path: root/sepolicy/workarounds.te
allow cameraserver camera_socket:dir { search write add_name };
allow cameraserver camera_socket:file { read write getattr open };
allow mm-qcamerad camera_socket:dir { search write add_name };
allow mm-qcamerad camera_socket:file { read write getattr open };

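# Device-specific allow rules, one section per source domain.
#
# The sections below merge rules that were previously spread over repeated
# headers: credmgr, init, suntrold, tad, taimport, thermanager, qti_init_shell,
# scd and wv each appeared two or three times, and the last ~40 lines of the
# file were a verbatim copy of an earlier stretch (plus an mm-qcamerad section
# and a garbled "#============r credmgr" header). Duplicate allow rules compile
# to the same policy, so consolidating them grants and revokes nothing.
# Rules that reach further than a single device node, socket or file type are
# marked NOTE(review) so the owning team can narrow or justify them.

#============= credmgr ==============
allow credmgr iddd:unix_dgram_socket sendto;
allow credmgr iddd_file:sock_file write;
allow credmgr secd_data_file:file { write getattr setattr read lock open };
# NOTE(review): dac_override skips UID/GID permission checks on every file the
# other rules of this domain already reach. If the denial came from a file with
# the wrong owner or mode (secd_data_file above is the likely candidate), fixing
# that ownership is the narrower change and this line can go.
allow credmgr self:capability dac_override;
allow credmgr socket_device:sock_file write;
allow credmgr suntrold:unix_stream_socket connectto;
allow credmgr tad:unix_stream_socket connectto;
allow credmgr tad_socket:sock_file write;
allow credmgr tee_device:chr_file { read write open ioctl };
allow credmgr ion_device:chr_file { ioctl open read };

#============= iddd ==============
# NOTE(review): default_prop is the fallback label for properties that have no
# context of their own, so this lets iddd set all of them. A dedicated property
# label for what iddd actually writes would be the narrower rule.
allow iddd default_prop:property_service set;
allow iddd iddd_file:dir { remove_name search add_name };
# Merged from two separate rules ({ rename create } and unlink) on the same
# type/class pair.
allow iddd iddd_file:file { create rename unlink };
allow iddd iddd_file:sock_file { write create unlink setattr };
allow iddd init:unix_stream_socket connectto;
allow iddd property_socket:sock_file write;
allow iddd logd:unix_stream_socket connectto;
allow iddd logdr_socket:sock_file write;
allow iddd self:netlink_socket { write bind create };
# execute_no_trans runs a system_file binary inside the iddd domain instead of
# transitioning, so whatever it launches inherits every rule in this section.
allow iddd system_file:file execute_no_trans;

#============= mediaserver ==============
allow mediaserver credmgr:unix_stream_socket connectto;
allow mediaserver socket_device:sock_file write;

#============= suntrold ==============
# NOTE(review): same concern as credmgr's dac_override above; check which file
# triggered the denial and fix its owner/mode if possible.
allow suntrold self:capability dac_override;
allow suntrold socket_device:dir add_name;
allow suntrold socket_device:sock_file { create setattr };
allow suntrold tad:unix_stream_socket connectto;
allow suntrold tad_socket:sock_file write;
allow suntrold tee_device:chr_file { read write ioctl open };
allow suntrold ion_device:chr_file { ioctl open read };

#============= system_server ==============
allow system_server ta_data_file:file { read open };

#============= ta_qmi ==============
allow ta_qmi self:capability { setuid setgid };

#============= tad ==============
# NOTE(review): block_device is the generic block-device label, so read/write
# here reaches every raw block device that has no type of its own. If tad only
# needs one partition, give that partition its own type and grant only that.
allow tad block_device:blk_file { read write ioctl open };
allow tad iddd:unix_dgram_socket sendto;
allow tad iddd_file:sock_file write;
allow tad proc:file { open read };
# entrypoint on rootfs means the tad executable carries no label of its own;
# giving it a dedicated *_exec type in file_contexts is the usual fix.
allow tad rootfs:file { entrypoint read };

#============= thermanager ==============
allow thermanager sysfs_battery_supply:dir search;
allow thermanager sysfs_battery_supply:file { read write open };
allow thermanager sysfs:file { open read };

#============= init ==============
allow init block_device:blk_file setattr;
allow init debugfs:dir mounton;
allow init debugfs:file write;
# NOTE(review): the generic socket class is what the kernel reports for socket
# families without a dedicated class; confirm which family the denial named
# before keeping this, since it is wider than a family-specific class.
allow init self:socket { read bind create write ioctl };
allow init smem_log_device:chr_file { write ioctl };
allow init socket_device:sock_file { create unlink setattr };

#============= taimport ==============
allow taimport ta_data_file:file unlink;
# NOTE(review): in AOSP's property_contexts adbsecure_prop labels ro.adb.secure,
# which decides whether adb requires key authorization. A domain that can set it
# can weaken adb's trust model, so this grant should carry a written
# justification (bug id or use case) next to it.
allow taimport adbsecure_prop:property_service set;
allow taimport init:unix_stream_socket connectto;
allow taimport property_socket:sock_file write;

#============= qti_init_shell ==============
allow qti_init_shell tad:unix_stream_socket connectto;
allow qti_init_shell tad_socket:sock_file write;

#============= scd ==============
allow scd socket_device:dir { add_name write };
allow scd socket_device:sock_file { create setattr };
allow scd sysfs:file { getattr open read };

#============= wv ==============
allow wv ion_device:chr_file { ioctl open read };
allow wv socket_device:sock_file write;
allow wv suntrold:unix_stream_socket connectto;
allow wv tad:unix_stream_socket connectto;
allow wv tad_socket:sock_file write;
allow wv tee_device:chr_file { ioctl open read write };

#============= cameraserver ==============
allow cameraserver ta_data_file:dir { getattr open read };
allow cameraserver sudaemon:unix_dgram_socket sendto;
allow cameraserver sudaemon:unix_stream_socket connectto;
allow cameraserver mm-qcamerad:unix_stream_socket sendto;
allow cameraserver mm-qcamerad:unix_stream_socket connectto;

#============= mm-qcamerad ==============
# NOTE(review): execmod means a library loaded by the camera daemon needs text
# relocations (pages mapped writable and then executable). Rebuilding that
# library without TEXTRELs removes the need for this rule.
allow mm-qcamerad system_file:file execmod;
# NOTE(review): system_prop is the label for the sys.* property family in AOSP;
# a dedicated label for the properties the camera daemon sets would be narrower.
allow mm-qcamerad system_prop:property_service set;
allow mm-qcamerad ta_data_file:dir { getattr open read };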