From c61ad40914bd6040877cb8ee3789c76bd893f607 Mon Sep 17 00:00:00 2001
From: dianlujitao
Date: Thu, 20 Feb 2020 21:35:33 +0800
Subject: sdm660-common: Address SELinux denials and clean up

Change-Id: I997a268c9ce23eab80f1981293720e17d21bbb7a
---
 sepolicy/vendor/app.te | 3 +-
 sepolicy/vendor/file.te | 2 +-
 sepolicy/vendor/file_contexts | 36 ++++-------------------
 sepolicy/vendor/genfs_contexts | 29 +++++++++++++++----
 sepolicy/vendor/hal_audio_default.te | 1 +
 sepolicy/vendor/hal_camera_default.te | 5 ----
 sepolicy/vendor/hal_fingerprint_sdm660.te | 42 +++++++++++----------------
 sepolicy/vendor/hal_power_default.te | 1 +
 sepolicy/vendor/hwservice.te | 1 -
 sepolicy/vendor/hwservice_contexts | 14 ++++-----
 sepolicy/vendor/property_contexts | 47 +++++++++++++++++++++++--------
 sepolicy/vendor/system_server.te | 2 --
 sepolicy/vendor/thermal-engine.te | 1 +
 sepolicy/vendor/vendor_init.te | 2 +-
 sepolicy/vendor/vndservice.te | 1 -
 sepolicy/vendor/vndservice_contexts | 1 -
 16 files changed, 95 insertions(+), 93 deletions(-)
 create mode 100644 sepolicy/vendor/hal_audio_default.te
 delete mode 100644 sepolicy/vendor/hal_camera_default.te
 delete mode 100644 sepolicy/vendor/system_server.te
 delete mode 100644 sepolicy/vendor/vndservice.te
 delete mode 100644 sepolicy/vendor/vndservice_contexts
(limited to 'sepolicy/vendor')
diff --git a/sepolicy/vendor/app.te b/sepolicy/vendor/app.te
index a2d8aa6..511cc3f 100644
--- a/sepolicy/vendor/app.te
+++ b/sepolicy/vendor/app.te
@@ -1,3 +1,2 @@
-# Allow appdomain to get vendor_camera_prop
-get_prop({ appdomain -isolated_app }, mlipay_prop)
 get_prop({ appdomain -isolated_app }, hal_fingerprint_prop)
+get_prop({ appdomain -isolated_app }, mlipay_prop)
diff --git a/sepolicy/vendor/file.te b/sepolicy/vendor/file.te
index c9eeaf7..3901f9c 100644
--- a/sepolicy/vendor/file.te
+++ b/sepolicy/vendor/file.te
@@ -1,5 +1,5 @@
 type debugfs_wlan, debugfs_type, fs_type;
 type ir_dev_file, file_type;
 type sysfs_touchpanel, fs_type, sysfs_type;
-type fingerprint_sysfs, fs_type, sysfs_type;
+type sysfs_fingerprint, fs_type, sysfs_type;
 type thermal_data_file, file_type, data_file_type;
diff --git a/sepolicy/vendor/file_contexts b/sepolicy/vendor/file_contexts
index bc1cbb6..616afd3 100644
--- a/sepolicy/vendor/file_contexts
+++ b/sepolicy/vendor/file_contexts
@@ -1,50 +1,26 @@ # Biometric -/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.xiaomi_sdm660 u:object_r:hal_fingerprint_sdm660_exec:s0 +/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.xiaomi_sdm660 u:object_r:hal_fingerprint_sdm660_exec:s0 -# Fpc Fingerprint -/sys/devices/soc/soc:fpc1020(/.*)? u:object_r:fingerprint_sysfs:s0 - -# For Goodix fingerprint -/dev/goodix_fp u:object_r:fingerprint_device:s0 - -# Goodix Fingerprint data +# Fingerprint /data/gf_data(/.*)? u:object_r:fingerprintd_data_file:s0 -/data/misc/gf_data(/.*)? u:object_r:fingerprintd_data_file:s0 -/data/misc/goodix(/.*)? u:object_r:fingerprintd_data_file:s0 -/persist/data/gf* u:object_r:fingerprintd_data_file:s0 /data/vendor/fpc(/.*)? u:object_r:fingerprint_vendor_data_file:s0 /data/vendor/gf_data(/.*)? u:object_r:fingerprint_vendor_data_file:s0 /data/vendor/goodix(/.*)? u:object_r:fingerprint_vendor_data_file:s0 +/dev/goodix_fp u:object_r:fingerprint_device:s0 # Firmware -/firmware u:object_r:firmware_file:s0 -/bt_firmware u:object_r:bt_firmware_file:s0 - -# Fpc Fingerprint data -/persist/fpc(/.*)? u:object_r:fingerprintd_data_file:s0 - -# HVDCP -/sys/devices(/platform)?/soc/[a-z0-9]+\.i2c/i2c-[0-9]+/[0-9]+-[a-z0-9]+/[a-z0-9]+\.i2c:qcom,[a-z0-9]+@[a-z0-9]:qcom,smb[a-z0-9]+-parallel-slave@[0-9]+/power_supply/parallel(/.*)? u:object_r:sysfs_usb_supply:s0 +/firmware u:object_r:firmware_file:s0 +/bt_firmware u:object_r:bt_firmware_file:s0 # IR /dev/lirc0 u:object_r:spidev_device:s0 /dev/spidev7.1 u:object_r:spidev_device:s0 -# Keylayout -/vendor/usr/idc(/.*)? u:object_r:vendor_keylayout_file:s0 -/vendor/usr/keylayout(/.*)? 
u:object_r:vendor_keylayout_file:s0 - # Light HAL -/(vendor|system/vendor)/bin/hw/android\.hardware\.light@2\.0-service\.xiaomi_sdm660 u:object_r:hal_light_default_exec:s0 +/(vendor|system/vendor)/bin/hw/android\.hardware\.light@2\.0-service\.xiaomi_sdm660 u:object_r:hal_light_default_exec:s0 # Mlipay /(vendor|system/vendor)/bin/mlipayd@1.1 u:object_r:hal_mlipay_default_exec:s0 -# Persist -/persist/PRSensorData\.txt u:object_r:sensors_persist_file:s0 - -# RTC -/sys/devices/soc/800f000.qcom,spmi/spmi-0/spmi0-00/800f000.qcom,spmi:qcom,pm660@0:qcom,pm660_rtc/rtc/rtc0(/.*)? u:object_r:sysfs_rtc:s0 - # Thermal /data/vendor/thermal(/.*)? u:object_r:thermal_data_file:s0 diff --git a/sepolicy/vendor/genfs_contexts b/sepolicy/vendor/genfs_contexts index d80c532..4589cfc 100644 --- a/sepolicy/vendor/genfs_contexts +++ b/sepolicy/vendor/genfs_contexts 
@@ -1,7 +1,26 @@ -genfscon sysfs /touchpanel u:object_r:sysfs_touchpanel:s0 -genfscon debugfs /wlan0 u:object_r:debugfs_wlan:s0 +# Battery +genfscon sysfs /devices/soc/c176000.i2c/i2c-2/2-001d u:object_r:sysfs_battery_supply:s0 + +# Fingerprint +genfscon sysfs /devices/soc/soc:fingerprint_fpc/device_prepare u:object_r:sysfs_fingerprint:s0 +genfscon sysfs /devices/soc/soc:fingerprint_fpc/fingerdown_wait u:object_r:sysfs_fingerprint:s0 +genfscon sysfs /devices/soc/soc:fingerprint_fpc/irq_enable u:object_r:sysfs_fingerprint:s0 +genfscon sysfs /devices/soc/soc:fingerprint_fpc/wakeup_enable u:object_r:sysfs_fingerprint:s0 +genfscon sysfs /devices/soc/soc:fpc1020/device_prepare u:object_r:sysfs_fingerprint:s0 +genfscon sysfs /devices/soc/soc:fpc1020/fingerdown_wait u:object_r:sysfs_fingerprint:s0 +genfscon sysfs /devices/soc/soc:fpc1020/irq_enable u:object_r:sysfs_fingerprint:s0 +genfscon sysfs /devices/soc/soc:fpc1020/wakeup_enable u:object_r:sysfs_fingerprint:s0 # LED -genfscon sysfs /devices/soc/800f000.qcom,spmi/spmi-0/spmi0-03/800f000.qcom,spmi:qcom,pm660l@3:qcom,leds@d000/leds/button-backlight u:object_r:sysfs_graphics:s0 -genfscon sysfs /devices/soc/800f000.qcom,spmi/spmi-0/spmi0-03/800f000.qcom,spmi:qcom,pm660l@3:qcom,leds@d000/leds/button-backlight1 u:object_r:sysfs_graphics:s0 -genfscon sysfs /devices/soc/800f000.qcom,spmi/spmi-0/spmi0-03/800f000.qcom,spmi:qcom,pm660l@3:qcom,leds@d000/leds/white u:object_r:sysfs_graphics:s0 +genfscon sysfs /devices/soc/800f000.qcom,spmi/spmi-0/spmi0-03/800f000.qcom,spmi:qcom,pm660l@3:qcom,leds@d000/leds/button-backlight u:object_r:sysfs_graphics:s0 +genfscon sysfs /devices/soc/800f000.qcom,spmi/spmi-0/spmi0-03/800f000.qcom,spmi:qcom,pm660l@3:qcom,leds@d000/leds/button-backlight1 u:object_r:sysfs_graphics:s0 +genfscon sysfs /devices/soc/800f000.qcom,spmi/spmi-0/spmi0-03/800f000.qcom,spmi:qcom,pm660l@3:qcom,leds@d000/leds/white u:object_r:sysfs_graphics:s0 + +# Power +genfscon debugfs /wlan0 u:object_r:debugfs_wlan:s0 + +# RTC 
+genfscon sysfs /devices/soc/800f000.qcom,spmi/spmi-0/spmi0-00/800f000.qcom,spmi:qcom,pm660@0:qcom,pm660_rtc/rtc u:object_r:sysfs_rtc:s0
+
+# Touchpanel
+genfscon sysfs /touchpanel u:object_r:sysfs_touchpanel:s0
diff --git a/sepolicy/vendor/hal_audio_default.te b/sepolicy/vendor/hal_audio_default.te
new file mode 100644
index 0000000..fb3a241
--- /dev/null
+++ b/sepolicy/vendor/hal_audio_default.te
@@ -0,0 +1 @@
+allow hal_audio_default sysfs:dir r_dir_perms;
diff --git a/sepolicy/vendor/hal_camera_default.te b/sepolicy/vendor/hal_camera_default.te
deleted file mode 100644
index 34531cb..0000000
--- a/sepolicy/vendor/hal_camera_default.te
+++ /dev/null
@@ -1,5 +0,0 @@
-binder_call(hal_camera_default, hal_configstore_default)
-binder_call(hal_camera_default, hal_graphics_allocator_default)
-
-allow hal_camera_default sysfs:file { getattr open read };
-allow hal_camera_default sysfs_kgsl:file { getattr open read };
diff --git a/sepolicy/vendor/hal_fingerprint_sdm660.te b/sepolicy/vendor/hal_fingerprint_sdm660.te
index 6cef299..5809cfd 100644
--- a/sepolicy/vendor/hal_fingerprint_sdm660.te
+++ b/sepolicy/vendor/hal_fingerprint_sdm660.te
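Review bot: In the new hal_audio_default.te, `allow hal_audio_default sysfs:dir r_dir_perms;` grants directory listing on the generic `sysfs` type, which covers every sysfs directory that has no more specific label rather than only the path the audio HAL was denied on. The same pattern appears in the thermal-engine.te hunk (`allow thermal-engine sysfs:dir r_dir_perms;`). If the denied path is known, labelling it in genfs_contexts, as this commit already does for the fingerprint and RTC nodes, and allowing that type would keep the grant scoped. Otherwise a comment quoting the avc denial above each rule would record why the broad grant is needed.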
@@ -1,38 +1,30 @@ -type hal_fingerprint_sdm660, domain, binder_in_vendor_violators; +type hal_fingerprint_sdm660, domain; hal_server_domain(hal_fingerprint_sdm660, hal_fingerprint) - + type hal_fingerprint_sdm660_exec, exec_type, vendor_file_type, file_type; -typeattribute hal_fingerprint_sdm660 data_between_core_and_vendor_violators; -binder_use(hal_fingerprint_sdm660) init_daemon_domain(hal_fingerprint_sdm660) -allow hal_fingerprint_sdm660 fingerprint_device:chr_file { read write open ioctl }; -allow hal_fingerprint_sdm660 { tee_device uhid_device }:chr_file { read write open ioctl }; +allow hal_fingerprint_sdm660 { + fingerprint_device + tee_device + uhid_device +}:chr_file rw_file_perms; + +# TODO(b/36644492): Remove data_between_core_and_vendor_violators once +# hal_fingerprint no longer directly accesses fingerprintd_data_file. +typeattribute hal_fingerprint_sdm660 data_between_core_and_vendor_violators; +# access to /data/system/users/[0-9]+/fpdata allow hal_fingerprint_sdm660 fingerprintd_data_file:dir rw_dir_perms; allow hal_fingerprint_sdm660 fingerprintd_data_file:file create_file_perms; -allow hal_fingerprint_sdm660 { fuse mnt_user_file storage_file }:dir search; -allow hal_fingerprint_sdm660 { mnt_user_file storage_file }:lnk_file read; -allow hal_fingerprint_sdm660 fingerprint_sysfs:dir r_dir_perms; -allow hal_fingerprint_sdm660 fingerprint_sysfs:file rw_file_perms; -allow hal_fingerprint_sdm660 hal_fingerprint_sdm660:netlink_socket { create bind write read }; +allow hal_fingerprint_sdm660 sysfs_fingerprint:file rw_file_perms; -binder_call(hal_fingerprint_sdm660, vndservicemanager) -binder_call(hal_fingerprint_sdm660, hal_perf_default) +allow hal_fingerprint_sdm660 self:netlink_socket create_socket_perms_no_ioctl; -binder_use(hal_fingerprint_sdm660) +allow hal_fingerprint_sdm660 hal_perf_hwservice:hwservice_manager find; +binder_call(hal_fingerprint_sdm660, hal_perf_default) r_dir_file(hal_fingerprint_sdm660, firmware_file) - 
-add_service(hal_fingerprint_sdm660, goodixvnd_service) - -allow hal_fingerprint_sdm660 vndbinder_device:chr_file ioctl; - set_prop(hal_fingerprint_sdm660, hal_fingerprint_prop) -vndbinder_use(hal_fingerprint_sdm660) - -dontaudit hal_fingerprint_sdm660 { media_rw_data_file sdcardfs}:dir search; -dontaudit hal_fingerprint_sdm660 media_rw_data_file:dir { read open }; -dontaudit hal_fingerprint_sdm660 hal_perf_hwservice:hwservice_manager find; -dontaudit hal_fingerprint_sdm660 hal_fingerprint_hwservice:hwservice_manager add; +dontaudit hal_fingerprint_default storage_file:dir search; diff --git a/sepolicy/vendor/hal_power_default.te b/sepolicy/vendor/hal_power_default.te index 6ecf0a0..d09d621 100644 --- a/sepolicy/vendor/hal_power_default.te +++ b/sepolicy/vendor/hal_power_default.te @@ -1,2 +1,3 @@ +allow hal_power_default sysfs_touchpanel:dir search; allow hal_power_default sysfs_touchpanel:file rw_file_perms; r_dir_file(hal_power_default, debugfs_wlan) diff --git a/sepolicy/vendor/hwservice.te b/sepolicy/vendor/hwservice.te index 6c299d1..158b6cc 100644 --- a/sepolicy/vendor/hwservice.te +++ b/sepolicy/vendor/hwservice.te @@ -1,2 +1 @@ -type goodixhw_service, hwservice_manager_type; type hal_mlipay_hwservice, hwservice_manager_type; diff --git a/sepolicy/vendor/hwservice_contexts b/sepolicy/vendor/hwservice_contexts index 1f1df2d..6ffb1fc 100644 --- a/sepolicy/vendor/hwservice_contexts +++ b/sepolicy/vendor/hwservice_contexts 
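Review bot: The last added line of the hal_fingerprint_sdm660.te hunk, `dontaudit hal_fingerprint_default storage_file:dir search;`, names `hal_fingerprint_default`, while every other rule in the file is written for `hal_fingerprint_sdm660`, the domain the service enters through `init_daemon_domain`. As written the rule would not suppress denials raised by this HAL; it likely should read `dontaudit hal_fingerprint_sdm660 storage_file:dir search;`. Separately, the merged `chr_file` rule now uses `rw_file_perms`, which is a wider set than the previous `{ read write open ioctl }` on `tee_device` and `uhid_device`; it is worth confirming the extra permissions are intended.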
@@ -1,7 +1,7 @@
-vendor.goodix.hardware.fingerprint::IGoodixBiometricsFingerprint u:object_r:hal_fingerprint_hwservice:s0
-com.fingerprints.extension::IFingerprintEngineering u:object_r:hal_fingerprint_hwservice:s0
-com.fingerprints.extension::IFingerprintSensorTest u:object_r:hal_fingerprint_hwservice:s0
-com.fingerprints.extension::IFingerprintNavigation u:object_r:hal_fingerprint_hwservice:s0
-com.fingerprints.extension::IFingerprintCalibration u:object_r:hal_fingerprint_hwservice:s0
-com.fingerprints.extension::IFingerprintSenseTouch u:object_r:hal_fingerprint_hwservice:s0
-vendor.xiaomi.hardware.mlipay::IMlipayService u:object_r:hal_mlipay_hwservice:s0
+com.fingerprints.extension::IFingerprintCalibration u:object_r:hal_fingerprint_hwservice:s0
+com.fingerprints.extension::IFingerprintEngineering u:object_r:hal_fingerprint_hwservice:s0
+com.fingerprints.extension::IFingerprintNavigation u:object_r:hal_fingerprint_hwservice:s0
+com.fingerprints.extension::IFingerprintSenseTouch u:object_r:hal_fingerprint_hwservice:s0
+com.fingerprints.extension::IFingerprintSensorTest u:object_r:hal_fingerprint_hwservice:s0
+vendor.goodix.hardware.fingerprint::IGoodixBiometricsFingerprint u:object_r:hal_fingerprint_hwservice:s0
+vendor.xiaomi.hardware.mlipay::IMlipayService u:object_r:hal_mlipay_hwservice:s0
diff --git a/sepolicy/vendor/property_contexts b/sepolicy/vendor/property_contexts
index c5212b1..617ac13 100644
--- a/sepolicy/vendor/property_contexts
+++ b/sepolicy/vendor/property_contexts
@@ -1,12 +1,35 @@
-persist.camera. u:object_r:camera_prop:s0
-ro.boot.fpsensor u:object_r:hal_fingerprint_prop:s0
-sys.fp.goodix u:object_r:hal_fingerprint_prop:s0
-sys.fp.vendor u:object_r:hal_fingerprint_prop:s0
-persist.sys.fp.info u:object_r:hal_fingerprint_prop:s0
-persist.vendor.sys.fp.vendor u:object_r:hal_fingerprint_prop:s0
-persist.vendor.sys.pay.fido u:object_r:mlipay_prop:s0
-persist.vendor.sys.pay.ifaa u:object_r:mlipay_prop:s0
-persist.vendor.sys.pay.soter u:object_r:mlipay_prop:s0
-persist.vendor.sys.provision.status u:object_r:mlipay_prop:s0
-persist.sys.thermal. u:object_r:thermal_engine_prop:s0
-sys.thermal. u:object_r:thermal_engine_prop:s0
+# Audio
+audio.sys.noisy.broadcast.delay u:object_r:vendor_default_prop:s0
+audio.sys.offload.pstimeout.secs u:object_r:vendor_default_prop:s0
+audio_hal.in_period_size u:object_r:vendor_default_prop:s0
+audio_hal.period_multiplier u:object_r:vendor_default_prop:s0
+persist.audio.fluence.voicecomm u:object_r:vendor_default_prop:s0
+
+# Camera
+cameradaemon.SaveMemAtBoot u:object_r:vendor_default_prop:s0
+cpp.set.clock u:object_r:vendor_default_prop:s0
+disable.cpp.power.collapse u:object_r:vendor_default_prop:s0
+persist.camera. u:object_r:vendor_default_prop:s0
+
+# Fingerprint
+fpc_kpi u:object_r:vendor_default_prop:s0
+gf.debug.dump_data u:object_r:vendor_default_prop:s0
+persist.sys.fp. u:object_r:hal_fingerprint_prop:s0
+persist.vendor.sys.fp. u:object_r:hal_fingerprint_prop:s0
+ro.boot.fp. u:object_r:hal_fingerprint_prop:s0
+ro.boot.fpsensor u:object_r:hal_fingerprint_prop:s0
+sys.fp. u:object_r:hal_fingerprint_prop:s0
+
+# Media
+gpu.stats.debug.level u:object_r:vendor_default_prop:s0
+
+# Mlipay
+persist.vendor.sys.pay. u:object_r:mlipay_prop:s0
+persist.vendor.sys.provision.status u:object_r:mlipay_prop:s0
+
+# Thermal engine
+persist.sys.thermal. u:object_r:thermal_engine_prop:s0
+sys.thermal.
u:object_r:thermal_engine_prop:s0 + +# Wlan +persist.vendor.wigig.npt.enable u:object_r:vendor_default_prop:s0 diff --git a/sepolicy/vendor/system_server.te b/sepolicy/vendor/system_server.te deleted file mode 100644 index b364128..0000000 --- a/sepolicy/vendor/system_server.te +++ /dev/null @@ -1,2 +0,0 @@ -allow system_server vendor_keylayout_file:dir search; -allow system_server vendor_keylayout_file:file r_file_perms; diff --git a/sepolicy/vendor/thermal-engine.te b/sepolicy/vendor/thermal-engine.te index 0e03308..f6f5331 100644 --- a/sepolicy/vendor/thermal-engine.te +++ b/sepolicy/vendor/thermal-engine.te @@ -1,5 +1,6 @@ allow thermal-engine thermal_data_file:dir rw_dir_perms; allow thermal-engine thermal_data_file:file create_file_perms; +allow thermal-engine sysfs:dir r_dir_perms; allow thermal-engine self:capability { chown fowner }; dontaudit thermal-engine self:capability dac_override; diff --git a/sepolicy/vendor/vendor_init.te b/sepolicy/vendor/vendor_init.te index 8d3b1e6..b3d4c00 100644 --- a/sepolicy/vendor/vendor_init.te +++ b/sepolicy/vendor/vendor_init.te @@ -5,4 +5,4 @@ allow vendor_init { tombstone_data_file }:dir { create search getattr open read setattr ioctl write add_name remove_name rmdir relabelfrom }; -set_prop(vendor_init, camera_prop) +set_prop(vendor_init, freq_prop) diff --git a/sepolicy/vendor/vndservice.te b/sepolicy/vendor/vndservice.te deleted file mode 100644 index ebc594c..0000000 --- a/sepolicy/vendor/vndservice.te +++ /dev/null @@ -1 +0,0 @@ -type goodixvnd_service, vndservice_manager_type; diff --git a/sepolicy/vendor/vndservice_contexts b/sepolicy/vendor/vndservice_contexts deleted file mode 100644 index 92d3f21..0000000 --- a/sepolicy/vendor/vndservice_contexts +++ /dev/null @@ -1 +0,0 @@ -android.hardware.fingerprint.IGoodixFingerprintDaemon u:object_r:goodixvnd_service:s0 -- cgit v1.2.3
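Review bot: In the property_contexts hunk the fingerprint entries change from exact names (`sys.fp.goodix`, `sys.fp.vendor`, `persist.sys.fp.info`) to prefixes (`sys.fp.`, `persist.sys.fp.`, `persist.vendor.sys.fp.`, `ro.boot.fp.`), all labelled `hal_fingerprint_prop`, and app.te lets `{ appdomain -isolated_app }` read that type. Any property later created under those prefixes becomes readable by apps and settable by the fingerprint HAL, so listing only the names actually used would keep the exposure explicit. The same applies to `persist.vendor.sys.pay.` and `mlipay_prop`. Several new `vendor_default_prop` entries, such as `audio.sys.noisy.broadcast.delay` and `fpc_kpi`, sit outside a vendor-owned prefix; if those names are fixed by the vendor binaries, a comment saying so would help later reviewers.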