From 0477a8dcd9833fb00ae72a5a0de703165c60d476 Mon Sep 17 00:00:00 2001 From: Henrik Grimler Date: Tue, 25 Aug 2020 22:56:05 +0200 Subject: [PATCH] Use device/samsung_slsi/sepolicy and device/lineage/sepolicy No reason to re-do these policies from scratch.. Also address some more denials. --- BoardConfigCommon.mk | 6 ++++ sepolicy/adbd.te | 2 +- sepolicy/apexd.te | 1 + sepolicy/file.te | 12 ------- sepolicy/file_contexts | 28 +++------------ sepolicy/hal_bluetooth_default.te | 3 ++ sepolicy/hal_fingerprint_default.te | 23 ++---------- sepolicy/hal_graphics_composer_default.te | 43 +++++++++++++++++++---- sepolicy/hal_health_default.te | 1 + sepolicy/hal_light_default.te | 5 ++- sepolicy/hal_power_default.te | 16 +-------- sepolicy/hal_sensors_default.te | 25 ++----------- sepolicy/hal_vibrator_default.te | 2 ++ sepolicy/hal_wifi_hostapd_default.te | 2 -- sepolicy/init.te | 21 +++++++++-- sepolicy/kernel.te | 2 +- sepolicy/rild.te | 5 +++ sepolicy/vendor_init.te | 1 + 18 files changed, 89 insertions(+), 109 deletions(-) create mode 100644 sepolicy/apexd.te create mode 100644 sepolicy/hal_bluetooth_default.te create mode 100644 sepolicy/hal_vibrator_default.te delete mode 100644 sepolicy/hal_wifi_hostapd_default.te create mode 100644 sepolicy/vendor_init.te diff --git a/BoardConfigCommon.mk b/BoardConfigCommon.mk index a1c0abd..1d9c1ef 100644 --- a/BoardConfigCommon.mk +++ b/BoardConfigCommon.mk @@ -140,6 +140,12 @@ WIFI_HIDL_FEATURE_DISABLE_AP_MAC_RANDOMIZATION := true # MACLOADER BOARD_HAVE_SAMSUNG_WIFI := true +# SEPOLICY +include device/lineage/sepolicy/exynos/sepolicy.mk + +# HAL sepolicy +include device/samsung_slsi/sepolicy/sepolicy.mk + BOARD_SEPOLICY_DIRS += device/samsung/universal8895-common/sepolicy BOARD_SEPOLICY_VERS := $(PLATFORM_SDK_VERSION).0 diff --git a/sepolicy/adbd.te b/sepolicy/adbd.te index bb82320..29571b7 100644 --- a/sepolicy/adbd.te +++ b/sepolicy/adbd.te 
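Review bot: The two `include` lines added to BoardConfigCommon.mk make this tree's policy build depend on type declarations that now live outside the repository, and nothing in the hunk records which ones. file.te drops `app_efs_file`, `bin_nv_data_efs_file`, `cpk_efs_file`, `radio_vendor_data_file`, `gps_vendor_data_file` and `sysfs_input`. kernel.te, rild.te, init.te and the kept file_contexts entries for /efs/nv_data.bin and /efs/wv\.keys still name them, so the build presumably relies on the included trees declaring every one. A comment above the includes such as `# Provides the efs, radio, gps and sysfs_input types still referenced under sepolicy/` would make that coupling visible. It is also worth confirming that both included trees are tracked at a fixed revision, so that a policy change there is reviewed before it takes effect on this device.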
@@ -1 +1 @@ -allow adbd proc_last_kmsg:file { getattr read }; +allow adbd proc_last_kmsg:file { getattr read open }; diff --git a/sepolicy/apexd.te b/sepolicy/apexd.te new file mode 100644 index 0000000..461512f --- /dev/null +++ b/sepolicy/apexd.te @@ -0,0 +1 @@ +allow apexd sysfs_virtual:file { read write }; diff --git a/sepolicy/file.te b/sepolicy/file.te index 2a71164..7d50af4 100644 --- a/sepolicy/file.te +++ b/sepolicy/file.te @@ -1,21 +1,12 @@ ### efs types -type app_efs_file, file_type; -type battery_efs_file, file_type; -type cpk_efs_file, file_type; type gatekeeper_efs_file, file_type; type radio_factoryapp_efs_file, file_type; -type imei_efs_file, file_type; -type bin_nv_data_efs_file, file_type; -type prov_efs_file, file_type; -type sec_efs_file, file_type; -type wifi_efs_file, file_type; type factoryprop_efs_file, file_type; type sensor_factoryapp_efs_file, file_type; type factorymode_factoryapp_efs_file, file_type; type baro_delta_factoryapp_efs_file, file_type; # gps -type gps_vendor_data_file, file_type, data_file_type; type gps_socket, file_type; # debugfs types @@ -33,7 +24,6 @@ type proc_swapiness, fs_type, proc_type; type display_vendor_data_file, file_type, data_file_type; type fingerprintd_vendor_data_file, data_file_type, file_type; type mediadrm_data_file, file_type, data_file_type; -type radio_vendor_data_file, data_file_type, file_type; type mobicore_data_file, data_file_type, core_data_file_type, file_type; # sysfs types 
@@ -43,9 +33,7 @@ type sysfs_multipdp, fs_type, sysfs_type, mlstrustedobject; type sysfs_sec, fs_type, sysfs_type, mlstrustedobject; type sysfs_gps, fs_type, sysfs_type, mlstrustedobject; type sysfs_brightness, fs_type, sysfs_type, mlstrustedobject; -type sysfs_input, fs_type, sysfs_type, mlstrustedobject; type sysfs_virtual, fs_type, sysfs_type, mlstrustedobject; -type sysfs_iio, fs_type, sysfs_type, mlstrustedobject; type sysfs_charger, fs_type, sysfs_type, mlstrustedobject; type sysfs_modem, fs_type, sysfs_type, mlstrustedobject; type sysfs_lcd, fs_type, sysfs_type, mlstrustedobject; diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts index 658f92f..670a374 100644 --- a/sepolicy/file_contexts +++ b/sepolicy/file_contexts @@ -20,10 +20,6 @@ /dev/mtp_usb* u:object_r:mtp_device:s0 /dev/usb(/.*)? u:object_r:usb_device:s0 -# sensors -/dev/batch_io u:object_r:sensor_device:s0 -/dev/ssp_sensorhub u:object_r:sensor_device:s0 - # adbroot and storaged /dev/stune(/.*)? u:object_r:cgroup:s0 @@ -40,15 +36,9 @@ /efs/FactoryApp/test_nv u:object_r:radio_factoryapp_efs_file:s0 /efs/FactoryApp/gyro_cal_data u:object_r:sensor_factoryapp_efs_file:s0 -/efs/Battery(/.*)? u:object_r:battery_efs_file:s0 -/efs/bluetooth(/.*)? u:object_r:bluetooth_efs_file:s0 -/efs/imei(/.*)? u:object_r:imei_efs_file:s0 /efs/nv_data.bin(.*) u:object_r:bin_nv_data_efs_file:s0 /efs/nv.log u:object_r:bin_nv_data_efs_file:s0 /efs/\.nv_core\.bak(.*) u:object_r:bin_nv_data_efs_file:s0 -/efs/prov(/.*)? u:object_r:prov_efs_file:s0 -/efs/prov_data(/.*)? u:object_r:prov_efs_file:s0 -/efs/wifi(/.*)? u:object_r:wifi_efs_file:s0 /efs/wv\.keys u:object_r:cpk_efs_file:s0 /efs/factory\.prop u:object_r:factoryprop_efs_file:s0 /efs/TEE(/.*)? u:object_r:gatekeeper_efs_file:s0 
@@ -58,10 +48,6 @@ /data/nfc(/.*)? u:object_r:nfc_data_file:s0 /data/misc/radio(/.*)? u:object_r:radio_data_file:s0 -/data/vendor/secradio(/.*)? u:object_r:radio_vendor_data_file:s0 - -# gps -/data/vendor/gps(/.*)? u:object_r:gps_vendor_data_file:s0 # livedisplay /data/vendor/display(/.*)? u:object_r:display_vendor_data_file:s0 @@ -72,9 +58,6 @@ # mobicore /data/misc/mcRegistry(/.*)? u:object_r:mobicore_data_file:s0 -# biometrics -/data/vendor/biometrics(/.*)? u:object_r:fingerprintd_vendor_data_file:s0 - # camera /data/camera(/.*)? u:object_r:camera_data_file:s0 @@ -147,13 +130,10 @@ # modem /sys/module/modem_ctrl_ss310ap/parameters/ds_detect u:object_r:sysfs_modem:s0 -#################################### # Lineage hals -/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.samsung u:object_r:hal_fingerprint_default_exec:s0 -/(vendor|system/vendor)/bin/hw/android\.hardware\.light@2\.0-service\.samsung u:object_r:hal_light_default_exec:s0 -/(vendor|system/vendor)/bin/hw/android\.hardware\.power@1\.0-service\.exynos u:object_r:hal_power_default_exec:s0 -/(vendor|system/vendor)/bin/hw/vendor\.lineage\.livedisplay@2\.0-service\.universal8895 u:object_r:hal_lineage_livedisplay_sysfs_exec:s0 +/(vendor|system/vendor)/bin/hw/vendor\.lineage\.livedisplay@[0-9]\.[0-9]-service\.universal8895 u:object_r:hal_lineage_livedisplay_sysfs_exec:s0 + # hidl services -/(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.2-service\.clearkey u:object_r:hal_drm_clearkey_exec:s0 -/(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.1-service\.widevine u:object_r:hal_drm_widevine_exec:s0 +/(vendor|system/vendor)/bin/hw/android\.hardware\.drm@[0-9]\.[0-9]-service\.clearkey u:object_r:hal_drm_clearkey_exec:s0 +/(vendor|system/vendor)/bin/hw/android\.hardware\.drm@[0-9]\.[0-9]-service\.widevine u:object_r:hal_drm_widevine_exec:s0 
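Review bot: The new version patterns `@[0-9]\.[0-9]` in the livedisplay, clearkey and widevine entries of file_contexts match exactly one digit on each side of the dot, so a service binary versioned 1.10 or 10.0 would not receive its `_exec` label. Writing them as `@[0-9]+\.[0-9]+` keeps the entries version-independent without that gap. The same hunk drops the fingerprint, light and power service labels; that is only safe if the included policy trees label those binaries, which cannot be checked from this patch.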
diff --git a/sepolicy/hal_bluetooth_default.te b/sepolicy/hal_bluetooth_default.te
new file mode 100644
index 0000000..540462a
--- /dev/null
+++ b/sepolicy/hal_bluetooth_default.te
@@ -0,0 +1,3 @@
+allow hal_bluetooth_default sysfs:file write;
+allow hal_bluetooth_default vendor_default_prop:property_service set;
+allow hal_bluetooth_default vendor_firmware_file:dir { open read };
diff --git a/sepolicy/hal_fingerprint_default.te b/sepolicy/hal_fingerprint_default.te
index 113bde7..830e7fb 100644
--- a/sepolicy/hal_fingerprint_default.te
+++ b/sepolicy/hal_fingerprint_default.te
@@ -1,20 +1,3 @@
-# allow hal_fingerprint_default to communicate with various devices
-binder_call(system_app, hal_fingerprint_default)
-
-# kernel fp device
-allow hal_fingerprint_default fingerprint_device:chr_file { open read write ioctl getattr };
-
-# secure memory device
-allow hal_fingerprint_default secmem_device:chr_file { open read write ioctl };
-
-# trust zone device
-allow hal_fingerprint_default tee_device:chr_file { open read write ioctl };
-allow hal_fingerprint_default tee:unix_stream_socket connectto;
-
-# /data/vendor/biometrics/*
-allow hal_fingerprint_default fingerprintd_vendor_data_file:dir { rmdir read write remove_name create open add_name search };
-allow hal_fingerprint_default fingerprintd_vendor_data_file:file { write create read rename open getattr unlink };
-
-# sysfs_virtual
-allow hal_fingerprint_default sysfs_virtual:dir search;
-allow hal_fingerprint_default sysfs_virtual:file { open read };
+allow hal_fingerprint_default fingerprint_device:chr_file ioctl;
+allow hal_fingerprint_default fingerprintd_data_file:dir write;
+allow hal_fingerprint_default tee_device:chr_file { ioctl open read write };
diff --git a/sepolicy/hal_graphics_composer_default.te b/sepolicy/hal_graphics_composer_default.te
index 1ba9a3c..d36a755 100644
--- a/sepolicy/hal_graphics_composer_default.te
+++ b/sepolicy/hal_graphics_composer_default.te
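Review bot: `allow hal_bluetooth_default sysfs:file write;` in the new hal_bluetooth_default.te grants write on the generic `sysfs` label, which covers every sysfs node without a more specific type rather than the single node the denial was logged for. The narrower form is to give that node its own type in file_contexts or genfs_contexts and allow write on that type only. The same generic grants reappear in hal_sensors_default.te (`sysfs:file { open read write }`) and in init.te (`sysfs:file setattr`, `proc:file setattr`). `vendor_default_prop:property_service set` is coarse in the same way, since it lets the HAL set any vendor property that has no type of its own; a dedicated property type for the keys the Bluetooth HAL sets would bound it.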
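Review bot: The added rule `allow hal_fingerprint_default fingerprintd_data_file:dir write;` in hal_fingerprint_default.te targets a different type from the rules it replaces, which used `fingerprintd_vendor_data_file` (/data/vendor/biometrics per the removed comment), a type file.te still declares. If `fingerprintd_data_file` is the platform's system-side fingerprint data type, a vendor HAL writing to it crosses the core/vendor data split. It is worth checking whether the denial came from a stale path in the HAL before granting it. `dir write` alone also gives no `add_name` or `remove_name`, which suggests the line was taken from a single denial and may not be the complete or intended access.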
@@ -1,7 +1,38 @@ -allow hal_graphics_composer_default self:netlink_kobject_uevent_socket { create read }; -allow hal_graphics_composer_default servicemanager:binder call; -allow hal_graphics_composer_default vendor_data_file:file { append getattr open }; -allow hal_graphics_composer_default vndbinder_device:chr_file read; +# hal_graphics_composer_default.te -# /dev/fimg2d -allow hal_graphics_composer_default video_device:chr_file { open read write ioctl }; +hal_client_domain(hal_graphics_composer_default, hal_graphics_allocator); + +vndbinder_use(hal_graphics_composer_default) + +allow hal_graphics_composer_default self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl; + +allow hal_graphics_composer_default vendor_surfaceflinger_vndservice:service_manager { add find }; + +# cgroup tasks +allow hal_graphics_composer_default cgroup:file getattr; + +# /data/vendor/log/hwc +allow hal_graphics_composer_default log_vendor_data_file:dir rw_dir_perms; +allow hal_graphics_composer_default log_vendor_data_file:file create_file_perms; + +# /dev/g2d +allow hal_graphics_composer_default graphics_device:chr_file rw_file_perms; + +# /dev/video50 +allow hal_graphics_composer_default video_device:chr_file rw_file_perms; + +# /sys/devices/soc0/revision +allow hal_graphics_composer_default sysfs_socinfo:dir r_dir_perms; +allow hal_graphics_composer_default sysfs_socinfo:file r_file_perms; + +# /sys/devices/platform/19030000.decon_f/psr_info +allow hal_graphics_composer_default sysfs_decon:dir r_dir_perms; +allow hal_graphics_composer_default sysfs_decon:file r_file_perms; + +# /sys/devices/platform/19030000.decon_f/vsync +allow hal_graphics_composer_default sysfs_ss_writable:dir r_dir_perms; +allow hal_graphics_composer_default sysfs_ss_writable:file r_file_perms; + +# /sys/kernel/debug/dma_buf/footprint/[0-9]+ +allow hal_graphics_composer_default debugfs_ion_dma:dir r_dir_perms; +allow hal_graphics_composer_default debugfs_ion_dma:file r_file_perms; 
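Review bot: The last two rules give hal_graphics_composer_default read access to `debugfs_ion_dma` (/sys/kernel/debug/dma_buf/footprint per the comment) unconditionally, so a production build keeps a HAL dependency on debugfs. If the access is diagnostic only, wrapping both lines in `userdebug_or_eng(` … `)` restricts it to debug builds. The `log_vendor_data_file` rules (`rw_dir_perms` and `create_file_perms` for /data/vendor/log/hwc) raise the same question, since they let the composer create log files on /data in user builds. On style, `hal_client_domain(...)` ends with `;` while `vndbinder_use(...)` does not, and the file should use one form.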
diff --git a/sepolicy/hal_health_default.te b/sepolicy/hal_health_default.te index 57672cd..2730563 100644 --- a/sepolicy/hal_health_default.te +++ b/sepolicy/hal_health_default.te @@ -1,3 +1,4 @@ r_dir_file(hal_health_default, sysfs_charger) allow hal_health_default sysfs_charger:file rw_file_perms; +allow hal_health_default sysfs_battery:dir { open read search }; diff --git a/sepolicy/hal_light_default.te b/sepolicy/hal_light_default.te index ad0b43e..c1200d1 100644 --- a/sepolicy/hal_light_default.te +++ b/sepolicy/hal_light_default.te @@ -1,4 +1,3 @@ -allow hal_light_default sysfs_brightness:file { open read write getattr }; +allow hal_light_default sysfs_graphics:file { getattr open read write }; allow hal_light_default sysfs_virtual:dir search; -allow hal_light_default sysfs_virtual:file { read write open getattr }; -allow hal_light_default sysfs_graphics:file { open read getattr write }; +allow hal_light_default sysfs_virtual:file { open write getattr }; diff --git a/sepolicy/hal_power_default.te b/sepolicy/hal_power_default.te index 9aeeace..7637cdf 100644 --- a/sepolicy/hal_power_default.te +++ b/sepolicy/hal_power_default.te @@ -1,15 +1 @@ -# Allow reading of sysfs nodes to find input devices - -allow hal_power_default sysfs_devices_system_cpu:file write; - -allow hal_power_default sysfs_input:dir { open read search getattr }; -allow hal_power_default sysfs_input:file { open read write getattr }; - -allow hal_power_default sysfs_virtual:dir { open read search }; -allow hal_power_default sysfs_virtual:file { open read write getattr }; - -allow hal_power_default sysfs:dir { read open }; -allow hal_power_default sysfs:file { read write open }; - -allow hal_power_default sysfs_brightness:file rw_file_perms; -allow hal_power_default sysfs_graphics:file { getattr read open }; \ No newline at end of file +allow hal_power_default sysfs_graphics:file read; diff --git a/sepolicy/hal_sensors_default.te b/sepolicy/hal_sensors_default.te index 5cc56bf..82e2856 100644 
--- a/sepolicy/hal_sensors_default.te
+++ b/sepolicy/hal_sensors_default.te
@@ -1,23 +1,4 @@
-# /efs/FactoryApp/
-allow hal_sensors_default app_efs_file:dir rw_dir_perms;
-allow hal_sensors_default app_efs_file:file { rw_file_perms setattr };
-
-# /efs
-allow hal_sensors_default efs_file:dir r_dir_perms;
-
-# sensor_device
-allow hal_sensors_default sensor_device:chr_file rw_file_perms;
-
-# iio_device
-allow hal_sensors_default iio_device:chr_file { open read };
-
-# sysfs_iio
-allow hal_sensors_default sysfs_iio:file { open read getattr write };
-allow hal_sensors_default sysfs_iio:dir { open read search };
+allow hal_sensors_default sysfs:file { open read write };
 allow hal_sensors_default sysfs_iio:lnk_file read;
-
-# sysfs_virtual
-allow hal_sensors_default sysfs_virtual:dir r_dir_perms;
-allow hal_sensors_default sysfs_virtual:file rw_file_perms;
-
-allow hal_sensors_default sysfs:file { open read getattr write };
+allow hal_sensors_default sysfs_virtual:dir search;
+allow hal_sensors_default sysfs_virtual:file { read write open };
diff --git a/sepolicy/hal_vibrator_default.te b/sepolicy/hal_vibrator_default.te
new file mode 100644
index 0000000..d4b5e86
--- /dev/null
+++ b/sepolicy/hal_vibrator_default.te
@@ -0,0 +1,2 @@
+allow hal_vibrator_default sysfs_virtual:dir search;
+allow hal_vibrator_default sysfs_virtual:file { open write getattr };
diff --git a/sepolicy/hal_wifi_hostapd_default.te b/sepolicy/hal_wifi_hostapd_default.te
deleted file mode 100644
index 8f0592f..0000000
--- a/sepolicy/hal_wifi_hostapd_default.te
+++ /dev/null
@@ -1,2 +0,0 @@
-allow hal_wifi_hostapd_default sysfs_virtual:dir search;
-allow hal_wifi_hostapd_default sysfs_virtual:lnk_file { getattr read };
diff --git a/sepolicy/init.te b/sepolicy/init.te
index 069fe16..156a97a 100644
--- a/sepolicy/init.te
+++ b/sepolicy/init.te
@@ -1,6 +1,6 @@ allow init rild:unix_stream_socket connectto; allow init self:netlink_kobject_uevent_socket { create setopt }; -allow init socket_device:sock_file create; +allow init socket_device:sock_file { create setattr unlink }; allow init sysfs_devices_system_cpu:file write; allow init vendor_data_file:fifo_file write; allow init vendor_data_file:file append; @@ -11,7 +11,18 @@ allow init netd:unix_stream_socket connectto; allow init fwmarkd_socket:sock_file write; allow init nfc:binder call; allow init nfc_device:chr_file ioctl; -allow init sysfs_virtual:file { open write }; + +allow init sysfs_virtual:file { open write setattr }; +allow init sysfs_virtual:lnk_file { read }; +allow init sysfs:file setattr; +allow init sysfs_multipdp:file setattr; +allow init sysfs_camera:file setattr; +allow init sysfs_charger:file setattr; +allow init sysfs_input:file setattr; +allow init sysfs_lcd:file setattr; +allow init sysfs_mdnie:file setattr; +allow init sysfs_modem:file write; + allow init system_server:binder { transfer call }; allow init tee_device:chr_file ioctl; allow init device:chr_file ioctl; @@ -20,8 +31,12 @@ allow init node:tcp_socket node_bind; allow init port:tcp_socket { name_bind name_connect }; allow init gps_vendor_data_file:fifo_file write; allow init gps_vendor_data_file:file lock; +allow init socket_device:sock_file { setattr unlink }; + +allow init proc:file setattr; +allow init proc_swapiness:file write; -# LED allow init sysfs_graphics:file { open read write }; +allow init sysfs_virtual:file read; unix_socket_connect(init, property, rild) diff --git a/sepolicy/kernel.te b/sepolicy/kernel.te index 07530ef..026eeef 100644 --- a/sepolicy/kernel.te +++ b/sepolicy/kernel.te 
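Review bot: `allow init sysfs:file setattr;` in the second init.te hunk lets init change ownership and mode on every sysfs node that carries the generic label, which is far wider than the per-type lines for `sysfs_camera`, `sysfs_charger`, `sysfs_lcd` and `sysfs_mdnie` next to it. These grants presumably back chown/chmod lines in an init script. Labelling the remaining nodes and dropping the generic rule would keep init's reach limited to the nodes those lines name. The hunk also uses `sysfs_input`, whose declaration this commit removes from file.te, so it compiles only if an included tree declares that type. As a style point, `{ read }` on the `lnk_file` line can be written `read` to match the surrounding single-permission rules.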
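Review bot: `allow init socket_device:sock_file { setattr unlink };` in the third init.te hunk repeats permissions that the first hunk already adds with `{ create setattr unlink }`. `allow init sysfs_virtual:file read;` likewise splits off a permission that belongs in the `{ open write setattr }` rule added earlier in the file. Merging the latter into `allow init sysfs_virtual:file { open read write setattr };` and dropping the duplicate socket rule leaves one rule per type and class, so the granted set can be read in one place. `allow init proc:file setattr;` is on the generic `proc` label and carries the same breadth concern as a generic sysfs grant. The removed `# LED` comment was the only explanation for the `sysfs_graphics` rule and is worth keeping.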
@@ -2,6 +2,6 @@ allow kernel app_efs_file:dir search; allow kernel app_efs_file:file open; allow kernel sensor_factoryapp_efs_file:file open; -allow kernel device:chr_file { getattr setattr unlink }; +allow kernel device:chr_file { getattr setattr unlink create }; allow kernel device:dir { add_name remove_name rmdir write }; allow kernel self:capability { mknod }; diff --git a/sepolicy/rild.te b/sepolicy/rild.te index 75990d6..c50b744 100644 --- a/sepolicy/rild.te +++ b/sepolicy/rild.te @@ -11,5 +11,10 @@ allow rild hal_audio_default:file { getattr open read }; allow rild radio_vendor_data_file:file { create ioctl lock getattr read write open unlink }; allow rild radio_vendor_data_file:dir { add_name write open read remove_name }; +allow rild radio_data_file:file { open read }; allow rild proc_qtaguid_stat:file read; + +allow rild factoryprop_efs_file:file { open read write }; + +allow rild init:file getattr; diff --git a/sepolicy/vendor_init.te b/sepolicy/vendor_init.te new file mode 100644 index 0000000..57f9235 --- /dev/null +++ b/sepolicy/vendor_init.te @@ -0,0 +1 @@ +allow vendor_init mobicore_data_file:dir setattr; -- 2.20.1
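Review bot: `allow rild init:file getattr;` in rild.te grants rild the ability to stat files labelled with init's domain, which normally means init's /proc entries; the hunk gives no reason for that access. If rild works without it, `dontaudit rild init:file getattr;` silences the denial without widening the policy. `allow rild factoryprop_efs_file:file { open read write };` adds write to /efs/factory.prop (per file_contexts) for a daemon that parses modem input. It is worth confirming that write is actually exercised, and granting `{ open read }` only if not.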
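Review bot: `allow vendor_init mobicore_data_file:dir setattr;` in the new vendor_init.te targets a type that file.te declares with `core_data_file_type` and that file_contexts maps to /data/misc/mcRegistry, so vendor_init is being allowed to change attributes on a directory in the system-owned part of /data. Platform policy generally keeps vendor domains away from core data types, and this rule may conflict with that on a Treble-enforcing build; this should be confirmed against the target platform version. If the registry can live under /data/vendor with a vendor data type, the rule becomes unnecessary. Otherwise the file should carry a comment such as `# mkdir/chown of /data/misc/mcRegistry from a vendor init script` to record why the exception exists.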