boot_prop, property_type;
-type vendor_display_prop, property_type;
-type vendor_hdmi_prop, property_type;
-type vendor_vold_prop, property_type;
-type vendor_wifi_prop, property_type;
+vendor_public_prop(vendor_hdmi_prop);
diff --git a/sepolicy/vendor/property_contexts b/sepolicy/vendor/property_contexts
index 6aee707..ec6792d 100644
--- a/sepolicy/vendor/property_contexts
+++ b/sepolicy/vendor/property_contexts
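Review bot: `vendor_internal_prop(vendor_bluetooth_prop);` on the first added line of property.te keeps a type whose every visible consumer this same commit removes — the ro.rfkilldisabled label in property_contexts, get_prop in hal_bluetooth_default.te and get_prop in system_control.te — so unless a property_contexts entry outside the shown hunk still labels a property with it, the type is dead and should be dropped along with tee_prop and vendor_vold_prop. The last added line, `vendor_public_prop(vendor_hdmi_prop);`, is the only public declaration, which per the vendor-sepolicies doc the commit links puts persist.vendor.sys.cec.logicaladdress and persist.vendor.sys.hdr.state in the class that system-side domains may be granted access to; a comment naming that consumer would justify the wider class, e.g. `# public: accessed from system by <system domain> -- TODO confirm`, with vendor_restricted_prop as the narrower option if only specific domains need it. The trailing `;` on the six new macro calls is also inconsistent with the bare get_prop/set_prop/hal_server_domain calls elsewhere in this tree; `vendor_internal_prop(vendor_bluetooth_prop)` without it matches the house style.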
@@ -1,10 +1,4 @@
-init.svc.tee_supplicant u:object_r:tee_prop:s0
-
 ro.boot.oem.locales u:object_r:vendor_boot_prop:s0
-ro.crypto.fuse_sdcard u:object_r:vendor_vold_prop:s0
-ro.rfkilldisabled u:object_r:vendor_bluetooth_prop:s0
-
-ro.vendor.hdmi.auto_otp u:object_r:exported3_default_prop:s0
 persist.vendor.sys.cec.logicaladdress u:object_r:vendor_hdmi_prop:s0
 persist.vendor.sys.hdr.state u:object_r:vendor_hdmi_prop:s0
diff --git a/sepolicy/vendor/system_control.te b/sepolicy/vendor/system_control.te
index 3d4115b..4e01820 100644
--- a/sepolicy/vendor/system_control.te
+++ b/sepolicy/vendor/system_control.te
@@ -38,7 +38,6 @@ allow system_control self:capability net_admin;
 allow system_control system_control:netlink_kobject_uevent_socket { bind create read setopt };
 get_prop(system_control, hwservicemanager_prop)
-get_prop(system_control, vendor_bluetooth_prop)
 set_prop(system_control, ctl_stop_prop)
 set_prop(system_control, vendor_boot_prop)
 set_prop(system_control, vendor_display_prop)
diff --git a/sepolicy/vendor/vendor_init.te b/sepolicy/vendor/vendor_init.te
index 5b1c82d..2a86f9b 100644
--- a/sepolicy/vendor/vendor_init.te
+++ b/sepolicy/vendor/vendor_init.te
@@ -1,4 +1,3 @@
-allow vendor_init display_device:file setattr;
 allow vendor_init graphics_device:file setattr;
 allow vendor_init proc_vm_writable:file rw_file_perms;
 allow vendor_init sysfs_graphics_device:file setattr;
@@ -6,7 +5,4 @@ allow vendor_init sysfs_graphics_device:file setattr;
 allow vendor_init self:capability sys_module;
 allow vendor_init vendor_file:system module_load;
-get_prop(vendor_init, tee_prop)
-set_prop(vendor_init, tee_prop)
-set_prop(vendor_init, vendor_boot_prop)
-set_prop(vendor_init, vendor_vold_prop)
+set_prop(vendor_init, vendor_boot_prop)