authorIsaac Chen <tingyi364@gmail.com>2019-07-24 06:04:32 +0200
committerIsaac Chen <tingyi364@gmail.com>2019-09-01 16:44:11 +0200
commit915e5bfa31e8f1f725e9e3461370c8535017d2e8 (patch)
treeeecdd755c743e62069dba2b46622ab8813650fa0 /sepolicy
parenteb15173eee7fe3a19fea03da5c06cba1cdb091ad (diff)
wayne-common: Address denials for P
Signed-off-by: Isaac Chen <tingyi364@gmail.com> Change-Id: I6759914e91c1cc437304d74328e970daeb3d25e3
Diffstat (limited to 'sepolicy')
-rw-r--r--sepolicy/app.te4
-rw-r--r--sepolicy/atfwd.te1
-rw-r--r--sepolicy/bt_firmware_file.te2
-rw-r--r--sepolicy/dpmd.te2
-rw-r--r--sepolicy/file.te8
-rw-r--r--sepolicy/file_contexts17
-rw-r--r--sepolicy/firmware_file.te2
-rw-r--r--sepolicy/genfs_contexts2
-rw-r--r--sepolicy/hal_audio_default.te2
-rw-r--r--sepolicy/hal_camera_default.te7
-rw-r--r--sepolicy/hal_cas_default.te3
-rw-r--r--sepolicy/hal_fingerprint_wayne.te5
-rw-r--r--sepolicy/hal_gnss_qti.te1
-rw-r--r--sepolicy/hal_graphics_composer_default.te4
-rw-r--r--sepolicy/hal_light_default.te1
-rw-r--r--sepolicy/hal_mlipay_default.te2
-rw-r--r--sepolicy/hal_power_default.te3
-rw-r--r--sepolicy/hal_sensors_default.te1
-rw-r--r--sepolicy/hvdcp.te1
-rw-r--r--sepolicy/hwservice.te2
-rw-r--r--sepolicy/hwservicemanager.te1
-rw-r--r--sepolicy/init.te7
-rw-r--r--sepolicy/init_fingerprint.te3
-rw-r--r--sepolicy/kernel.te1
-rw-r--r--sepolicy/location.te1
-rw-r--r--sepolicy/netmgrd.te1
-rw-r--r--sepolicy/per_mgr.te2
-rw-r--r--sepolicy/priv_app.te1
-rw-r--r--sepolicy/property.te4
-rw-r--r--sepolicy/property_contexts11
-rw-r--r--sepolicy/qti_init_shell.te5
-rw-r--r--sepolicy/radio.te2
-rw-r--r--sepolicy/rild.te1
-rw-r--r--sepolicy/system_app.te4
-rw-r--r--sepolicy/system_server.te6
-rw-r--r--sepolicy/tee.te12
-rw-r--r--sepolicy/thermal-engine.te6
-rw-r--r--sepolicy/vendor_init.te13
38 files changed, 106 insertions, 45 deletions
diff --git a/sepolicy/app.te b/sepolicy/app.te
index 3858674..c61957b 100644
--- a/sepolicy/app.te
+++ b/sepolicy/app.te
@@ -1,4 +1,6 @@
+# Allow appdomain to get vendor_camera_prop
+get_prop(appdomain, vendor_camera_prop)
allow { appdomain -isolated_app } hal_mlipay_hwservice:hwservice_manager find;
binder_call({ appdomain -isolated_app }, hal_mlipay_default)
-get_prop({ appdomain -isolated_app }, ifaa_prop)
+get_prop({ appdomain -isolated_app }, mlipay_prop)
get_prop({ appdomain -isolated_app }, hal_fingerprint_prop)
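Review bot: The new `get_prop(appdomain, vendor_camera_prop)` covers every app domain including `isolated_app`, while the three rules below it in this hunk all exclude it. Unless isolated processes really need the camera properties, write it as `get_prop({ appdomain -isolated_app }, vendor_camera_prop)`. The property_contexts hunk in this commit labels `persist.vendor.camera.` as `camera_prop`, so it is worth confirming that `vendor_camera_prop` is the type the apps were actually denied on. The comment above the rule restates it; naming the client that reads the property would be more useful.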
diff --git a/sepolicy/atfwd.te b/sepolicy/atfwd.te
new file mode 100644
index 0000000..a60277a
--- /dev/null
+++ b/sepolicy/atfwd.te
@@ -0,0 +1 @@
+allow atfwd sysfs:file read;
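Review bot: `allow atfwd sysfs:file read;` grants read on every sysfs node that still carries the generic `sysfs` label, not only the node that produced the denial. The same pattern is added in hal_camera_default.te, hal_gnss_qti.te, hal_sensors_default.te and location.te, and qti_init_shell.te goes further with `allow qti_init_shell sysfs:file write;`. Labelling the specific node and allowing that type, as this commit already does with `sysfs_graphics` in hal_graphics_composer_default.te, keeps each domain to the files it needs. A comment beside each rule recording the denied path would make that follow-up possible.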
diff --git a/sepolicy/bt_firmware_file.te b/sepolicy/bt_firmware_file.te
deleted file mode 100644
index a6a13a1..0000000
--- a/sepolicy/bt_firmware_file.te
+++ /dev/null
@@ -1,2 +0,0 @@
-#============= bt_firmware_file ==============
-allow bt_firmware_file rootfs:filesystem associate;
diff --git a/sepolicy/dpmd.te b/sepolicy/dpmd.te
deleted file mode 100644
index e73c6fe..0000000
--- a/sepolicy/dpmd.te
+++ /dev/null
@@ -1,2 +0,0 @@
-#============= dpmd ==============
-allow dpmd vendor_file:file { execute getattr open read };
diff --git a/sepolicy/file.te b/sepolicy/file.te
index 7aed2d6..2ca38b9 100644
--- a/sepolicy/file.te
+++ b/sepolicy/file.te
@@ -1,2 +1,8 @@
-type fingerprint_data_file, file_type, data_file_type;
+type debugfs_wlan, debugfs_type, fs_type;
+type ir_dev_file, file_type;
+type proc_dt2w, fs_type, proc_type;
+type fingerprint_data_file, file_type, data_file_type, core_data_file_type;
type fingerprint_sysfs, fs_type, sysfs_type;
+type vendor_keylayout_file, file_type, vendor_file_type;
+type sysfs_light, fs_type, sysfs_type;
+type thermal_data_file, file_type, data_file_type;
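Review bot: Adding `core_data_file_type` to `fingerprint_data_file` marks a device-defined type as core-owned data, which appears to be what forces the `data_between_core_and_vendor_violators` exemption on `hal_fingerprint_wayne` later in this commit. Keeping `type fingerprint_data_file, file_type, data_file_type;` and storing the data under a /data/vendor path would let the vendor HAL reach it without an exemption. `ir_dev_file` is declared here but no rule or context entry in the visible hunks uses it (the IR node is labelled `spidev_device`), so either label something with it or drop the declaration.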
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index 19975c3..6939ff5 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -9,22 +9,37 @@
# Goodix Fingerprint data
/data/gf_data/frr_database.db u:object_r:fingerprint_data_file:s0
+/data/misc/gf_data(/.*)? u:object_r:fingerprint_data_file:s0
+/data/misc/goodix(/.*)? u:object_r:fingerprint_data_file:s0
/persist/data/gf* u:object_r:fingerprint_data_file:s0
+# Fpc Fingerprint data
+/persist/fpc(/.*)? u:object_r:fingerprint_data_file:s0
+
# HVDCP
/sys/devices(/platform)?/soc/[a-z0-9]+\.i2c/i2c-[0-9]+/[0-9]+-[a-z0-9]+/[a-z0-9]+\.i2c:qcom,[a-z0-9]+@[a-z0-9]:qcom,smb[a-z0-9]+-parallel-slave@[0-9]+/power_supply/parallel(/.*)? u:object_r:sysfs_usb_supply:s0
# IR
/dev/spidev7.1 u:object_r:spidev_device:s0
+# Keylayout
+/vendor/usr/idc(/.*)? u:object_r:vendor_keylayout_file:s0
+/vendor/usr/keylayout(/.*)? u:object_r:vendor_keylayout_file:s0
+
# Light HAL
/(vendor|system/vendor)/bin/hw/android\.hardware\.light@2\.0-service\.xiaomi_wayne u:object_r:hal_light_default_exec:s0
# Mlipay
-/(vendor|system/vendor)/bin/mlipayd u:object_r:hal_mlipay_default_exec:s0
+/(vendor|system/vendor)/bin/mlipayd@1.1 u:object_r:hal_mlipay_default_exec:s0
# Persist
/persist/PRSensorData\.txt u:object_r:sensors_persist_file:s0
+# RTC
+/sys/devices/soc/800f000.qcom,spmi/spmi-0/spmi0-00/800f000.qcom,spmi:qcom,pm660@0:qcom,pm660_rtc/rtc/rtc0(/.*)? u:object_r:sysfs_rtc:s0
+
# Shell Script
/(vendor|system/vendor)/bin/init\.goodix\.sh u:object_r:init_fingerprint_exec:s0
+
+# Thermal
+/data/vendor/thermal(/.*)? u:object_r:thermal_data_file:s0
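Review bot: The new Mlipay entry leaves the dot unescaped in `mlipayd@1.1`, so as a regular expression it matches any character in that position, unlike the neighbouring Light HAL and shell-script entries, which use `\.`. Write it as `/(vendor|system/vendor)/bin/mlipayd@1\.1`. The added RTC path has the same unescaped dots in `800f000.qcom,spmi` and should be escaped the same way so the label applies only to the intended node.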
diff --git a/sepolicy/firmware_file.te b/sepolicy/firmware_file.te
deleted file mode 100644
index 57f6c2d..0000000
--- a/sepolicy/firmware_file.te
+++ /dev/null
@@ -1,2 +0,0 @@
-#============= firmware_file ==============
-allow firmware_file rootfs:filesystem associate;
diff --git a/sepolicy/genfs_contexts b/sepolicy/genfs_contexts
new file mode 100644
index 0000000..638c917
--- /dev/null
+++ b/sepolicy/genfs_contexts
@@ -0,0 +1,2 @@
+genfscon proc /nvt_wake_gesture u:object_r:proc_dt2w:s0
+genfscon debugfs /wlan0 u:object_r:debugfs_wlan:s0
diff --git a/sepolicy/hal_audio_default.te b/sepolicy/hal_audio_default.te
new file mode 100644
index 0000000..128920f
--- /dev/null
+++ b/sepolicy/hal_audio_default.te
@@ -0,0 +1,2 @@
+allow hal_audio_default vendor_data_file:dir { create write add_name };
+allow hal_audio_default vendor_data_file:file { append create getattr open read };
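Review bot: Both rules target the generic `vendor_data_file` label, so the audio HAL may create directories and files anywhere under /data/vendor that has no more specific label. A dedicated type for the audio HAL's directory, declared in file.te and labelled in file_contexts the way `thermal_data_file` is in this commit, would confine the grant to that directory. A comment naming the path that produced the denial would help whoever tightens this later.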
diff --git a/sepolicy/hal_camera_default.te b/sepolicy/hal_camera_default.te
index 4d5138b..0f40bbd 100644
--- a/sepolicy/hal_camera_default.te
+++ b/sepolicy/hal_camera_default.te
@@ -1,3 +1,6 @@
-allow hal_camera_default sysfs_kgsl:file r_file_perms;
+binder_call(hal_camera_default, hal_configstore_default)
+binder_call(hal_camera_default, hal_graphics_allocator_default)
+
allow hal_camera_default { hal_configstore_ISurfaceFlingerConfigs hal_graphics_allocator_hwservice }:hwservice_manager find;
-allow hal_camera_default { hal_configstore_default hal_graphics_allocator_default }:binder call;
+allow hal_camera_default sysfs:file { getattr open read };
+allow hal_camera_default sysfs_kgsl:file { getattr open read };
diff --git a/sepolicy/hal_cas_default.te b/sepolicy/hal_cas_default.te
index fec0fc4..18b00de 100644
--- a/sepolicy/hal_cas_default.te
+++ b/sepolicy/hal_cas_default.te
@@ -1,2 +1 @@
-#============= hal_cas_default ==============
-allow hal_cas_default vndbinder_device:chr_file { ioctl open read write };
+vndbinder_use(hal_cas_default)
diff --git a/sepolicy/hal_fingerprint_wayne.te b/sepolicy/hal_fingerprint_wayne.te
index 470c6d8..11a99de 100644
--- a/sepolicy/hal_fingerprint_wayne.te
+++ b/sepolicy/hal_fingerprint_wayne.te
@@ -2,15 +2,18 @@ type hal_fingerprint_wayne, domain, binder_in_vendor_violators;
hal_server_domain(hal_fingerprint_wayne, hal_fingerprint)
type hal_fingerprint_wayne_exec, exec_type, vendor_file_type, file_type;
+typeattribute hal_fingerprint_wayne data_between_core_and_vendor_violators;
binder_use(hal_fingerprint_wayne)
init_daemon_domain(hal_fingerprint_wayne)
allow hal_fingerprint_wayne fingerprint_device:chr_file { read write open ioctl };
allow hal_fingerprint_wayne { tee_device uhid_device }:chr_file { read write open ioctl };
allow hal_fingerprint_wayne fingerprint_data_file:file rw_file_perms;
+allow hal_fingerprint_wayne fingerprintd_data_file:dir rw_dir_perms;
+allow hal_fingerprint_wayne fingerprintd_data_file:file create_file_perms;
allow hal_fingerprint_wayne { fuse mnt_user_file storage_file }:dir search;
allow hal_fingerprint_wayne { mnt_user_file storage_file }:lnk_file read;
-allow hal_fingerprint_wayne fingerprint_sysfs:dir rw_dir_perms;
+allow hal_fingerprint_wayne fingerprint_sysfs:dir r_dir_perms;
allow hal_fingerprint_wayne fingerprint_sysfs:file rw_file_perms;
allow hal_fingerprint_wayne hal_fingerprint_wayne:netlink_socket { create bind write read };
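Review bot: The added `typeattribute hal_fingerprint_wayne data_between_core_and_vendor_violators;` carries no explanation, whereas the same exemption in tee.te in this commit has a TODO describing when it can be removed. Together with the two `fingerprintd_data_file` rules it gives the vendor HAL directory write and file create access to a platform-owned fingerprint data type. Add a comment such as `# TODO: drop violator attribute once templates live in vendor-owned storage`, and if the HAL only needs its own store, prefer `fingerprint_data_file` on a /data/vendor path. The hunk starts at line 2 of the file, so rules outside it are not visible here.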
diff --git a/sepolicy/hal_gnss_qti.te b/sepolicy/hal_gnss_qti.te
new file mode 100644
index 0000000..711c8bb
--- /dev/null
+++ b/sepolicy/hal_gnss_qti.te
@@ -0,0 +1 @@
+allow hal_gnss_qti sysfs:file { read open };
diff --git a/sepolicy/hal_graphics_composer_default.te b/sepolicy/hal_graphics_composer_default.te
index c8c0e02..39e8fb4 100644
--- a/sepolicy/hal_graphics_composer_default.te
+++ b/sepolicy/hal_graphics_composer_default.te
@@ -1,2 +1,2 @@
-#============= hal_graphics_composer_default ==============
-allow hal_graphics_composer_default sysfs:file { getattr open read };
+allow hal_graphics_composer_default sysfs_graphics:file r_file_perms;
+allow hal_graphics_composer_default sysfs_graphics:lnk_file read;
diff --git a/sepolicy/hal_light_default.te b/sepolicy/hal_light_default.te
new file mode 100644
index 0000000..e0592d7
--- /dev/null
+++ b/sepolicy/hal_light_default.te
@@ -0,0 +1 @@
+allow hal_light_default sysfs_light:file rw_file_perms;
diff --git a/sepolicy/hal_mlipay_default.te b/sepolicy/hal_mlipay_default.te
index eb48621..c6f721c 100644
--- a/sepolicy/hal_mlipay_default.te
+++ b/sepolicy/hal_mlipay_default.te
@@ -11,6 +11,6 @@ allow hal_mlipay_default tee_device:chr_file rw_file_perms;
allow hal_mlipay_default ion_device:chr_file r_file_perms;
r_dir_file(hal_mlipay_default, firmware_file)
-set_prop(hal_mlipay_default, ifaa_prop);
+set_prop(hal_mlipay_default, mlipay_prop);
get_prop(hal_mlipay_default, hal_fingerprint_prop);
diff --git a/sepolicy/hal_power_default.te b/sepolicy/hal_power_default.te
index 7e0a992..2df04b0 100644
--- a/sepolicy/hal_power_default.te
+++ b/sepolicy/hal_power_default.te
@@ -1 +1,2 @@
-allow hal_power_default proc:file rw_file_perms;
+allow hal_power_default proc_dt2w:file rw_file_perms;
+r_dir_file(hal_power_default, debugfs_wlan)
diff --git a/sepolicy/hal_sensors_default.te b/sepolicy/hal_sensors_default.te
new file mode 100644
index 0000000..28414f9
--- /dev/null
+++ b/sepolicy/hal_sensors_default.te
@@ -0,0 +1 @@
+allow hal_sensors_default sysfs:file { read open };
diff --git a/sepolicy/hvdcp.te b/sepolicy/hvdcp.te
index 894bb5f..49a6b78 100644
--- a/sepolicy/hvdcp.te
+++ b/sepolicy/hvdcp.te
@@ -1,2 +1 @@
-#============= hvdcp ==============
allow hvdcp sysfs:file { open read };
diff --git a/sepolicy/hwservice.te b/sepolicy/hwservice.te
index 6c299d1..32adecb 100644
--- a/sepolicy/hwservice.te
+++ b/sepolicy/hwservice.te
@@ -1,2 +1,2 @@
type goodixhw_service, hwservice_manager_type;
-type hal_mlipay_hwservice, hwservice_manager_type;
+type hal_mlipay_hwservice, hwservice_manager_type, untrusted_app_visible_hwservice;
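Review bot: Adding `untrusted_app_visible_hwservice` to `hal_mlipay_hwservice` exempts the payment HAL from the policy check that keeps untrusted apps away from HAL services, and app.te already lets `{ appdomain -isolated_app }` find and call it. That makes the HAL's interface reachable from any installed app, so the HAL has to validate every caller and argument itself. If only specific clients need it, narrowing the app.te rules to those domains would avoid the attribute; otherwise add a comment here stating why the exposure is required.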
diff --git a/sepolicy/hwservicemanager.te b/sepolicy/hwservicemanager.te
index cc438b8..3262afb 100644
--- a/sepolicy/hwservicemanager.te
+++ b/sepolicy/hwservicemanager.te
@@ -2,4 +2,3 @@
allow hwservicemanager init:dir search;
allow hwservicemanager init:file { open read };
allow hwservicemanager init:process getattr;
-
diff --git a/sepolicy/init.te b/sepolicy/init.te
index bba943e..734baea 100644
--- a/sepolicy/init.te
+++ b/sepolicy/init.te
@@ -1,3 +1,6 @@
-#============= init ==============
allow init hwservicemanager:binder { call transfer };
-allow init btnvtool_exec:file execute;
+allow init ipa_dev:chr_file open;
+allow init ion_device:chr_file ioctl;
+allow init property_socket:sock_file write;
+allow init sysfs_dm:file { open write };
+allow init tee_device:chr_file { write ioctl };
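Review bot: The added rules let `init` itself open `ipa_dev` and issue ioctls or writes on `ion_device` and `tee_device`, which suggests (inferred from the rules, not visible here) that a vendor service or script is running in the init domain without a transition. Giving that executable its own domain with `init_daemon_domain(...)` would avoid widening init. `allow init property_socket:sock_file write;` here and `allow netmgrd property_socket:sock_file write;` in netmgrd.te grant the socket write without naming a property; the `set_prop(domain, type)` macro used elsewhere in this commit scopes the grant to one property type.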
diff --git a/sepolicy/init_fingerprint.te b/sepolicy/init_fingerprint.te
index 4c27535..b45cdd6 100644
--- a/sepolicy/init_fingerprint.te
+++ b/sepolicy/init_fingerprint.te
@@ -11,5 +11,4 @@ allow init_fingerprint vendor_toolbox_exec:file rx_file_perms;
# Allow to delete file
allow init_fingerprint persist_file:dir search;
allow init_fingerprint persist_drm_file:dir { read search open write remove_name };
-allow init_fingerprint persist_drm_file:file { getattr unlink };
-allow init_fingerprint system_data_file:file r_file_perms;
+allow init_fingerprint persist_drm_file:file { getattr unlink }; \ No newline at end of file
diff --git a/sepolicy/kernel.te b/sepolicy/kernel.te
new file mode 100644
index 0000000..9ba3537
--- /dev/null
+++ b/sepolicy/kernel.te
@@ -0,0 +1 @@
+allow kernel debugfs_wlan:dir search;
diff --git a/sepolicy/location.te b/sepolicy/location.te
new file mode 100644
index 0000000..4333581
--- /dev/null
+++ b/sepolicy/location.te
@@ -0,0 +1 @@
+allow location sysfs:file { read open };
diff --git a/sepolicy/netmgrd.te b/sepolicy/netmgrd.te
new file mode 100644
index 0000000..47ce266
--- /dev/null
+++ b/sepolicy/netmgrd.te
@@ -0,0 +1 @@
+allow netmgrd property_socket:sock_file write;
diff --git a/sepolicy/per_mgr.te b/sepolicy/per_mgr.te
deleted file mode 100644
index 1882a34..0000000
--- a/sepolicy/per_mgr.te
+++ /dev/null
@@ -1,2 +0,0 @@
-#============= per_mgr ==============
-allow per_mgr self:capability { dac_override net_raw };
diff --git a/sepolicy/priv_app.te b/sepolicy/priv_app.te
new file mode 100644
index 0000000..7ae851d
--- /dev/null
+++ b/sepolicy/priv_app.te
@@ -0,0 +1 @@
+allow priv_app sysfs_graphics:file { getattr open read }; \ No newline at end of file
diff --git a/sepolicy/property.te b/sepolicy/property.te
index 20dd7a4..313445c 100644
--- a/sepolicy/property.te
+++ b/sepolicy/property.te
@@ -1,3 +1,3 @@
type hal_fingerprint_prop, property_type;
-type ifaa_prop, property_type;
-
+type mlipay_prop, property_type;
+type thermal_engine_prop, property_type;
diff --git a/sepolicy/property_contexts b/sepolicy/property_contexts
index 57f8ba8..037565e 100644
--- a/sepolicy/property_contexts
+++ b/sepolicy/property_contexts
@@ -1,5 +1,12 @@
+persist.camera. u:object_r:camera_prop:s0
+persist.vendor.camera. u:object_r:camera_prop:s0
sys.fp.goodix u:object_r:hal_fingerprint_prop:s0
sys.fp.vendor u:object_r:hal_fingerprint_prop:s0
persist.sys.fp.info u:object_r:hal_fingerprint_prop:s0
-persist.sys.fp.vendor u:object_r:hal_fingerprint_prop:s0
-persist.sys.ifaa u:object_r:ifaa_prop:s0
+persist.vendor.sys.fp.vendor u:object_r:hal_fingerprint_prop:s0
+persist.vendor.sys.pay.fido u:object_r:mlipay_prop:s0
+persist.vendor.sys.pay.ifaa u:object_r:mlipay_prop:s0
+persist.vendor.sys.pay.soter u:object_r:mlipay_prop:s0
+persist.vendor.sys.provision.status u:object_r:mlipay_prop:s0
+persist.sys.thermal. u:object_r:thermal_engine_prop:s0
+sys.thermal. u:object_r:thermal_engine_prop:s0
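Review bot: `persist.camera.`, `persist.sys.thermal.` and `sys.thermal.` are labelled from the device policy although they sit outside the `persist.vendor.` namespace that the other new entries use. Vendor-assigned labels on non-vendor prefixes can conflict with platform property contexts, so consider moving them to vendor-prefixed names as was done for `persist.vendor.sys.fp.vendor`, or add a comment naming the component that still needs the legacy names. These are prefix matches, so `persist.camera.` covers every property beneath it; confirm that breadth is intended, since vendor_init.te gains `set_prop(vendor_init, camera_prop)` in this commit.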
diff --git a/sepolicy/qti_init_shell.te b/sepolicy/qti_init_shell.te
index 6967fc4..aa81398 100644
--- a/sepolicy/qti_init_shell.te
+++ b/sepolicy/qti_init_shell.te
@@ -1,3 +1,4 @@
-#============= qti_init_shell ==============
allow qti_init_shell sysfs_cpu_boost:file write;
-allow qti_init_shell sysfs_lowmemorykiller:dir write;
+allow qti_init_shell sysfs:file write;
+allow qti_init_shell vendor_radio_data_file:dir { getattr read search };
+allow qti_init_shell vendor_radio_data_file:file { getattr read setattr write };
diff --git a/sepolicy/radio.te b/sepolicy/radio.te
deleted file mode 100644
index 4d6fc0f..0000000
--- a/sepolicy/radio.te
+++ /dev/null
@@ -1,2 +0,0 @@
-#============= radio ==============
-allow radio vendor_file:file { execute getattr open read };
diff --git a/sepolicy/rild.te b/sepolicy/rild.te
index d66bc7c..06625de 100644
--- a/sepolicy/rild.te
+++ b/sepolicy/rild.te
@@ -1,2 +1 @@
-#============= rild ==============
allow rild vendor_file:file ioctl;
diff --git a/sepolicy/system_app.te b/sepolicy/system_app.te
index c9f1b37..c7d0026 100644
--- a/sepolicy/system_app.te
+++ b/sepolicy/system_app.te
@@ -1 +1,3 @@
-hal_client_domain(system_app, hal_mlipay)
+allow system_app vendor_default_prop:file { getattr open read };
+allow system_app wificond:binder call;
+add_service(system_app, goodixhw_service)
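Review bot: `add_service(system_app, goodixhw_service)` applies the `service_manager` macro to a type that hwservice.te declares as `hwservice_manager_type`. If the Goodix service is registered with hwservicemanager this rule likely has no effect and `add_hwservice(system_app, goodixhw_service)` is the matching macro; if it really is a binder service, the type should be declared as a `service_manager_type` instead. Either way, a comment naming the system app that registers the service would help, since this lets the whole `system_app` domain add it.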
diff --git a/sepolicy/system_server.te b/sepolicy/system_server.te
index c658e69..c9135cf 100644
--- a/sepolicy/system_server.te
+++ b/sepolicy/system_server.te
@@ -1,2 +1,4 @@
-#============= system_server ==============
-allow system_server vendor_file:file { execute getattr open read };
+allow system_server vendor_keylayout_file:dir search;
+allow system_server vendor_keylayout_file:file r_file_perms;
+allow system_server sysfs_vibrator:file rw_file_perms;
+allow system_server sysfs_rtc:file r_file_perms;
diff --git a/sepolicy/tee.te b/sepolicy/tee.te
index 85c98a8..0a124bc 100644
--- a/sepolicy/tee.te
+++ b/sepolicy/tee.te
@@ -1,6 +1,6 @@
-# /data/goodix labeling
-type_transition tee system_data_file:{ dir file } fingerprint_data_file;
-
-allow tee fingerprint_data_file:dir create_dir_perms;
-allow tee fingerprint_data_file:file create_file_perms;
-allow tee system_data_file:dir create_dir_perms;
+# TODO(b/36644492): Remove data_between_core_and_vendor_violators once
+# tee no longer directly accesses /data owned by the frameworks.
+typeattribute tee data_between_core_and_vendor_violators;
+allow tee system_data_file:dir r_dir_perms;
+allow tee fingerprintd_data_file:dir rw_dir_perms;
+allow tee fingerprintd_data_file:file create_file_perms;
diff --git a/sepolicy/thermal-engine.te b/sepolicy/thermal-engine.te
new file mode 100644
index 0000000..0e03308
--- /dev/null
+++ b/sepolicy/thermal-engine.te
@@ -0,0 +1,6 @@
+allow thermal-engine thermal_data_file:dir rw_dir_perms;
+allow thermal-engine thermal_data_file:file create_file_perms;
+allow thermal-engine self:capability { chown fowner };
+dontaudit thermal-engine self:capability dac_override;
+
+set_prop(thermal-engine, thermal_engine_prop);
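Review bot: `allow thermal-engine self:capability { chown fowner };` gives the daemon capabilities that are usually needed only to fix ownership of its own data directory. If /data/vendor/thermal is created with the right owner and mode from an init script (not visible in this diff), both capabilities can be dropped and the `dontaudit thermal-engine self:capability dac_override;` line may become unnecessary too. The trailing semicolon after `set_prop(thermal-engine, thermal_engine_prop)` is not needed after a macro call and differs from the macro calls in vendor_init.te.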
diff --git a/sepolicy/vendor_init.te b/sepolicy/vendor_init.te
new file mode 100644
index 0000000..9f602b1
--- /dev/null
+++ b/sepolicy/vendor_init.te
@@ -0,0 +1,13 @@
+typeattribute vendor_init data_between_core_and_vendor_violators;
+
+allow vendor_init {
+ system_data_file
+ tombstone_data_file
+}:dir { create search getattr open read setattr ioctl write add_name remove_name rmdir relabelfrom };
+
+set_prop(vendor_init, camera_prop)
+allow vendor_init rootfs:dir { add_name create setattr write };
+allow vendor_init persist_debug_prop:property_service set;
+allow vendor_init persist_dpm_prop:property_service set;
+allow vendor_init qcom_ims_prop:property_service set;
+allow vendor_init rootfs:lnk_file setattr;
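Review bot: The block granting `{ create ... remove_name rmdir relabelfrom }` on `system_data_file` and `tombstone_data_file` directories, enabled by `data_between_core_and_vendor_violators`, lets vendor init scripts create, remove and relabel directories across the framework's generic /data label. The `rootfs:dir { add_name create setattr write }` and `rootfs:lnk_file setattr` rules additionally let it modify the root filesystem. These read like denials transcribed from specific `mkdir`, `chown` or `symlink` lines in a vendor rc file; pointing those lines at vendor-owned paths would remove the need for most of this. At minimum add a TODO above the `typeattribute` line, as tee.te does, stating which script needs each rule.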