summaryrefslogtreecommitdiff
path: root/sepolicy/vendor
diff options
context:
space:
mode:
authorDavide Garberi <dade.garberi@gmail.com>2019-10-16 13:52:36 +0200
committerMichael Bestas <mkbestas@lineageos.org>2020-04-30 00:48:53 +0300
commit6c0bfd646b2630f8a7faa5af03b8859b20a80324 (patch)
tree6d1114ad56a34fc3c6cd6fc0064cbd914dde3c05 /sepolicy/vendor
parent9611b520dbfbd2163166915c53b0da1847a60e0c (diff)
sdm660-common: sepolicy: Fix neverallows
Change-Id: I8a6258abb13755a51d9babd1074ea3893cd13f51
Diffstat (limited to 'sepolicy/vendor')
-rw-r--r--sepolicy/vendor/app.te2
-rw-r--r--sepolicy/vendor/hal_camera_default.te1
-rw-r--r--sepolicy/vendor/init.te1
-rw-r--r--sepolicy/vendor/system_app.te1
4 files changed, 1 insertions, 4 deletions
diff --git a/sepolicy/vendor/app.te b/sepolicy/vendor/app.te
index 35378d6..776c7c6 100644
--- a/sepolicy/vendor/app.te
+++ b/sepolicy/vendor/app.te
@@ -1,5 +1,5 @@
# Allow appdomain to get vendor_camera_prop
-allow { appdomain -isolated_app } hal_mlipay_hwservice:hwservice_manager find;
+allow { appdomain -isolated_app -ephemeral_app -mediaprovider -untrusted_app_27 -untrusted_app -untrusted_app_25 -runas_app } hal_mlipay_hwservice:hwservice_manager find;
binder_call({ appdomain -isolated_app }, hal_mlipay_default)
get_prop({ appdomain -isolated_app }, mlipay_prop)
get_prop({ appdomain -isolated_app }, hal_fingerprint_prop)
diff --git a/sepolicy/vendor/hal_camera_default.te b/sepolicy/vendor/hal_camera_default.te
index 0f40bbd..34531cb 100644
--- a/sepolicy/vendor/hal_camera_default.te
+++ b/sepolicy/vendor/hal_camera_default.te
@@ -1,6 +1,5 @@
binder_call(hal_camera_default, hal_configstore_default)
binder_call(hal_camera_default, hal_graphics_allocator_default)
-allow hal_camera_default { hal_configstore_ISurfaceFlingerConfigs hal_graphics_allocator_hwservice }:hwservice_manager find;
allow hal_camera_default sysfs:file { getattr open read };
allow hal_camera_default sysfs_kgsl:file { getattr open read };
diff --git a/sepolicy/vendor/init.te b/sepolicy/vendor/init.te
index 734baea..16ca39b 100644
--- a/sepolicy/vendor/init.te
+++ b/sepolicy/vendor/init.te
@@ -3,4 +3,3 @@ allow init ipa_dev:chr_file open;
allow init ion_device:chr_file ioctl;
allow init property_socket:sock_file write;
allow init sysfs_dm:file { open write };
-allow init tee_device:chr_file { write ioctl };
diff --git a/sepolicy/vendor/system_app.te b/sepolicy/vendor/system_app.te
index c7d0026..c4a7f00 100644
--- a/sepolicy/vendor/system_app.te
+++ b/sepolicy/vendor/system_app.te
@@ -1,3 +1,2 @@
allow system_app vendor_default_prop:file { getattr open read };
allow system_app wificond:binder call;
-add_service(system_app, goodixhw_service)