author | Isaac Chen <isaacchen@isaacchen.cn> | 2018-07-27 14:27:16 +0200 |
committer | Isaac Chen <isaacchen@isaacchen.cn> | 2018-07-27 00:00:11 +0000 |
commit | a59e765afb37bea328408bc6ceb9787afbfd3ecf (patch) | |
tree | 0ddb1a34c8f9cf98a12ed2148261f45bb439c9c5 /sepolicy | |
parent | 39445a3026aa961bdd372607c2e35168a643b990 (diff) |
wayne: sepolicy: Initial denials
Signed-off-by: Isaac Chen <isaacchen@isaacchen.cn>
Diffstat (limited to 'sepolicy')
-rw-r--r-- | sepolicy/bt_firmware_file.te | 2 | ||||
-rw-r--r-- | sepolicy/device.te | 1 | ||||
-rw-r--r-- | sepolicy/dpmd.te | 2 | ||||
-rw-r--r-- | sepolicy/file.te | 2 | ||||
-rw-r--r-- | sepolicy/file_contexts | 18 | ||||
-rw-r--r-- | sepolicy/firmware_file.te | 2 | ||||
-rw-r--r-- | sepolicy/hal_camera_default.te | 1 | ||||
-rw-r--r-- | sepolicy/hal_cas_default.te | 2 | ||||
-rw-r--r-- | sepolicy/hal_fingerprint_wayne.te | 36 | ||||
-rw-r--r-- | sepolicy/hal_graphics_composer_default.te | 2 | ||||
-rw-r--r-- | sepolicy/hal_power_default.te | 1 | ||||
-rw-r--r-- | sepolicy/hvdcp.te | 2 | ||||
-rw-r--r-- | sepolicy/hwservice.te | 2 | ||||
-rw-r--r-- | sepolicy/hwservice_contexts | 1 | ||||
-rw-r--r-- | sepolicy/hwservicemanager.te | 5 | ||||
-rw-r--r-- | sepolicy/init.te | 2 | ||||
-rw-r--r-- | sepolicy/per_mgr.te | 2 | ||||
-rw-r--r-- | sepolicy/property.te | 1 | ||||
-rw-r--r-- | sepolicy/property_contexts | 4 | ||||
-rw-r--r-- | sepolicy/qti_init_shell.te | 3 | ||||
-rw-r--r-- | sepolicy/radio.te | 2 | ||||
-rw-r--r-- | sepolicy/rild.te | 2 | ||||
-rw-r--r-- | sepolicy/system_server.te | 2 | ||||
-rw-r--r-- | sepolicy/tee.te | 6 | ||||
-rw-r--r-- | sepolicy/vndservice.te | 1 | ||||
-rw-r--r-- | sepolicy/vndservice_contexts | 1 | ||||
-rw-r--r-- | sepolicy/vndservicemanager.te | 3 |
27 files changed, 108 insertions, 0 deletions
diff --git a/sepolicy/bt_firmware_file.te b/sepolicy/bt_firmware_file.te
new file mode 100644
index 0000000..a6a13a1
--- /dev/null
+++ b/sepolicy/bt_firmware_file.te
@@ -0,0 +1,2 @@
+#============= bt_firmware_file ==============
+allow bt_firmware_file rootfs:filesystem associate;
diff --git a/sepolicy/device.te b/sepolicy/device.te
new file mode 100644
index 0000000..8ec31c9
--- /dev/null
+++ b/sepolicy/device.te
@@ -0,0 +1 @@
+type fingerprint_device, dev_type;
diff --git a/sepolicy/dpmd.te b/sepolicy/dpmd.te
new file mode 100644
index 0000000..e73c6fe
--- /dev/null
+++ b/sepolicy/dpmd.te
@@ -0,0 +1,2 @@
+#============= dpmd ==============
+allow dpmd vendor_file:file { execute getattr open read };
diff --git a/sepolicy/file.te b/sepolicy/file.te
new file mode 100644
index 0000000..7aed2d6
--- /dev/null
+++ b/sepolicy/file.te
@@ -0,0 +1,2 @@
+type fingerprint_data_file, file_type, data_file_type;
+type fingerprint_sysfs, fs_type, sysfs_type;
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
new file mode 100644
index 0000000..a35066a
--- /dev/null
+++ b/sepolicy/file_contexts
@@ -0,0 +1,18 @@
+# Biometric
+/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.xiaomi_wayne u:object_r:hal_fingerprint_wayne_exec:s0
+
+# Fpc Fingerprint
+/sys/devices/soc/soc:fpc1020(/.*)? u:object_r:fingerprint_sysfs:s0
+
+# For Goodix fingerprint
+/dev/goodix_fp* u:object_r:fingerprint_device:s0
+
+# Goodix Fingerprint data
+/data/gf_data/frr_database.db u:object_r:fingerprint_data_file:s0
+/persist/data/gf* u:object_r:fingerprint_data_file:s0
+
+# HVDCP
+/sys/devices(/platform)?/soc/[a-z0-9]+\.i2c/i2c-[0-9]+/[0-9]+-[a-z0-9]+/[a-z0-9]+\.i2c:qcom,[a-z0-9]+@[a-z0-9]:qcom,smb[a-z0-9]+-parallel-slave@[0-9]+/power_supply/parallel(/.*)? u:object_r:sysfs_usb_supply:s0
+
+# Light HAL
+/(vendor|system/vendor)/bin/hw/android\.hardware\.light@2\.0-service\.xiaomi_wayne u:object_r:hal_light_default_exec:s0
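Review bot: In the file_contexts hunk, `/dev/goodix_fp*` and `/persist/data/gf*` are written as shell globs, but file_contexts entries are anchored regular expressions, so `*` only repeats the character before it: `/dev/goodix_fp*` matches `/dev/goodix_f`, `/dev/goodix_fp`, `/dev/goodix_fpp` and so on, but not a node such as `/dev/goodix_fp0` (constructed example), which would then keep the default device label and never see the `fingerprint_device` rules. The intended forms are probably `/dev/goodix_fp.*  u:object_r:fingerprint_device:s0` and `/persist/data/gf.*  u:object_r:fingerprint_data_file:s0`. The `/data/gf_data/frr_database.db` entry would also be tighter with its dot escaped as `\.`, as the other entries in this file already do.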
diff --git a/sepolicy/firmware_file.te b/sepolicy/firmware_file.te
new file mode 100644
index 0000000..57f6c2d
--- /dev/null
+++ b/sepolicy/firmware_file.te
@@ -0,0 +1,2 @@
+#============= firmware_file ==============
+allow firmware_file rootfs:filesystem associate;
diff --git a/sepolicy/hal_camera_default.te b/sepolicy/hal_camera_default.te
new file mode 100644
index 0000000..6a3d424
--- /dev/null
+++ b/sepolicy/hal_camera_default.te
@@ -0,0 +1 @@
+allow hal_camera_default sysfs_kgsl:file r_file_perms;
diff --git a/sepolicy/hal_cas_default.te b/sepolicy/hal_cas_default.te
new file mode 100644
index 0000000..fec0fc4
--- /dev/null
+++ b/sepolicy/hal_cas_default.te
@@ -0,0 +1,2 @@
+#============= hal_cas_default ==============
+allow hal_cas_default vndbinder_device:chr_file { ioctl open read write };
diff --git a/sepolicy/hal_fingerprint_wayne.te b/sepolicy/hal_fingerprint_wayne.te
new file mode 100644
index 0000000..470c6d8
--- /dev/null
+++ b/sepolicy/hal_fingerprint_wayne.te
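Review bot: hal_cas_default.te grants vndbinder access as a raw `allow hal_cas_default vndbinder_device:chr_file { ioctl open read write };`, while hal_fingerprint_wayne.te in the same commit uses the `vndbinder_use()` macro for the same need. Writing it as `vndbinder_use(hal_cas_default)` keeps the two files consistent and, as far as I recall the AOSP macro, also brings in the vndservicemanager binder rules a vndbinder client needs instead of leaving them for the next denial round. The `#============= hal_cas_default ==============` banner is the audit2allow header; a line naming which CAS use case needs vndbinder would serve the next reader better.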
@@ -0,0 +1,36 @@
+type hal_fingerprint_wayne, domain, binder_in_vendor_violators;
+hal_server_domain(hal_fingerprint_wayne, hal_fingerprint)
+
+type hal_fingerprint_wayne_exec, exec_type, vendor_file_type, file_type;
+binder_use(hal_fingerprint_wayne)
+init_daemon_domain(hal_fingerprint_wayne)
+
+allow hal_fingerprint_wayne fingerprint_device:chr_file { read write open ioctl };
+allow hal_fingerprint_wayne { tee_device uhid_device }:chr_file { read write open ioctl };
+allow hal_fingerprint_wayne fingerprint_data_file:file rw_file_perms;
+allow hal_fingerprint_wayne { fuse mnt_user_file storage_file }:dir search;
+allow hal_fingerprint_wayne { mnt_user_file storage_file }:lnk_file read;
+allow hal_fingerprint_wayne fingerprint_sysfs:dir rw_dir_perms;
+allow hal_fingerprint_wayne fingerprint_sysfs:file rw_file_perms;
+
+allow hal_fingerprint_wayne hal_fingerprint_wayne:netlink_socket { create bind write read };
+
+binder_call(hal_fingerprint_wayne, vndservicemanager)
+binder_call(hal_fingerprint_wayne, hal_perf_default)
+
+binder_use(hal_fingerprint_wayne)
+
+r_dir_file(hal_fingerprint_wayne, firmware_file)
+
+add_service(hal_fingerprint_wayne, goodixvnd_service)
+add_hwservice(hal_fingerprint_wayne, goodixhw_service)
+
+allow hal_fingerprint_wayne vndbinder_device:chr_file ioctl;
+
+get_prop(hal_fingerprint_wayne, hal_fingerprint_prop)
+set_prop(hal_fingerprint_wayne, hal_fingerprint_prop)
+
+vndbinder_use(hal_fingerprint_wayne)
+
+dontaudit hal_fingerprint_wayne { media_rw_data_file sdcardfs}:dir search;
+dontaudit hal_fingerprint_wayne media_rw_data_file:dir { read open };
diff --git a/sepolicy/hal_graphics_composer_default.te b/sepolicy/hal_graphics_composer_default.te
new file mode 100644
index 0000000..c8c0e02
--- /dev/null
+++ b/sepolicy/hal_graphics_composer_default.te
@@ -0,0 +1,2 @@
+#============= hal_graphics_composer_default ==============
+allow hal_graphics_composer_default sysfs:file { getattr open read };
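Review bot: `binder_use(hal_fingerprint_wayne)` appears twice in hal_fingerprint_wayne.te (once after the `_exec` type, once after the `binder_call` pair), and `allow hal_fingerprint_wayne vndbinder_device:chr_file ioctl;` is subsumed by the `vndbinder_use(hal_fingerprint_wayne)` a few lines below it, so the file reads as an audit2allow dump that was never deduplicated. More important for review are the grants that go beyond what a fingerprint sensor needs: `binder_in_vendor_violators` marks the domain as a vendor process on the system binder, `uhid_device` lets it create virtual input devices, and the `fuse`/`mnt_user_file`/`storage_file` searches and the self `netlink_socket` are unexplained. Each of these should carry a one-line comment naming the code path that needs it, e.g. `# uhid_device: <reason — TODO confirm against the HAL source>`, or be dropped if it only came from the denial log. This hunk starts on the previous line with the file header.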
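Review bot: `allow hal_graphics_composer_default sysfs:file { getattr open read };` is on the generic `sysfs` type, i.e. every sysfs node that has not been given a specific label; hvdcp.te does the same with `allow hvdcp sysfs:file { open read };`, and hal_power_default.te goes further with `allow hal_power_default proc:file rw_file_perms;`, which is write access to every unlabelled procfs file. The denial log names the exact path in each case, and the usual fix is to give that node its own type via a `genfscon sysfs` or `genfscon proc` entry and allow only that type, keeping the generic labels out of vendor domains. The write on `proc` is the one to fix first.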
diff --git a/sepolicy/hal_power_default.te b/sepolicy/hal_power_default.te
new file mode 100644
index 0000000..7e0a992
--- /dev/null
+++ b/sepolicy/hal_power_default.te
@@ -0,0 +1 @@
+allow hal_power_default proc:file rw_file_perms;
diff --git a/sepolicy/hvdcp.te b/sepolicy/hvdcp.te
new file mode 100644
index 0000000..894bb5f
--- /dev/null
+++ b/sepolicy/hvdcp.te
@@ -0,0 +1,2 @@
+#============= hvdcp ==============
+allow hvdcp sysfs:file { open read };
diff --git a/sepolicy/hwservice.te b/sepolicy/hwservice.te
new file mode 100644
index 0000000..8f19cf3
--- /dev/null
+++ b/sepolicy/hwservice.te
@@ -0,0 +1,2 @@
+
+type goodixhw_service, hwservice_manager_type;
diff --git a/sepolicy/hwservice_contexts b/sepolicy/hwservice_contexts
new file mode 100644
index 0000000..6fdbcd8
--- /dev/null
+++ b/sepolicy/hwservice_contexts
@@ -0,0 +1 @@
+vendor.goodix.hardware.fingerprint::IGoodixBiometricsFingerprint u:object_r:goodixhw_service:s0
diff --git a/sepolicy/hwservicemanager.te b/sepolicy/hwservicemanager.te
new file mode 100644
index 0000000..cc438b8
--- /dev/null
+++ b/sepolicy/hwservicemanager.te
@@ -0,0 +1,5 @@
+#============= hwservicemanager ==============
+allow hwservicemanager init:dir search;
+allow hwservicemanager init:file { open read };
+allow hwservicemanager init:process getattr;
+
diff --git a/sepolicy/init.te b/sepolicy/init.te
new file mode 100644
index 0000000..a54a2f6
--- /dev/null
+++ b/sepolicy/init.te
@@ -0,0 +1,2 @@
+#============= init ==============
+allow init hwservicemanager:binder { call transfer };
diff --git a/sepolicy/per_mgr.te b/sepolicy/per_mgr.te
new file mode 100644
index 0000000..1882a34
--- /dev/null
+++ b/sepolicy/per_mgr.te
@@ -0,0 +1,2 @@
+#============= per_mgr ==============
+allow per_mgr self:capability { dac_override net_raw };
diff --git a/sepolicy/property.te b/sepolicy/property.te
new file mode 100644
index 0000000..0d82962
--- /dev/null
+++ b/sepolicy/property.te
@@ -0,0 +1 @@
+type hal_fingerprint_prop, property_type;
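Review bot: hwservicemanager.te lets hwservicemanager read the `/proc/<pid>` state of the `init` domain and init.te adds `allow init hwservicemanager:binder { call transfer };`; taken together they say that a process running in the `init` domain is registering with or looking up hwservices. That is almost always a daemon started from an init .rc without a domain of its own (no `type`/`init_daemon_domain()` pair, or an executable that file_contexts does not label), and the right fix is to give that daemon its own domain rather than let `init` itself speak binder. The denial log should name the binary; until it is moved, a comment such as `# TODO: identify the init-domain process behind this and give it its own domain` on these lines would stop the rule from being copied forward as if it were intended.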
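Review bot: `allow per_mgr self:capability { dac_override net_raw };` grants `dac_override`, which bypasses owner/mode checks on every file the domain can otherwise reach under SELinux, so any later over-broad file rule for per_mgr becomes unrestricted access. A `dac_override` denial normally means a file or directory per_mgr needs has the wrong owner or mode; fixing that in the init .rc (`chown`/`chmod`) or the fs config is the preferred resolution. If the capability has to stay, a comment naming the path that required it belongs next to the rule.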
diff --git a/sepolicy/property_contexts b/sepolicy/property_contexts
new file mode 100644
index 0000000..6ac6236
--- /dev/null
+++ b/sepolicy/property_contexts
@@ -0,0 +1,4 @@
+sys.fp.goodix u:object_r:hal_fingerprint_prop:s0
+sys.fp.vendor u:object_r:hal_fingerprint_prop:s0
+persist.sys.fp.info u:object_r:hal_fingerprint_prop:s0
+persist.sys.fp.vendor u:object_r:hal_fingerprint_prop:s0
diff --git a/sepolicy/qti_init_shell.te b/sepolicy/qti_init_shell.te
new file mode 100644
index 0000000..6967fc4
--- /dev/null
+++ b/sepolicy/qti_init_shell.te
@@ -0,0 +1,3 @@
+#============= qti_init_shell ==============
+allow qti_init_shell sysfs_cpu_boost:file write;
+allow qti_init_shell sysfs_lowmemorykiller:dir write;
diff --git a/sepolicy/radio.te b/sepolicy/radio.te
new file mode 100644
index 0000000..4d6fc0f
--- /dev/null
+++ b/sepolicy/radio.te
@@ -0,0 +1,2 @@
+#============= radio ==============
+allow radio vendor_file:file { execute getattr open read };
diff --git a/sepolicy/rild.te b/sepolicy/rild.te
new file mode 100644
index 0000000..d66bc7c
--- /dev/null
+++ b/sepolicy/rild.te
@@ -0,0 +1,2 @@
+#============= rild ==============
+allow rild vendor_file:file ioctl;
diff --git a/sepolicy/system_server.te b/sepolicy/system_server.te
new file mode 100644
index 0000000..c658e69
--- /dev/null
+++ b/sepolicy/system_server.te
@@ -0,0 +1,2 @@
+#============= system_server ==============
+allow system_server vendor_file:file { execute getattr open read };
diff --git a/sepolicy/tee.te b/sepolicy/tee.te
new file mode 100644
index 0000000..85c98a8
--- /dev/null
+++ b/sepolicy/tee.te
@@ -0,0 +1,6 @@
+# /data/goodix labeling
+type_transition tee system_data_file:{ dir file } fingerprint_data_file;
+
+allow tee fingerprint_data_file:dir create_dir_perms;
+allow tee fingerprint_data_file:file create_file_perms;
+allow tee system_data_file:dir create_dir_perms;
diff --git a/sepolicy/vndservice.te b/sepolicy/vndservice.te
new file mode 100644
index 0000000..ebc594c
--- /dev/null
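Review bot: `allow radio vendor_file:file { execute getattr open read };` and the identical rule in system_server.te let two core, system-partition domains execute or map vendor code, which crosses the system/vendor boundary Treble is meant to keep; on a full-Treble build I would expect this to trip the AOSP neverallow against coredomain executing `vendor_file_type` unless the domains are added to the violators attribute, so please check the policy build output. The denial most likely comes from a vendor shared library being loaded into these processes (a same-process HAL or a vendor framework extension); the durable fix is to move that library behind a HAL or to a VNDK-visible location, with a comment here recording which library it was. rild.te's `allow rild vendor_file:file ioctl;` is benign by comparison but also deserves a comment naming the file it is issued on.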
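Review bot: `type_transition tee system_data_file:{ dir file } fingerprint_data_file;` is an unnamed transition, so every directory or file tee creates under any `system_data_file` directory becomes `fingerprint_data_file`, and `allow tee system_data_file:dir create_dir_perms;` lets tee write into any such directory, not just the `/data/goodix` the comment describes — which, incidentally, is absent from the file_contexts hunk. Labelling the target, `/data/goodix(/.*)?  u:object_r:fingerprint_data_file:s0` in file_contexts, and restricting the transition with a name component, `type_transition tee system_data_file:dir fingerprint_data_file "goodix";`, keeps the grant to the one path. Better still, create the directory from an init .rc `mkdir` with that context so tee needs no write access to generic `system_data_file` at all.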
+++ b/sepolicy/vndservice.te
@@ -0,0 +1 @@
+type goodixvnd_service, vndservice_manager_type;
diff --git a/sepolicy/vndservice_contexts b/sepolicy/vndservice_contexts
new file mode 100644
index 0000000..92d3f21
--- /dev/null
+++ b/sepolicy/vndservice_contexts
@@ -0,0 +1 @@
+android.hardware.fingerprint.IGoodixFingerprintDaemon u:object_r:goodixvnd_service:s0
diff --git a/sepolicy/vndservicemanager.te b/sepolicy/vndservicemanager.te
new file mode 100644
index 0000000..8d04dea
--- /dev/null
+++ b/sepolicy/vndservicemanager.te
@@ -0,0 +1,3 @@
+allow vndservicemanager hal_fingerprint_default:dir { search read open };
+allow vndservicemanager hal_fingerprint_default:file { read open };
+allow vndservicemanager hal_fingerprint_default:process getattr; |
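Review bot: The three vndservicemanager.te rules target `hal_fingerprint_default`, but the fingerprint HAL this commit defines runs as `hal_fingerprint_wayne` (see hal_fingerprint_wayne.te and the `hal_fingerprint_wayne_exec` label in file_contexts), so as written they cover a domain nothing in this change uses. If they were meant for the wayne domain they are, to my recollection of the AOSP macro, already granted by `vndbinder_use(hal_fingerprint_wayne)`, which adds exactly this dir/file/process access for vndservicemanager's getpidcon check. Either confirm that a second process really runs in `hal_fingerprint_default` and say so in a comment, or drop this file.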