From 5244c9e37f94e000a4ea61efa80ad3318aa39c84 Mon Sep 17 00:00:00 2001
From: Stricted
Date: Sat, 28 Apr 2018 20:18:44 +0200
Subject: [PATCH] address some selinux denials

Change-Id: Iff77bcbfc6a496dfb587c3bcce781c3c00e2c292
---
 sepolicy/audioserver.te | 3 +++
 sepolicy/bluetooth.te | 2 ++
 sepolicy/init.te | 9 +++++++++
 sepolicy/kernel.te | 5 +++++
 sepolicy/mediaserver.te | 4 ++++
 sepolicy/nvram_daemon.te | 4 ++++
 sepolicy/priv_app.te | 2 ++
 sepolicy/servicemanager.te | 3 +++
 sepolicy/system_app.te | 4 +++-
 sepolicy/system_server.te | 2 ++
 sepolicy/untrusted_app.te | 4 ++++
 sepolicy/wmt_loader.te | 2 ++
 12 files changed, 43 insertions(+), 1 deletion(-)
 create mode 100644 sepolicy/servicemanager.te

diff --git a/sepolicy/audioserver.te b/sepolicy/audioserver.te
index 2dd472f..25924b1 100644
--- a/sepolicy/audioserver.te
+++ b/sepolicy/audioserver.te
@@ -13,3 +13,6 @@ allow audioserver sysfs_devinfo:file { open read write };
 allow audioserver sysfs_ccci:file r_file_perms;
 allow audioserver sysfs_ccci:dir search;
 allow audioserver audiohal_prop:property_service set;
+
+allow audioserver sysfs_boot_mode:file { read open };
+#allow audioserver device:chr_file { read write open };
diff --git a/sepolicy/bluetooth.te b/sepolicy/bluetooth.te
index 9671019..a47886b 100644
--- a/sepolicy/bluetooth.te
+++ b/sepolicy/bluetooth.te
@@ -7,3 +7,5 @@ allow bluetooth nvdata_file:file rw_file_perms;
 allow bluetooth nvdata_file:lnk_file r_file_perms;
 allow bluetooth block_device:dir search;
+
+allow bluetooth sysfs_boot_mode:file { read open };
diff --git a/sepolicy/init.te b/sepolicy/init.te
index cb35bcd..5d58a33 100644
--- a/sepolicy/init.te
+++ b/sepolicy/init.te
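Review bot: The commented-out rule `#allow audioserver device:chr_file { read write open };` at the end of the hunk should be dropped rather than kept as a hint: `device` is the generic label for anything under /dev with no specific file_contexts entry, so uncommenting it later would grant audioserver every unlabelled device node instead of the one node a denial is about; the same applies to the two `#allow mediaserver …` lines the kernel.te hunk adds. If the commented line records a real denial, the node from its `path=` should get its own type and the rule should target that type. The `sysfs_boot_mode:file { read open }` rule, repeated for bluetooth, mediaserver and nvram_daemon in this patch, is better written with the `r_file_perms` macro the file already uses for `sysfs_ccci`, since a bare `{ read open }` is usually followed by a `getattr` denial on the same file.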
@@ -7,3 +7,12 @@ allow init protect1_device:blk_file write;
 allow init protect2_device:blk_file write;
 allow init socket_device:sock_file { create setattr unlink };
+
+
+allow init tmpfs:lnk_file { create };
+allow init mnt_media_rw_file:dir { mounton };
+allow init asec_apk_file:dir { mounton };
+allow init perf_control_sysfs:file { getattr };
+allow init servicemanager:binder { call transfer };
+allow init sdcardd_exec:file r_file_perms;
+allow init wmtWifi_device:chr_file { write };
diff --git a/sepolicy/kernel.te b/sepolicy/kernel.te
index d87c6e7..9c3b64f 100644
--- a/sepolicy/kernel.te
+++ b/sepolicy/kernel.te
@@ -4,3 +4,8 @@ allow kernel self:capability dac_override;
 allow kernel wifi_data_file:dir search;
 allow kernel wifi_data_file:file r_file_perms;
+# for /cache/gtp_(clk|ref).bin
+allow kernel cache_file:file { write open };
+
+#allow mediaserver device:chr_file { read open ioctl };
+#allow mediaserver default_prop:property_service { set };
diff --git a/sepolicy/mediaserver.te b/sepolicy/mediaserver.te
index ada062a..ad2fe02 100644
--- a/sepolicy/mediaserver.te
+++ b/sepolicy/mediaserver.te
@@ -7,3 +7,7 @@ allow mediaserver ccci_device:chr_file rw_file_perms;
 allow mediaserver pq_service:service_manager find;
 allow mediaserver sysfs_devinfo:file r_file_perms;
+
+allow mediaserver camera_device:chr_file { read write open ioctl };
+allow mediaserver sysfs_boot_mode:file { read open };
+allow mediaserver sysfs_ddr_type:file { read open };
diff --git a/sepolicy/nvram_daemon.te b/sepolicy/nvram_daemon.te
index 18af42f..dbc31e8 100644
--- a/sepolicy/nvram_daemon.te
+++ b/sepolicy/nvram_daemon.te
@@ -24,3 +24,7 @@ allow nvram_daemon wmt_prop:property_service set;
 allow nvram_daemon block_device:dir search;
 unix_socket_connect(nvram_daemon, property, init)
+
+allow nvram_daemon sysfs_boot_mode:file { read open };
+allow nvram_daemon sysfs:file { write };
+allow nvram_daemon system_prop:property_service { set };
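Review bot: `allow init servicemanager:binder { call transfer };` grants binder use to the init domain itself, which in AOSP is not expected to talk to servicemanager; together with the new servicemanager.te rules (servicemanager searching `init:dir`, reading `init:file` and `init:process getattr`, which is the access servicemanager needs to look up a caller's context) this pattern usually means a service started from init.rc is running in the `init` domain because it has no `seclabel` or domain transition. Identifying that process from the audit line's pid/comm and giving it its own domain should make both this rule and the servicemanager.te hunk unnecessary. `allow init wmtWifi_device:chr_file { write };` likewise looks like init driving a device node on behalf of something else; if it is an init.rc `write` command, that is worth stating in a comment. The doubled blank line added at the top of the hunk (`+` `+`) is a style nit.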
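Review bot: `allow kernel cache_file:file { write open };` lets the kernel domain write any file labelled `cache_file`, i.e. all of /cache, while the comment above it says the denial is only about `/cache/gtp_(clk|ref).bin`. A dedicated type for those two files (a file_contexts entry plus `allow kernel <new_type>:file { write open };`) keeps the grant scoped to the touchscreen calibration data. The two `#allow mediaserver …` lines at the end of the hunk are dead text in the wrong file and should be removed; mediaserver's rules live in mediaserver.te, which this same patch edits.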
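Review bot: `allow mediaserver camera_device:chr_file { read write open ioctl };` gives mediaserver direct access to the camera device node; on trees where cameraserver is its own domain that access is meant to be cameraserver's, so the `scontext` of the audit line that prompted this should be checked to confirm mediaserver, and not cameraserver or a vendor HAL process, is the one opening the device. The two `{ read open }` rules below it could use `r_file_perms`, as the file already does for `sysfs_devinfo`, so a later `getattr` denial on the same sysfs files does not need another patch.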
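Review bot: `allow nvram_daemon sysfs:file { write };` grants write access to the generic `sysfs` type, i.e. every sysfs node that has no more specific label, which is the broadest possible answer to a single denial. The node in the audit line's `path=` should get its own type in genfs_contexts (as `sysfs_boot_mode` already has) and the rule should target that type only. `allow nvram_daemon system_prop:property_service { set };` is similarly broad: `system_prop` covers a whole prefix of system properties, so the specific property the daemon sets is worth its own property_contexts entry, and it is worth checking that the target release's neverallow rules permit a vendor domain to set it.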
diff --git a/sepolicy/priv_app.te b/sepolicy/priv_app.te
index 7874778..c049c93 100644
--- a/sepolicy/priv_app.te
+++ b/sepolicy/priv_app.te
@@ -3,3 +3,5 @@ allow priv_app guiext-server_service:service_manager find;
 # PQ
 allow priv_app pq_service:service_manager find;
+
+allow priv_app device:dir { read open };
\ No newline at end of file
diff --git a/sepolicy/servicemanager.te b/sepolicy/servicemanager.te
new file mode 100644
index 0000000..c781a2e
--- /dev/null
+++ b/sepolicy/servicemanager.te
@@ -0,0 +1,3 @@
+allow servicemanager init:dir { search };
+allow servicemanager init:file { read open };
+allow servicemanager init:process { getattr };
diff --git a/sepolicy/system_app.te b/sepolicy/system_app.te
index 95fdd9e..8a847fa 100644
--- a/sepolicy/system_app.te
+++ b/sepolicy/system_app.te
@@ -5,4 +5,6 @@ allow system_app fast_charge_sysfs:file rw_file_perms;
 allow system_app smartwake_sysfs:file rw_file_perms;
 allow system_app perf_control_sysfs:file rw_file_perms;
-allow system_app em_svr:unix_stream_socket connectto;
\ No newline at end of file
+allow system_app em_svr:unix_stream_socket connectto;
+
+allow system_app radio_data_file:dir { getattr };
diff --git a/sepolicy/system_server.te b/sepolicy/system_server.te
index a99f314..8bdc4b9 100644
--- a/sepolicy/system_server.te
+++ b/sepolicy/system_server.te
@@ -30,3 +30,5 @@ allow system_server storage_stub_file:dir { getattr };
 # Guiext
 allow system_server guiext-server_service:service_manager find;
+
+allow system_server unlabeled:file { unlink };
diff --git a/sepolicy/untrusted_app.te b/sepolicy/untrusted_app.te
index 3eccfac..fd5677f 100644
--- a/sepolicy/untrusted_app.te
+++ b/sepolicy/untrusted_app.te
@@ -1,2 +1,6 @@
 # PQ
 allow untrusted_app pq_service:service_manager find;
+
+# These are safe for an untrusted_app -- they are the external SD card
+allow untrusted_app fuseblk:dir search;
+allow untrusted_app fuseblk:file { getattr read };
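Review bot: `allow priv_app device:dir { read open };` lets every privileged app enumerate /dev, which is rarely what the underlying denial needs; the app and the node it was looking for should be identified from the audit line so the grant can be limited to that node's type, or left denied if the app is only listing /dev opportunistically. The hunk also leaves priv_app.te without a trailing newline (`\ No newline at end of file`); adding one now avoids the kind of spurious one-line rewrite this same patch has to make to system_app.te.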
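Review bot: `allow system_server unlabeled:file { unlink };` works around a labelling bug rather than fixing it: a file carries `unlabeled` because no file_contexts entry matches it (or restorecon never ran on it), and granting system_server rights on that type extends to every such file on the device. The `path=` from the denial should get a file_contexts entry with a proper type, which makes this rule unnecessary; depending on the target release, rules on `unlabeled` may also collide with upstream neverallows, so that is worth checking before keeping it.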
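Review bot: The comment `# These are safe for an untrusted_app -- they are the external SD card` asserts safety without saying why, while the two rules under it give every untrusted app MAC-level search and read on any `fuseblk` mount; DAC still applies, but the comment should record the denial being addressed rather than vouch for the grant. On AOSP trees where `fuseblk` carries the `sdcard_type` attribute, untrusted_app already reaches external storage through the `appdomain`/`sdcard_type` rules and these lines would be redundant, so if a denial was actually observed it is worth checking whether the mount is getting the label the rest of the policy expects. A comment of the form `# fuseblk: <audit line this addresses>` would make the rule reviewable.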
diff --git a/sepolicy/wmt_loader.te b/sepolicy/wmt_loader.te
index 33da926..2be55cc 100644
--- a/sepolicy/wmt_loader.te
+++ b/sepolicy/wmt_loader.te
@@ -9,3 +9,5 @@ allow wmt_loader proc_wmt:file setattr;
 allow wmt_loader wmt_prop:property_service set;
 unix_socket_connect(wmt_loader, property, init)
+
+allow wmt_loader stpwmt_device:chr_file { read write open ioctl };
-- 
2.20.1