authorKeita Espinoza <clouddarkgenesis@gmail.com>2017-07-18 01:29:11 +0000
committerSteven Lay <arbiter1000@gmail.com>2017-08-04 14:12:08 +0000
commit3cbc628bb1a5b7ee0b5096c9c6390b843812cea1 (patch)
treee763bc515b15a9d221c3bf5db28f51bd6f20fcc9
parent51a7e01103b10d88bda3f0dae87a69dd7ffa39f6 (diff)
shinano: Rework In Device Diagnostics sepolicy
- Fix symlinking and reading denials for iddd and credmgrd

Change-Id: I786301f2cb4f2aaa76e8f5b96a036ada0563463b
-rw-r--r--sepolicy/credmgrd.te1
-rw-r--r--sepolicy/file_contexts10
-rw-r--r--sepolicy/idd.te2
-rw-r--r--sepolicy/init.te1
-rw-r--r--sepolicy/vold.te4
5 files changed, 10 insertions, 8 deletions
diff --git a/sepolicy/credmgrd.te b/sepolicy/credmgrd.te
index 78db47a..b354cda 100644
--- a/sepolicy/credmgrd.te
+++ b/sepolicy/credmgrd.te
@@ -49,6 +49,7 @@ allow credmgrd iddd_file:dir search;
allow credmgrd iddd_file:sock_file write;
allow credmgrd iddd_file:unix_stream_socket connectto;
allow credmgrd iddd_file:unix_dgram_socket sendto;
+allow credmgrd iddd_file:lnk_file { read };
#/mnt/idd is tmpfs
allow credmgrd tmpfs:dir search;
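Review bot: The new `lnk_file { read }` rule for credmgrd has no comment explaining which symlink it is for, whereas the matching rule added to idd.te in this commit is preceded by `# Allow reading via symlink`; the two files should document the same allowance the same way. Given that file_contexts labels `/idd(/.*)?` and `/mnt/idd` as iddd_file, a line such as `# Allow following symlinks under /idd and /mnt/idd` above the new rule would tie it to a path. Note that reading the link only covers the link itself; access to whatever the link points at is still decided by the target's own label, so if the target lives on tmpfs (as the comment on the next line suggests for /mnt/idd) a further denial may follow.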
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index d817851..560f2b6 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -11,11 +11,11 @@
# Hardware tunables
/sys/devices/virtual/timed_output/vibrator/vtg_level -- u:object_r:sysfs_vibrator:s0
-#iddd
-/system/bin/iddd u:object_r:iddd_exec:s0
-/idd(/.*)? u:object_r:iddd_file:s0
-/mnt/idd u:object_r:iddd_file:s0
-/system/bin/idd-logreader u:object_r:iddd_exec:s0
+# In Device Diagnostics (idd)
+/system/bin/iddd u:object_r:iddd_exec:s0
+/system/bin/idd-logreader u:object_r:iddd_exec:s0
+/idd(/.*)? u:object_r:iddd_file:s0
+/mnt/idd u:object_r:iddd_file:s0
# HCI
/dev/ttyHS0 u:object_r:hci_attach_dev:s0
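Review bot: After the reorder, `/idd(/.*)?` covers its whole subtree but `/mnt/idd` still matches only the mount point itself, so anything created inside /mnt/idd is not covered by file_contexts and keeps whatever label the filesystem gives it (tmpfs, per the comment in credmgrd.te). If the symlinks that the iddd and credmgrd `lnk_file` rules in this commit are meant to read live under /mnt/idd, consider `/mnt/idd(/.*)? u:object_r:iddd_file:s0` so a restorecon labels them consistently; whether that is intended cannot be confirmed from this hunk alone.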
diff --git a/sepolicy/idd.te b/sepolicy/idd.te
index 6ec0b3c..1c068d7 100644
--- a/sepolicy/idd.te
+++ b/sepolicy/idd.te
@@ -33,3 +33,5 @@ allow iddd proc:file { getattr open read };
# Allow idd to read ro.semc
allow iddd ta_prop:file { getattr open read };
+# Allow reading via symlink
+allow iddd iddd_file:lnk_file { read }; \ No newline at end of file
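Review bot: The new last line of idd.te is written without a trailing newline (`\ No newline at end of file`), and the same applies to the line added to init.te further down in this commit; the next rule appended to either file will land on the same line as these unless the author remembers to add the newline first. Ending both files with a newline keeps future diffs clean.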
diff --git a/sepolicy/init.te b/sepolicy/init.te
index dd6d281..78e2f75 100644
--- a/sepolicy/init.te
+++ b/sepolicy/init.te
@@ -3,3 +3,4 @@ allow init hci_attach_dev:chr_file rw_file_perms;
allow init brcm_uim_exec:file { execute getattr read open };
allow init brcm_ldisc_sysfs:lnk_file { read };
allow init uim:process { siginh noatsecure transition rlimitinh };
+allow init tmpfs:lnk_file { relabelfrom }; \ No newline at end of file
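Review bot: `allow init tmpfs:lnk_file { relabelfrom };` is the only rule in this file added without a comment, and unlike the other init rules here (brcm_uim, brcm_ldisc, uim) its purpose is not evident from the type names; a comment such as `# Allow init to relabel symlinks on the /mnt/idd tmpfs to iddd_file` would record the intent, if that is indeed the path (it is inferred from the credmgrd.te comment and file_contexts in this commit, not visible here). A relabel also needs the matching `relabelto` on the destination type and is only as narrow as the source type, so this rule permits init to relabel any symlink on any tmpfs, not just the idd ones; whether the corresponding `relabelto` exists is outside this hunk.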
diff --git a/sepolicy/vold.te b/sepolicy/vold.te
index dc3885b..0881f15 100644
--- a/sepolicy/vold.te
+++ b/sepolicy/vold.te
@@ -1,10 +1,8 @@
allow vold diag_data_file:dir { read open ioctl };
allow vold tee_prop:file { getattr open read };
allow vold firmware_file:file { getattr open read };
-allow vold iddd_file:dir { open read };
+allow vold iddd_file:dir { open read ioctl };
allow vold tee_device:unix_stream_socket connectto;
allow vold tee_device:sock_file write;
-allow vold iddd_file:dir read;
allow vold tee_device:unix_stream_socket connectto;
allow vold tee_device:sock_file write;
-
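Review bot: The commit removes the duplicate `allow vold iddd_file:dir read;` but leaves the two `tee_device` rules duplicated: the `unix_stream_socket connectto` and `sock_file write` pair appears immediately before and again after the removed line, so one pair should be dropped as well. The new `{ open read ioctl }` on iddd_file directories grants every ioctl command; if the underlying denial reported a specific ioctlcmd and the policy version in use supports it, an `allowxperm` rule restricting vold to that command would be tighter than unrestricted `ioctl`.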