From 884cddf51755fb0b42cba313e2c6d769315013e1 Mon Sep 17 00:00:00 2001
From: Arian
Date: Tue, 20 Aug 2019 13:09:47 +0200
Subject: shinano-common: sepolicy: clean up
---
 sepolicy/bluetooth.te | 2 --
 sepolicy/file_contexts | 24 ++++++++++----------
 sepolicy/hci_attach.te | 4 ----
 sepolicy/init.te | 2 +-
 sepolicy/keystore.te | 3 ---
 sepolicy/mlog_qmi.te | 1 -
 sepolicy/qseecomd.te | 6 -----
 sepolicy/service_contexts | 58 -----------------------------------------------
 8 files changed, 13 insertions(+), 87 deletions(-)
diff --git a/sepolicy/bluetooth.te b/sepolicy/bluetooth.te
index 4d4e0c9..1ae7ff4 100644
--- a/sepolicy/bluetooth.te
+++ b/sepolicy/bluetooth.te
@@ -1,5 +1,3 @@
 allow bluetooth hci_attach_dev:chr_file { open read write };
 allow bluetooth ta_data_file:file { open read };
 allow bluetooth ta_data_file:dir { search };
-allow bluetooth storage_stub_file:dir { getattr };
-allow bluetooth firmware_file:file r_file_perms;
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index c00c5fa..3fb01ef 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -1,31 +1,31 @@
 # NFC
-/dev/pn547 u:object_r:nfc_device:s0
+/dev/pn547 u:object_r:nfc_device:s0
 # Audio
-/dev/tfa98xx u:object_r:audio_device:s0
-/system/bin/tfa9890_amp u:object_r:tfa_amp_exec:s0
+/dev/tfa98xx u:object_r:audio_device:s0
+/system/bin/tfa9890_amp u:object_r:tfa_amp_exec:s0
 # Dumpstate service
-/system/vendor/bin/hw/android\.hardware\.dumpstate@1.0-service\.sony u:object_r:hal_dumpstate_default_exec:s0
+/system/vendor/bin/hw/android\.hardware\.dumpstate@1.0-service\.sony u:object_r:hal_dumpstate_default_exec:s0
 # Modem
-/system/vendor/bin/mlog_qmi_service u:object_r:mlog_qmi_exec:s0
+/system/vendor/bin/mlog_qmi_service u:object_r:mlog_qmi_exec:s0
 # HCI
 /dev/ttyHS0 u:object_r:hci_attach_dev:s0
 /dev/brcm_bt_drv u:object_r:hci_attach_dev:s0
 # Bluetooth
-/system/bin/brcm-uim-sysfs u:object_r:brcm_uim_exec:s0
+/system/bin/brcm-uim-sysfs u:object_r:brcm_uim_exec:s0
 # WIFI
-/sys/module/bcmdhd/parameters/firmware_path u:object_r:sysfs_wlan_fwpath:s0
+/sys/module/bcmdhd/parameters/firmware_path u:object_r:sysfs_wlan_fwpath:s0
 # Quick Charge
-/system/vendor/bin/hvdcp u:object_r:hvdcp_exec:s0
+/system/vendor/bin/hvdcp u:object_r:hvdcp_exec:s0
 # Touch
-/sys/devices/virtual/input/clearpad/glove -- u:object_r:sysfs_touch:s0
-/sys/devices/virtual/input/clearpad/wakeup_gesture -- u:object_r:sysfs_touch:s0
-/sys/devices/virtual/input/max1187x/glove -- u:object_r:sysfs_touch:s0
-/sys/devices/virtual/input/max1187x/wakeup_gesture -- u:object_r:sysfs_touch:s0
+/sys/devices/virtual/input/clearpad/glove u:object_r:sysfs_touch:s0
+/sys/devices/virtual/input/clearpad/wakeup_gesture u:object_r:sysfs_touch:s0
+/sys/devices/virtual/input/max1187x/glove u:object_r:sysfs_touch:s0
+/sys/devices/virtual/input/max1187x/wakeup_gesture u:object_r:sysfs_touch:s0
diff --git a/sepolicy/hci_attach.te b/sepolicy/hci_attach.te
index 3d57abe..02ce60c 100644
--- a/sepolicy/hci_attach.te
+++ b/sepolicy/hci_attach.te
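Review bot: In sepolicy/file_contexts, the four touch entries under `/sys/devices/virtual/input/` lose their `--` file-type field, which is a behavioural change rather than realignment. Without it the pattern is no longer limited to regular files and will label whatever object type exists at that path as `sysfs_touch`. If that is not intended, keep the qualifier, e.g. `/sys/devices/virtual/input/clearpad/glove -- u:object_r:sysfs_touch:s0`, and likewise for the other three. While the dumpstate line is being rewritten, its version dot could be escaped like the neighbouring ones (`dumpstate@1\.0-service\.sony`), since a bare `.` matches any character.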
@@ -5,12 +5,8 @@ init_daemon_domain(hci_attach)
 set_prop(hci_attach, wifi_prop)
-#============= hci_attach ==============
 allow hci_attach bluetooth_data_file:dir search;
 allow hci_attach bluetooth_data_file:file r_file_perms;
 allow hci_attach bluetooth_prop:property_service set;
 allow hci_attach hci_attach_dev:chr_file rw_file_perms;
 allow hci_attach hci_attach_exec:file execute_no_trans;
-allow hci_attach shell_exec:file { entrypoint getattr read };
-allow hci_attach system_file:file execute_no_trans;
-allow hci_attach toolbox_exec:file rx_file_perms;
diff --git a/sepolicy/init.te b/sepolicy/init.te
index 9918a3d..bda5e8b 100644
--- a/sepolicy/init.te
+++ b/sepolicy/init.te
@@ -1,4 +1,4 @@
-#FM BCM
+# FM BCM
 allow init hci_attach_dev:chr_file rw_file_perms;
 allow init brcm_uim_exec:file { execute getattr read open };
 allow init brcm_ldisc_sysfs:lnk_file { read };
diff --git a/sepolicy/keystore.te b/sepolicy/keystore.te
index 4857479..8c2f6d1 100644
--- a/sepolicy/keystore.te
+++ b/sepolicy/keystore.te
@@ -2,7 +2,4 @@ allow keystore tee_device:chr_file rw_file_perms;
 allow keystore firmware_file:file r_file_perms;
 allow keystore tee_prop:file { getattr open read };
-
 allow vold keystore:keystore_key { get_state get insert delete exist list sign verify };
-auditallow vold keystore:keystore_key { get_state get insert delete exist list sign verify };
-
diff --git a/sepolicy/mlog_qmi.te b/sepolicy/mlog_qmi.te
index e8f84d1..ed983fb 100644
--- a/sepolicy/mlog_qmi.te
+++ b/sepolicy/mlog_qmi.te
@@ -14,4 +14,3 @@ allow mlog_qmi smem_log_device:chr_file rw_file_perms;
 # qseecom
 allow mlog_qmi tee_device:chr_file rw_file_perms;
-allowxperm mlog_qmi tee_device:chr_file ioctl qseecom_sock_ipc_ioctls;
diff --git a/sepolicy/qseecomd.te b/sepolicy/qseecomd.te
index 7e61f6d..e3375cf 100644
--- a/sepolicy/qseecomd.te
+++ b/sepolicy/qseecomd.te
@@ -1,4 +1,3 @@
-
 # tee starts as root, and drops privileges
 allow tee self:capability {
 setuid
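Review bot: In sepolicy/mlog_qmi.te, removing the `allowxperm` line can widen access rather than tidy it. The surviving `allow mlog_qmi tee_device:chr_file rw_file_perms;` still grants `ioctl`, and once no `allowxperm` rule exists for that source/target/class the ioctl commands are no longer filtered, so mlog_qmi would be allowed every ioctl on `tee_device` instead of only `qseecom_sock_ipc_ioctls`. This holds only if no other extended-permission rule for the same triple exists elsewhere in the policy, which is not visible here. If the macro is simply unavailable in this tree, either list the required commands explicitly or record the decision above the rule, e.g. `# ioctl commands on tee_device intentionally unfiltered: <reason>`. The hunk starts at line 14, so the rest of the domain's rules lie outside it.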
@@ -13,11 +12,6 @@ allow tee rpmb_device:blk_file rw_file_perms;
 # Provide tee access to ssd partition for HW FDE
 allow tee ssd_device:blk_file rw_file_perms;
-# Allow tee to directly save and load fingerprint data
-allow tee fingerprintd_data_file:dir rw_dir_perms;
-allow tee fingerprintd_data_file:file create_file_perms;
-allow tee system_data_file:dir r_dir_perms;
-
 # allow tee to load firmware images
 r_dir_file(tee, firmware_file)
diff --git a/sepolicy/service_contexts b/sepolicy/service_contexts
index d4a1246..e3d7dcf 100644
--- a/sepolicy/service_contexts
+++ b/sepolicy/service_contexts
@@ -1,63 +1,5 @@
-#line 1 "system/sepolicy/service_contexts"
-#line 1 "out/target/product/leo/obj/ETC/sectxfile_nl_intermediates/sectxfile_nl"
-
 #line 1 "vendor/semc/system/sepolicy/Camera_Extension_API/1.1.0/service_contexts"
 media.cameraextension u:object_r:mediaserver_service:s0
-#line 1 "out/target/product/leo/obj/ETC/sectxfile_nl_intermediates/sectxfile_nl"
-
-#line 1 "vendor/semc/system/sepolicy/Crash_Handling/1_0_0/service_contexts"
-#crashmonitornative u:object_r:crashmonitor_service:s0
-#line 1 "out/target/product/leo/obj/ETC/sectxfile_nl_intermediates/sectxfile_nl"
-
-#line 1 "vendor/semc/system/sepolicy/Google_Analytics_Proxy/1.0.0/service_contexts"
-#platform_analytics u:object_r:platform_analytics_service:s0
-#line 1 "out/target/product/leo/obj/ETC/sectxfile_nl_intermediates/sectxfile_nl"
 #line 1 "vendor/semc/system/sepolicy/Image_Processor_API/1.1.0/service_contexts"
 media.cacao u:object_r:mediaserver_service:s0
-#line 1 "out/target/product/leo/obj/ETC/sectxfile_nl_intermediates/sectxfile_nl"
-
-#line 1 "vendor/semc/system/sepolicy/Power_Save/1.0.0/service_contexts"
-#xperiaappdepinfo u:object_r:xperiaappdepinfo_service:s0
-#xperia_power u:object_r:xperia_power_service:s0
-#stamina_qbd u:object_r:stamina_qbd_service:s0
-#line 1 "out/target/product/leo/obj/ETC/sectxfile_nl_intermediates/sectxfile_nl"
-
-#line 1 "vendor/semc/system/sepolicy/Touch/1.0.0/tfsw/service_contexts"
-#tfsw u:object_r:tfsw_service:s0
-#line 1 "out/target/product/leo/obj/ETC/sectxfile_nl_intermediates/sectxfile_nl"
-
-#line 1 "vendor/semc/system/sepolicy/WLAN_Miracast_sink/1.1.0/service_contexts"
-#WfdSinkService u:object_r:wfd_sink_exec_service:s0
-#line 1 "out/target/product/leo/obj/ETC/sectxfile_nl_intermediates/sectxfile_nl"
-
-#line 1 "device/somc/shinano/sepolicy/service_contexts"
-#overlay u:object_r:overlay_service:s0
-#line 1 "out/target/product/leo/obj/ETC/sectxfile_nl_intermediates/sectxfile_nl"
-
-#line 1 "device/qcom/sepolicy/common/service_contexts"
-#android.apps.IQfpService u:object_r:iqfp_service:s0
-#AtCmdFwd u:object_r:atfwd_service:s0
-#dpmservice u:object_r:dpmservice:s0
-#listen.service u:object_r:mediaserver_service:s0
-#cneservice u:object_r:cne_service:s0
-#gbahttpauth u:object_r:gba_auth_service:s0
-#vendor.qcom.PeripheralManager u:object_r:per_mgr_service:s0
-#com.qualcomm.qti.auth.fidocryptodaemon u:object_r:fidodaemon_service:s0
-#wbc_service u:object_r:wbc_service:s0
-#STAProxyService u:object_r:STAProxyService:s0
-#dun u:object_r:dun_service:s0
-#qti.ims.connectionmanagerservice u:object_r:imscm_service:s0
-#com.qti.snapdragon.sdk.display.IColorService u:object_r:color_service:s0
-#wfdservice u:object_r:wfdservice_service:s0
-#DigitalPen u:object_r:usf_service:s0
-#dts_eagle_service u:object_r:dtseagleservice_service:s0
-#wfd.native.mm.service u:object_r:wfdservice_service:s0
-#extphone u:object_r:radio_service:s0
-#com.qualcomm.location.izat.IzatService u:object_r:izat_service:s0
-#line 1 "out/target/product/leo/obj/ETC/sectxfile_nl_intermediates/sectxfile_nl"
-
-#line 1 "device/qcom/sepolicy/test/service_contexts"
-#com.qualcomm.qti.auth.securesampleauthdaemon u:object_r:fidotest_service:s0
-#line 1 "out/target/product/leo/obj/ETC/sectxfile_nl_intermediates/sectxfile_nl"
-
-- 
cgit v1.2.3